2019 Annual Report and Accounts 2019 Annual Report and Ac and Report Annual 2019 counts

Sophos Group plc The Pentagon, Abingdon Science Park, Abingdon, OX14 3YP, United Kingdom.

Tel: +44 1235 559933 www.sophos.com Cybersecurity evolved 2019 Annual Report and Accounts 181

Innovative, simple and highly effective cybersecurity Introduction solutions, for organisations Financial calendar of any size Announcement of results The results of the Group are normally published at the following times:

Sophos delivers award-winning At Sophos we know that the • Half-year results for the six months to 30 September endpoint protection harnessing the solution to complexity is not more in mid-November. power of artificial intelligence (“AI”), complexity. We tackle security Preliminary announcement for the year to 31 March enabling unmatched defence challenges with clarity and • in late May. against malware, exploits, and confidence, knowing that simple ransomware. Our network security security is better security. • Annual Report and Accounts for the year to 31 March offers the world’s best visibility, in mid-June. protection, and response, powered Find out more at ReportStrategic Dividend payments by deep learning and synchronized www.sophos.com security. And we combine the Our current policy is to make dividend payments at the power of AI and automation to following times: simplify compliance, governance, • Interim dividend in December. and security monitoring in the public cloud. • Final dividend as reasonably practicable following the AGM, which in 2019 is on 25 September.

2019 final dividend timetable: • Record date: 20 September. • Dividend paid: 11 October. Corporate Governance 2019 Highlights Cautionary statement This Annual Report and Accounts has been prepared for, and Revenue Adjusted Operating Profit only for, the members of Sophos Group plc (“the Company”), as a body, and no other persons. The Company, its Directors, employees, agents or advisers do not accept or assume responsibility to any other person to whom this document is +11% +87% shown or into whose hands it may come and any such responsibility or liability is expressly disclaimed. By their Business Highlights nature, the statements concerning the risks and uncertainties facing the Group in this Annual Report and • Strong growth in subscription • Renewal rates within the Group’s Accounts involve uncertainty since future events and revenue, up 16% year-on-year subscription business remain circumstances can cause results and developments to differ at healthy levels at 124% StatementsFinancial • Strong demand for our cloud solutions, materially from those anticipated. The forward-looking with over 135,000 of our customers • The Group remains well-positioned statements reflect knowledge and information available at managing their security via the Sophos competitively, with industry-leading the date of preparation of this Annual Report and Accounts Central cloud platform technology and a differentiated and the Company undertakes no obligation to update these strategy for synchronized security forward-looking statements. Nothing in this Annual Report • Sophos is now established as and Accounts should be construed as a profit forecast. a leader in the fast-growing market • Step change in profitability, for next-gen cybersecurity solutions, reflecting good revenue growth founded on powerful artificial and operating leverage intelligence capabilities Additional InformationAdditional 403838c

2019 Annual Report and Accounts 01

CHAIRMAN’S INTRODUCTION Introduction

Our strategic progress has positioned Sophos as one of the CONTENTS world’s leading next-generation cybersecurity vendors.

Despite the challenges we faced in FY19 selling against an exceptional prior-year Introduction comparative which resulted in a 1 per cent reduction in billings, our subscription- 00 Highlights based business model together with continued demand delivered a 124 per cent 01 Chairman’s Introduction renewal rate and 35,000 net new customers, and enabled us to achieve growth of 02 At a Glance 11.2 per cent in revenue, driven by a 15.9 per cent growth in subscription revenue. 04 Our Investment Proposition Additionally, as we’ve continued to grow the number of customers deploying both Strategic Report ReportStrategic our endpoint and UTM/next-gen firewall to approximately 12.1 per cent, our now Key Product and Technology 335,000-strong customer base represents a compelling opportunity as we look 08 Developments to continue to increase adoption rates of multiple products across our portfolio. 10 Network Security 13 Enduser Security We continue to prioritise investment in innovation, which has produced important 14 Our Markets advances this year. Sophos Intercept X Advanced with EDR automates much of 16 Our Business Model the process of active threat hunting via some of the world’s most advanced deep 18 Strategic Framework learning, neural network-based artificial intelligence. With the latest Sophos XG 20 Key Performance Indicators Firewall, customers are able to manage their Sophos security solutions fully 22 Chief Executive’s Statement within the Sophos Central cloud platform. These and other innovations, and 28 Financial Review Risk Management and Principal looking forward, a robust development calendar for the near and medium term, 36 contribute to our evolution – already well underway – to become one of the Risks & Uncertainties 40 Corporate Responsibility Report world’s leading next-generation cybersecurity vendors. Already 47 per cent of our FY19 billings came from our next-generation products. As this evolution Governance Corporate Governance continues, we believe our differentiated strategy around synchronized security 54 Board of Directors spanning endpoint, network, and public cloud will further drive demand. 56 Corporate Governance Statement 68 Nomination Committee Report We also continue our investments in our sales and marketing operations, 71 Audit and Risk Committee Report emphasising continued partner support, customer service, and productivity. 77 Disclosure Committee Report Annual Statement of the Our strategy of channel partnering along with our relentless culture to serve 78 Remuneration Committee Chairman our customers and partners we believe has enhanced our visibility and market 80 Remuneration at a Glance reach, our customer following, and our growth opportunities as we continue to 82 Directors’ Remuneration Policy strengthen our next-generation offerings. 91 Annual Report on Remuneration 102 Directors’ Report Our market continues to show significant demand for cybersecurity solutions Financial Statements across an increasingly complex landscape of devices, networks, and applications in organisations of all sizes. We believe our rigorous and strategic focus on 110 Independent Auditor’s Report Consolidated Financial Statements StatementsFinancial 118 security solutions managed centrally through the cloud, our focus on channel and Notes partners serving these customers, our differentiated offerings in the market, Company Financial Statements 174 our robust product roadmap, our substantial customer base, and the scale and and Notes momentum of our next-generation offerings represent powerful ingredients Additional Information for our continued growth and market leadership. 178 Glossary 179 Company Information On behalf of our Board, thank you very much to our Sophos team members 180 Shareholder Information and partners around the world for your hard work and dedication to deliver value to our customers and returns to our shareholders. To our partners, customers, and investors, thank you very much for your continued support and confidence. We maintain our relentless focus to keep earning it.

Find out more at: InformationAdditional Peter Gyenes www.sophos.com Non-Executive Chairman 02 Cybersecurity evolved

AT A GLANCE

IRELAND 20 employees

UK Cybersecurity evolved, 589 employees

FRANCE CHINA Sophos is a global leader 64 employees 16 employees in 3 locations NETHERLANDS TAIWAN in next-gen 42 employees in 2 locations 10 employees GERMANY 310 employees in 3 locations SOUTH KOREA 3 employees CANADA SWEDEN 305 employees in 2 locations 11 employees JAPAN Sophos is at the forefront at a pivotal moment of evolution 51 employees FINLAND in the cybersecurity industry. The Group is a global leader 2 employees in next-gen, cloud-managed network and enduser cybersecurity, and consequently is helping to drive change POLAND that is reshaping the market, as it harnesses the power of 4 employees world-leading artificial intelligence, through deep learning neural networks, to adapt ever more quickly to the emerging threat landscape. At the heart of the strategy lies the US concept of synchronized security, where all of the Group’s 607 employees in 4 locations INDIA products actively work together in order to provide faster, 819 employees in 10 locations more accurate detection, and greater levels of automation UAE 16 employees than ever before. PHILLIPINES TURKEY 146 employees 5 employees MALAYSIA HUNGARY 6 employees 99 employees

INDONESIA Geographic footprint 5 employees AUSTRIA Sophos is a truly global company with more than 50 offices AUSTRALIA 58 employees in 2 locations around the world, with major offices in the UK, USA, Canada, 80 employees India and Germany. ITALY SINGAPORE 42 employees in 2 locations 21 employees SWITZERLAND PARTNERS END USER CUSTOMERS OFFICES EMPLOYEES 13 employees THAILAND 47,000 382,000 51 3,400 SPAIN 4 employees 26 employees

GAAP financial highlights

Revenue Profit/(Loss) Before Tax Net Cash Flow From Operating Activities

$711m $54m $143m (FY18: $639m) (FY18: ($41m)) (FY18: $148m)

2019 $711m 2019 $54m 2019 $143m 2018 $639m ($41m) 2018 2018 $148m 2017 $530m ($49m) 2017 2017 $119m 2019 Annual Report and Accounts 03

IRELAND 20 employees Our 2019 Awards Introduction UK CIO Choice 589 employees Network Security CIO Choice 2018 FRANCE CHINA 64 employees 16 employees in 3 locations CRN NETHERLANDS ARC – Annual Report TAIWAN Card awards 42 employees in 2 locations 10 employees Overall Winner – Network GERMANY Security and Overall 310 employees in 3 locations SOUTH KOREA Winner – Endpoint 3 employees Security + Scored 100 for CANADA SWEDEN Ease of Doing Business 305 employees in 2 locations 11 employees JAPAN 51 employees FINLAND CRN Germany Sophos ReportStrategic 2 employees IT Security Vendor POLAND of the Year 4 employees CRN UK Sophos US Security Vendor of the Year 607 employees in 4 locations INDIA CRN US UAE 819 employees in 10 locations Intercept X with Deep 16 employees PHILLIPINES Learning CRN Tech Innovator Award TURKEY 146 employees 5 employees Intercept X and XG Firewall

CRN Products of the Year Corporate Governance MALAYSIA HUNGARY 6 employees 99 employees Information Age Sophos INDONESIA Employer of the Year 5 employees AUSTRIA Funkschau AUSTRALIA 58 employees in 2 locations XG Firewall 80 employees Product of the Year in ITALY category “Cybersecurity” SINGAPORE 42 employees in 2 locations 21 employees SWITZERLAND Computing Security Excellence Awards 13 employees THAILAND Intercept X SPAIN 4 employees Innovation of the Year 26 employees StatementsFinancial Channelnomics Security Innovation Security Innovation Non-GAAP financial highlights of the Year

Billings1 Cash EBITDA¹ Unlevered Free Cash Flow¹ Computer Bild Sophos Trusted Solutions Award $760m $168m $124m 2019 in the category “IT Security” (FY18: $769m) (FY18: $199m) (FY18: $140m) Additional InformationAdditional 2019 $760m 2019 $168m 2019 $124m 1 D efinitions and reconciliations of 2018 $769m 2018 $199m 2018 $140m non-GAAP measures are included in note 5 of the Financial 2017 $632m 2017 $150m 2017 $133m Statements and in the glossary 04 Cybersecurity evolved

OUR INVESTMENT PROPOSITION

Continued growth in revenue and significant long-term profitability

1. 2. 3. COMPELLING DIFFERENTIATED SaaS INDUSTRY STRATEGY SUBSCRIPTION FUNDAMENTALS FINANCIAL MODEL

A large, dynamic, growing A clear and compelling High recurring revenues and market opportunity strategy renewal rates

• Security is consistently the top • Sophos is solely focused on • Sophos principally sells Software priority for corporate IT spend cybersecurity and we strive as a Service (“SaaS”) via both to deliver industry-leading recurring, upfront subscription • The total market is estimated technology that is simple to billings and increasingly through to be worth around $43 billion, deploy, use and manage monthly MSP billings, which growing at around 8 per cent per provide significant visibility and annum, within which the Group’s • Sophos offers enterprise-grade stability of future revenues and products address markets technology, independently rated are increasing the focus of the growing even faster as amongst the best in the Directors on Revenue and Adjusted industry, appropriate to Operating Profit measures • The cybersecurity threat enterprises of any size, including environment is constantly SMEs with fewer resources • The Group has a proven ability to evolving in scale and deliver consistent new customer sophistication, presenting new • The Group’s sales strategy is 100 growth and maintain strong challenges at a rapid pace to per cent “channel first” and as a renewal rates organisations of all sizes result of considerable investment • The business generates the Group now has more than significant cash flows which are • Sophos is well-positioned to take 46,000 global partners advantage of opportunities as reinvested to drive future growth, a leader in high growth areas, via innovation, building brand for example next-generation awareness, and sensible endpoint, cloud, network, and acquisitions synchronized security • The total renewal base now exceeds $1.2 billion

Total cybersecurity Proportion of customers Proportion of revenue market with <5,000 employees from subscriptions

$43B 86% 84%

See Our Markets See Strategic Framework See Financial Review for further information on page 14 for further information on page 18 for further information on page 28 2019 Annual Report and Accounts 05 Introduction

4. 5. 6. ReportStrategic THE SOPHOS OPPORTUNITIES EXPERIENCED BRAND FOR GROWTH MANAGEMENT TEAM

Innovative, simple and highly An expectation to continue to Consistently delivering against effective security outperform the IT security strategic goals market • Sophos is very proud of our brand • Strongly motivated team with the and the ethos of simplicity that it • Differentiation is a key driver of background and skills to deliver represents – which spans all that market share gains profitable growth over the Corporate Governance Sophos does long term • Innovation will remain a key • The Group employs a highly growth driver, with internal • Extensive experience in running creative digital marketing investment supplemented large technology businesses, approach, utilising educational by sensible, disciplined typically with more than 20 in-person events and social technology acquisitions years of experience in their media outreach respective fields • Despite a broad international • With one of the world’s leading reach, the Group sees • Completely aligned in driving threat intelligence operations, opportunities for further forward the Sophos vision and SophosLabs, and a reputation for regional expansion strategy of innovative, simple, excellence built over many years, and highly effective security Sophos is a trusted voice in the • Synchronized security lies at the world of cybersecurity heart of an integrated product portfolio, delivered via the cloud in Sophos Central, and provides StatementsFinancial significant cross-sell and upsell opportunities

• Sophos is focused on continuing to build its partner network and increasing sales productivity

Annual sales and marketing Net renewal investment rate

$260m 124% InformationAdditional

See Our Markets for further information on page 14 06 Cybersecurity evolved

Threat landscape

The seven uncomfortable truths of endpoint security

Four out of five organisations are struggling with threat detection and response due to lack of security expertise.

The results of a recent Endpoint Detection and Response independent report (Seven ("EDR") has swiftly become Uncomfortable Truths of Endpoint must-have technology and nine Security¹, March 2019), in ten plan to add it to their commissioned by Sophos to defences, with 61 per cent better understand the realities of planning to do so within the next endpoint security today, showed six months. Sophos believes this that one of the key challenges in makes sense, as EDR helps to stopping today’s advanced reduce the time spent attacks is the lack of the investigating security incidents specialist cybersecurity skills to and increases visibility into the address them. threat chain. Interestingly, EDR has become a tool for all, and we While organisations recognise see almost equal demand from they need better help, addressing both smaller and larger this skills shortage is no easy task, organisations. with 79 per cent of respondents citing cybersecurity recruitment as a challenge. Putting the necessary teams in place is an

uphill battle, and organisations are Find out more at: increasingly looking to technology, ¹www.sophos.com/truths such as artificial intelligence, to fill For more information see page 08 in the gaps. 2019 Annual Report and Accounts and Report Annual 2019 40 36 18 16 14 13 and 10 Product ey 08 Strategic Report 28 22 20

Principal Risks and Risks Uncertainties Principal  C R F Technology Developments C Ke S O O E N K inancial Review nduser Security nduser hief Executive’s Statement Executive’s hief orporate Responsibility Report Responsibility orporate trategic Framework trategic isk Management and ur Business Model Business ur Markets ur etwork Security etwork y Performance Indicators y Performance

Additional Information Financial Statements Corporate Governance Strategic Report Introduction 07 08 Cybersecurity evolved

KEY PRODUCT AND TECHNOLOGY DEVELOPMENTS

IT security experts have first-responder forensics at their fingertips with endpoint detection and response

Endpoint Detection and Response ("EDR")

Intercept X Advanced with EDR powered by deep learning technology delivers faster, more extensive threat discovery.

START WITH ADD GUIDED THE STRONGEST EXPERTISE NOT INCIDENT PROTECTION HEADCOUNT RESPONSE

To stop breaches before they start, Intercept X Advanced with EDR Intercept X Advanced with EDR prevention is crucial. Intercept X replicates the tasks normally allows administrators to answer consolidates unmatched performed by skilled analysts, so the tough questions about security protection and endpoint detection organisations can add expertise incidents by providing visibility into and response into a single solution. without having to add staff. Unlike the scope of an attack, how it This means that most threats are other EDR solutions which rely on started, what was impacted, and stopped before they can ever highly skilled human analysts to how to respond. Security teams of cause damage and Intercept X ask questions and interpret data, all skill levels can quickly Advanced with EDR provides Intercept X Advanced with EDR is understand their security posture additional cybersecurity assurance powered by machine learning and thanks to guided investigations with the ability to detect, enhanced with curated which offer suggested next steps, investigate, and respond to SophosLabs threat intelligence. clear visual attack representations, potential security threats. and built-in expertise.

Sophos’ deep learning neural network is trained on hundreds of millions of samples to look for suspicious attributes of malicious code to detect never-before-seen threats. It provides broad, expert analysis of potential attacks by comparing the DNA of suspicious files against the malware samples already categorised in SophosLabs.

Until now, effective investigation and incident response has only been achievable in organisations with a dedicated security operations center ("SOC") or specialised IT security team trained to hunt and analyse cyber-attacks. With Sophos Intercept X Advanced with EDR, businesses of all sizes, and those with limited resources, can add threat tracking and SOC-like capabilities to their security defences, reducing the time criminal hackers can hide in their network.

With a single click, IT managers have on-demand access to curated intelligence from SophosLabs, guided investigations into suspicious events, and recommended next steps. To maintain full visibility into the threat landscape, SophosLabs tracks, deconstructs, and analyses 400,000 new and previously unseen suspicious files and attack components each day. By providing access to SophosLabs data, IT managers of all skill levels have first-responder forensics at their fingertips to best determine if and what types of attacks are happening.

Product timeline

2012 2013 2015 2016

Mobile Control became Sophos Mobile Sandboxing integrated into XG Firewall Intercept X launched Sophos Email launched Synchronized Security launched Sophos Central Device Encryption Mobile Control launched Sophos Central launched First XG Firewall launched Sophos Wireless launched View more information on our website 2019 Annual Report and Accounts and Report Annual 2019 www.sophos.com their network. in hide can hackers criminal time the reducing defences, security their to capabilities SOC-like and tracking threat add can resources limited with those and sizes all of businesses EDR, with Sophos Intercept X Advanced With product. Advanced X Intercept winning award- its to EDR added Sophos 2018, October In X Intercept Sophos security. synchronized byprotection easily enabling bolstering while customers management for Sophos simplifies it as ecosystem Sophos the of benefits the valuestrengthens and Sophos further Central into integration Firewall XG compromised network. a into further infiltrating from spreadingexploits and prevent cyber-attacks or Movement to Protection, Lateral first: another industry introducing Firewall XG its of version latest the released In November 2018, Sophos XG Firewall Sophos Sophos Central. This is an industry first as Sophos is the only vendor to offer both a leading Firewall and Endpoint solution managed from the same cloud console. cloud same the from managed solution Endpoint and Firewall leading a both offer to vendor only the is Sophos as first industry an is This Central. Sophos 2017 Sophos provides the ability for remote management and deployment of all Sophos through products a single integrated cloud-based management console, Intercept X added deep learning deep Xadded Intercept XG Firewall App Control Synchronized introduced Phish launched Threat Wireless Web

and Google Cloud Sophos for AWS, Azure, the next victim. from becomingbusinesses addition that helps defend apowerful is Server for Sophos Intercept Central, X and easy management from intelligence sharingsecurity synchronized with Combined threats. cyber against evolving security constantly thattechnology provides learning deep predictive with protection server Server, next-generation Xfor Intercept released Sophos 2018, July In Server Xfor Intercept Sophos Google. and Azure, AWS, as public such cloud services end-to-end in protection to provideplatform effective compliance, and DevSecOps analytics, security cloud intelligence-basedartificial an offers Optix Cloud cloud Sophos environments, across publicprotection ToPlatform. enhance the Cloud Google and Azure, Microsoft Web Services, environments in Amazon hosted for security network andSophos provides server Firewall 2018 Mail

Intercept X added EDR X added Intercept Visibility App Cloud added Firewall XG added Security Wireless Synchronized Series –APX launched Points Access WiFi New released Server Xfor Intercept Central Sophos into integrated Threat Phish Sophos Central Sophos Central

space considerably. this in market addressable Firewall, broadening the XG or Central Sophos either in points access Series APX their managing between choose to flexibility the have also now customers 2019, February Since Central. Mobile managed in Sophos Sophos Xand Intercept combination Sophos with in used when support security synchronized with along released, were points series of wireless access New versions of the APX Sophos Wireless Intercept X. technologies found in Sophos learning deep same the using forprotection mobile devices Includes best-in-class platform. cybersecurity next-gen aleading of part integral an is that world the in solution ("MTD") Defense Threat Mobile and ("UEM") Endpoint Management Unified only the it making Central, Sophos in natively built is Mobile Sophos Sophos Mobile

Mobile Server 2019 XG Firewall introduced Movement Lateral Central Sophos into integrated Firewall XG Encryption and zero-day malware. defend against ransomware to intelligence artificial latest the with tomorrow, and today, threats email malicious and unwanted protecting users from management console, easy-to-use single Central’s Sophos through simply delivered security email is Email Sophos Sophos Email on phishing attacks. click not and identify, to them train and organisation the within users at-risk identify to teams security IT allow to security synchronized Sophos email through Sophos with bymarket integrating the in out stands Threat engaging training. Phish phishing simulation and regular through attack, to susceptibility employees andorganisation, its unique onto the window a provides training based awareness and computer- security Threat Phish Sophos PhishSophos Threat Endpoint

Additional Information Financial Statements Corporate Governance Strategic Report Introduction 09 10 Cybersecurity evolved

Spotlight on Network security Sophos XG Firewall provides unprecedented visibility into a company’s network, its users, and its applications directly from the control centre.

With cybercriminals constantly finding new ways to infiltrate a system, it’s crucial that businesses protect their networks with a security system that exposes blind Firewall spots. Having visibility into what’s on the network is critical to detecting and preventing breaches. Sophos has innovated key technology advancements to provide customers with unmatched Wireless visibility and protection. Hackers can be stopped as they attempt to move laterally within networks and provide IT managers with visibility into the different, potentially risky, applications employees are knowingly or unknowingly downloading onto their systems. Sophos also knows how important it is for security layers to talk and share intelligence. With Sophos synchronized security, Sophos network and endpoint security talk to each other, Central isolating infected devices automatically Web and stopping cybercriminals in their tracks. With the recent announcement of Sophos Central management of XG Firewall, partners and organisations now have the added benefit of synchronized security on Mail the cloud-based management platform. This allows them to manage their next-gen network and endpoint protection from a single pane of glass, accelerating threat detection and response.

Get rich on-box reporting and the option to add Sophos iView for centralised reporting across multiple firewalls”

GARTNER MAGIC QUANDRANT NSS LABS Leader Recommended

MQ Leader NSS Recommended Gartner, “Magic Quadrant for Unified Threat Management NSS Labs, “Next Generation Firewall Test Report – Sophos XG (SMB Multifunction Firewalls),” Rajpreet Kaur, Claudio Nevia, Firewall 750 SFOS v17.0.7 MR7,” Devon James, Michael Shirley, 20 September 2018 Tim Otto, 13 September 2018 2019 Annual Report and Accounts and Report Annual 2019

Additional Information Financial Statements Corporate Governance Strategic Report Introduction 11 12 Cybersecurity evolved 2019 Annual Report and Accounts 13

Spotlight on Enduser security Intercept X delivers unmatched protection against unknown malware, exploits, and ransomware by combining cutting-edge technologies, Introduction such as deep learning and endpoint detection and response.

Intercept X uses a deep learning neural network that works like the human brain"

SE LABS SE LABS ENTERPRISE SMALL BUSINESS MRG EFFITAS MRG EFFITAS GARTNER MAGIC ENDPOINT ENDPOINT EXPLOIT MALWARE QUANDRANT PROTECTION PROTECTION PROTECTION PROTECTION Leader AAA AAA #1 #1 ReportStrategic rated rated

MQ Leader SC Labs AAA rated SC Labs AAA rated MRG #1 exploit MRG #1 malware Gartner, “Magic Quadrant SC Labs, “Enterprise SC Labs, “Small MRG Effitas, “Exploit and MRG Effitas, for Endpoint Protection Endpoint Protection Apr Business Endpoint Post-exploit Protection “Comparative Malware Platforms,” Ian McShane, – Jun 2018” Protection Apr – Jun Functionality Test,” 24 Protection Assessment,” Avivah Litan, Eric Ouellet, 2018” May 2018 28 February 2018 Prateek Bhajanka, 24 January 2018 The endpoint, be it laptop, server, or mobile device, is the ultimate target for cyber attackers. Once they get a foot hold, cybercriminals use

multiple methods to escalate privileges, steal Corporate Governance data, or move laterally to move valuable systems. This is why prevention is key. Sophos uses deep learning and endpoint detection and response Mobile ("EDR") to predict, prevent, and protect against threats. Like Sophos’ network security, its endpoint security solutions, including Intercept X, synchronise to provide added intelligence and Encryption immediate action. By working together, these security components can provide businesses with more control and improve their defences from persistent and determined attackers. Specifically, with Sophos Intercept X with EDR,

Sophos’ latest endpoint offering, businesses of StatementsFinancial all sizes can add threat tracking and SOC-like capabilities to their security defences. Intercept X with EDR compares the DNA of suspicious files against malware samples already categorised in SophosLabs, accelerating detection. IT Endpoint managers also have on-demand access to curated threat intelligence, which allows them to better understand and decipher whether a potential attack is underway and where it’s happening. When time is of the essence to Server interrupt an attack or prevent an adversary from moving deeper into the network, Sophos endpoint security is essential. InformationAdditional 14 Cybersecurity evolved

OUR MARKETS

The threat landscape is evolving along with security technologies; advanced protection supported by machine learning is highly effective at stopping attacks from the less skilled cybercriminals and forcing those who are both motivated and able to significantly increase their attack vectors and methods

IT SECURITY Cybersecurity strategies within all organisations must MARKET 1 evolve to address these smarter and stronger adversaries. In 2018 there was a significant By creating a sequence of different TAM advancement in hand-delivered, script types, hackers can instigate a targeted ransomware attacks that chain reaction before IT managers even reaped multi-million-dollar gains. detect that a threat is on the network. Targeted ransomware is more Once started it’s difficult to stop the $43B damaging than a ‘spray and pray’ payload from executing. campaign as human attackers can CAGR stake out victims, think laterally, trouble In 2018 there was a continued increase shoot obstructions, and wipe out in malware for Android phones, tablets, back-ups so the ransom must be paid. and Linux-based IoT devices. As homes This interactive and intelligent attack and businesses deploy more internet- 8.4% connected devices, criminals are style where adversaries manually manoeuvre through a network step-by- exploiting them to use as nodes in step is increasing in popularity. Sophos huge botnet attacks. VPNFilter experts believe the financial success of demonstrated how malware can affect SamSam, BitPaymer, and Dharma will embedded systems and devices that inspire more targeted attacks and have no obvious user interface. Other expects reports of more in 2019. automated attacks hijacked devices to use for DDoS attacks, to mine Cybercriminals are using readily cryptocurrency, and infiltrate networks. available Windows systems administration tools. This is a shift in The scale of the cybercriminal industry threat execution, as more attackers has reached a point where organisations employ advanced persistent threat have to assume that they have been ("APT") techniques to exploit the attacked on some level and focus on capabilities of essential and built-in IT achieving the greatest levels of network admin tools including PowerShell files visibility with advanced detection and and Windows Scripting executables as response technologies. their route to advance through a system. 2019 Annual Report and Accounts and Report Annual 2019 2 Forecast, Products Security IT orldwide 1

8.6% CAGR $7.6B TAM SECURITY ENDPOINT CORPORATE W W represents expected market size in 2019 in size market expected represents and #US43992718) IDC 2018, (July 2018–2022 2019 in size market expected represents and #US44182918) IDC 2018, (August aPortfolio? Out Round to Technology Acquire or Friends Make You Do 2018–2022: orldwide Corporate Endpoint Security Forecast, Forecast, Security Endpoint Corporate orldwide 2 4 3

$3.2B Management Mobility Enterprise $3.5B Web Security $2.5B Email Security $0.7B Encryption CROSS-SELL ADDITIONAL expected market size in 2019 in size market expected represents and #US43984018) IDC 2018, (September 2018–2022 Forecast, Software W $B in expressed 2019 in size market expected represents and #US43488218) IDC 2018, (May 2018–2022 W orldwide Mobility Enterprise Management orldwide Endpoint Forecast, Encryption 3 1 1 4 5

10.0% CAGR $12.5B TAM NEXT-GEN FW UTM AND W size in 2019 in size market expected represents and #US44154217) IDC 2018, (July Technologies Core in Investment Driving Multicloud and Hybrid 2018–2022: orldwide Network Security Forecast, Forecast, Security Network orldwide

5

Additional Information Financial Statements Corporate Governance Strategic Report Introduction 15 16 Cybersecurity evolved

OUR BUSINESS MODEL

Competitively well-positioned, with industry-leading technology, and a differentiated strategy

Resources and relationships How we create value

TALENTED AND Products and platform MOTIVATED EMPLOYEES

Sophos is privileged to count some of the most talented individuals in the Firewall Mobile cybersecurity industry among its employees

Wireless Encryption CULTURE OF INNOVATION

We continually innovate and evolve in order to provide effective protection for our customers against a rapidly evolving Sophos threat landscape Web Central Endpoint

STRONG PARTNER Mail Server RELATIONSHIPS

Our network of over 45,000 partners is a key asset of our business, and we NETWORK ENDUSER are independently recognised for the high-quality program offerings we SECURITY SECURITY deliver to our channel • Comprehensive next-gen firewall • Advanced endpoint protection, protection that blocks unknown threats, combined with signatureless anti- automatically responds to incidents, and exploit, anti-ransomware, and root MARKET LEADING exposes hidden risks on your network cause analysis to protect endpoints from advanced threats REPUTATION • Enterprise grade secure Web, Wireless Network and cloud Email protection, • Comprehensive Enterprise Mobility which is simple and easy to use Management, Server Security, and Sophos has capitalised on its long data protection heritage and is now firmly established as a clear leader in the market for next-gen cybersecurity solutions, independently S ee our focus spread S ee our focus spread recognised for our technology strengths for further information on page 10 for further information on page 13

STRATEGY

Grow through channel partners. Maintain technology leadership. Operate responsibly Sophos Central GOVERNANCE AND Sophos Central is a unified cloud administration console for managing RISK MANAGEMENT all Sophos products. Customers benefit from improved security

Sophos is committed to good corporate effectiveness, the ability to manage their security via a single governance, in order to build a successful integrated cloud console, and powerful synchronized security features business that is sustainable over the long term How we create value create we How * 2019 Annual Report and Accounts and Report Annual 2019

highest inhighest all sub-categories* ranked and security, synchronized provide to position aunique in being as recognised was Sophos survey, independent arecent In Channel ‘Best’ world the around partners 45,000 than more of channel its through sells only Sophos Channel ‘First’ providing enhanced security system, asecurity as together work actively that products award-winning with platform security intuitive an combines Sophos Pioneering cybersecurity synchronised smaller fewer with enterprises resources for deploy to easy and simple being size, any of organisations by use for designed are solutions cybersecurity Our enterprise-grade size any of Design for products organisations C ee our technology spread ee our technology spread RN’s 2018 Annual Report Card (ARC) Awards) (ARC) Card Report Annual 2018 RN’s

for information further on page 08 for information further on page 08 S S

TO-MARKET ROUTE- FOCUS MARKET

no longer the concept of a safe, internal network internal asafe, of concept the longer no where the perimeter has vanished and there is aworld in computing secure highly enable solutions its ensure to investing is Sophos Zero trust anddetection automation speed, of levels unmatched with real-time, in information share to able are products its where vision, security a synchronized broaden and deepen to investing is Sophos andProduct platform development amount of services revenue services of amount small a and appliances firewall to related revenueOther include streams the hardware andHardware other revenues subscription annual recurring from comes business the of majority The Subscription Revenue types: MODEL REVENUE TECHNOLOGY INNOVATION & ee our technology spread ee our technology spread

for information further on page 08 for information further on page 08 S S

Stakeholder outcomes Stakeholder Net renewal rate 124% innovation continual to commitment our and security enterprise-grade integrated, from benefit comprehensive, Customers CUSTOMERS Three year shareholderThree total return 42% operating cashstrong flow and business our growing in investment upsell and cross-sell, allows for ongoing in including growth subscriptions, Strong SHAREHOLDERS 'Blue chip' partners c.8,000 succeed to them enable to providing the tools, training, and support network, partner our in investment asignificant make to continue We PARTNERS participation Employee engagement survey 83% employee engagement active through Sophos, at careers their of work best the do to employees our enabling to committed are We EMPLOYEES

Additional Information Financial Statements Corporate Governance Strategic Report Introduction 17 18 Cybersecurity evolved

STRATEGIC FRAMEWORK

Innovative, simple, highly-effective, cloud-managed cybersecurity for enterprises of any size

Focused on Priorities cybersecurity, and Efficient investment in research and development to ensure a strong with a commitment product roadmap, enabling Sophos to evolve with the changing threat to the cloud, Sophos landscape. prioritises investment to deliver new Promote a culture of innovation throughout the business, to create capabilities and and capture intellectual capital, and attract leading talent. products at a rapid Disciplined approach to technology acquisitions to expand the pace to maintain its product offering, gain technical expertise, and bolster internal 1. independently-ranked development efforts. MAINTAIN leadership position. Channel education to support and enable channel partners, improving their expertise across the Sophos product platform, and helping them TECHNOLOGY to transition customers to our next-gen cloud technologies. LEADERSHIP

Sophos is committed Priorities to its channel only Strengthen existing partner relationships and increase partner sales strategy, with a productivity through investment in tools, training, support and education. global partner Optimise incentives for product and cloud transition to drive further ecosystem that has uptake of Sophos Central, improve retention rates, product penetration grown to more than and average customer spend, and help partners grow their managed 45,000 channel service ("MSP") businesses. partners, with close to 8,000 ‘blue-chip’ Further regional expansion of partner network to drive additional 2. partners growth, enabling Sophos to efficiently scale and capture the global CHANNEL demonstrating opportunity in our chosen markets. ‘FIRST’, higher levels of Maintain best-in-class renewal rates by improving retention rates productivity. and successfully cross-selling additional products at the point of CHANNEL ‘BEST’ customer renewals.

Efficiently grow and Priorities scale the business Financial discipline: through responsible • Focus on cost control, operating margin leverage, investment and and working capital management. engagement with all stakeholders, • Bolster returns through value-enhancing investment including our people, in innovation and technology acquisitions. customers, partners Corporate responsibility framework: and investors. • Securing customers. 3. • Engaging employees. • Enhancing communities. OPERATE • P rotecting the environment. RESPONSIBLY 2019 Annual Report and Accounts and Report Annual 2019 Sophos cloud Central in Subscriptions 35 channel partners of number Total 45 Number of employees 3,400 Revenue $ Statement Income to charged all expenditure R&D $ 711 144 K % M M upsell and cross-sell and upsell Net renewal rate,including 124 partners productive most chip’, ‘Blue c.8 next-gen products usingCustomers 188 satisfaction Overall employee 86 Adjusted operating profit $ 109 % K % K M Central cloudCentral platform on SophosCustomers 140 Employee rate retention 87 operating activities from flow cash Net $ than one product with more Customers 25 MSP customers 47 143 % K % K

M

ee our corporate ee www.sophos.com/ ee our technology spread

S S S page 40 informationfurther on for report responsibility information for further partners page 08 for information further on

Additional Information Financial Statements Corporate Governance Strategic Report Introduction 19 20 Cybersecurity evolved

KEY PERFORMANCE INDICATORS

The Group makes use of a number of key performance indicators (“KPIs”) to measure its performance against the Group’s strategy, as well as providing key inputs into modelling of future performance. Definitions of KPIs are included in the glossary and further explanation and reconciliation of non-GAAP measures are included in Note 5 of the Financial Statements. As the mix of the Group’s business transitions over time toward “cybersecurity as a service”, the Directors continue to evaluate which indicators best reflect underlying activity. In this respect, the Directors are now increasingly focussing on both Revenue and Adjusted Operating Profit on a more regular basis and may consider promoting these to full KPIs in future reporting periods. In FY19, Annual Recurring Revenue was $631.3 million and Adjusted Operating Profit was $109.0 million.

Revenue Billings

$710.6M $760.3M (FY18: $639.0m) (FY18: $768.6m)

2019 $710.6m 2019 $760.3m

2018 $639.0m 2018 $768.6m

2017 $529.7m 2017 $632.1m

Revenue reflects the element of billings Billings represents the value of goods and recognised in the period. The majority of billings services invoiced to customers and is a key are for subscription contracts that are recognised leading indicator of future revenue performance. rateably over the contract term. Performance Performance Billings remain at prior-year levels which reflects Strong growth as prior-period subscription a challenging comparative, where Enduser billings are now converting to revenue. product demand had been significantly boosted by the high-profile ransomware attacks in 2017.

Cash EBITDA Unlevered Free Cash Flow

$167.9 M $123.8M (FY18: $199.2m) (FY18: $139.6m)

2019 $167.9m 2019 $123.8m

2018 $199.2m 2018 $139.6m

2017 $150.1m 2017 $133.4m

Cash EBITDA provides visibility of earnings from Unlevered free cash flow represents the amount the period, even if the associated revenue for that of cash generated by operations after allowing for period’s billings have not yet been recognised. capital expenditure, taxation and working capital movements. Performance Cash EBITDA margins decrease as overheads, Performance particularly sales and marketing expenditure, Reduction due to reduced cashflow from increased year-on-year as the Group continues exceptional items and operating activities. to invest in future growth. Accounts and Report Annual 2019 primarily through Sophos Central. and functionality, in support, management, ofGroup the benefit synergies has demonstrated the as rate cross-sell in improvement Continued Performance customers. existing to services and products sellingdepends on additional successfully partly business the of growth continued The 11%) (FY18: 12 Cross-sell Endpoint/UTM cross-sell. in increase an and billings sustained reflecting rate retention Steady Performance end users. retain to ability Group’s the and agreements customer of value long-term of ameasure is cross-sell, and upsell after rate, Retention 109%) (FY18: 106 Rate Retention 2019 2019 2018 2018 2017 2017 % %

10% 11% 106% 106% 12% 109% (FY18: 140%) 140%) (FY18: 124 Renewal Rate (FY18: 27.6) (FY18: 26.4 Weighted Length Average Contract billings to new customers from the MSP business. MSP the from customers new to billings monthly in growth the and deals larger fewer to weightedReduced due length, average contract Performance be recognised. will revenue future which over period the of indication an Group the gives months, in weighted The measured length, average contract opportunities. cross-sell and strategy cloud the of effectiveness the reflecting strong be to continues rate though attacks, ransomware of impact the by boosted was which prior-year, on Reduction Performance them. by used products of volume or nature the expand and period in users end retain to Group the of ability the measures Renewal including rate, upsell and cross-sell, 2019 2019 2018 2018 2017 2017 % 124% 129% 26.4 27.6 140% 28.1

Additional Information Financial Statements Corporate Governance Strategic Report Introduction 21 22 Cybersecurity evolved

CHIEF EXECUTIVE’S STATEMENT

Next-gen Total Subscription Billings Growth Base

30% $1.2B (FY18: 114%) (FY18: $1.1B)

“FY19 was a challenging For the fiscal year 2019 (“FY19”), Sophos year, primarily due to delivered an 11.2 per cent increase in total revenue (12.0 per cent at constant a difficult compare. currency), driven by a 15.9 per cent (16.7 However, we are pleased per cent at constant currency) increase in with the strategic subscription revenue. Profitability improved progress we made during significantly, with 87 per cent growth in the year as we drive adjusted operating profit. The Group also Sophos’ transition to be reported a profit before taxation of $54 a market leader in next- million and operating cash conversion generation cybersecurity” remained strong. We continued to see healthy growth in our customer base, Kris Hagerman and closed the year with over 335,000 term customers, having added more than 35,000 net new term customers in Chief Executive Officer FY19. Growth in MSP was particularly strong, with 119 per cent growth and ARR now at $27 million. When including our MSP program, our customer base now exceeds 382,000. Importantly, we saw continued strong demand for our next-gen security solutions, consisting of our most advanced products, managed in our Sophos Central integrated cloud management platform, including Intercept X for endpoint security, and XG Firewall for network security. Our next-gen business grew 30 per cent at constant currency to $340 million and represented 47 per cent of FY19 billings.

Evolution to security as a system

1985 1988 1989 1996

Voted BEST small/medium FIRST FIRST sized company in UK checksum- signature- Peter Lammer Jan Hruska Founded in Abingdon based antivirus based antivirus US PRESENCE c1985 c1985 (Oxford), UK software software established in Boston 2007 product line, and across our customer and partner base. partner and customer our across and line, product our across security next-gen to transition exciting an driving proactively are we and challenge, this embraced fully has Sophos rapidly. –and evolve to continue must they forward, looking and today effective be to are solutions cybersecurity If etc. aservice, as delivered IoT, 5G, security networks, zero-trust AI, SaaS, infrastructure, cloud public change: radical undergoing is itself that landscape technology overall an in approaches, sophisticated more using attackers, more by driven rapidly, changing is cybersecurity of world The months. 26 of duration average an with contracts monthly billings,generates as term to opposed traditional typically which business, MSP our by driven particularly in smaller growth stronger combined with customers deals multi-year large fewer somewhat with mix, billings the in ashift experienced we year the During healthy. remained however, renewal subscription customer rates Network cycles; refresh extended customers as business, Network our in year the in sales hardware lower We saw prior-year. the in cent per 140 to compared FY19, in cent per 124 to declined which rate, renewal the to saw we headwind the in reflected is This outbreaks. ransomware global high-profile and release product anew to due period, comparative the in growth and demand of levels elevated unusually seen had that business security Enduser our in activity cross-sell of levels traditional more to return a reflecting principally year-over-year, unchanged broadly were Billings Accounts and Report Annual 2019 ENDFORCE Acquired

2008 Utimaco Safeware AG Safeware Utimaco Acquired

• • • • priority: operational and astrategic cybersecurity next-gen made steadily have we years, plus five past the During overnight. happen didn’t it And portfolio. security next-gen our to customers new net 11,000 than more added we FY19 Q4, in and cybersecurity, Sophos is one in leaders of next-gen the clear industry Today MSPs. through were which 47,000 of customers, 175,000 over from billings in $340M over generated business next-gen our FY19, of close the At zero. from literally ago years five roughly business next-gen our We started Transition to next-gen cybersecurity

of cybersecurity discipline the to networks, neural learning deep especially manageability better and security better both deliver to other each with communicate actively network, and endpoint especially across products, cybersecurity where different cloud-based management console called Sophos Central integrated asingle, in managed be to them enabled W W W W 2011 e committed to be a world leader in applying AI, and and AI, applying in leader aworld be to e committed e pioneered a called concept “synchronized security”, and products flagship advanced, most our all e took cloud the embrace fully to company entire our e shifted Acquired

2012 Acquired

Additional Information Financial Statements Corporate Governance Strategic Report Introduction 23 24 Cybersecurity evolved

CHIEF EXECUTIVE’S STATEMENT CONTINUED

Subscription Revenue Recurring Subscriptions Growth Net Renewal Rate

16% 124% (FY18: 25%) (FY18: 140%)

We are now seeing the impact of those investments in the Strategic innovation priorities scale, growth, and robust product roadmap associated with We are excited about the opportunity to continue to drive our next-gen offerings. Our next-gen portfolio is the future of Sophos’ evolution into a fully next-gen cybersecurity Sophos, and as our business fully transitions to next-gen over company – which is already well underway – and to lead the time, we believe there will be multiple and significant benefits industry in applying next-gen technologies and business to Sophos, our customers, and our partners: models to deliver better protection for customers that stays • Advanced capabilities. Our next-gen products leverage ahead of the ever-changing threat landscape, and at the cutting-edge capabilities, including artificial intelligence same time is easier to manage and administer. We are and synchronized security, to deliver enhanced security making strategic investments in a variety of areas: that is at the same time easier to manage. 1. Synchronized security. Several years ago, we introduced • Robust platform for innovation. Our next-gen products the concept of synchronized security – in which multiple feature modern architectures that are more modular, Sophos products, including endpoint, firewall, server, scalable, and open – which means we can innovate faster. mobile, email, and others – could share information in And as we focus more of our product development real-time, with unmatched levels of speed, detection, resources on our next-gen portfolio, we can advance them and automation. We now plan to take the concept of faster vs. competitors. synchronized security to a whole new level, through our • Improved metrics. Our business metrics for our next-gen Darwin project – which will allow multiple security sensors, products managed in Sophos Central are consistently whether from Sophos or other vendors, to operate as a stronger than their traditional counterparts: higher system to deliver unparalleled protection, with greater customer satisfaction, higher retention rates, higher levels visibility, automation, and manageability. of upsell and cross-sell, lower operating costs for our 2. Artificial Intelligence (AI). The scale and sophistication of partners, etc. the threat landscape is outpacing the ability of humans • Opportunity for margin leverage. Our next-gen portfolio is alone to respond. Sophos is already a leader in applying rapidly increasing its share of our total Sophos business. artificial intelligence and deep learning to improve As it does so, over time we can streamline our product cybersecurity. Going forward, we will continue to advance development, go-to-market, support, and back office our AI capabilities, and broaden and deepen our use of AI investments to focus on fewer products. across our entire next-gen portfolio.

Evolution to security as a system continued

2013 2014 2015 2016

Acquired Acquired IPO LONDON STOCK EXCHANGE Acquired Acquired DIVESTED non-core LAUNCHED Cyber business Synchronized Security 2016 6. 5. 4. integrated apowerful is Central Sophos penness. 3. unmatched levels of speed, and detection automation” with real-time, in information share to products our to deepen and thisbroaden vision, enabling all of of synchronized security, and we investing are heavily At lies of our the the strategy concept product heart Accounts and Report Annual 2019 Barricade Acquired PhishThreat Acquired

channel, where cybersecurity value-added of resellers allchannel, where cybersecurity the in transformation adramatic driving is aservice” “as to shift the addition, In more. and aservice, as security cloud public service, as a firewall aservice, as endpoint aservice: as available solutions our all make to expect we time, Over different. no is cybersecurity and businesses, technology-driven and technology of areas all virtually E and context. location, data, identity, user on based verify”, always trust, “never of a mode in operate to organisations many encouraging 5G like platforms new by driven connectivity high-bandwidth ubiquitous with norm, the become will trust” “zero Instead, common. less be will network internal a“safe” of concept and perimeter where over the network time the traditional world a“zero-trust” in security effective more enable to Z value in proposition our cloud security environments. extending and enhancing meaningfully are we Secure, Avid of acquisition our from technology on based product, Optix the recentcloud launch With environments. of our Cloud public protect help –already form virtual and physical both –in products server and network, endpoint, Our computing. P openness. in aleader be also to committing are we innovation, cybersecurity in aleader be to committed has Sophos as Just security. synchronized of proposition value and vision the extend and partners, and customers to useful and flexible, attractive, more it make will Central vendors. Weand believe other security opening up Sophos partners, reseller our customers, to available APIs of set rich a through Central Sophos up opening be will we year This formanagement Sophos’ next-gen platform products. O ero-trust networks. We are architecting our solutions solutions our architecting We are networks. ero-trust verything as a service. “As a service” is taking over over taking is “As aservice” aservice. as verything ublic cloud. Public cloud represents a sea change in in change asea represents cloud Public cloud. ublic

2017 Acquired

• • in our next-gen particularly products: portfolio, product our in advances significant made we year the During innovation product FY19

positive rates, and unmatched levels of automation. automation. of levels unmatched and rates, positive false- (low) leading with combined rates, detection best-in-class achieved have we technology, network foundation of our deep-learning industry-leading neural the on built and SophosLabs by curated intelligence Backed by to on-demand access networks. customer on exist already may that threats advanced and hacking active against protect to designed offering, endpoint our in advance akey represented (“EDR”) Response I for theirproducts customers. Sophos multiple manage and deploy and Central Sophos environments and designed features for to MSPs adopt managementits and for administrationcapabilities larger W 2019 ntercept X Advanced with Endpoint Detection and and Detection Endpoint with XAdvanced ntercept growing over per year-over-year. cent 100 47,000 customers, than more from million $27 of revenue recurring annual with FY19 closed we and MSP in growth rapid seen have we launch, since time short relatively the In partners. MSP for fit ideal an are focus channel and cloud integrated managementproduct console, portfolio, our believe we and opportunity, new dollar multi-billion this embrace they as partners our support and enable to designed explicitly program MSP anew introduced we ago years two over Just “stickiness”. customer and model business their of predictability the enhances also and strategic more become to chain value the up move to providers for which their enables customers, them service become to businesses their transitioning rapidly are sizes e enhanced the Sophos Central platform, especially in in especially platform, Central Sophos the e enhanced Acquired Acquired

Additional Information Financial Statements Corporate Governance Strategic Report Introduction 25 26 Cybersecurity evolved

CHIEF EXECUTIVE’S STATEMENT CONTINUED

Through this innovative use of advanced AI, we are now ‘Channel First’ and ‘Channel Best’ enabling enterprises of any size, even the most resource- Our extensive global partner channel is a key strategic asset constrained, to identify and prevent cyber-attacks in real for Sophos and remains a key differentiator, compared to time with threat-tracking and first-responder forensics at other IT security vendors that often operate conflicting their fingertips. routes to market. Our total partner network expanded to • XG Firewall v17.5 was an important new release in our approximately 47,000 during the year and, encouragingly, flagship next-gen firewall product that enables customers the number of our most active and productive ‘blue-chip’ for the first time to seamlessly manage their firewall within partners rose to 8,000, up from 7,000 a year ago. the Sophos Central integrated cloud platform. In addition, v17.5 offers powerful new synchronized security features, We were pleased to be recognised once more as the “overall including lateral movement detection, to prevent threats winner” for both Network Security and Endpoint Security in from spreading on the same network segment, and CRN's 2018 Annual Report Card (ARC) Awards, in recognition synchronised user ID. The ability to manage the firewall of the high quality and innovative product and program within Sophos Central is an important strategic step and offerings we deliver to our partner channel. Sophos ranked one that we believe will aid future cross-selling activities highest in all sub-categories and topped the new sub- between the firewall and the rest of our product set. category for managed and cloud services. • We delivered Intercept X for Server, enhancing our existing Outlook server protection through the addition of deep learning and anti-exploit capabilities. Intercept X for Server protects the The demand environment for cybersecurity solutions high-value information that is typically stored on servers continues to be robust, and we are confident that we are well and often targeted by cybercriminals. positioned competitively, especially as more organisations move to adopt next-gen cybersecurity offerings. Increasingly, • We supplemented our own organic product enhancement organisations of all sizes are looking for cloud-native solutions, efforts via targeted acquisitions of two companies: Avid centralised administration, integrated products, AI-powered Secure and DarkBytes: protection, openness, and a service-oriented approach to – Avid Secure has accelerated our roadmap for cloud security. Our next-gen solution set and strategy align well with security and lies at the heart of our new Sophos Cloud these demands and have helped Sophos deliver strong growth Optix product. Cloud Optix provides unmatched in subscription revenue and customer count. We have become visibility into cloud environments, and leverages AI and a leader in the next-gen cybersecurity market, and we are automation to simplify compliance, governance, and excited about the road ahead. security monitoring in the cloud. Public cloud providers We believe the drivers are in place for continued future like AWS and Azure offer customers extraordinary revenue growth, principally driven by growth in our flexibility and power in how they build and operate subscription business, especially in our next-generation their cloud infrastructure environments, but they don’t products. We intend to continue to invest to support this provide for full security. Instead they run a Shared growth, with a return to operating profit margin leverage Responsibility model – they ensure security of the cloud, after FY20. while customers are responsible for anything they place in the cloud. This is where our new Cloud Optix product Finally, I want to thank our entire Sophos team, and our comes in, which starts with the premise that you can’t extensive network of channel partners around the world, secure what you can’t see. Cloud Optix represents whose talent and passionate commitment enable us to an important new strategic opportunity for Sophos protect and support over 382,000 organisations (and and allows us to extend our protection to span across growing!), every single day. We sincerely appreciate all endpoint, network, and public cloud environments. you do to make the world a safer place. – DarkBytes brings to Sophos a highly talented team with significant experience in managed detection and response (“MDR”) and Security Orchestration Kris Hagerman Automation Response (“SOAR”). We are using the Chief Executive Officer DarkBytes technology to enhance our internal efforts 15 May 2019 to develop a new MDR service offering, which we expect to release in FY20, and we believe represents a natural complement to our EDR product and an exciting cross- sell opportunity for our Intercept X installed base. 2019 Annual Report and Accounts and Report Annual 2019 they have running in the cloud. the in running have they challenged howstate many to confidently assets wherebyenvironments, many are businesses cloud multiple across visibility of lack the is first The challengesmajor are customers facing. cloud security three the address to designed is Optix Cloud Sophos posture. security as face businesses they seek to optimise their cloud Consequently, is visibility challenge the toughest responsible for any they data place in the cloud. are their customers the cloud infrastructure, of security ensure they whilst model: Responsibility public it, within cloudsits a providers operate Shared that data the and cloud the securing to comes it When premise. on possible be wouldn’t that ways in innovate build their cloud allowing environments, them to as enormousto flexibility businesses howtheyoffer Public cloud providers such as AWS, and Google Azure and visibility, protection best wherever your data resides. Sophos Cloud helps Optix enable our vision to within evolve the security cloud synchronized – providing the security in cloud challenges toughest the –solving Sophos Cloud Optix STUDY CASE Find out more at www.sophos.com/cloud-optix remediation andautomated incident response. and continuous instant compliance reporting, allowing cloud, public the in assets organisation’s an of discovery the automates Optix Cloud response. threat cloud visible, and workload compliance and simplifying challenges, bySophos these Cloud solves Optix making incident response. to comes it when automation for need urgent an with alerts, security all to respond manually to teams for possible longer no is It expanding. is surface attack the that time same the at targeted, and sophisticated more becoming are Attacks arise. they as proactively, issues security address to need businesses Finally, changing. constantly are things where cloud the of nature dynamic the to due challenging very be can This compliance. andimplementation and maintenance of security effective the in lies challenge A second

Additional Information Financial Statements Corporate Governance Strategic Report Introduction 27 28 Cybersecurity evolved

FINANCIAL REVIEW

Strong revenue and adjusted operating profit performance

"Revenue growth was For 31 March 2019 ("FY19"), in constant strong in the year-ended currency Sophos delivered a 12.0 per cent increase in total revenue, driven by a 16.7 per 31 March 2019 as prior- cent increase in subscription revenue. period subscription billings With the impact of the change to IFRS 15, Revenue from converted into revenue Contracts with Customers reflected in both periods, this and as the recently growth reflects a true underlying rate. Reported subscription established MSP channel revenue grew 15.9 per cent, whilst total reported revenue grew 11.2 per cent. Deferred revenue at the end of the period increased in scale" increased to $742.1 million from $728.6 million a year ago representing a reported growth of 1.9 per cent; lower than revenue growth due to $36.2 million of foreign exchange Nick Bray revaluation principally arising from the weakening of euro and Chief Financial Officer sterling against the US dollar. The deferred revenue balance gives the Group good visibility of future revenue, with $428.6 million of the deferred revenue due for recognition in less than one year, an increase of 5.1 per cent over the prior-year, or 10.7 per cent at constant currency.

Billings at reported exchange rates decreased by one per cent to $760.3 million, within which subscription billings were flat year-on-year at $644.6 million. This performance reflects a challenging prior-year comparison, where Enduser product demand had been significantly boosted by the high-profile ransomware attacks in 2017 and the launch of the Group’s next-gen endpoint product. In addition to this, albeit of lesser extent, the Group experienced a headwind to Network billings as a result of a legacy product transition, principally in the first half, a slow-down in hardware sales as customers extend refresh cycles; and, the increasing significance of the MSP channel with monthly billings. (FY18: $639M) $ Revenue The table below presents the Group’s financial highlights on a reported basis: basis: reported on a highlights financial Group’s the presents below table The Accounts and Report Annual 2019 estated for the adoption of IFRS 15 and change in accounting policy in respect of research and development expenditure tax credit scheme and provision for interest on on interest for provision and scheme credit tax expenditure development and research of respect in policy accounting in change and 15 IFRS of adoption the for 2 estated 1 dollar, compared to foreign exchange losses in the prior-year. prior-year. the in losses exchange foreign to compared dollar, US the against euro the and sterling both of strengthening the from resulting year current the in gains exchange from foreignFinancebenefited expenses finance expenses. in reduction million $13.4 by a supported profit operating in improvement million $80.6 the of aconsequence as primarily prior-year, the in million $41.0 of aloss from million, $53.6 to million $94.6 by increased taxation before profit Group’s The prior-year. the in million $6.9 of loss exchange aforeign to compared million, $1.5 of gain exchange foreign a from benefited result year's This growth. revenue strong of aresult as primarily million, $109.0 to million $50.7 by increased profit operating adjusted and year the in million $60.9 of profit operating an made Group The Alternative performance measures Alternative performance Adjusted operating profit operating Adjusted Cash EBITDA activities operating from flow cash Net Unlevered free cash flow cash free Unlevered Billings taxation before / (Loss) Profit Revenue measures Statutory

711 D R  Statements Financial the 2of note in explained as positions, tax uncertain efinitions andreconciliations measures are of included non-GAAP in note 5 ofthe Financial Statements M (FY18: ($61M)) (FY18: $ TaxationAfter Profit/(Loss) 2 29 M (FY18: $148M) (FY18: $ Operating Activities From Flow Cash Net cashflow impact of exceptional items. items. exceptional of impact cashflow the for adjusted activities operating from flow cash net in reduction the representing million $123.8 to million $15.8 by decreased cashflow free Unlevered capital. working of use improved an and items exceptional on outflow cashflow the in areduction by offset partially overheads, in increase an to due was decrease overall small The prior-year. the in $147.7 million from million $4.8 by reduced million, $142.9 at strong remained activities operating from flow Cash before taxation. profit the in improvement the to attributable primarily was charge tax income year-on-year the in increase asmall only given which 2019, March 31 year-ended the in million $26.9 to $87.8by million increased year the for profit Group’s The 143 M 109.0 123.8 142.9 760.3 710.6 167.9 FY19 53.6 $M 639.0 FY18 199.2 139.6 768.6 147.7 (41.0) 58.3 $M 1 Change (11.3) (15.7) 11.2 87.0 (3.2) (1.1) nm %

Additional Information Financial Statements Corporate Governance Strategic Report Introduction 29 30 Cybersecurity evolved

FINANCIAL REVIEW CONTINUED

Revenue and deferred revenue

The Group adopted IFRS 15 Revenue from Contracts with Customers in the current year and has therefore restated the results for the prior-year on a consistent basis, see note 2 of the Financial Statements for further details.

The Group’s revenue increased by $71.6 million, or 11.2 per cent, to $710.6 million in the year-ended 31 March 2019. Subscription revenue was notably strong in the period, with reported growth of 15.9 per cent, or 16.7 per cent on a constant currency basis, because of strong prior-period billings and incremental growth of the MSP channel in the current period.

Growth Growth FY19 FY18¹ % % $m (Reported) $m (Reported) (Reported) (CC) Revenue by Region: – Americas 253.3 223.6 13.3 13.4 – EMEA 363.6 324.5 12.0 12.7 – APJ 93.7 90.9 3.1 6.2 710.6 639.0 11.2 12.0 Revenue by Product: – Network 328.5 316.5 3.8 4.7 – Enduser 348.4 291.8 19.4 20.2 – Other 33.7 30.7 9.8 10.0 710.6 639.0 11.2 12.0 Revenue by Type: – Subscription 593.9 512.4 15.9 16.7 – Hardware 106.8 115.1 (7.2) (6.3) – Other 9.9 11.5 (13.9) (12.8) 710.6 639.0 11.2 12.0

1 Restated for the adoption of IFRS 15 as explained in note 2 of the Financial Statements

Revenue in the period of $710.6 million comprised $394.1 million from the recognition of prior-period deferred revenues and $316.5 million from in-period billings. The majority of the Group’s billings, which are recognised over the life of the contract, relate to subscription products (FY19: 84.8 per cent; FY18: 83.8 per cent), with the benefit from increased billings being spread over a number of years on the subsequent recognition of deferred revenue. The deferred revenue balance at the end of the period of $742.1 million increased $13.5 million year-on-year, an increase of 1.9 per cent. This was mainly due to a net deferral of billings amounting to $49.7 million partially offset by a net currency revaluation of $36.2 million, a consequence of the weakening of the euro and sterling against the US dollar during the year. Deferred revenue due within one year at the balance sheet date of $428.6M increased by 5.1 per cent at actual rates or by 10.7 per cent in constant currency.

Revenue in the Americas increased by $29.7 million or 13.3 per cent to $253.3 million in the year-ended 31 March 2019, supported by the recognition of prior-period Enduser billings from the Sophos Central platform and the growth of the MSP channel in the current period.

EMEA revenue increased by $39.1 million or 12.0 per cent to $363.6 million in the year-ended 31 March 2019, with growth in Enduser in particular, but also aided by Network sales.

APJ revenue increased by $2.8 million, or 3.1 per cent to $93.7 million in the year-ended 31 March 2019, with good growth in Enduser products partially offset by a decline in Network sales following the legacy product transition. partially offset by an improvement in sales of Server products. products. Server of sales in improvement an by offset partially year the of first-half the in transition product Network alegacy by compounded compare prior-year the in performance stronger the by impacted negatively was growth Americas, the in As basis. currency aconstant on cent per 2.8 and basis areported on cent per 6.1 representing period, the in $97.2 million to million $6.3 by decreased APJ to attributable Billings APJ products. email and endpoint in areduction by offset partially being products Server of sales in increase An basis. currency aconstant on growth cent per 0.9 and basis a on reported growth cent per 0.1 representing period, the in million $395.3 to million $0.2 by increased EMEA to attributable Billings EMEA sales. UTM in performance improved an by offset partially product, endpoint next-gen Group’s the X, Intercept of launch the and outbreak ransomware WannaCry the of impact the of aconsequence as compare prior-year the in performance stronger the to due products Enduser in adecline by driven largely decrease this basis; currency aconstant on cent per 0.7 and basis areported on reduction cent per a0.8 representing period, the in million $267.8 to million $2.2 by decreased Americas the to attributable Billings Americas region by Billings This represented a 0.1 per cent decrease on a constant currency (“CC”) basis. basis. (“CC”) currency aconstant on decrease cent per a0.1 represented This 2019. March 31 year-ended the in million $760.3 to cent per 1.1 or million $8.3 by decreased billings reported Group Billings Accounts and Report Annual 2019 – Hardware – Subscription Billings by Type: – Other – APJ – – EMEA – Americas Billings by Region: – Other – Enduser – Network Billings by Product: $m (Reported) 644.6 644.6 345.9 345.9 395.3 395.3 760.3 760.3 760.3 105.7 267.8 267.8 37 7.1 7.1 37 FY19 10.0 10.0 97.2 97.2 37.3 37.3 $m (Reported) 644.2 383.2 353.4 395.1 103.5 270.0 768.6 768.6 768.6 113.7 FY18 32.0 10.7 (Reported) Growth 16.6 (1.6) (1.1) (1.1) (1.1) (0.8) (2.1) (6.5) (6.1) (7.0) 0.1 0.1 % Growth (CC) 17.1 (2.8) (1.1) (4.6) (0.1) (0.1) (0.1) (6.1) (0.7) (0.7) 0.9 1.0 %

Additional Information Financial Statements Corporate Governance Strategic Report Introduction 31 32 Cybersecurity evolved

FINANCIAL REVIEW CONTINUED

Billings by product Key billings metrics

Network products Billings from new customers The Group’s billings attributable to Network products Billings from new customers, including all MSP billings and decreased by $7.5 million to $345.9 million in the period, excluding OEM and consumer, remained consistent at 24.7 representing 2.1 per cent reduction on a reported basis and per cent of total billings compared to 24.2 per cent in the 1.1 per cent on a constant currency basis. This was mainly year-ended 31 March 2018. a consequence of the previously reported legacy product Retention and renewal rates transition and lower hardware sales to existing customers, The Group’s net retention and renewal rates include the who extended their refresh cycles. impact of cross-selling and upselling, which helps the Group Enduser products evaluate the success of its strategy to broaden the sales of The Group’s billings attributable to Enduser products its product portfolio to existing customers. The Group’s net decreased by $6.1 million to $377.1 million in the period retention rate decreased from 109.2 per cent at 31 March representing 1.6 per cent reduction on a reported basis and 2018 to 105.6 per cent at 31 March 2019. The Group's 0.7 per cent on a constant currency basis. The comparative renewal rate decreased to 124.2 per cent from 139.7 per period benefitted from increased demand driven by high- cent. Both measures were impacted by the significant profile ransomware attacks and the launch of Intercept X, the increase in cross-sell and upsell during the prior period Group’s next-gen endpoint product, whilst the current period arising from the impact of the WannaCry ransomware saw an increasing significance of the MSP channel which outbreak and the launch of Intercept X, the Group’s delivers monthly billings. next-gen endpoint product.

Billings by type Billings by size Subscription billings Sophos’ products are suitable for organisations of any size but are specifically tailored for the Group’s target market of The Group’s billings attributable to subscriptions increased by mid-market enterprises, typically with fewer than 5,000 $0.4 million to $644.6 million in the period, representing 0.1 employees. The proportion of billings to this target market per cent growth on a reported basis and 1.0 per cent growth remained stable at 86 per cent in the period compared to on a constant currency basis. The lower year-on-year growth 85 per cent in the year-ended 31 March 2018. rate was due to the stronger performance in the prior-year compare as a consequence of the impact of the WannaCry Billings by length of contract ransomware outbreak and the launch of Intercept X, the Group’s next-gen endpoint product, which also resulted in Subscription agreements sold by the Group are of differing the prior-year in abnormal cross-sell and renewal rates. durations and are generally between one and three years in Within subscription billings, amounts invoiced to managed duration. The last twelve months’ weighted average contract service providers (“MSPs”) increased year-on-year which, duration, which provides an indication of the period over combined with a reduction in the number of larger deals in which future revenue will be recognised, was 26.4 months for FY18, lowered the overall average deal size. the year-ended 31 March 2019, a small decrease on the 27.6 months for the year-ended 31 March 2018, due primarily to Hardware billings fewer larger deals in the current year which tend to be longer The Group’s billings for hardware decreased by $8.0 million in length and the growth in monthly billings to new customers to $105.7 million, representing 7.0 per cent fall on a reported from the Group’s MSP business which increased from 1.1 per basis and 6.1 per cent fall on a constant currency basis. cent of total billings in the prior-year to 2.5 per cent in the This was mainly a consequence of the previously reported current year. legacy product transition and lower hardware sales to existing customers, who extended their refresh cycles. The billings analysis of contracts by subscription length for However, hardware sales to existing customers is each year was as follows: being partially offset by improved hardware sales to new customers. FY19 FY18 Constant currency % % Under one year 37.7 34.5 One to two years 6.9 7.0 Two to three years 46.1 48.0 Greater than three years 9.3 10.5 offset by a reduction in the volume of appliances sold. appliances of volume the in areduction by offset partially grows, Group the as increase naturally that services and products Group’s the supporting with associated costs products, managed cloud to move customers Group’s the of more as costs hosting increased to due was This period. the in million $146.4 to million $2.4 by increased sales of Cost sales of Cost 1.7. at customer,Central higher the latter than the Group average Sophos per products of number average the and spend customer average the particular, in improved, have metrics cross-sell Group’s the products, additional take and platform cloud the onto move customers As strategy. cross-sell the of driver afundamental is Central Sophos activity. cross-selling future for room significant leaving products, 1.4 average on have currently customers base, installed entire the Across 2018. March 31 at customers of cent per 11.2 to compared product Endpoint an and product aUTM both had customers of cent per 12.1 approximately 2019, March 31 At improve. to continued has product UTM and Endpoint of who own percentage The a customers both Sophos or additionalproducts licences to customers. existing of versions enhanced upsell to or services, and products additional cross-sell to opportunity an is there innovate, to continues Sophos and evolves landscape threat the As opportunities upsell and Cross-sell Accounts and Report Annual 2019 or loss in full, is broadly targeted to grow at the rate of billings. billings. of rate the at grow to targeted broadly is full, in loss or profit of statement consolidated the to expensed was period prior and current both in which expenditure, development exists and allocates resources accordingly. Research and believes it that opportunity market significant the address to products enhanced and new on focus astrong has Group The period. the in million $143.9 to cent, per 2.6 or million, $3.6 by increased expenses development and Research and development Research provide margin leverage. to order in growth billings of rate the than less slightly at grow to targeted are expenses marketing and sales forward, Going year-on-year. size deal average reduced aslightly at transactions of volume the in increase an of consequence a being largely productivity sales in reduction the with business the of support continued facilitate to growth billings exceeded that arate at increased expenses marketing and Sales period. the in million $259.9 to cent, per 8.3 or million $20.0 by increased expenses marketing and Sales and marketing Sales

offset by some restructuring and legal costs. legal and restructuring some by offset changes in acquisition contingent partially consideration, value fair on arose credit period current The prior-year. the in million $13.2 of expense anet to compared period, the in million $3.8 of credit anet were expenses, administration included items, general within Exceptional finance and ongoing compliance costs. certain of increase an as well as people in investments prior-period from resulting increase annualised the reflecting million, $51.0 to cent per 8.7 by increased expenses Underlying generalschemes. finance and administration cash-settled to applied price share alower of consequence a as and granted awards performance for vesting expected the of arevision to due million, $36.9 to million $5.4 The share-basedexpenses. payment expense by decreased increase in underlying general finance and administration an by offset partially expense payment share-based lower a to due was decrease The period. the in $87.9 million to cent, per 1.5 or million, $1.3 by decreased assets, intangible of amortisation the and exchange foreign items, exceptional General finance andexcluding administration expenses, and finance administration General included in note 5 of the Financial Statements. Statements. Financial the 5 of note in included is loss operating to EBITDA Cash of reconciliation The increased year-on-year whilst billings decreased slightly. expenditure, marketing and sales particularly overheads, as prior-period, the in cent per 25.9 from cent per 22.1 to decreased margins EBITDA Cash period. the in million $167.9 to cent per 15.7 or million $31.3 by decreased EBITDA Cash EBITDA Cash period. the comparative in million $6.9 of aloss with compared dollar; US the against sterling and euro the of aweakening from resulting period the in million $1.5 of gain exchange aforeign recorded Group The and movements impact Currency the current period. in acquisitions from arising increase the than greater being policy amortisation balance reducing Group’s the to due was decrease The period. the in million $16.9 to cent, per 32.9 or million, $8.3 by decreased assets intangible of Amortisation assets intangible of Amortisation

Additional Information Financial Statements Corporate Governance Strategic Report Introduction 33 34 Cybersecurity evolved

FINANCIAL REVIEW CONTINUED

Adjusted operating profit Cash flow

Adjusted operating profit increased by $50.7 million to $109.0 Net cash flow from operating activities decreased by million in the period, resulting from strong revenue growth $4.8 million to $142.9 million from $147.7 million in the prior and benefiting from a small foreign exchange gain partially period. The small overall decrease was due to a $9.9 million offset by increased sales and marketing expenditure. reduction in the cashflow outflow on exceptional items, The reconciliation of adjusted operating profit to operating a $7.0 million improved use of working capital within the loss is included in note 5 of the Financial Statements. business, both being offset by an increase in overheads, primarily in relation to Sales and Marketing expenses. Operating profit Unlevered free cashflow decreased by $15.8 million to $123.8 Operating profit was $60.9 million in the period, compared million from $139.6 million in the prior-period representing to a loss of $19.7 million in the comparative period which the reduction in net cash flow from operating activities represents an improvement of $80.6 million. This was adjusted for the cashflow impact of exceptional items. principally driven by strong growth in revenue, a foreign exchange gain in the period, compared to a loss in the FY19 FY181 comparative period, a decrease in the amortisation charge, $M $M and an exceptional credit compared to an exceptional loss in Cash EBITDA2 167.9 199.2 the comparative period. These gains were partially offset by Net deferral of revenue (49.7) (129.6) an increase in overheads including Sales and Marketing costs. Net deferral of expenses 0.9 8.4 Net finance costs Foreign exchange 1.5 (8.1) Depreciation (11.6) (11.6) Net finance costs decreased by $14.0 million to $7.3 million Adjusted operating profit 109.0 58.3 in the period, due mainly to foreign exchange gains on euro Net deferral of revenue 49.7 129.6 denominated debt following the strengthening of the US dollar in the period, resulting in a $6.4 million gain compared Net deferral of expenses (0.9) (8.4) to a $9.6 million loss in the prior-year. Interest on uncertain Exceptional items 3 (3.1) (13.0) tax positions increased by $2.6 million to $3.5 million due Depreciation 11.6 11.6 to the switch in the period of the overall tax balance from Foreign exchange (1.5) 8.1 deferred tax to current tax, interest only being accrued Change in working capital 2 (5.2) (12.2) on the latter balance. Corporation tax paid 2 (16.7) (26.3) Income tax Net cash flow from operating activities 142.9 147.7 The Group’s tax charge for the year was $26.7 million (FY18: Exceptional items 3 3.1 13.0 $19.9 million) with an effective tax rate of 49.8 per cent Net capital expenditure 2 (22.2) (21.1) (FY18: 48.5 per cent). The tax charge is higher than the prior-period primarily due to the Group generating a profit, Unlevered free cash flow 123.8 139.6 compared with a loss in the comparative period. 1 R estated for the adoption of IFRS 15 and change in accounting policy in respect of research and development expenditure tax credit scheme (“RDEC”) and Profit before tax and profit for the period provision for interest on uncertain tax positions, as explained in note 2 of the Financial Statements The profit before tax increased by $94.6 million to $53.6 million 2 U nlevered free cash flow is also represented by the sum of the marked rows and from a loss of $41.0 million in the prior-year, whilst the Group’s has been presented to enhance understanding of the Group’s cash generation capability profit for the year-ended 31 March 2019 increased by $87.8 3 Excludes non-cash movements on exceptional items million to $26.9 million from a loss of $60.9 million in the prior-year . This is as a result of strong revenue growth supported by increased Sales and Marketing spend and the benefit of a foreign exchange gain of $1.5 million, compared to a foreign exchange loss of $6.9 million in the prior-year combined with a slightly higher tax charge as explained above. 15 May 2019 May 15 Chief Financial Officer Nick Bray shareholders on the register on 20 2019. September all to 2019 October 11 on paid be will dividend final the approval shareholder to Subject cents). US 4.9 (FY18: cents US 5.2 of year financial the for dividend atotal gives share per cents US 1.5 of dividend interim the with Combined cents). US 3.5 (FY18: share per cents US 3.7 to amounting 2019 March 31 year-ended the of respect in dividend afinal pay will Company the that propose Directors The Dividends Statements. Financial the of 33 note in provided is basis cash analysis in ofreduction movements on net Further debt. a the for driver key the is and million $120.1 from million $172.1 to increased business the within retained cash flows, cash net strong continued of aresult As period. comparative the in million $186.2 from million $127.7 to decreasing debt net with year the in Group the of financing the in changes no were There Financing integrated. were as acquisitions declined also jurisdictions tax higher to paid Royalties year. prior the in overpayment tax a and tax income federal of rate the in acut to due tax less paid US The UK. the of outside subsidiaries in profits taxable lower to due million) $26.3 (FY18: prior-year the in than lower is million $16.7 of paid tax Corporation subsidiaries. local in arising profits of because payable remains tax Cash Cash tax assets. intangible in adecrease by offset being assets tangible in increase small a with year-on-year, flat largely was expenditure capital Net equipment. and plant property, as well as assets intangible of acquisition the comprises primarily expenditure Capital expenditure Capital of 42 days (FY18: 41 days). 41 (FY18: days 42 of outstanding days debtors’ with payables and receivables of control close continued to due part in year current the in outflow lower aslightly with albeit business the in growth reflect to continues capital working in change The Group. the by monitored closely is capital Working capital in working Changes Accounts and Report Annual 2019

Additional Information Financial Statements Corporate Governance Strategic Report Introduction 35 36 Cybersecurity evolved

RISK MANAGEMENT AND PRINCIPAL RISKS AND UNCERTAINTIES

Principal risks are identified through a business wide risk assessment process, along with an evaluation of the strategy and operating environment of the Group

The risk review process encompasses the identification, The Directors consider the following matters to be the management and monitoring of risks in each area of the principal risks and uncertainties (in no specific order) business. This process includes an assessment of the risks affecting the Group: to determine the likelihood of occurrence, potential impact and the adequacy of the mitigation or controls already in RECRUITMENT AND RETENTION place. A review is then undertaken by the Risk and OF KEY PERSONNEL Compliance Committee, which evaluates the principal risks of the Group with reference to its strategy and the Risk movement operating environment.

The Audit and Risk Committee monitors and challenges these processes, reviewing the Group’s Consolidated Risk Register and reporting material risks to the Board. There may How it impacts us be other risks or uncertainties that could emerge in the The ongoing success of Sophos is dependent on attracting future, however the Group’s ongoing commitment to risk and retaining global high-quality employees at all levels in management will seek to address and mitigate the future the business who can effectively implement the Group’s strategy. risks, as and when they become apparent. Failure to attract, retain or develop high quality employees across the business could limit the Group’s ability to deliver Structure of risk management its business plan.

What we are doing RE SP Making Sophos a great place to work is central to the ON S IB Group’s strategy. SOPHOS GROUP IL IT PLC BOARD Y Sophos is increasing its commitment to diversity and F O R inclusion by introducing new programmes to attract and R I AUDIT AND RISK S develop diversity of all types. K MANAGEMENT TEAM

COMMITTEE M Additionally, Sophos has a commitment to all levels of A

N

A training and development throughout the organisation. SENIOR

G

L

E

O RISK AND M Reward schemes are continuously evaluated to drive and

R

COMPLIANCE INTERNAL AUDIT E

T N

N COMMITTEE reward performance and ensure retention of key talent. T

O C

Annual employee engagement surveys enable progress of E V

I BUSINESS T the Group’s people actions to be monitored, areas of

C FUNCTIONS

E improvement identified, and necessary actions performed. F

F

E

R The cybersecurity industry continues to be a competitive

O

F

Y INTEGRATED BUSINESS marketplace for talent. As such, Sophos is increasing our

T

I

L

I RISK MANAGEMENT

B commitment to strong recruitment processes supported by

A

T

N

U

O robust remuneration programmes, which are benchmarked C C

A appropriately. 2019 Annual Report and Accounts and Report Annual 2019 www.sophos.com/nobackdoors. intobackdoors our as here: described products https:// through worldwide ourcustomers pledge to never engineer of its and the privacy Further, security Sophos protects risk. this reduce slightly to us allowed have measures other and This attackers. by exploited be can they before defects software resolve to us allowing community, research the from activity good more and Group The secure. products web sees properties our make help to individuals of thousands of skills the leverage to program Bounty aBug run to continues Sophos security. Responsible Disclosure https://www.sophos.com/ Policy: the in described as community, research security the Group The a encourages testing. collaborationwith healthy penetration of forms various and tests code automated testing, efficacy party third private and public reviews, code source including products, of testing and reviews quality Sophos employs combinations of internal and external whichprocedures are subject to continuous improvement. quality and cycles test extensive to committed is Sophos doing are we What resources. harm the Group’s the and Group’s divert reputation could threat asecurity prevent to services or products Group’s the of failure the services, or products Group’s the in vulnerabilities or defects perceived or actual aresult, As and devices. networks customers’ end its protect to time in databases and intelligence threat updateto its identify or other virus the continual emergence of the Group new may threats, fail and threats of nature evolving the to due Further, threats. similar or viruses detect or prevent to fail and traffic, end interrupt networking customers’ temporarily networks, security help to fail to them cause attacks, security to cause the to Group’s be vulnerable or services products and could deployment defects by These end customers. are their until commercial not release after detected or design thatcontain, errors ordefects manufacturing future the in may and contained have they such as Group’sThe are and complex, and products services us impacts it How Risk movement OR SERVICES IN PRODUCTS VULNERABILITIES OR DEFECTS

affect the Group’saffect financialcondition and results. operating adversely materially could which of any litigation, of risk and to andcustomer any remedy sale, costs increased problem publicity, damage to the Group’s loss of end reputation, negative in result could applications or files important of identification false such Any failures. system material and end systems cause customers’ affect adversely could this restricted, be could that item other some or them as malware applications on based identifying falsely or files important restrict products Group’s the If of the Group’smarket acceptance products. Group’s and products impact may adversely therefore the of reliability perceived the impair may industry, Group’s the in inherent while positives, false These positives’). ‘false as (known categories URL or data exploits, vulnerability malware, virus, type, application of classification Group’s the on based content or applications in exist actually not do that malware or threats detect falsely may products Group’s The us impacts it How Risk movement THREATS OF DETECTION FALSE impact on the Group’s customers. the minimise to order in small, or large incident, any manage to place in processes mitigating are there ensuring to committed is and industry the within incident positive false the inherent aSophos acknowledges with risk associated suppression techniques. thatfiles might evade and our prevalencereputation unique even or rare those with deal to them and us enabling own, their on positives false of occurrences manage to customers and partners our allow to 2017 late in product were enhancements Product to introduced the Intercept X analysis. root cause through approach learnt’ ‘lessons a applying as well as event, positive afalse of detection early focus onproactive improvement to enable of processes is there Additionally, products. its in modules predictive intelligence of introduction artificial “Deep Learning” to suppression system complement false thebased positive In 2017, Sophos developed and launched a new reputation- procedures. and systems quality and testing to enhancements as well as optimisation, process and training staff ongoing in invests Group The operation. research threat class Sophos Labs for continuous improvementSophos strives in our world doing are we What

Additional Information Financial Statements Corporate Governance Strategic Report Introduction 37 38 Cybersecurity evolved

PRINCIPAL RISKS AND UNCERTAINTIES CONTINUED

PRODUCT PORTFOLIO MANAGEMENT

Risk movement

How it impacts us Sophos has an extensive number of products, enhanced or partners and the risk they will look to alternative solutions, further by acquired technologies. The extent of investment resulting in the potential loss of both new and existing in each product needs to be managed and prioritised taking revenue streams. into account the expected future prospects. Additionally, Failure to protect the Group’s intellectual property could consideration must be given to the ability to be able to adversely affect the ability of the Group to operate in its adequately support the entire product range. markets. Failure to manage the product portfolio adequately could Additionally, insufficient focus on key research and innovation result in inappropriate investment focus in relation to projects may damage the long-term growth prospects of the research and product innovation. This could result in Group. products that do not meet the requirements of customers

What we are doing Sophos continues to focus on and improve the interaction The Group takes all appropriate opportunities to protect its between Product Management, Product Development, Sales intellectual property and brands. and Marketing and all Support functions in an integrated Sophos customer and partner communities continue to be product development approach. invaluable resources in guiding portfolio management Internal processes are run to identify opportunities for decisions. They provide immediate and constant feedback on standardisation and consistency across products lines. This how well Sophos is meeting its requirements, improvements helps eliminate redundancies, reduce development and that Sophos can make to its current offerings and support costs, and improve partner and customer experiences opportunities for portfolio consolidation or expansion. through a more predictable and coherent product portfolio. Whilst Sophos continues to make significant investments in Sophos is working to bring all products under a single cloud the technology and infrastructure of the Group, the risk has management platform to deliver a common management increased due to the growing demand and reliance on cloud experience for the portfolio and a comprehensive solution that delivery for the Group’s products. will encourage existing customers using on premise products In addition, the migration to Next Gen products has some risk to migrate to cloud management. The Group is also working on during the transition and end of life cycle. enabling instances of portability of the cloud infrastructure where required in order to address any privacy or data sovereignty issues that our customers/partners might face.

DISRUPTION TO DAY-TO-DAY GROUP OPERATIONS

Risk movement

How it impacts us Sophos is at risk of disruption to its day-to-day operations from a disaster incident which may seriously impact IT systems or access to office space. A failure in the operation of the Group’s key systems or infrastructure on which the Group relies could cause a failure of service to its customers and negatively impact the Sophos brand.

What we are doing Incident management procedures and escalation processes are in place as well as maintaining security, business continuity and disaster recovery plans. Sophos continues to invest in cloud technology that provides resilient infrastructure for the Company. 2019 Annual Report and Accounts and Report Annual 2019 industry-wide risk. The risk is not considered to be a standalone principal risk and is instead factored into the Directors’ consideration of ‘Product ‘Product of consideration Directors’ the into factored instead is and management’, risk whichportfolio is a principal risk. principal astandalone asoftware be be to to considered considered is not is which risk The risk. products, Group’s the against industry-wide infringement patent of claims of risk the consider Directors the addition, In Patent infringement be that should Brexit, ahard handle to takes. UK processes the place that into put route have the Group the achieved, be will Brexit which by method the of personnel’. key of uncertainty the to Due retention and ‘Recruitment the risks, principal Group’s the of one affect the in changes materially or to disruption anticipated some be may currently there not are while and these UK, considered been also the has to risk employees heightened a future and posing or current the on significant be to Brexit of impact The considered not are Group. which chain, supply its and Group the of operations the to changes anticipating a as and uncertain remains EU the from exit UK’s the to consequence the have Directors considered a number of subsequent and scenarios EU the Group’s the potential to responses and them. This UK scenario planning the has included between arrangements trading the of nature exact The of currency functional dollar US the on impact the mitigates which costs the Group. the in denominated sterling fluctuations any with revenue, balanced Group’s the adegree, of to cent are, per 12 rate, only in exchange results sterling which spread geographic a diverse with internationally operates Group the As that and year, financial the during place in put been has Committee respond to, continues to and assess, monitor whichCommittee developments, may impact the Group’s working business. Brexit consideration under keep to Across-functional continue Group. the on Directors the Brexit of impact (“Brexit”), Union expected the European the from course, due in exit, to electorate UK the by decision the Following Brexit issues, of range wide a assess Directors the Group which includedthe the followingfor that are not considered to be principal risks: significant be to considered are that uncertainties and risks the on concluding In on a quarterly basis. aquarterly on capabilities cybersecurity its improve and cybersecurity investmentSophos to continues in increase its programmes. andgovernance, technology and education awareness and implementingprocesses continual improvements to response improving threats, for hunting and monitoring active day-to-day on focused is Group The mechanisms. and response recovery detection, appropriate protection, related risks to cyber-attacks andidentifying planning on focused team cybersecurity adedicated has Sophos doing are we What to end customers. services including business, its the Group’s to ability provide support operate to ability Group’s the affect could breach security ofmarket perception the Group’s In a addition, products. the affect adversely could it systems, internal Group’s the in occurs security of breach perceived or actual an If business and harm the Group’s reputation. Group’s the disrupt to designed specifically attacks by targeted be, future the in may and been, time to time from have that vulnerabilities have may products and services TheGroup’s profile cyber-attack target. infrastructure, ahigher is Group the products, security IT of aprovider As us impacts it How Risk movement IT SECURITY AND CYBER RISK

might be unable to meet its strategic objectives. strategic its meet to unable be might adequate policies controls, andwithout Sophos procedures, that arisk is There requirements. market and legal differing Sophos GroupThe many across operates geographies with us impacts it How Risk movement PROCESSES, CONTROLS AND COMPLIANCE ultimately the Board. the ultimately the Audit and and RiskCompliance Committee, Committee and Risk the by overseen is process management risk The and slavery modern protection. data and corruption, bribery anti- as such policies its updates and reviews regularly controls andconsistent a Group The Group-wide process. receivable/payableaccounts and purchasing, enabling for example, functions, many financial also centralised environmentcontrol and to improve. assess Sophos has and Sophos to continues internal review processes its doing are we What

Additional Information Financial Statements Corporate Governance Strategic Report Introduction 39 40 Cybersecurity evolved

CORPORATE RESPONSIBILITY REPORT

Sophos is committed to defending its customers against criminal activity and acting as a responsible business

Our approach conduct. To achieve this, Sophos Executive Officer, Chief Financial focuses on operating openly and Officer and other individuals who With over 335,000 customers around transparently, treating its people fairly, head key Group functions. the world, Sophos recognises the creating a diverse culture and reducing responsibility it holds in providing the its environmental impacts. The Group’s functional heads take right tools to protect its clients and leading roles in key strategic CR areas educate them on the importance of In the year, the Group further enhanced such as gender, HR and environmental digital security. The Group’s business its commitment to corporate management. The SMT are also model is built on securing its customers responsibility (“CR”) and work will responsible for ensuring global from the risks of cybercrime by offering continue on further establishing the compliance with key internal and innovative, simple and highly effective Group’s CR strategy and improving external policies including: cybersecurity solutions. measurement across key areas of focus. • Anti-human trafficking and slavery Beyond the impact of Sophos’ own Managing corporate responsibility policy products and services, the Group • Diversity policy recognises the duty it has in Ultimate responsibility for Sophos conducting its business activities in CR activities lies with the Senior • Anti-corruption and bribery policy Management Team (“SMT”) who set a responsible way. With over 3,400 • Whistleblowing policy employees across more than 40 the Group’s strategic approach, develop • UK Modern Slavery Act offices, it is vital that the Group key policies and coordinate activities. maintains the highest standards of The SMT is comprised of the Chief

Sophos CR framework

GUIDED ENGAGING ENHANCING PROTECTING INCIDENT PEOPLE COMMUNITIES THE RESPONSE ENVIRONMENT

Underpinned by our values

Simplicity Empowerment Passion Innovation Authenticity with sections 414CA and 414CB of the Companies Act. The information listed is incorporated by cross-reference: by incorporated is listed information The Act. Companies the of 414CB and sections 414CA with the Group's non-financialto produced comply constitutes report ofstatement, This information section the strategic statement Non-financial information T Accounts and Report Annual 2019 controls to identify and report policy outcomes are in place and were followed in FY19. in followed were and place in are outcomes policy report and identify to controls policiesThe which underpin the principlesrequirementsand for risk define Robustmandatory management. processes principles. management risk key on founded is which Framework Policy Group’s the of part form above mentioned policies The Groupertain Policies and internal standards and guidelines are not published externally 1 the organisation. across and action promote strategic responsibility corporate to commitment reinforce to Committee Steering aCR implement to aims Group the forward Moving 36). page (see management risk global and compliance financial as well as Conduct, of Code the with compliance the environment) on business Company’s the of impact (includingEnvironmental matters the Reporting requirement Employees key performance indicators key performance ofDescription the non-financial ofDescription business model and anti-bribery Anti-corruption rights human for Respect matters Social

he SMT support the Audit and Risk Committee ("ARC") and the Risk and Compliance Committee (“RCC”) in ensuring ensuring in (“RCC”) Committee Compliance and Risk the and ("ARC") Committee Risk and Audit the support SMT he C Environmental Statement Colleague Policy Policy Business Responsible and Ethics govern our approach Policies and which standards Anti-bribery Policy Anti-bribery Policy Anti-corruption Policy¹ Security Cyber and Information andAnti-Slavery TraffickingStatement Policy Privacy Data Events¹ Company Policy Diversity Equal Opportunities 1 1 1

diligence and outcomes due policy impact, its and business our understand to necessary Information page 50 50 page the environment, Protecting page 40 page Our strategic priorities, page 18 page priorities, strategic Our page indicators, 20 Key performance Our business model, page 16 https://www.sophos.com https://www.sophos.com pageEnhancing 49 communities, https://www.sophos.com

Additional Information Financial Statements Corporate Governance Strategic Report Introduction 41 42 Cybersecurity evolved

CORPORATE RESPONSIBILITY REPORT CONTINUED

Engaging with key stakeholders

Communicating with key stakeholders is vital in helping to better understand their needs and requirements. The Group conducted several engagement activities throughout FY19, to encourage two-way dialogue with key stakeholder groups. Local offices also play a significant role in forming lasting relationships with local stakeholders, including community members.

Key stakeholders Engagement channels Key activities in the year

Channel • Channel ‘best’ commitment to have channel- • Partner conferences in the Americas, EMEA and partners excellence and industry ‘best’ at the Group’s core APJ with CEO and members of the SMT participating • Industry-leading partner programme as speakers • Partner conferences and global events • Regional partner programmes • Dedicated partner portal • Partner advisory meetings in key markets • Partner advisory councils • Webinars and live online events including product and threat landscape training

End customers • Community and support forums • Customer events across Americas, EMEA and APJ • Social media engagement markets • Dedicated and targeted product communications • Significant upgrade to Sophos Home Premium offering, including industry-leading next-gen artificial • VIP Newsletter and Sophos News updates intelligence capabilities • Daily industry news service – NakedSecurity • Free tools for home use (Sophos Home, XG Firewall, Sophos Mobile) • Enduser events in key markets • Webinars and live online events

Employees • Intranet site “Sophos Hub” for collaboration, • Annual kick-off led by CEO communication and information • Quarterly business updates • Annual employee survey • Local kick-off events • Access to online training tools and • Social events run locally instructor-led training

Investors and • Investor roadshows • Major refresh to investor website launched, with new analysts • Results presentations and webcasts tools and resources to aid analysis and understanding • Conference calls • Publication of Company-compiled consensus • Annual general meeting • Comprehensive consultation with respect to revised remuneration policy and matters of corporate • Investor and analyst 1:1 meetings governance • Analyst and investor visits to UK headquarters • Participation in leading investor conferences in US and Europe

Community • Employee driven charity and community actions in • Continued sponsorship of the UK National Computing local offices, supported by senior management team Museum and local management • Charitable and community activities undertaken around the world supporting a wide range of causes 2019 Annual Report and Accounts and Report Annual 2019

Additional Information Financial Statements Corporate Governance Strategic Report Introduction 43 44 Cybersecurity evolved

CORPORATE RESPONSIBILITY REPORT CONTINUED

Securing our customers Sophos’ mission is to be the best in the world at delivering innovative, simple and highly effective cybersecurity solutions. With more than 100 million users across 150 countries and 335,000 businesses relying on Sophos to protect them against complex threats and data loss, the Group has a significant duty to protect and secure its customers 24/7.

Organisations are struggling to identify In November 2018, Sophos introduced even where the firewall doesn’t have the entry point of most attacks and do two significant developments to help direct control over traffic. not know how long an attacker might address the top concerns of have been on their network. A recent organisations worldwide. The most In October 2018, Sophos launched survey by Sophos revealed that 20 per recent version of the XG Firewall Intercept X Advanced with EDR. Effective cent of IT managers admitted not includes lateral movement protection to investigation and incident response had knowing how their most significant prevent targeted, manual cyber-attacks previously only been achievable in attack got in and 17 per cent couldn’t or exploits from infiltrating further into organisations with a dedicated Security determine how long an attack was a compromised network. By sharing Operations Center ("SOC") or specialised resident on a network. On average, intelligence between the firewall and IT security team trained to hunt and organisations that investigate one or endpoints and automatically isolating analyse cyber-attacks. With Sophos more potential security incidents each infected systems, organisations can Intercept X Advanced with EDR, month spend 48 days a year (four days reduce the blind spots on their network businesses of all sizes and those with a month) investigating them. It is not switches or LAN segments that can limited resources can add threat tracking surprising that 80 per cent of become launch pads for attacks. The and SOC-like capabilities to their security respondents wished they had a new features in Sophos XG Firewall defences, reducing the time criminal stronger IT team in place*. prevents threats from spreading, hackers can hide in their network.

CASE STUDY Synchronized security

Spicerhaart, a UK-based real estate agency has deployed Sophos Intercept X and XG Firewall network protection and is benefitting from synchronized security. Prior to deploying Sophos, Spicerhaart experienced several CryptoLocker-style ransomware attacks. Due to robust backups, no ransom was paid and the data was restored. However, Andrew Chaplin, IT Infrastructure Manager at Spicerhaart, knew that they could become the target of subsequent cyber-attacks and needed to put Sophos security in place. In addition, the pressure to achieve and maintain compliance with GDPR, which came into effect in May 2018, also influenced a greater priority on data security. Staying ahead of today’s cyber threats is paramount. With synchronized security, we have coordinated our defences and maximised all of our resources. Regardless of the attack complexity or surface, we are now more prepared than ever before”

* www.sophos.com/truths • • • • include: Highlights com. Sophos. on available is research This alike. customers and researchers fellow for practices security best for steps and analysis depth in provides research This learning. machine for algorithms for buildingrecommendations and behaviour, cybercriminal dedicated research into recent threats, ecosystemcybersecurity with the of understanding industry’s the to significantly contributed SophosLabs participants. industry all with collaborate we that do to and solutions, cybersecurity effective highly and simple innovative, delivering at world the in best the be to is mission our Sophos, At market. the on are that solutions security numerous the and threats to response daily the with overwhelmed are Organisations crowded and competitive. complex, is today market cybersecurity The key is Collaboration Accounts and Report Annual 2019

Artificial Intelligence. Artificial in Modes Failure Catastrophic IoT or Device. Your Server From dollar Ransomware. A Case Study. A Case Detection: Malware for Analysis UsingSelection Principal Component M “ C S Known Unknowns”:Known Overcoming halubo Botnet Wants to DDoS DDoS to Wants Botnet halubo amSam: The (Almost) Six Million Million Six (Almost) The amSam: achine Learning With Feature Feature With Learning achine Sophos. CTO, Levy, –Joe adversaries.” against fight the strengthen and forces join to able we’re together, come can minds brightest industry’s the where forum atrusted creating by but challenging, been always has vendors competing between strategies technology future discussing when transparent “Being Directors. of CTA’s Board joined Levy Joe CTO, Sophos year, this February In industry. the of advancement environment forcompetitive the to collaboratetogether in a non- vendors from cybersecurity experts and executives ("CTA"). CTA brings Alliance Threat Cyber the in partners industry with data threat contextual industry, including sharing the of to the advancement of the contributed actively also have Executives Sophos uncovered. or deconstructed they’ve threats about reports pertinent industry the with sharing now are world the from allSophos News, researchers over on Uncut SophosLabs In analysed. is it as researchers from directly data issuing been has SophosLabs research, in-depth to addition In • •

S the Moment. at Ransomware Distributed Widely G ophosLabs 2019 Threat Report. Threat 2019 ophosLabs randcrab 101: All About the Most Most the About All 101: randcrab as whole. as andvendors, customers the industry for good is testing why outlines Sophos Testing, Party Third of Principles the In Sophos. to important is technology independent of testing cybersecurity challenging, and imperfect While standard. the of favour in vote to founding member, Sophos was proud a As Standard. Protocol Testing AMTSO the adopted and approved ("AMTSO") officially Organisation Standards Testing Malware Anti- non-profit the 2018, June In Joe Levy, CTO, Sophos CTO, Levy, Joe scrutinised” be to foreasy their products should make it vendors want reviewed, see and to they items specific the on clear be continuously should users End correctly. environments configure to vendors over-deliver, with andwork should under-promise and Testingvendors. labs labs, and end users testing the between partnership a should be There

Additional Information Financial Statements Corporate Governance Strategic Report Introduction 45 46 Cybersecurity evolved

CORPORATE RESPONSIBILITY REPORT CONTINUED

Number of Overall Employee Employees Satisfaction

3,400 86% (FY18: 3,300) (FY18: 87%) Engaging people Guided by the Group’s core values of simplicity, empowerment, passion, innovation and authenticity, the Group seeks to promote a culture where its people can thrive. For Sophos, this means promoting strong business ethics and putting in place policies and programmes to build trust with employees.

Creating an ethical culture In 2017, the UK government introduced new legislation As a first priority, Sophos seeks to uphold individual human requiring companies with 250 or more employees to publish rights in its operations and expects the same from all their gender pay gap. The Group's median gender pay gap in partners. The Group’s policies outline the behaviours the 12 months to April 2017 was 23.4 per cent. In the 12 expected from employees and suppliers at all times and set months to April 2018, Sophos reduced this gap to 17.2 per out the Group’s zero tolerance approach towards any form cent, and achieved greater female representation in the of modern slavery, discrimination, or unethical behaviour upper pay quartiles. relating to bribery, corruption or business conduct. The Group believes its current pay gap is due to lower female To support its people, the Group makes development representation at the higher levels of the organisation and a opportunities available to all employees through access high percentage of men in specialist positions carrying a to one of the largest online libraries of e-learning courses higher market premium. It is however encouraging to see in the world for technical, personal and leadership skills progress, as the Group continues to enhance gender development, as well as role-specific training and access to diversity and ensure equitable pay for all genders Instructor-Led Training. This training is aligned to personal throughout their careers. development initiatives such as quarterly manager ‘check- In line with this commitment, Sophos continued to promote ins’ and real-time coaching. gender diversity in FY19 through its actions and activities, Promoting diversity which included: The Sophos diversity policy outlines the Group’s commitment • C ontinuing our work as one of the founding organisations to building an inclusive culture, where people feel able to be of the PWC “Tech She Can” initiative. their best at work, irrespective of age, race, sexual orientation, religion, national origin or gender. Sophos is • In FY19, Sophos women attended and sponsored various passionate about creating a workplace that promotes equal women in technology and cybersecurity events in our opportunities and prides itself on recognising and rewarding major office locations. team members based on merit above anything else. • I ntroducing new Maternity Leave Policies.

At the end of the financial year, the gender breakdown of • C elebrating International Women’s Day with various employees and Directors was is shown in the table below: global office events, speakers, support of local women charities and special recognition of a spotlight of women 31 Mar 2019 31 Mar 2018 across Sophos. Female Male Female Male • Introducing a new apprenticeship scheme to provide Executive & alternative routes for women to pursue technical careers Non-Executive Directors 2 6 2 7 at Sophos. Senior Managers* 20 65 18 75 • P roviding unconscious bias training to managers and Employees 767 2,521 760 2,500 employees.

* T he Group has defined senior managers as members of the SMT and their direct reports (excluding executive Directors separately reported) as is set out in the Groups’ diversity policy. 2019 Annual Report and Accounts and Report Annual 2019 development at Sophos. career their enhance and business the in environment where they can supportive progress a create and need, they skills the develop women help to is group the of focus The roles. non-technical and technical –spanning industry technology the in women for work to place great a Sophos make to is initiative the of purpose The andsubsequent actions, projects. events, launch galvanising with India and U.S. Canada, UK, the in running groups dedicated now are There industry. technology the in launched in late 2017 to promote gender diversity was forum Technology in Women Sophos The in technology women Sophos

Additional Information Financial Statements Corporate Governance Strategic Report Introduction 47 48 Cybersecurity evolved

Sophos staff walk against breast cancer

A 60+ strong group of Sophos colleagues, known as the “Sophos Interceptors”, hit the Thames Path to walk a marathon along the course of the river from our office in Abingdon to Pangbourne, near Reading, as part of the Breast Walk Ever campaign.

The group ran a number of fund-raising activities in advance of the walk, from car washes to dunk tanks, culminating in a fantastic £22,500 being raised for the charity. the team identified four key focus areas to target: to areas focus key four identified team the village, the in living people for life of quality the enhancing of aim the With need. alocal of recognition and engagement community extensive after employees by selected was Ropda offices. its to near village alocal of infrastructure the improving on engagementSophos India community efforts its focuses India basis. monthly a on pantry food alocal at volunteer employees of Agroup gifts. the all wrap and purchase Employees office. the in erected is care foster in children of wishes Christmas with Tree” decorated a “Giving December, In US environment. surrounding their and trails park maintain and clean support, help to volunteered employees 60 Over housing. affordable of need in families help to home Humanity for aHabitat building in volunteered Employees competitions. sporting and auctions raffles, sales, bake as such activities through raised were funds whom for families two with matched were employees 2018, In Christmas. aspecial have may they that so need in families assisting on focuses initiative local This Peace”. of “Presents YWCA’s for funds raised have employees Canada Sophos years, several past the for December Every Canada female students. young 80 hosted which day STEM agirls to resources and apresenter sending by this supported Sophos and autism, with children helping and coding into girls bringing on focus aparticular is There children. school host to week each times multiple used now is which aclassroom, refurbish completely them helped funding our FY19 in and 2020 until to sponsor the museum Sophos has committed computers. historical functioning of collection largest world’s the with action in seen be can security and computing of history the 2017, in where Bletchley in Computing of Museum National the at sponsor foundation acorporate became Group The UK in many enhance and to local initiatives them participated communities during year. the andrelevant projects community initiatives to aroundtheto support world local offices encourages Group The operates. it where communities the to difference make positive a and insights to helping to expertise and resources, using isSophos others committed its communities Enhancing Accounts and Report Annual 2019 CORPORATE RESPONSIBILITY REPORT RESPONSIBILITY CORPORATE

CONTINUED • • • •

at a subsidised cost. cost. asubsidised at treatment seek to able now are they where hospitals local with contact in put were villagers and introduced surrounding community. community. surrounding the to village the connect better to constructed renewable energy. Beyond this, a new road was reduce the financial burden ofvillagers and promote management waste ensure and effective cleanliness. to village the throughout installed was system drainage a and houses, 20 over in built were Toilets village. the in system drainage or facility sanitation central no was there H I S E of building another school. process the in now is Sophos hygiene. and health better encourage to shed ameal as well as school, the at built also was plant purification Awater exams. for attendance cent per 100 including year, the of end the by cent per 85 to cent per 25 from increased rate attendance the aresult, As rates. literacy improve to school into children their enrol to parents encourage to launched was campaign a this, To address Ropda. in arrived employees Sophos when cent per 25 just was rate attendance the village, nfrastructure Despite there only being one school in the the in school one being only there Despite ducation: anitation: Half-yearly health check-ups were were check-ups health ealth and fitness: Half-yearly As is common in many Indian rural villages, villages, rural Indian many in common is As : 60 solar street lights were installed to to installed were lights street solar : 60

Additional Information Financial Statements Corporate Governance Strategic Report Introduction 49 50 Cybersecurity evolved

CORPORATE RESPONSIBILITY REPORT CONTINUED

tCO2e per $m billings 10.5 (FY18: 12.9) Protecting the environment As an office-based organisation, Sophos is an environmentally low-impact business. The Group has therefore not adopted a formal environmental policy. Despite this, the Group recognises the responsibility it has in managing its environmental performance and conducting local initiatives to reduce its overall carbon footprint, waste profile and water impact.

Greenhouse gas emissions Creating an environmentally friendly HQ

In line with the Companies Act 2006, Sophos is required to The Group commissioned a greening study of its global measure and report on its Greenhouse Gas (“GHG”) emissions headquarters in Abingdon, Oxfordshire. The purpose of the disclosures. These have been calculated for the year-ending study was to benchmark the current environmental, health 31 March 2019, in line with the Group’s financial year. and wellbeing performance of the building against current The calculation of the disclosures has been performed in best practice and against direct and indirect competitors. accordance with Greenhouse Gas Protocol Corporate Standard and using the UK government’s conversion The findings of the study showed that the building factor guidance for the year reported. performance was consistent with intermediate good practice and the building management was consistent with standard The Group’s operations that primarily release GHG includes good practice. The study highlighted areas of future usage of electricity and gas of owned and leased offices, improvement. The findings and recommendations of this business travel and usage of vehicles. The Group keeps its report will be a key driver for developing best practice in data capture process under review, seeking to extend the environmental sustainability to match the growth aspirations availability of direct information wherever possible. Where and objectives of the Company. direct information for certain sites is not available, estimates have been developed that enable reporting for them. These The Group is endeavouring to achieve the standards in estimates are revised if new or improved data is obtained. environmental performance, health and wellbeing that is expected of a global technology organisation at the Group’s The Group will continue to build its GHG reporting capabilities. headquarters.

The Group’s chosen intensity ratio is ‘tonnes of CO2 equivalent per million US dollars of billings’ as it aligns with Sophos’ strategic growth ambitions. Year-ended Year-ended Year-ended 31 March 2019 31 March 2018 31 March 2017

tCO2e tCO2e tCO2e Scope 1 Combustion of natural gas and operation of owned vehicles 220.9 320.0 251.8 Scope 2 Electricity consumption in offices 4,487.2 4,457.3 4,681.9 Scope 3 Business travel (air and car) 3,260.9 5,117.4 4,510.9 Total 7,969.0 9,894.7 9,444.6 Intensity ratio

tCO2e per $M of billings 10.5 12.9 14.9

Strategic report approval The strategic report on pages 8 to 50 was approved by the Board on 15 May 2019 and signed on its behalf by:

Kris Hagerman Chief Executive Officer 15 May 2019 2019 Annual Report and Accounts and Report Annual 2019 produce energy through supplier. the waste to boilers biomass in used be will which place in put was recycling waste food of introduction the strategy, recycling new the of part As the implementation of new recycling stations. and site on bins desk personal all of removal the with adopted was recycling for strategy new a 2019 of January In saved. were trees 259 of equivalent the recycled was that card and paper the From waste. its from energy of 24MWh over generated and CO₂ of 17.27 tons of equivalent the saved office Abingdon the year, financial last the of course the Over landfill. to zero in resulting recovery energy through goes waste the possible not where and recycling for sent is waste site all such As HQ. Abingdon the at 2018 in supplier waste landfill’ to a‘zero to moved Group The landfill to Zero

Additional Information Financial Statements Corporate Governance Strategic Report Introduction 51 52 Cybersecurity evolved

Managed Service Providers

Sophos MSP Connect

Sophos Central provides the platform for the Sophos MSP Connect program, with a comprehensive product set enabling our channel partners to fully meet their customers’ security requirements. From endpoint and server protection to email, web, mobile, wireless, public cloud, phishing simulation, and encryption.

The intuitive partner dashboard Allowing a trusted partner to within Sophos Central allows manage their security estates channel partners to manage all of remotely via Sophos Central is a their customers’ Sophos products particularly attractive model for through a single, intuitive cloud many smaller enterprises. interface. There are clear Typically, these businesses lack benefits as this reduces the resources to establish, administration time and provides monitor and maintain an effective our partners with an additional cybersecurity operation, hence a service revenue opportunity. service-based monthly Furthermore, Sophos Central subscription model, leveraging delivers synchronized security, the partner’s expertise, is an with all the products sharing effective option. The Group’s MSP information via a patented business is growing rapidly and Security Heartbeat™ and now has over 47,000 customers, automatically responding to and thousands of channel threats, thus delivering faster, partners on the program. better protection, and giving Sophos Managed Service Partners a unique differentiator.

Find out more at: www.sophos.com/msp 2019 Annual Report and Accounts and Report Annual 2019 102 91 82 80 78 77 71 68 Directors of oard 56 54 Governance

Chairman Remuneration Committee D A N C B D A Di R A udit and Risk Committee Report Committee Risk and udit nnual Report on Remuneration on Report nnual the of Statement nnual orporate Governanceorporate Statement emuneration at aGlance at emuneration irectors’ Report irectors’ Report Committee isclosure omination Committee Report omination Committee rectors’ Remunerationrectors’ Policy

Additional Information Financial Statements Corporate Governance Strategic Report Introduction 53 54 Cybersecurity evolved

BOARD OF DIRECTORS

PETER GYENES KRIS HAGERMAN NICK BRAY SANDRA BERGERON Non-Executive Chairman Chief Executive Officer Chief Financial Officer Independent Non- Executive Director

COMMITTEE MEMBERSHIP COMMITTEE MEMBERSHIP COMMITTEE MEMBERSHIP COMMITTEE MEMBERSHIP

Chairman of Nomination Member of Disclosure Member of Disclosure Member of Audit and Risk, Member of Remuneration Remuneration and Nomination

EXPERIENCE EXPERIENCE EXPERIENCE EXPERIENCE

Peter joined the Sophos Board in Kris joined Sophos in 2012 as CEO. Nick joined Sophos in 2010 as CFO, Sandra joined the Sophos Board in June 2006, bringing experience Kris was most recently CEO of Corel bringing more than 20 years’ June 2010. Sandra has more than with corporate growth and value Corporation, and prior to that, group experience in the technology sector, 20 years’ security, operations and creation to the Group’s vision for president, data centre management extensive international operational board advisory expertise having integrated threat management at Symantec, where he led a skills and significant public previously served on the boards of leadership. Peter has four decades business of more than $1.5 billion company experience on both the TraceSecurity Inc., Tipping Point, of experience in technical, sales, that represented nearly 30 per cent London Stock Exchange and Netegrity, Nuance Communications, marketing and general management of Symantec’s global revenue. Prior Nasdaq. Nick was most recently TriCipher Inc., and ArcSight Inc. positions within the computer to Symantec, Kris was EVP and GM, CFO at Micro Focus International plc, Earlier in her career Sandra spent systems and software industry storage and server management, at where he was instrumental in the 10 years at McAfee, Inc. holding a globally and was most recently the Veritas Software where, during his company tripling revenue and number of key executive positions. Chairman and CEO of Ascential tenure, the company’s revenue increasing market capitalisation Software Corporation. He has also more than doubled, before its from circa £200 million to in excess served on the boards of Carbonite acquisition by Symantec. Earlier in of £1 billion. He has also held Group Inc., Applix Inc., BladeLogic his career, Kris was founder and CEO CFO roles at Fibernet Group plc and Software, Epicor Software of BigBook and prior to that, Affinia. Gentia Software plc, as well as Corporation, Lawson Software, Kris also held positions at Silicon senior financial positions at EnerNOC Inc., Cimpress NV, Graphics and McKinsey & Company. Comshare Inc. and Lotus Software. Intralinks Holdings, Inc. and webMethods.

QUALIFICATIONS QUALIFICATIONS QUALIFICATIONS QUALIFICATIONS

BA in Mathematics and an MBA, BA in Russian and Economics, First class BA in Civil Engineering, MBA from Xavier University, Columbia University, New York Dartmouth College, an M.Phil. in Aston University, and a qualified Cincinnati, Ohio and a BBA in International Relations, Cambridge Chartered Accountant Business Administration (Cum University, and an MBA, Stanford Laude), Georgia State University Graduate School of Business

KEY EXTERNAL APPOINTMENTS KEY EXTERNAL APPOINTMENTS KEY EXTERNAL APPOINTMENTS KEY EXTERNAL APPOINTMENTS

Director of Information Builders, None Non-Executive Director of Director of F5 Networks, Inc. Inc., Pegasystems Inc., RealPage, De La Rue plc and Qualys Inc Inc. and is trustee emeritus of the Massachusetts Technology Leadership Council

ELEANOR LACEY EXPERIENCE Executive Vice President, Eleanor joined Sophos in 2016 as Business Development at Corel SVP General Counsel and Company Corporation, VP of Corporate Chief Legal Officer and Secretary. Most recently, Eleanor Development at SupportSoft, Inc. Group Company Secretary. had been SVP, General Counsel and VP and General Counsel at Niku and Corporate Secretary at Corporation, prior to its acquisition SurveyMonkey Inc. Prior to by Computer Associates. COMMITTEE MEMBERSHIP SurveyMonkey she has held the Member of Disclosure roles of General Counsel and VP of 2019 Annual Report and Accounts and Report Annual 2019 Massachusetts at Amherst Massachusetts of University English, and History in BA and School Law Yale J.D., QUALIFICATIONS London Engineering, Imperial College, in MA an and Business of School Graduate Stanford MBA, QUALIFICATIONS positions at Psion Computers. also held product management and sector technology high the in clients consulting on focusing Inc., &Company, McKinsey at worked plc. Previously, Roy Entertainment andSemiconductors, King Digital NXP Corporation, Software includinginvestments Epicor focussed technology of variety a in involved been has and 2003 in Partners Apax joined He team. technology andPartners’ telecoms Apax of apartner is Roy 2010. June in Board Sophos the joined Roy EXPERIENCE Member of Nomination MEMBERSHIP COMMITTEE Inc. and Exact Holdings NV Holdings Exact and Inc. Software, Creek Duck of Director KEY EXTERNAL APPOINTMENTS Director Non-Executive ROY MACKENZIE Accountant Chartered aqualified and Cambridge of University Economics, in MA QUALIFICATIONS US. the and UK the in companies technology backed equity private of a number of CFO as roles of avariety in career his of part early the spent He Ltd). Group (Edwards Vacuum Edwards of Committee Audit the of Chairman and Director aNon-Executive also was He plc. Group NDS of Secretary Company and CFO as years seven and plc Inmarsat of CFO as years nine spent had Rick Misys, joining Before 2013. December until Misys of CFO was Rick which, to prior 2018 February in Vantiv with merger its of completion the until Worldpay at CFO was Rick Previously, solutions. content video of provider leading the Synamedia, of CFO currently is Rick companies. technology management of large international financial the in experience of years 30 has Rick 2017. April in Board Sophos the joined Rick EXPERIENCE Nomination Member of Remuneration and Risk and Audit of Chairman MEMBERSHIP COMMITTEE Executive Director Executive Independent Non- RICK MEDLOCK None KEY EXTERNAL APPOINTMENTS Limited Holdings Synamedia of CFO KEY EXTERNAL APPOINTMENTS 2018 New Year’s Honours list. the in Technology and Software in Women of Empowerment the Digital Economy and the to services for OBE an received Vin 2014. in Year the of Company Tech named was Software Computer Advanced addition, in and 2012 in Year the of Entrepreneur Tech and Year the of Woman Cisco’s named Group and Vin Concateno. was Greenko Chime Communications, of Director aNon-Executive plc, Director of Group Zoopla Property also an Independent Non-Executive was Vin Previously, Group. Software Computer of CEO and Software Computer Advanced at CEO and founder was Vin 2017. January in Board Sophos the joined Vin EXPERIENCE Remuneration and Nomination Risk, and Audit of Member MEMBERSHIP COMMITTEE Edinburgh Napier University business administration (Honorary), a Doctorate and MBA, an (Hons), BSc QUALIFICATIONS Executive Director Executive Independent Non- VIN MURRIA OBE Elderstreet Investments Elderstreet at apartner and team, Advisory Senior – Advisor Rothschild Global plc, Group finnCap at Director aNon-Executive and plc Group DWF and plc Softcat at Director Independent Non-Executive KEY EXTERNAL APPOINTMENTS Group Ltd. Group Perform and plc Group Travel My and plc, Diageo plc, WANdisco of boards the on served previously has Paul term. three-year third his of completion the following 2019 July in retire will but plc, Experian of Director Executive aNon- also is Paul plc. Group Ashtead and plc Halma of Chairman Non-Executive Paul is currently experience, board extensive With businesses. medium and small leader in business solutions for a plc., Group Sage of CEO as years 16 for served having Sophos, of leadership experience to the Board senior and technology of years 30 than more brings Paul 2015. June in Board Sophos the joined Paul EXPERIENCE Nomination and Risk and Audit of Member Chairman of Remuneration MEMBERSHIP COMMITTEE & Young & Ernst at trained having Accountant Chartered aqualified and University, York Economics, in BA QUALIFICATIONS Director Senior Independent PAUL WALKER plc Experian of Director Non-Executive a and plc, Group Ashtead and plc Halma of Chairman Non-Executive KEY EXTERNAL APPOINTMENTS

Additional Information Financial Statements Corporate Governance Strategic Report Introduction 55 56 Cybersecurity evolved

CORPORATE GOVERNANCE STATEMENT

Dear Shareholder, CHAIRMAN’S With the full support of the Board, I am committed to maintaining a robust governance framework to ensure that INTRODUCTION we discharge our duties responsibly in setting our strategy Ensuring that we create a and long-term objectives, monitoring and providing oversight framework and culture that to the performance of management and progress of our business, managing our risks, and carrying out our business supports good governance with integrity. Good corporate governance is critical in is at the heart of what we do helping to build a successful business that is sustainable over as a Board and is one of my the longer term, in the dynamic, fast-paced markets in which principal responsibilities we operate. The revised UK Corporate Governance Code (“the Code”), which we will report more formally next year, as Chairman. specifically puts relationships between companies, In doing so, long-term value shareholders and stakeholders at the heart of long-term success and places emphasis on businesses building trust for shareholders is created by creating strong relationships with key stakeholders. and the interests of our key This report sets out our approach to governance and the stakeholders is promoted. work of the Board and its Committees during the year. In carrying out these responsibilities, the Board holds meetings regularly with management to review operating performance and strategic progress.

Corporate Governance Code compliance

The Board spends considerable time focusing not only on operational matters, risks and financial reporting, but also focuses on how the strategy is being implemented and progress maintained. We also focus on the longer-term future and the implications that a changing market place might have. We do this in several ways, including actively seeking out internal and external perspectives on how the market place might develop and what risks and opportunities might emerge and how these should be addressed.

Board meetings in FY19

April May July 100% 100% 90% attendance attendance attendance August of the Board’s composition are set out on page 54 and 55. and 54 page on out set are composition Board’s the of details Full years. 15 past the during Sophos to contribution invaluable his for Steve thank to like Iwould Board, the of behalf On Officer. Executive Chief and Officer Operating Chief Company’s the as served previously having years, four almost for Board the of amember been had Steve 2019. 8 February on Director aNon-Executive as down stepped Munford Steve composition Board year. this during so do to continue to expects and Code the of provisions the applied and Principles, the with full in complied year this has Sophos that report to pleased I am Accounts and Report Annual 2019 priority areas identified in the previous year’s evaluation and and evaluation year’s previous the in identified areas priority the internally focusing questionnaires generated with on the Committees, its and Board the of evaluation FY19 the I led Secretary, Company the of support the with 2019, March In parties. external using conducted those particular, in evaluations, Board of effectiveness and quality the improve to wishing on focus We welcome the UK Government’s continued effectiveness. its further improve to required are adjustments any whether assess to and operates it how re-focus to Board the for opportunity an as this Isee Chairman, As Committees. its and Director each of that and effectiveness and performance its of evaluation formal annual an undertakes Board the Code, the and practice best current with accordance In evaluation Board External evaluation External FY17 Board evaluation Board attendance 100% During the year, the Company complied with all the principles and provisions of the 2016 Code. 2016 the of provisions and principles the all with complied Company the year, the During found be can Code The year. www.frc.org.uk the at during website focus of FRC’s areas the on highlight to and agreater applied been provide to have Code the of structure principles main governance the how of Company’s the of understanding features key the explains website, Company’s the on available is which report, This compliance Code Governance UK Corporate Internal evaluation FY18 . November attendance 90% 15 May 2019 May 15 Non-Executive Chairman Gyenes Peter stakeholders. our of all on focus with together value, long-term creating on provides the appropriate environment to ensure rigorous focus this that We believe organisation. the across framework, agovernance to committed are Board our on us of Each Conclusion 81. to 78 pages Chairman, on of the Remuneration Committee Statement Annual the in and 42, page on report, this in earlier noted are details of our engagement shareholders during with the year the views of understand ourproperly shareholders. Further we ensuring in critical remains Sophos, of ambition and scale the of agroup for appropriate framework, governance evolving yet arobust of operation and design the that believe and considers shareholder sentiment We and feedback. monitors regularly and institutions, financial and investors of representatives of views the to listens shareholders, with dialogue active an maintains and encourages Board The Shareholder engagement and 61. and 60 pages on summarised are taking are we decisions and outcomes The progressed. been have these effectively how Internal evaluation FY19 February attendance 100% External evaluation External FY20

Additional Information Financial Statements Corporate Governance Strategic Report Introduction 57 58 Cybersecurity evolved

CORPORATE GOVERNANCE STATEMENT CONTINUED

Our governance structure

The Company’s governance is structured through the Board and a number of Committees that support the effective discharge of its duties, as illustrated below.

Board of Directors The Board is collectively responsible for the long-term success of the business. It provides leadership and direction, including setting and overseeing the implementation of the strategy, monitoring management activity and performance, building relationships and trust with our major stakeholders, ensuring that the Group operates within an appropriate risk and control framework and establishing the culture and values of the organisation.

More details on the roles and responsibilities of the Board are set out on pages 62 to 66

Audit and Risk Nomination Remuneration Disclosure Committee Committee Committee Committee The Audit and Risk The Nomination Committee The Remuneration The Disclosure Committee is Committee is responsible for reviews the structure, size Committee reviews and responsible for overseeing oversight of the Group’s and composition of the Board recommends to the Board the disclosure of information financial reporting processes and its Committees, and the Remuneration Policy and by the Company to meet its and significant financial makes recommendations to determines the remuneration obligations under the Market judgements, the integrity and the Board accordingly. It has packages of the Executive Abuse Regulations and the clarity of the Financial responsibility for succession Directors whilst overseeing Financial Conduct Authority’s Statements, review of the planning at Board level to the appropriateness of the List Rules and Disclosure risk management and ensure that the Board retains remuneration structure for Guidance and internal controls framework, an appropriate and diverse executive management and Transparency Rules. and agreeing the scope and balance of skills and the wider employee effectiveness of the external experience to effectively lead population. audit process. The Audit and the Company. Risk Committee also directly oversees the process for the selection of the external auditor and makes recommendations for their appointment.

For further information, For further information, For further information, For further information, see pages 71 to 76 see pages 68 to 70 see pages 78 to 101 see page 77

Risk and Senior Management Team (SMT) Compliance The SMT is led by the CEO and comprises senior management from across the business. Its role is to provide the highest executive level governance and discussion forum, responsible for optimising performance and delivery of Committee strategic objectives. It also assists in the implementation of operating plans, budgets, policies and procedures, The Risk and Compliance and manages the operational and financial performance of the business. Committee is a management Committee that has a direct reporting line to the Audit and Risk Committee, providing an additional level of assurance. Strategy FY19 during focus Board 4 Committee Nomination the of and Board 3 the of Chairman is Gyenes eter 2 1 asChairman, appropriate. Committee or Chairman the to directly comments provided and meeting that for circulated papers the reviewed they case, each In commitments. business prior to due entirely was this meetings, attend to able not were Directors Where year the during held Committees and Board the of meetings scheduled at Attendance Accounts and Report Annual 2019 eviewed the Company’s operating results results operating Company’s the eviewed • Financials • the of performance the on focus etained • Risk • the of oversight strong rovided •

Vin Murria Walker Paul Steve Munford Rick Medlock Roy Mackenzie Sandra Bergeron Nick Bray Kris Hagerman Peter Gyenes year. fiscal the for plan operating the approved and reviewed also Board The auditor. management and the Company’s external and with Financial Statements R cybersecurity. R scenarios; and, portfolio andmanagement different strategy the ongoing with together portfolio portfolio, the for delivery to risks key of products, portfolio Company’s existing R strategy. Company’s the of in support opportunities acquisition D and considered the key risks; and, plans, growth and strategy Group’s P etained focus on risk, and in particular particular in and risk, on focus etained iscussed potential future future potential iscussed S P R P teve Munford resigned as of 8 February 2019 8February of as resigned Munford teve aul Walker is Chairman of the Remuneration Committee Remuneration the of Chairman is Walker aul ick Medlock is Chairman of the Audit and Risk Committee Risk and Audit the of Chairman is Medlock ick 3 2 1 4 Board 100% 100% 100% 83% 100% 67% 100% 100% 100% Governance eviewed the Annual Report including including Report Annual the eviewed • Risk andfinancials

business model and strategy. Group’s and position performance, information necessary to assess the andunderstandable it provided the and balanced, fair, was Report disclosure; and, ensured that the Annual ofappropriateness Statement the Viability going basis concern of the accounting, ofappropriateness the adoption of the the ongoing objectives, strategic management to achieve the Group’s effective continued their and risks principal detailed consideration of the identified R S

R h

i a

s r

k e

h

a o

n l Committee Audit and Risk

d d

e

F r

i n e n

a g

n a

c g

i

a e

l m

s

e

n

t

100% 83% 100% 100%

S

F t r

i a

n Committee Nomination t

a e

n g

c y

i

a

l

s

R i s k 67% 100% 100% 100% 100% 100% ndertook a shareholderndertook engagement • Shareholder engagement • • eviewed the changing corporate • Governance

Committee Remuneration pages 78 to 81. to 78 pages Chairman on Remuneration Committee the of Statement Annual the in found be can details Further sentiment. investor on update an with Board the provided also Policy. Advisors Remuneration concerning the new proposed keyprogramme with shareholders U U implemented changes accordingly; and, and process evaluation Board FY18 recommended for improvement during the R Statement; ActModern Slavery Transparency the and blowing, whistle disclosure, share dealing, inside information and to relating policies internal preparedness, includinggovernance arrangements GDPR review the Group’s own corporate governance landscape and kept under R of each Director and Committees. and that and effectiveness, performance etained focus on those areas areas those on focus etained ndertook an internalndertook evaluation of its 100% 100% 100% 100% 100% Committee Disclosure

100% 100%

Additional Information Financial Statements Corporate Governance Strategic Report Introduction 59 60 Cybersecurity evolved

CORPORATE GOVERNANCE STATEMENT CONTINUED

Board evaluation

In accordance with current best practice and the Code, the Board undertakes an annual formal evaluation of its performance and effectiveness and that of each Director and its Committees. It is the Board’s policy to invite external evaluation every three years. The last external evaluation took place in FY17, and the Board will conduct its next external evaluation during FY20. As part of the FY19 Board Evaluation Paul Walker and the NEDs considered, without the Chairman present, the Chairman’s performance.

The Board questionnaire focused on the four principal matters Evaluation process during FY19 raised during the previous evaluation, as well as considering various aspects of risk. 1 Group strategy (utilising the 2019 Strategy Day as the The Chairman with the support of the measure) Company Secretary discussed and agreed the scope of the evaluation. • The appropriateness of the agenda, the quality of the A questionnaire was developed for the Board and for each of its Committees. pre-meeting papers and how these might be improved. • The allocation of time. • How well were the long-term strategic issues drawn out. 2 • How well was the competitor landscape covered and understood by the Board. The relevant questionnaires were issued to each of the Directors for consideration • The clarity and articulation of the conclusions reached. and comment, and appropriate time provided for completion. Succession • The appropriateness of the current Board composition. • The key changes that might be made to the profile of the 3 Board over the next three years to match the Company’s strategic goals.

The Company Secretary compiled the individual Director responses and, Directors’ development following analysis of the comments, • The approach to Board development/training, with a mix of provided a report to the Chairman for consideration. A paper setting out the the use of external resources and its internal focus on findings, along with proposed actions, was discussed by the Board. targeted topics at Board and Committee meetings.

Stakeholder engagement 4 • The Board’s understanding of the views and requirements of various stakeholders (shareholders, customers and channel Following discussion, the Board agreed partners). objectives for its own performance and that of its Committees for the next 12 • The Board’s understanding of the view and requirements of months. The Chairman and Company Secretary agreed to monitor and employees across the organisation. facilitate the implementation of any actions as required and provided • The culture and behaviours across the Group. progress updates to the Directors. 2019 Annual Report and Accounts and Report Annual 2019 Recommendations for FY20 following theFY19evaluation are setoutbelow: scored. positively factors both were provided information the of quality the and time of use effective the specifically, Committees the For operate. they how and Committees its and Board the of effectiveness the improve further to FY20 during addressed be to matters the of basis the form will which and below summarised been have which Committees Development (Directors) had Some and themes recurring Engagement. emerged and the Board across Stakeholder its Management); and (Board Succession Day; Strategy Annual namely evaluation, Board year’s last during identified areas development the of each in noted progress with positive very was Committees its and Board the of evaluation the Overall evaluation FY18 the following FY19 in taken Actions requiring more focused training. focused more requiring topic asa evaluation the during identified specifically was management Risk FY21. of ahead amended necessary, thought where and, sought be will feedback monitored, be will programme new this FY20, into forward Going Group. the to relevant landscape competitive and technical the as well as governance and regulations sentiment, From during feedback received the evaluation, the new programme covers FY20. the appropriate topics on of shareholder remainder the through meetings Committee and Board for topics and opportunities development external and internal of amix comprises FY19, in established programme, development Board’s development: The Board organisation. the throughout behaviours and culture monitor effectively more Board the help also will This surveys. employee from feedback including engagement, for opportunities existing those of use make also will it mechanisms, Whilst developing new the wider workforce. these with Director can interact more effectively Non-Executive designated its which through mechanisms place in put will Board the workforce, wider the with effectively more the new and Code Governance UK the requirement With Corporate for the widerteam, Boards to workforce. engage in to the management respect layers particularly below could be the senior strengthened, managementconstituencies Developing was stakeholder There engagement: a general view that the Board’s of understanding various year. coming the over Committee the by addressed be will and prepared being is plan succession managed and Astructured Code. Governance Corporate UK new the and rotation Board normal to due forwards going exist to likely are or exist currently believe Directors the gaps any highlighting prepared being is matrix askills 2018, December in Munford Steve of retirement the to owing and received, feedback From Committee. Nomination the for consideration of area akey remains This succession: Board into theincorporated Board’s agenda. be would checkpoints strategy basis, quarterly on a and future, In plan. long-term the over outcomes financial of terms in manifest might options these how and required investments the face, they believe management which options the and model financial the on visibility more providing to given be would consideration FY20, in programme into andDirectors incorporated the planning to for the enhance December. the opportunities several identified Amongst from received feedback the of taken be will Account 2019. December in place taking be will Day Strategy next The improved. be might these how on made were recommendations although received, well were papers pre-circulated the and day the of structure The strategies. go-to-market and product landscape, industry wider the included Day Strategy 2018 November the at Topics operates. it which within context the and organisation the of strategy long-term the on speakers invite and team management wider the with programme astructured in part take Directors when Day Strategy Annual adedicated is onwards 2018 November from calendar year’s each into agenda:Board Built

Additional Information Financial Statements Corporate Governance Strategic Report Introduction 61 62 Cybersecurity evolved

CORPORATE GOVERNANCE STATEMENT CONTINUED

Our approach to governance Board provides leadership and sets the Company’s strategic long-term objectives. The Company is committed to maintaining a high standard of corporate governance. This report, which is available on the The Board held six scheduled Board meetings during the year Company’s website, including the Audit and Risk Committee and holds additional meetings, as required. In addition, a report, Directors’ Remuneration report, the Nomination meeting is held each year at which strategic issues are Committee report and the Disclosure Committee report, considered in depth, with members of the SMT invited to explains how the Company has applied the main principles attend. All Directors are expected to attend all Board and and provisions of the Code: leadership; effectiveness; relevant Committee meetings in addition to general meetings accountability; remuneration; and, relations with shareholders. of the Company, including the Annual General Meeting (“AGM”). Details of Board and Committee attendance for The Company’s business model is explained in the strategic the year are set out on page 59. report. It is the Board’s view that it has been fully compliant with the principles, and applied the provisions of the Code The Board has a number of Committees that support the throughout the financial year. effective discharge of its duties. The various committee reports can be found on pages 68 to 101 of this report. Details of Directors’ independence are set out on pages 63 and 64. A.2 Division of responsibilities The division of responsibilities between the Chairman and A: Leadership CEO, and the role of the Senior Independent Director (“SID”), A.1 The role of the Board are clearly defined and are available on the Company’s The Board is collectively responsible to Sophos shareholders website at: investors.sophos.com. for promoting the long-term success of the Company and the The Board supports the separation of these roles and the operation of effective governance arrangements. The steps partnership between Peter Gyenes and Kris Hagerman is the Board takes to facilitate this are set out on page 67. The constructive and based on mutual trust.

Board matters A formal schedule of matters reserved for the Board is published on the Company’s website. Each year, the Board also undertakes a review of its schedule of matters reserved. This review took place in May 2019, with only minor updates.

The Board

Overall management of the Group, its Determining the Remuneration Policy Ensuring that necessary resources strategy and long-term objectives for the Directors and the SMT and the appropriate risk management controls, processes and culture are in place to deliver its strategy and long-term objectives

Approval of the Group’s annual and Succession to the Approval of all material policies half-year results, dividend policy and Board and SMT including Diversity, Anti-Bribery and shareholder distributions Corruption, Modern Slavery, Share Dealing and Whistle Blowing

Corporate governance arrangements Approval of all material corporate and Board evaluation transactions Board independence Board least once ayear. once least at NED each with individually and meeting, Board physical each after present (“EDs”) Directors Executive the without NEDs the with meets Chairman The defensible. and robust are management risk of systems and controls financial that and information financial of integrity the on themselves should They and satisfy monitorobjectives, reporting. and goals agreed meeting in management of performance the scrutinise strategy, on proposals develop help to NEDsThe and are encouraged to challenge constructively of Director (“NED”).commitment a Non-Executive time expected the to addition in is This years. exceptional in more significantly commit will and role the to year per days six commit to expected is SID The support. providing and board asounding as acting Chairman, the with closely working and CFO or CEO Chairman, the to contact alternative an as responsibilities of the SID include shareholders meeting with The year. the of duration the for SID was Walker Paul A.4 items. all of discussion the for available is time sufficient ensures and year the for agenda Board’s the sets Chairman, the with Secretary, Company The decision-making. to effective each Director contributes ensuring for and strategy overseeing for operation, effective its for responsible is and Board the leads Chairman The A.3 authority. unfettered has individual one no that ensure to helps and Board the by management executive the of enhances independent oversight of separation The authority Accounts and Report Annual 2019 Executive Non-Executive

N T he Chairman he on-Executive Directors

2 7 5% 5% Gender breakdown Gender Female Male

2 7 5% 5% independent NEDs. comprises Chairman the excluding Board, the of half least at as Code, the of B.1.2 with compliant is composition Board The EDs. two and Board the on Chairman, Non-Executive the including NEDs, six are there publication, of date the At Nomination Committee report. Nomination Committee the of 69 and 68 pages on outlined are details Further Sophos. for appropriate and right is brings, NED each that knowledge weighed against judgement the strong and considerable is Board The thatthe confidentbalance of independence Exchange. Stock London the on listed being and business, aglobal of leadership operates, Group the which in industry technology the history, combines of detailed knowledge the Group’s and operations that amembership requires it successfully Company the lead to ability its to crucial that believes Board The experience. and skills of range awide have members current its that view Board’s the is It business. the of requirements the meet to ability and size overall its carefully weighed and gender, including diversity, their and members Committee and Board balance of independence skills, and experience, of knowledge overall the review under kept Board the year, the During Independence composition oard B.1 B: Effectiveness unresolved concern must be recorded in the Board minutes. Board the in recorded be must concern unresolved such any that policy Company is It action. proposed any about of the operations the Company, governance or its During the year, had the Directors no concerns unresolved

B Length of service of Length 6+ years 6+ years 3-6 years 0-3

6 1 2 2.5% 5% 2.5%

Additional Information Financial Statements Corporate Governance Strategic Report Introduction 63 64 Cybersecurity evolved

CORPORATE GOVERNANCE STATEMENT CONTINUED

In accordance with the Code, the Board undertakes an annual The Board deals with each notified conflict of interest, review of the independence of its NEDs taking into account or potential conflict of interest, on its individual merit and each individual’s professional characteristics, behaviour and takes into consideration all the circumstances. The following their contribution to unbiased and independent debate. The conflicts of interest have been authorised by the Board for Board considers that the NEDs, led by the SID, Paul Walker, the relevant period. have the skills, experience, and knowledge of the Group, and the markets in which we operate, to enable them to discharge • Roy Mackenzie is a partner at Apax Partners, LP. Apax their respective duties and responsibilities effectively. Each Partners, LP is a wholly owned subsidiary of Apax Partners, NED is prepared to question and to challenge management. LLP. Both Apax Partners, LP and Apax Partners, LLP are advisors of the Apax Funds, which wholly own Pentagon The Board considers four of its NEDs to be independent for Lock Sarl, Pentagon Lock 6-A Sarl, Pentagon Lock 7-A Sarl the purposes of the Code; Roy Mackenzie is not considered and Pentagon Lock US Sarl, and shares a common owner independent. with Apax Global Alpha Limited (collectively “Apax”). It is noted, that: The Board recognised that Sandra Bergeron’s overall length of service was more than eight years after the 2018 AGM – following the admission of the Company’s shares to the which may lead some investors to question her London Stock Exchange in 2015, Apax controlled 35.2 independence. The Board has re-considered this issue and per cent of the voting rights in the Company and at 31 agrees that Sandra continues to maintain and contribute an March 2019, controlled 10.77 per cent of the voting independent view in all Board deliberations and brings rights in the Company; and, invaluable security, operations and board advisory expertise – Apax is a shareholder of Global Logic, with whom the spanning more than 20 years. Company maintains an ongoing supplier relationship.

Comments have been made regarding Paul Walker’s past • Sandra Bergeron sits on the boards of F5 Networks and participation in a restricted share arrangement, as noted in Qualys, Inc., suppliers of application delivery networking the Annual Report on Remuneration, which may have led and cloud security and compliance management some investors to question his independence. The Board are solutions, respectively. agreed that since his appointment as SID, Paul, whose • Vin Murria is a Non-Executive Director of Softcat plc, technology and senior leadership experience spans more with whom the Company maintains an ongoing than 30 years, has been independent in character and customer relationship. judgement and he remains an active and committed Board member and Chairman of the Remuneration Committee. B.2 Appointments to the Board There were no appointments to the Board during the year. The Board consider that Peter Gyenes was independent upon The succession and appointment process is led by the appointment and continues to maintain and contribute an Nomination Committee with strong oversight from the Board. independent view. Peter brings valued leadership to the Further details concerning the succession and appointment Board and unwavering commitment to supporting the process, and the Company’s policy on diversity are set out in Company to achieve its long term strategic objectives. the Nomination Committee report on page 70.

Conflicts of interest All NEDs serve on the basis of letters of appointment which are available for inspection upon request, as well as being The Company has established procedures whereby actual available to view at the Company’s Registered Office and at and potential conflicts of interest arising from current and the AGM. The letters of appointment set out the expected proposed roles to be undertaken by Directors of the Board time commitment of NEDs who, on appointment, undertake with other organisations are regularly reviewed in respect of that they will have sufficient time to meet what is expected of both the nature of those roles, their time commitment, and them. NEDs are appointed for an initial three-year term and for proper authorisation to be sought prior to the appointment the continuation of their appointment is conditional on of any new Director. The Board consider these procedures to satisfactory performance and subject to annual re-election be working effectively. Directors are required to notify the at the Company’s annual general meetings. EDs serve on the Company when they become aware of any actual or potential basis of service agreements which are also available for conflict of interest. inspection upon request.

Further details on the EDs’ service agreements are included in the Directors’ Remuneration Policy, on page 88. between meetings. between communications of means by and meetings Board at Directors to published are matters technical and regulatory ensures that updates governance, on topical corporate Secretary Company the Accordingly, regularly. updated and refreshed are knowledge and skills Directors’ the ensure to important is it changes, environment business the As Group. the facing issues regulatory and legal business, key as well as products, Company’s the on briefings and advisors, Company’s the and individuals key with meetings materials, Board past and pack induction an of provision the includes currently and evolve to continues process governancebusiness, and induction The key stakeholders. Group’s the of understanding an provide to designed Board, the joining on Directors all to provided is programme ongoing development of all induction An Directors. the and Directors, new of induction the for responsible is Secretary, Company the of support the with Chairman, The B.4 Group. the for duties their fulfil to ability executive’s the prejudice not do appointments such that provided Chairman, the of approval prior the with appointments external accept may EDs Company. the of Directors as commitments time and duties their with conflict not do these that satisfied is and NEDs other and SID Chairman, its of commitments external the considered Board the year, the During B.3 skills and experience Board Accounts and Report Annual 2019 Bergeron Sandra Bray Nick Hagerman Kris Gyenes Peter NAME Paul Walker Paul Murria Vin Rick Medlock Mackenzie Roy

D Commitment evelopment SECTOR/CONTENT ANALOGOUS PLC/NED US EXECUTIVE EXECUTIVE SITTING SITTING B.5 as Directors of a UK listed company. company. listed aUK of Directors as Company and helpful guidance for documents their reference the about information including published, are materials Board which to portal online an to access have Directors All or advisable. necessary of where considered their duties, in the furtherance independent at professional advice the Company’s expense obtain may Directors effectively. duties its discharge to Board the enable to quality sufficient of are and Directors, to manner secure and atimely in delivered accurate, clear, are papers Board that ensure to together work Secretary Company the and CEO The Board. the to relating matters and proceedings the of administration proper the ensures and powers and responsibilities duties, their regarding Directors individual and Board the to advice and guidance provides Secretary Company The standards. governance other and Code the and Rules Listing the including regulation, and legislation relevant procedures, Board and policies Company’s the with compliance including matters, relevant on Committees Board the and Board the advises who Secretary, Company the to access full have Directors The andproducts operations. Group’s the with familiarity their support to Conferences Partner annual the attend to invited are Directors the year Each focus. for areas identified the address to tailored be to continues approach Board’s the process, this Through needs. development and training their ascertain to Directors with closely works Chairman) the with consultation (in Secretary continues to develop andopportunities the Company Board’sThe approach to training and development

I nformation andnformation support FINANCE/CAPITAL MARKETS OPERATIONAL OPERATIONAL EXPERIENCE CUSTOMER/ MARKETING

Additional Information Financial Statements Corporate Governance Strategic Report Introduction 65 66 Cybersecurity evolved

CORPORATE GOVERNANCE STATEMENT CONTINUED

B.6 Evaluation C.3 Audit Committee and Auditor Full details of the evaluation process, together with The Audit and Risk Committee Report on pages 71 to 76 sets recommendations for FY20, can be found on pages 60 and 61. out the details of the composition of the Committee, including the expertise of its members, and outlines how the Committee B.7 Election and re-election has discharged its responsibilities in FY19. In accordance with the Company’s Articles of Association (“Articles”) and the Code, each Director is subject to election The Board has delegated a number of responsibilities to the at the first AGM following their appointment, and re-election Audit and Risk Committee, including: oversight of the Group’s at each subsequent AGM. The Directors unanimously financial reporting processes; management of the external recommend the re-election of all other members of the Board. auditor; and, management of the internal risk management Full biographical details for all Directors can be found on pages processes. KPMG LLP have expressed their willingness to 54 and 55 and also summarised in the Notice of AGM. continue as the Company’s auditor. Resolutions proposing their reappointment and to authorise the Committee to C: Accountability determine their remuneration will be proposed at the 2019 AGM. C.1 Financial and business reporting A Statement of the Directors’ Responsibilities regarding the D: Remuneration Financial Statements, including the status of the Group as a D.1 Level and components of remuneration going concern, is set out on pages 106 and 107, with an explanation of the Group’s strategy and business model, The Annual Report on Remuneration on pages 91 to 101 together with relevant risks and performance metrics, which outlines the activities of the Committee during FY19. are set out in the strategic report on pages 16 to 40. The Directors’ Remuneration Policy, including relevant remuneration components and how they support the A further statement is set out on page 107, confirming that achievement of the strategic long-term objectives of the the Board considers that the Annual Report and Accounts, Company are set out on pages 82 to 90. The Annual Report on taken as a whole, is fair, balanced and understandable and Remuneration sets out the implementation of remuneration provides the information necessary for shareholders to during FY19, including salary, bonus and share awards, and assess the Company’s position, performance, business any payments for loss of office paid to Directors. model and strategy. This year a new Remuneration Policy will be submitted for C.2 Risk management and internal controls consideration by shareholders at the 2019 AGM. Details of the The Board has carried out a robust assessment of the new Remuneration Policy and the process followed in principal risks facing the Company, including those that consulting with major shareholders is outlined in the Annual would threaten its business model, future performance, Statement of the Remuneration Committee Chairman on page solvency or liquidity. Further details concerning how they are 78 and Directors’ Remuneration Policy on pages 82 to 90. being managed or mitigated can be found on pages 36 to 39. D.2 Procedure The Audit and Risk Committee report explains the process The Board has delegated a number of responsibilities to the carried out for the ongoing assessment of the effectiveness Remuneration Committee, including the setting of the Group’s of the Company’s risk management and internal control overall Remuneration Policy and strategy, as well as the systems on pages 71 to 76. remuneration arrangements for the EDs and SMT and their direct reports. During FY19, no individual was present when The Board’s assessment of the prospects of the Company, their own remuneration was being discussed. its expectation that the Company will be able to continue in operation and meet its liabilities as they fall due, and the viability statement, is set out on page 106. • • follows: as are these and 2019, 1 January after or on beginning periods accounting to apply which areThere also additional requirements in the new Code, 90. to 82 pages on Policy Remuneration Directors’ and 78 page on Chairman Committee Remuneration the of Statement Annual the in found be can Policy Remuneration new the of details the as well as process this of Details Policy. Remuneration Group’s the of renewal the to regards with shareholders major with consulting been have Directors the Regulations reporting by required As regular contact. in are they whom with brokers corporate the from inputs including CFO, the and CEO the from reports periodic through shareholders the of views the of informed kept are NEDs throughoccasions, and meetings, presentations roadshows. of anumber on shareholders with engage actively to sought have Board the of members FY19, Throughout Group. the of success continued the to integral is shareholders its ialogue with Shareholders with engagement meaningful that recognises Board The E.1 Shareholders E: Relations with Accounts and Report Annual 2019

with its workforce will be reported in 2020. in reported be will workforce its with engage to use Company the methods the on information year. coming the for this remedy to intended Board the how on explanation an with noted this in along announcement, the subsequent results cent vote against the remuneration policy and Sophos per a20 had Sophos AGM 2018 the –at results announcing when actions resulting any and background provide at resolution recommended an AGM, a company should W S

takeholder and workforce engagementtakeholder and – additional workforce hen 20 per cent or more of votes cast against a board aboard against cast votes of more or cent per 20 hen D 15 May 2019 May 15 Company Secretary Eleanor Lacey Board the of order By shareholders. Company with communicates the which through forums key of anumber of one is AGM The issue. substantive each of respect in proposed are resolutions on notes Separate allexplanatory resolutions. proposed and meeting the of business the out sets AGM of Notice The investors.sophos.com. at: website our on found be also can and documentation copy hard receive to requested have who shareholders all to sent is AGM of Notice The proxy. by or person in vote, and attend to All shareholdershave the opportunity office. registered Company’s the at 2019 September 25 on held be will AGM The Meeting General Annual

Additional Information Financial Statements Corporate Governance Strategic Report Introduction 67 68 Cybersecurity evolved

NOMINATION COMMITTEE REPORT

Dear Shareholder,

The Committee met three times during the year and ensures that Board and Committee composition is appropriate for a company of Sophos’ scale and ambition. The key aspects of the Committee’s role, together with the main areas of consideration and the activities undertaken during the year are set out in this report.

Committee composition and meeting attendance

The composition of the Committee complies with the UK Corporate Governance Code (“the Code”), which provides that a majority of its members should be independent Non- Executive Directors (“NED”).

The Committee is chaired by the Chairman of the Board. The CHAIRMAN Company Secretary is secretary to the Committee and attends all meetings. Other attendees at Committee meetings may Peter Gyenes differ from time to time and, upon invitation from the Committee, include the Chief Executive Officer (“CEO”), Chief MEETINGS HELD Legal Officer (“CLO”), and other members of the Senior Management Team (“SMT”).

3 The Chairman of the Committee provides updates to the Board on the proceedings of each meeting. The Board also receives copies of the minutes of each meeting. COMMITTEE MEMBERS

Sandra Bergeron Role and responsibilities Roy Mackenzie The Committee is responsible for regularly evaluating the Rick Medlock balance of skills, knowledge, experience and diversity of the Vin Murria Board and its Committees, as well as the size, structure and Paul Walker composition of each. It is also responsible for periodically reviewing the Board, Committees and senior management All appointments as at 31 March 2019 structure, succession plans, and identifying, with management, the priorities for succession planning in respect of each position. On an annual basis, the Attendance of members at the meetings of the Committee are noted on page 59 Committee considers the re-election of Directors prior to their recommended approval by shareholders. The full terms of reference of the Committee can be found on the Company’s website at www.sophos.com.

Board composition and independence

Excluding the Chairman, the Board is comprised of 57 per cent independent NEDs (FY18: 50 per cent).

The Board believes that crucial to its ability to lead the Company successfully it requires experience relevant to operations of the scale and ambitions of Sophos. In addition, it requires detailed knowledge of the technology industry in which the Group operates, and the corporate governance and regulatory environment associated with publicly listed companies, particularly in the UK. • Executive Director • Non-Executive Director below: out set is appointments Board to relation in process current Company’s The year. the during appointments no were There appropriate. as Board, the to recommendations makes and process appointment Board the leads Committee The appointments Board and its Committees. Board the to value bring would that capabilities personal and technical as well as candidates, new selecting when into consideration this to take continue will Committee The constituted. appropriately remain Committees its and Board to ensuring is the committed independence, the Committee directors’ to relating Code new the of provisions the of cognisant and Code, current the of spirit the in and of consideration The independence is an ongoing process Accounts and Report Annual 2019 external successor wouldas be successor identified, andwhen external an successor, internal asuitable identify to possible not was it where and role, such any assume to readiness relative by were their as categorised appropriate. Internal successors role, each on take to suited be would who internally identified been had who individuals those and roles SMT to succession of areview conducted Committee the year, the During Succession • • • •

Committee makes its recommendation to the Board. the to recommendation its makes Committee A T T makes its recommendation to the Board. the to recommendation its makes Committee the and CEO, the and Board the of Chairman T members. Committee the of all or some selected candidates. Successful candidates go on to meet T Committee. the to candidates of ashort-list submit consultants, search T each member. Board selected candidates. Successful candidates go on to meet meet each (“CFO”) Officer Financial Chief and CEO (“SID”), candidates. additional of inclusion and review for CEO and Committee the to candidates of a short-list he Committee’s assessment is reviewed with the the with reviewed is assessment Committee’s he the meet each CFO and CEO SID, Chairman, Committee he or, engaged, if CEO the and Chairman Committee he Chairman, Senior Independenthe Director Committee submit consultants search and Chairman Committee he fter all Board members have met the candidates, the the candidates, the met have members Board all fter

and would continue to do so during FY20. FY20. during so do to continue would and year the during roles Board to succession on brief watching a kept has Committee The role. such any assume to readiness relative successor’s internal any address to plans development appropriate. Management would look at the implementation of items that the Committee considers at each meeting. meeting. each at considers Committee the that items standing with reference of terms its from developed agenda forward annual an has Committee The Main activities FY19 focus areas FY19 Committee self-assessment Monitor actions pursuant to recommendations through Board and AGM 2019 Company’s Review and recommend the election and of re-election Directors at the their to time to commitments the Company and potential of conflicts relate interest they as Board, the of commitments external Monitor toobjectives deliver against commitments its Review the Policy Company’s Diversity and consider the Company’s NED new any in value would the Board which capabilities personal and technical of anumber Identify appointments Consider plans succession for and Board, SMT Committee evaluation Board FY19 Consider the implications for Board of composition the of results the Committees its and Board the of composition the Review

Additional Information Financial Statements Corporate Governance Strategic Report Introduction 69 70 Cybersecurity evolved

NOMINATION COMMITTEE REPORT CONTINUED

Diversity In addition to taking into account gender, ethnicity and other forms of diversity, the Committee seeks to achieve the At 31 March 2019, the proportion of women on the Board was optimal balance of skills, experience, independence and 25 per cent (FY18: 22 per cent). Sophos will make its fourth knowledge of Sophos and the industry as a whole amongst data submission to the Hampton-Alexander Review in July the Board and SMT, and their direct reports in order to support 2019. The Company’s Diversity Policy is published on its the Company’s long-term strategic objectives. website at: investors.sophos.com and will be reviewed in 2019 to determine whether any adjustments are required. The Committee will continue to keep these measurable It has been noted that some FTSE listed companies have objectives under review and will make recommendations to developed their diversity policies beyond gender alone and the Board for their revision, as appropriate. The Committee now address diversity in a broader context, which is more is pleased with the Group’s performance against these in keeping with the Company’s own philosophy. objectives to date but acknowledges that this is a process which continues. The Company recognises the benefits of diversity in its broadest sense, including gender and ethnicity, and will Performance evaluation continue to ensure that all forms of diversity are actively considered when contemplating future appointments to the The Committee’s performance was assessed as part of the Board, and recruitment and promotion to the SMT, and their Board’s annual effectiveness review. It was concluded that direct reports. As set out in the Company’s Diversity Policy, the Committee operated effectively in FY19. In response to the Board is mindful of the recommendations of the findings of the review, Committee members will continue to Hampton-Alexander Review and also the reviews conducted focus on succession planning, particularly in light of the new by Parker on ethnic diversity of UK boards and by McGregor Code and Sandra Bergeron and Roy Mackenzie are coming to Smith on race in the workplace. the end of their third three-year term in 2019.

Details of a number of diversity initiatives put in place across Through a combination of internal and external education, the Group are set out in the Corporate Responsibility report involving periodic interaction with third party advisors, NEDs on page 46, together with details of diversity within our have access to a significant culture of training and workforce, including at Board and senior management level. development.

The Committee also undertakes a review of its terms of reference and composition each year. This review took place in May 2019, with only minor updates.

Board diversity objectives Peter Gyenes The Board’s objectives for achieving diversity on the Chairman of the Nominations Committee Board are set out below: 15 May 2019

• All Board appointments will be made on merit, in the context of the skills, knowledge and experience that are needed for the Board to be effective. • Ensure lists of potential NEDs include diverse candidates of appropriate merit. • Encourage the emergence of female candidates and candidates of diverse backgrounds among the senior management talent pool. • Only engage executive search firms who have signed up to the voluntary Code of Conduct on gender diversity and best practice. AUDIT AND RISK COMMITTEE REPORT COMMITTEE RISK AUDIT AND 2019 Annual Report and Accounts and Report Annual 2019 are noted on page 59 page on noted are Committee the of meetings the at members of Attendance All appointments as at 31 March 2019 March 31 at as appointments All P V Sandra Bergeron COMMITTEE MEMBERS 5 MEETINGS HELD Medlock Rick CHAIRMAN in Murria Murria in aul Walker

Board also receives copies of the minutes of each meeting. each of minutes the of copies receives also Board The meeting. each at covered matters key the on Board the to updates provides Committee the of Chairman The required. as attending LLP) &Young (Ernst auditor internal the with meetings, Committee all attend LLP) (KPMG auditor external Senior Management Team from the (“SMT”). Representatives the of members other and Risk and Audit Internal President Vice Finance, of President Vice (“CLO”), Officer Legal Chief (“CFO”), Officer Financial Chief the (“CEO”), Officer Executive Chief the Chairman, the include Committee, the from invitation upon and, time to time from differ may meetings Committee at attendees Other meetings. all attends and Committee the to secretary is Secretary Company The 55. and 54 pages on out set are details biographical Full effectively. duties its exercise to Committee the enable to sufficient operate, we which in industry technology the of experience extensive have Committee the of members all that satisfied also is Board The Accountant. Chartered aqualified is and companies, listed UK and large at positions financial senior in employment previous his through experience financial relevant and recent has Chairman, Committee the Medlock, Rick Committees, Audit on Guidance FRC’s the and Code the of requirements the with line In (“NED”). Directors Non-Executive which provides that all members should be independent (Code), Code Governance Corporate UK the of Principles the with compliant is Committee the of composition The year. the during considered has it issues significant the and undertaken has it activities main the with together role, Committee’s the of aspects key the of details are report this in out Set year. the during times five met Committee The Shareholder,Dear website at: investors.sophos.com. at: website Company’s the on found be can Committee the of reference of terms full The requirements. regulatory and professional legal, relevant account into taking process, audit the of and the effectiveness auditor’s independence, objectivity and monitors reviews the external the Committee addition, In appointment. their on Board the to recommendations makes and auditor external its and Group the between processes. The Committee also oversees the relationship the Company’s and financial controlinternal reporting of effectiveness and integrity the challenging and monitoring reviewing, in play to role afundamental has Committee The andRole responsibilities

Additional Information Financial Statements Corporate Governance Strategic Report Introduction 71 72 Cybersecurity evolved

AUDIT AND RISK COMMITTEE REPORT CONTINUED

Main activities

The Committee has an annual forward agenda, developed from its terms of reference, with standing items that the Committee considers at each meeting, in addition to any specific matters arising, and topical business or financial items on which the Committee has chosen to focus. The Chairman and the Company Secretary have worked together to review and, where appropriate, refresh the annual forward agenda to bring in to greater focus areas of importance for the Committee, and the Company.

FY19 focus areas

Accounting, tax and Risk management and External Auditor financial reporting internal controls

The Committee has: The Committee has: The Committee has:

• reviewed and approved the • reviewed and approved the • supported the lead audit partner quarterly trading updates, internal audit plan for the year as in carrying out his duties at the half-year and annual Financial well as longer-term objectives Company; Statements, significant financial and reports and updates of the reporting judgements and work performed by the in-house • met with the external auditor, disclosures, and investor internal audit team and Ernst & KPMG, to review the annual audit plan and receive their findings presentations; Young LLP (“EY”), as the and reports on the annual audit outsourced internal audit • reviewed and approved the going and interim review; and, providers appointed by the concern and viability Committee in 2015; assessments, and the annual • reviewed and approved the external auditor evaluation paper external statement thereon; • reviewed and approved the risk prepared by management assessment process and, in • reviewed updates on accounting covering the external auditor’s particular the identification and matters, including consideration independence and objectivity, assessment of the Company’s of relevant accounting standards and evaluation of the principal risks and the attendant and underlying assumptions, and effectiveness of the audit disclosures; the impact of changing process, together with the accounting standards; and, • received and noted regular attendant recommendation for updates from the Risk and reappointment. • reviewed and approved the Compliance Committee (“RCC”), a interim and full-year dividend management Committee that proposals and declared them to has a direct reporting line to the be in line with the Company’s Committee, to provide an dividend policy. additional level of assurance to the Committee; and,

• received and noted regular updates from the CLO concerning pending or ongoing litigation, and statutory or regulatory risks, including General Data Protection Regulation and consideration of any new regulations relevant to the Group. discloses certain items separately within the consolidated T Revenue recognition below: out set are Group the to significant be to deemed are that Committee the by considered issues The issues Significant updates. minor only with 2019, May in reference and each year. composition This review took place of terms its of areview undertakes also Committee The evolves. and grows Company the as control internal and management risk for systems Company’s the challenge and review and profile risk Group’s continue management to work with closely to consider the will members Committee The quality. agood of was provided information and effectively, used was time its that noted FY19, in effectively operated Committee the that concluded was It review. effectiveness annual Board’s the of part as assessed was performance Committee’s Risk and Audit The evaluation Performance Accounts and Report Annual 2019 T and requirements Reporting presentation revenue for recognition the Group is appropriate. auditor, hasthe external concluded that the Committee Having provided challenge appropriate to management and for. accounted appropriately be to revenue found and year the across recognition revenue of testing detailed performing as well as processes, and policy recognition revenue the reviewed have they that Committee the to reported have auditor external Group’s The the Group. for 15 IFRS of application time first the to given been has Inrecognised. the current year, additional consideration revenue the on acommentary and standards updated from accounting paper on revenue any recognition, changes arising an Committee the to provide management year-end, and half-year At sold. services or goods the of nature individual andarrangements timing of dependent recognition upon the element multiple of components to value fair applying for rules includes policy The Group. the by sold services and products the to standards relevant of application the details that place in policy recognition arevenue has Group The correct. not is product the of criteria recognition the if or service or aproduct to apportioned incorrectly is revenue if recognised inappropriately is revenue that arisk is There services. professional or support enhanced of rendering the and hardware subscriptions, he Group makes use of certain non-GAAP measures and and measures non-GAAP certain of use makes Group he he Group revenue generates from salesof through products

Internal controls and risk management management risk and controls Internal reported to both the Committee and the Board. the and Committee the both to reported regularly are findings Their work. their of course the in assess they which system control internal the of areas those supplementary, independent on and autonomous perspective a provide auditor external The controls. internal of the Group’sthe adequacy and of systems effectiveness of review and oversight the for responsibility ultimate have who Committee the to assurance additional provides This mitigations. control and evaluate risks and strategic operational capture to designed been has framework risk The RCC. the by reviewed is function Management Risk and Audit Internal the within performed Group the by faced risks significant managing and evaluating identifying, for process formal The Group. the in risk eliminate than rather are systems designed that these to manageacknowledges further Board The objectives. strategic its of achievement the to fundamental and risks managing to critical are systems thatTherigorousBoard recognises control internalidentified. are uncertainties and risks which through process the of drivers key as recognised are leaders functional individual the of each control, internal and management risk of systems Group’s the for responsible ultimately is Board the Whilst havesystems been maintained the year. throughout concluded that sound risk management and internal control has Committee EY. by The supported is which function, Management Risk and Audit Internal Group’s the by provided assurance of level the with satisfied also was It identified. risks the of relevance the with and process management risk the with satisfied was Committee The Group. the across identified risks principal the and management risk regarding reports reviewed and received has Committee the year, the During and presentation madeand in presentation the Annual Report. content the with comfortable is it that ensure to as so auditor, external the with them discussed has and Report Annual this in made disclosures the reviewed also has Committee The prospects. its and performance financial appropriate and enhances of the understanding the Group’s is measures such of use the that satisfied is Committee The through management discussions advisors. with and external as well as regulations and guidance authoritative to reference with year the during Committee the by reviewed been have as items income exceptional statement bycertain the Group of classification the and measures non-GAAP of use The nature. in judgemental is disclosures and measures these of use The Group. the of performance the of opinion of enables an the Directors, enhanced understanding the in which, items exceptional as loss or profit of statement

Additional Information Financial Statements Corporate Governance Strategic Report Introduction 73 74 Cybersecurity evolved

AUDIT AND RISK COMMITTEE REPORT CONTINUED

the Group. Each of the risks are prioritised according to Key elements of the internal controls environment are: likelihood of occurrence and potential impact to the Group and the register ensures that all risks are identified, measured, • annual budgets and strategic plans performed for all mitigated, and managed by the appropriate owner in line with business units and the Group as a whole; the risk appetite of the Group. • monitoring of performance against budget and subsequent forecast with reporting to the Board The Directors, through the use of appropriate procedures, on a regular basis; systems and the employment of competent personnel, have ensured that measures are in place to maintain compliance • monthly review of detailed key performance indicators; with the Company’s obligation to keep adequate accounting • all contracts are reviewed at a level of detail appropriate records. The accounting records are kept at the registered to the size and complexity of the contract; office of each legal entity. • timely reconciliations are performed for all significant balance sheet accounts; How we manage risk • clearly defined organisational structure and The Sophos Board is ultimately responsible for ensuring authorisation lines; effective identification, assessment and management of risk across the Group. Central to the risk management process is • the RCC that oversees the risk management the Group’s culture of openness, transparency and process; and accountability. • the Committee, which approves audit plans and assesses the overall appropriateness of the Group’s The Internal Audit and Risk Management function manage internal control environment. and drive the risk management framework and operate on an independent basis providing further assurance to the The preparation and issue of financial reports is managed by Committee and the Board. The risk management framework the Group’s finance department, as delegated by the Board. enables a robust assessment process to identify risks in line The Group’s financial reporting process is controlled using the with the overall achievement of the business strategy. This Group accounting policies and reporting systems. The Group function also ensures that all relevant and significant risks finance department supports all reporting entities with identified across the business are mapped to the Internal guidance on the preparation of financial information. Audit plan for the year. In addition, the Group’s annual planning and quarterly forecasting cycles include discussions Each legal entity has a Finance Director or Controller who has around business risks identified to ensure appropriate responsibility and accountability for providing information which investment by the Group. is in accordance with agreed policies. The financial information for each entity is subject to a review at reporting On a quarterly basis, the RCC reviews the status of risk entity and Group level by the CFO alongside the Vice President exposures and risk management throughout the business as of Finance. The Annual Report is reviewed by the Committee in managed by the Internal Audit and Risk Management function. advance of presentation to the Board for approval. Additionally, The RCC is a Committee of senior leaders authorised by the the Finance Director or Controller of the reporting entity Board to provide an additional level of assurance to the completes a self-certified quarterly questionnaire which is used Committee in overseeing risk management and internal to identify control strengths and weaknesses across all financial control activities. On behalf of the Board, the Committee areas with any weaknesses being subsequently addressed. reviews and challenges the effectiveness of the risk management process. The Group also maintains a consolidated Risk Register which sets out the nature and extent of the significant risks facing

Risk management process

Identify Analyse & Evaluate Develop & Implement Re-evaluate Risk Management Plan 2) 1) risks: identifying to approach atwo-pronged takes Group The Accounts and Report Annual 2019 any subsequent changes to the plan requiring further approval. approval. further requiring plan the to changes subsequent any with Committee, the by approved was approach, risk-based a using plan, Audit Internal the of scope and nature The Chairman. its and Committee the to line reporting adirect has In order to ensure independence, the Internal Audit function RCC. the from support with Audit Internal of co-ordination and Management Group’s The function. provides CFO oversight Risk and Audit Internal Sophos the support to continue EY Audit Internal raised. matters any of details receives Committee The ofconcern. matters employees to confidentiallyreport enabling Group the in place in is policy A whistleblowing Whistleblowing identified. risks principal the on focused is Board the that and appropriately managed and identified are risks relevant all that ensure to basis atimely on re-evaluated is risk each ensures management risk of reporting Regular RCC. the to feedback regular with owner risk assigned the by managed is this implemented; and developed is plan management risk a risks, of identification the Following evaluation. further for procedures escalation pre-defined with line in escalated are risk higher as rated be to deemed approach bottom-up the in identified risks Any accordingly. prioritised and matrix scoring pre-defined a against assessed are risks identified All basis. aquarterly on reviewed and maintained are registers and level function business the at owned fully are registers Risk meetings. team in discussions risk of inclusion and and horizonscanningidentification interviews, workshops, risk as such used, are approaches identification risk of A series

bottom-up approach. bottom-up the in identified risks the of several encompass may and Group the of plan business strategic the on impact aserious have could which risks principal the are these those risks rated as high. as rated risks those in process escalation appropriatelyplace defined for an with level operational the at managed are risks these A b A t op-down approach at the senior leadership team level; level; team leadership senior the at approach op-down ottom-up approach at the business function level; level; function business the at approach ottom-up

effectiveness of its systems of internal control. internal of systems its of effectiveness the improve to seeking continually is Group the Accordingly, regulations. or laws of breaches or fraud, losses, errors, material of risk no is there that or exist, not do irregularities and not absolute assurance that control weaknesses or reasonable provide ever only can control of system Any ofsystem internal controls in the Group. across operation of the risk management and considered the effectiveness and reviewed has Committee, the through Board, The Review of effectiveness effectiveness of Internal Audit during the financial year. financial the during Audit Internal of effectiveness the as well as activities auditor’s internal the of results and scope the reviewed and monitored Committee The audit. to subject be could that functions and processes of consideration with the Group’stogether key business assessments, risk formal of areview through developed be to continues plan Audit Internal The audits. the of results review to and plan audit internal the completing in progress ascertain to order in Auditor, Internal the from updates and reports audit received Committee the meeting, each At identified. the issues resolve to plans mitigation of appropriateness the with along improvement were considered in detail by the Committee graded as Anyfrom management. outcomes requiring responses alongside assessed were audits the of results The • • • • • are: systems control internal Group’s the of objectives main The

completeness and ofcompleteness accuracy records. the possible as far as ensuring so information, t t t t t o ensure the relevance, reliability and integrity of of integrity and reliability relevance, the o ensure and assets; o safeguard requirements; o ensure compliance statutory with o ensure adherence to management policies; met; are objectives and aims its o ensure

Additional Information Financial Statements Corporate Governance Strategic Report Introduction 75 76 Cybersecurity evolved

AUDIT AND RISK COMMITTEE REPORT CONTINUED

The Committee has concluded that the Group’s risk Review of effectiveness of External Auditor management and system of internal controls is deemed An important role of the Committee is to assess the effective. This is informed by a number of sources: effectiveness of the external audit process. In performing this • The audit work undertaken by the Internal Audit function. assessment, the Committee:

• Risk management procedures managed and reviewed by • reviewed the annual audit plan and considered the auditor’s the RCC. performance against that plan along with any variations to it; • Reports issued by the Group’s external auditor. • met with the audit engagement partner to review the audit findings and responses received to questions raised by the A detailed review of the Group’s management of each principle Committee; risk or uncertainty is explained on pages 36 to 39. • held regular meetings with the audit engagement partner, External Auditor including in the absence of executive management;

The Committee reviews and makes recommendations with • considered their length of tenure; regard to the appointment and reappointment of the external • reviewed the nature and magnitude of non-audit services auditor. In making these recommendations, consideration is provided; and, given to auditor effectiveness and independence, partner • reviewed the external auditor’s own independence rotation and any other factors that may impact the confirmation presented to the Committee. reappointment of the external auditor. Based on the assessment performed, the Committee has There are no contractual restrictions on the choice of external recommended to the Board that a resolution to reappoint auditor and the Committee considers on an annual basis the KPMG LLP be proposed at the 2019 AGM. need for a formal tender process in accordance with the provisions of the Code. Rick Medlock

The Group’s auditor, KPMG LLP, were appointed for the Chairman of the Audit and Risk Committee year-ended 31 March 2001 with the audit engagement partner 15 May 2019 rotation last occurring for the year-end 31 March 2018. In view of this, it is now the intention of the Directors to tender the audit contract, currently held by KPMG, during the year-ending 31 March 2020.

The external auditor may perform certain non-audit services for the Group, though above a certain level of materiality, any such non-audit services require pre-approval by the Audit and Risk Committee and are only permitted to the extent allowed by relevant laws and regulations.

Non-audit fees for the year-ended 31 March 2019 were $0.1m (FY18: $0.1m). Full details of auditor remuneration is shown in note 10 to the Financial Statements. DISCLOSURE COMMITTEE REPORT COMMITTEE DISCLOSURE 2019 Annual Report and Accounts and Report Annual 2019 meeting. each of minutes the of copies receives also Board The Committee. the to secretary is Secretary Company The of business. for the transaction required is Director Executive one least at including members, two of Aquorum CEO. the Hagerman, Kris by chaired is and (“CLO”), Officer Legal Chief and (“CFO”) Officer Financial Chief (“CEO”), Officer Executive Chief the comprises Committee The are noted on page 59 page on noted are Committee the of meetings the at members of Attendance All appointments as at 31 March 2019 March 31 at as appointments All Eleanor Lacey Bray Nick COMMITTEE MEMBERS 5 MEETINGS HELD Hagerman Kris CHAIRMAN • • • include: Committee the of responsibilities primary The requirements. regulatory or legal applicable with comply Company the by issued shareholder and circulars, other documents prospectuses information and for announcements, ensuring that regulatory management andidentification, disclosure of inside the of respect in controls and systems of monitoring is responsible for Committee theThe implementation and andRole responsibilities in May 2019, with only minor updates. updates. minor only with 2019, May in reference and each year. composition This review took place of terms its of areview undertakes also Committee The sensitive. price be to considered is matter any whether and Company the of obligations or events are consideredtransactions against the disclosure Team meeting, Management Senior and Board each At •

it is permissible to delay disclosure. delay to permissible is it whether or obligation, disclosure immediate an to rise gives D R presentations. investor and statements, trading other any and results half-year R disclosable projects. disclosable R Company. the within existed first information inside that which at time and date the of determination and information as inside of potentialconsideration categorisation its eview of the preliminary results announcement, the eview the of announcement, the preliminary results eview and approval of announcements in respect of of respect in announcements of approval and eview Committee, the to provided information of eview during the year, included: year, the during Committee Disclosure the by reviewed issues Key Main activities etermination ofetermination any whether inside identified information FY19 focus areas FY19 The trading update for the three-months ended 31 December 2018 December 31 ended three-months the for update trading The The interim dividend ended 30 September 2018 The announcement in respect of the interim for results the six-months The proposed final dividend 2018 June 30 ended three-months the for update trading The The preliminary announcement results

Additional Information Financial Statements Corporate Governance Strategic Report Introduction 77 78 Cybersecurity evolved

ANNUAL STATEMENT OF THE REMUNERATION COMMITTEE CHAIRMAN

Dear Shareholder,

As Chairman of Sophos’ Remuneration Committee, I am pleased to present the FY19 Directors’ Remuneration report, which has been prepared by the Committee and approved by the Board. In line with the UK reporting regulations, this report is divided into three sections:

• the Annual Statement of the Remuneration Committee Chairman, including a ‘Remuneration at a Glance’ section on pages 80 and 81; • the proposed future Directors’ Remuneration Policy, which will be submitted to a binding shareholder vote at the Annual General Meeting (“AGM”) on 25 September 2019. Further details on the proposed changes to the Policy (and the rationale for these) are set out on pages 82 to 90; and, CHAIRMAN • the Annual Report on Remuneration, which focuses on our remuneration arrangements and incentive outcomes for Paul Walker the year under review and how the Committee intends to implement the proposed Remuneration Policy in FY20, set out on pages 91 to 101. MEETINGS HELD The Annual Report on Remuneration will be put to an advisory 3 vote at the AGM in September 2019. The context for Executive remuneration at Sophos

COMMITTEE MEMBERS The IT security market is global, as is the market in which Sophos competes for high calibre executive talent. In order Sandra Bergeron for Sophos to be able to attract and retain executives in the Peter Gyenes relevant geographies with the right skills and experience to Rick Medlock drive the long-term success of the Group, the Committee Vin Murria believes that remuneration packages need to be All appointments as at 31 March 2019 appropriately calibrated to be competitive globally, including in the UK, where Nick Bray our Chief Financial Officer (“CFO”) is located, and on the US West Coast, where Kris Hagerman our Chief Executive Officer (“CEO”) and many of the Group’s Attendance of members at the meetings of the Committee executives are located. are noted on page 59 At the 2016 AGM, the Committee implemented a remuneration policy that was designed to balance this need, to be competitive globally with accepted UK market and best practice, and to measure and reward the performance of the Group’s executives against the best measures of the Group’s performance given its current size and stage of growth. In line with the Large and Medium-Sized Companies and Groups (Accounts and Reports) (Amendment) Regulations 2013, we are required to submit the remuneration policy to a new binding shareholder vote at the 2019 AGM. The UK remuneration governance landscape continues to evolve at pace, and the Committee has considered the implications of these developments for our Policy. In addition to the external context for executive director remuneration at Sophos, the (comprising 75 per cent of the awards) vest after three years years three after vest awards) the of cent per 75 (comprising units share Performance 2018. March 31 ending year the for results strong the of (LTIP) recognition in 2015 Plan respectively, under the Sophos Group Long-Term Incentive salary of cent per 390 and 500 of awards granted were Bray Nick and Hagerman Kris year, the during performance, company FY18 of recognition in AGM, 2016 the at approved In alignment Remuneration Policy the Directors with bonuses. receive not will Bray Nick and Hagerman Kris aresult, As targets. stretching against rates, actual at million $167.9 of EBITDA cash and million $760.3 of billings with 2019, March 31 year-ended the in results expected than lower experienced Sophos 2018, March 31 year-ended the in achieved results strong the Following in FY19 decisions Remuneration value creation. and objectives longer-termagainst strategic its shareholder are appropriately alignedoutcomes Group with performance pay that comfortable is Committee The index. FTSE250 and of Total the outperformance Shareholder (“TSR”) Return Listing since cent per 33.7 price share in growth significant Group’s the to contributed has years three last the over billings strong demonstrates, performance and cash EBITDA overleaf section aGlance’ at ‘Remuneration the As companies. UK-listed for norms market with closely more aligning as well as practice) best governance remuneration in developments latest the (and feedback investor reflecting while Group, the of success long-term the drive to experience and skills right the with talent executive senior for market aglobal in compete to continue to able is Sophos ensure will believe we which proposing are we policy remuneration our with majorconsultation shareholders on the atwo-way conducted We have strategy. our of delivery reinforce and culture corporate our underpin pay, effectively remuneration are the Group’s consistentwith philosophy of executive regarding decisions Committee’s the that ensures assessment holistic This abusiness. as matures Sophos as appropriate be may changes what evaluated and organisation that are forarrangements operated other levels of the has also reviewed the remuneration Committee Accounts and Report Annual 2019 audited information within this report and to state whether in their opinion those parts of the report have been prepared in accordance with the Act. The Auditor’s opinion is set set is opinion marked. Auditor’s The clearly Act. are the audit to with subject been accordance in have that prepared been report have the of report aspects the of those and parts 117 to those 110 opinion pages on their out in whether and state to and Large the and report this within Authority Conduct information Financial audited the of Rules Listing the Investment Act, the of latest the and provisions Code the with Governance Medium-Sized accordance in Companies and Groups Corporate (Accounts and UK Reports) (Amendment) the Regulations of prepared The 2013. Act requires the Auditor to been to report the Company’s Shareholders has on account the and takes Board, guidelines, the of PLSA and behalf ISS on Committee’) Association, (‘the Committee Remuneration the by prepared report, This 15 May 2019 May 15 Chairman of the Committee Remuneration Paul Walker On behalf of the Remuneration Committee: on Remuneration. Report Annual 2019 the and Policy proposed our for support your receive to hope Ialso where questions, your answer to AGM forthcoming the at available be also Iwill year. of time any at feedback welcomes and shareholders all with dialogue transparent and open an to committed remains Committee The Policy. proposed the on consulted we advisors proxy and shareholders the from received support broad and feedback the Iappreciate Committee, the of behalf On on on Remuneration, page 91. Report Annual the in out set are Policy new our implementing to approach our of details Further trusts). investment (excluding index FTSE250 the vs TSR Relative three-year and underpin) Profit Operating Adjusted an to (subject Growth Revenue three-year to subject vest will opportunity) award total the of cent per 75 represent will (which awards Remuneration Policy. Share (“PSU”) Units Performance proposed the with line in EDs to awards incentive term long- grant to intends also Committee the FY20, In cash. in paid be to continue will bonus The achieved. be to payout full for performance stretch significant require to continue to Committee the by set been have Targets objectives. performance personal and Profit, Operating Adjusted Revenue, on based be will and Policy, proposed our with line in be will opportunity bonus annual the FY20, For cent. per c.3 of population employee wider the for expected increase average the to compares This FY20. for unchanged remain will (“ED”) Directors Executive the of salaries the contribution, personal their and performance Group of areview Following FY20 for Remuneration the year to 31 March 2019 are set out on page 94. page on out set are 2019 March 31 to year the during vested have that units share performance of Details only. employment continued to subject years four over vest awards) the of cent per (25 units share restricted and targets, EBITDA cash and billings annual of achievement to subject

Additional Information Financial Statements Corporate Governance Strategic Report Introduction 79 80 Cybersecurity evolved

REMUNERATION AT A GLANCE

KPI – Performance snapshot Billings Cash EBITDA

$768.6M $760.3M $199.2M +21.6% -1.1% +32.7% M $632.1M M $167.9 $150.1 -15.7% FY18 FY19 FY18 FY17 FY19 FY17

Used as a measure in the annual bonus and PSU Used as a measure in the annual bonus and PSU Billings is an important measure that represents EBITDA (as defined in the scheme rules) provides the value of products and services invoiced to visibility of cash earnings during the period, even if customers. Cash is received at the start of a the associated revenue for that period’s billings has subscription period and consequently billings are not yet been recognised. a key forward indicator of future performance.

Executive Director remuneration in FY19 Executive Director shareholdings

Kris Nick Bray Hagerman Kris Hagerman Nick Bray $000 £000 Salary 735 298 Taxable benefits 2 17 Pension 9 15 Single-year variable – – $10.7m £1.1m Restricted stock units 933 296 Performance stock 1,442% 391% units 3,000 1,038 of salary of salary All employee schemes 4 – Total 4,683 1,664

Implementation of Policy in FY20

Salary Annual bonus No increase to salaries, which will remain at $740,000 Opportunities are reduced from FY19 at 150% and 120% for Kris Hagerman and £300,000 for Nick Bray. of salary for Kris Hagerman and Nick Bray, respectively. Payout will be based 80 per cent on Revenue and Adjusted Operating Profit, and 20 per cent on personal performance. Payable 100 per cent in cash. well as through the denomination of LTIP awards in stock units. stock in LTIP awards of denomination the through as well as ownership, share their through shareholders of those with closely aligned are EDs Group’s the of LTIP. interests the in The performance of measure astandalone as incorporated be will it awards, FY20 with beginning and creation value shareholder of measure akey is TSR stock ownership alignmentClose through significant since IPO Total (“TSR”) Return Shareholder Number of employees Accounts and Report Annual 2019 three years from grant. from years three vest awards RSU 2022. 31, March on ending period three-year the over TSR and growth Revenue on based vest will awards PSU limits. policy normal within shares, restricted and award) total the of 75% (at least units share performance over made be to awards FY20 LTIP £200 £250 £100 £150 3,300 £50 25.06.15 £0 FY18 £100 Invested on Sophos’ IPO Sophos’ on Invested £100 Sophos 31.03.16 3,400 FY19 FTSE250

31.03.17 Overall employeeOverall satisfaction Unchanged from FY19. Benefits 87 FY18 % 31.03.18

86 FY19

% 31.03.19

Additional Information Financial Statements Corporate Governance Strategic Report Introduction 81 82 Cybersecurity evolved

DIRECTORS’ REMUNERATION POLICY

The overarching principles of the remuneration policy are to provide a competitive package of fixed and variable pay that will enable the Group to ensure it has executives with the right skills and experience to drive the success of the Company, and that their remuneration is linked to shareholder interests and the Company’s long-term success.

The remuneration philosophy is:

• to promote the long-term success of the Company, with stretching performance targets which are rigorously applied; • to provide appropriate alignment between the Company’s strategic goals, shareholder returns and executive reward; and, • t o have a competitive mix of base salary and short and long-term incentives, with an appropriate proportion of the package determined by stretching targets linked to the Company’s performance.

EDs’ fixed and variable remuneration arrangements have been determined taking into account:

• the role, experience in the role, and performance of the ED; • the location in which the ED is working; • remuneration arrangements at UK listed companies of a similar size and complexity; • remuneration arrangements at US high-technology companies of a similar size and complexity, including companies with which the Company competes for talent; and, • best practice guidelines for UK listed companies set by institutional investor bodies.

In advance of the expiry of our Policy (approved by shareholders at the 2016 AGM), the Remuneration Committee undertook a thorough review of our existing Policy in late 2018 to ensure that it would continue to enable Sophos to compete in the global market for senior executive talent, while reflecting investor feedback and developments in UK remuneration governance, as well as aligning more closely with UK market norms for established listed companies. This section describes the Group’s proposed remuneration policy for Directors which will be submitted to a binding shareholder vote at the Annual General Meeting on 25 September 2019. Set out below is a summary of the major changes proposed to the version approved by shareholders in 2016.

Key changes proposed to our Remuneration Policy 1. Incentive award opportunities • The maximum annual bonus opportunity will be 150 per cent of salary (previously 200 per cent of salary). The target annual bonus opportunity will be set at 67 per cent of maximum (to maintain the on-target total cash opportunity at current levels), with threshold performance paying 17 per cent of maximum.

• The maximum total long-term incentive opportunity in normal circumstances will be 300 per cent of salary (previously 500 per cent of salary), to more closely reflect UK market norms. Annual awards will continue to comprise a combination of Performance Stock Units (“PSU”) and Restricted Stock Units (“RSU”), with PSUs comprising at least 75 per cent of the award opportunity. The continuation of this policy reflects competitive practices in our major markets for talent, including other high-technology US West Coast companies. The maximum total long-term incentive opportunity in exceptional circumstances will be 500 per cent of salary (previously 750 per cent of salary). Exceptional circumstances include, but are not limited to, the recruitment of a new executive director.

2. Extension of long-term incentive time horizons • To support the principle of alignment of executive and long-term shareholder interests, RSU awards in the future will vest 100 per cent after three years (previous awards vest 25 per cent on the first anniversary of grant, with the remainder vesting on a quarterly basis over the following three years).

• I n addition, any net vested shares (i.e. excluding those sold to cover the tax liability arising when an award vests) from PSU or RSU awards made in the future will be required to be held for a further holding period of two years before being released to the individual. The holding period will also apply to awards held by leavers until its normal expiry date. • • linkage 3. Performance 2019 Annual Report and Accounts and Report Annual 2019 • 4. to Increase shareholding guidelines wider workforce. the of that with alignment in and manner cost-efficient in a participants for benefits Provide post-retirement Fixed pay: Pension the relevant talent market. in competitive are salaries base ensuring by strategy, to contribute to ability the with and calibre right the of talent retain and To attract salary Base pay: Fixed strategy to link and Purpose

alignment of interests with shareholders beyond cessation of employment is in line with the UK Corporate Governance Code. Governance Corporate UK the with line in is employment of cessation beyond shareholders with interests of alignment and ownership share sustained this that believes Committee The cent). per 500 (CFO: salary base of cent per 600 to up of value apre-tax have could awards vested-but-held leaver, abad is executive an Where cent). per 1,000 (CFO: salary base of cent per 1,200 to up be could employment of cessation at leaver agood for unvested) or vested-but-held value awards of outstanding (whether The pre-tax period). remaining over the performance subject to performance PSUs, of case the in and, time for pro-rated (albeit awards incentive long-term unvested in interest an retain will leavers good addition, In post-employment. retention share of principle the supports above) (see leavers by held awards to apply W for Directors). both salary of cent per 200 (previously: CFO Group the for salary of cent per 250 and CEO Group the for salary of cent per 300 i.e. I cycles: incentive future for used be measures following the that proposed is it However, cycle. each of start the at awards incentive long-term and bonus annual the to apply will O

t is proposed that the in-post shareholding guideline be calibrated as 1x the annual long-term incentive award opportunity, opportunity, award incentive long-term annual the 1x as calibrated be guideline shareholding in-post the that proposed t is – – ur proposed Policy continues to provide an appropriate degree of flexibility to determine the performance measures that that measures performance the determine to flexibility of degree appropriate an provide to continues Policy proposed ur ith regards to the post-employment shareholding requirement, our proposal for the two-year holding period to continue to to continue to period holding two-year the for proposal our requirement, shareholding post-employment the to regards ith

P and, target; hit metrics both until financial two The willmeasures Objectives. operate Personal independently, dotake not but accelerators effect A and 50 per cent on three-year relative TSR vs the FTSE250 index (excluding investment trusts). investment (excluding index FTSE250 the vs TSR relative three-year on cent per 50 and nnual bonus to be based: 40 per cent on Revenue, 40 per cent on Adjusted Operating Profit, and 20 per cent on cent per 20 and Profit, Operating Adjusted on cent per 40 Revenue, on cent per 40 based: be to bonus nnual SU awards to be based: 50 per cent on three-year Revenue growth (with an Adjusted Operating Profit underpin), underpin), Profit Operating Adjusted an (with growth Revenue three-year on cent per 50 based: be to awards SU pension scheme. employees or group personal US all for plan savings 401(k) US vehicles: funding of achoice with provided, arePension contributions 1July. from effective Any increases are generally business. the to andcompetence criticality holder’s experience, position the and Group the increases across salary talent, for markets relevant against competitiveness performance, Groupindividual performance, to reference with annually, reviewed are salaries Base Operation in the relevant market. relevant the in as the contribution rest of the Sophos workforce pension same the for eligible be will Policy this of date effective the from appointed Director Executive new Any widely. more organisation throughout the offered arrangements remain, the pension consistent with pension haveThese arrangements been, and to acontribution group pension personal scheme. a as salary of cent 5per to up receives CFO The for (US$24,500 FY18). maximum contribution applicable the to subject plan, savings 401(k) US his under salary of cent 3 per to up of contribution amatching receives currently CEO The misalignment. market asignificant or responsibilities or role in achange is there where made be may population. However, higher increases salary employee wider the for those with in-line be normally will increases salary Directors’ Executive Maximum opportunity None. levels. salary appropriate determining into account when is taken performance Group and Individual Performance metrics Performance

Additional Information Financial Statements Corporate Governance Strategic Report Introduction 83 84 Cybersecurity evolved

DIRECTORS’ REMUNERATION POLICY CONTINUED

Purpose and link to strategy Operation Maximum opportunity Performance metrics

Fixed pay: Benefits To provide competitive Benefits currently include the There is no overall maximum None. benefits for each role. provision of medical and dental value set out for benefits. insurance, life and disability insurance, travel insurance, They are set at a level that is personal tax return preparation, comparable to market practice and car allowance. and appropriate for individual and Company circumstances. Reasonable relocation, travel and subsistence allowances (and, in The Committee retains the certain circumstances, cash discretion to amend benefits in allowances in respect of the exceptional circumstances or in associated tax charge) and other circumstances where factors benefits may be provided based outside of the Group’s control on individual circumstances. have materially changed (e.g. increases in insurance premiums).

Variable pay: Annual bonus Aims to focus executives Performance measures and The maximum bonus The annual bonus will be based on on achieving stretching targets are set prior to or shortly opportunity for EDs will be achievement of stretching financial financial targets relevant after the start of the relevant up to 150 per cent of salary. targets and personal performance. to the business priorities financial period. Personal performance will be for the financial period. Up to 67 per cent of maximum weighted at 20% of the annual At the end of the financial period, will vest for target performance. bonus opportunity for FY20 and for the Remuneration Committee will The Committee may award up future years for which this policy determine the extent to which the to 17 per cent of maximum for applies, personal performance will targets have been achieved. threshold performance. have a weighting of no more than a third of the bonus opportunity. Awards are typically delivered in cash; however, the Committee has Details of the measures used discretion to defer awards in cash during the period under review or in shares. are set out on pages 92 and 93.

The Committee has discretion to The Committee has discretion reduce the bonus in the event of to adjust the formulaic bonus serious financial misstatement or outcome downwards (or upwards misconduct. In extreme cases of with shareholder consultation) misstatement or misconduct, the within the limits of the plan, to Committee may claw back annual ensure alignment of pay with bonus payments previously made. the underlying performance of the business. 2019 Annual Report and Accounts and Report Annual 2019 of shareholders. interests long-term the with interests Directors’ To align Shareholding guidelines Other arrangements: business over the long-term. the of value the growing in shareholders with executives of interests the Aligns Variable incentive plan pay: Long-term (“LTIP”) strategy to link and Purpose in operation is set out on page 99. page on out set is operation in shareholding guideline currently of level the of details Further met. been the shareholding guideline has until years two of aminimum for LTIP the under tax) (after vesting shares of cent per 50 retain to required are and Company the in shareholding minimum a retain to required are EDs shares that vest. on period vesting the over paid been have would that dividends of value the to equal shares or cash receive to eligible are Participants awards. incentive long-term vested back claw may the Committee or misstatement, misconduct of cases extreme In or misstatement misconduct. financial serious of case the in awards, future for opportunities the vary to or awards, incentive long-term unvested any reduce to discretion has Committee The clawback/malus is appropriate. discretion, that determines absolute its at Committee, the where cases in except employment, leaves a participant if forfeitable not are period holding two-year the to subject Shares individual. the to released being before years two of period holding afurther for held be to required be will future the in made awards RSU or PSU from shares vested net Any performance. three-year on based is vesting shares, restricted for than Other grant. of anniversary third the on vest normally will future the in made Awards participants. shares to eligibleperformance and shares restricted of awards plan forThe annual provides Operation or options. shares restricted over be will year one any in awards aggregate of cent per 25 than more no that anticipated is It performance. vesting for achieving stretch full to basis a straight-line each then increase metric, on under threshold performance will vest for achievement of element each of cent per 25 to Up threshold. below vest will awards No performance-based grant. of advance in reviewed is size award The individual). an recruiting to, limited not but (including, circumstances exceptional in cent per 500 to up and in circumstances normal salary of cent per 300 of maximum a to up made be may Awards n/a Maximum opportunity – Policy: the of life the over made awards for follows as be to intended against measures, two which are employment and performance continued to subject is Vesting awards:Performance-based None. the business. of underlying performance the with pay of alignment ensure to plan, the of limits the shareholder consultation), within with (or upwards downwards award LTIP formulaic the adjust to discretion has Committee The years. three after cent per 100 vest will shares restricted awards: Time-based these metrics. with conjunction in used be may and business the of goals strategic the capture help to cycles future for other measures may be considered addition, In cycle. each of start theappropriate, weighting at the will consider, and adjust if deemed per cent each) but the Committee 50 (i.e. equal be will measures the of weighting the that intention the is It – Performance metrics Performance

R R investment trusts). investment (excluding index FTSE250 the to compared as Return underpin) ;and, profit operating adjusted an elative Total Shareholder to (subject growth evenue

Additional Information Financial Statements Corporate Governance Strategic Report Introduction 85 86 Cybersecurity evolved

DIRECTORS’ REMUNERATION POLICY CONTINUED

Purpose and link to strategy Operation Maximum opportunity Performance metrics

Other arrangements: All-employee schemes To encourage share Save as You Earn (“SAYE”) and Participation is capped at the None. ownership across Employee Stock Purchase Plan prevailing approved limit at the the workforce. (“ESPP”) schemes are operated time eligible employees are by the Company for eligible invited to participate, or such employees, in which EDs may lower limit as determined by the participate on the same terms. Remuneration Committee.

Other arrangements: Non-Executive Directors’ fees To reflect the time Annual base fee for Chairman. Any increases to Non-Executive None. commitment in preparing for Director fees will be considered and attending meetings, the Annual base fee for Non-Executive as a result of the outcome of a duties and responsibilities of Directors. review process and taking into the role and the contribution account wider market factors, expected from the Additional fees paid to the e.g. inflation. There is no Non-Executive Directors. chairmen of Board Committees. prescribed individual maximum fee. Additional fees may be paid if there is a material increase in Further details are set out on time commitment required. page 96.

Non-Executive Directors do not participate in any incentive schemes, nor do they receive any pension or benefits (other than nominal travel expenses and, in certain circumstances, cash allowances in respect of the associated tax charge).

Notes to the policy table Performance measure selection and approach to target setting As the Group’s strategy has evolved and business priorities have changed, Revenue and Adjusted Operating Profit are considered to be the best measures of the Group’s annual performance.

Annual bonus targets will be set prior to, or shortly after, the start of the financial year. Targets will be based around the annual budget approved by the Board and take into account the Group’s performance over the prior year, as well as an appropriate degree of challenge to provide an incentive to outperform the annual budget. Threshold and stretch performance levels for performance-based awards under the LTIP will be set at the start of the three-year performance period. The Committee aims to set stretching but achievable financial targets, taking account of a range of reference points, including market consensus and the Group’s strategic plan. The level of TSR outperformance required for full vesting is set by reference to the level of outperformance that would have been equivalent to broadly upper quartile performance over rolling three-year periods historically.

Differences in Remuneration Policy operated for other employees The remuneration for other employees comprises the same components as set out in the policy, being base salary, annual bonus, long-term incentive participation, pension, life assurance, and benefit provision. Annual bonus and long-term incentive arrangements share a similar structure and pay-out arrangement, although the mix between performance-based and time-based awards, and the maximum award, varies by seniority and role.

Other Any commitment made prior to, but due to be fulfilled after, the approval and implementation of the policy detailed in this report will be honoured, including awards made to Directors (both Executive and Non-Executive) prior to the initial public offering of the Company’s shares in 2015 (“IPO”). The Committee also retains discretion to make minor, non-significant changes to the Policy without reverting to shareholders. Chief$000 Executive Officer remuneration, as follows: remuneration, of components existing the all of use make may Committee Remuneration the ED, anew appointing or hiring of cases the In appointments for new to remuneration Director Executive Approach below: table the in shown are opportunities reward potential illustrating in made assumptions The 2019. 1April at force in salaries base the to applied 2019, September 25 on AGM the at approval for presented be to policy the on based are illustrated opportunities reward potential The scenarios; ‘Minimum’, of elements remuneration performance underthe different between different three ‘Mid’ and split ‘Maximum’. potential the and EDs, for opportunities reward future potential the of estimates provide below graphs The Performance scenarios 2019 Annual Report and Accounts and Report Annual 2019 Maximum schemes All-employee LTIP bonus Annual Benefits Membership of pension scheme or supplement salary on a similar basis to other executives, Pension Approach salary Base Component share priceappreciation) cent per 50 assuming valued awards LTIP (with Maximum Maximum Mid Minimum scenario Performance Minimum Mid 58% 31% 15% 42% 30% 21% 1,306 other employees. as basis same the on schemes all-employee in participate to eligible be may appointees New table. policy the in described as executives, other as terms similar on LTIP the under awards granted be will appointees New year. the over employment of proportion the reflect to pro-rated being maximum relevant the with appointees new to apply will table policy the in described structure The insurance. life and insurance medical allowance, to) car limited not are (but include may which policy the with line in benefits receive to eligible be will appointees New salary. base of cent per 20 exceed would that Company the to acost at forarrangements new does not recruits) anticipateas the pension Committee being benefits existing replace to as (such cases exceptional in than Other table. policy the in described as salary. basic current their and data market relevant individual, the of skills and experience the on based determined be will appointees new of salaries base The 39% 2,462 financial period financial recent most the for as value pension and Benefits recent review date most at as Salary Fixed pay Fixed 64% 5,191 No annual bonus payable Maximum annual bonus payable Performance warrants warrants Performance annualMaximum bonus payable warrants Performance annualOn bonus target payable Annual bonus Chief£000 Financial Officer Minimum Mid Maximum 24% 64% 37% 36% 27% 21% 520 Threshold notThreshold achieved appreciation price share cent per 50 plus vesting, full warrants Performance vesting full vesting threshold based awards) LTIP (performance- 36% 900

In line with policy table policy with line In salary base of cent per 500 to Up salary base of cent per 150 n/a table policy with line In n/a Maximum opportunity 55% Full vesting Full appreciation price share cent per 50 plus vesting, Full based awards) (time- LTIP LTIP incentive Annual Fixed 1,370

Additional Information Financial Statements Corporate Governance Strategic Report Introduction 87 88 Cybersecurity evolved

DIRECTORS’ REMUNERATION POLICY CONTINUED

In determining appropriate remuneration for a new ED, the Committee will take into consideration all relevant factors to ensure that arrangements are in the best interests of the Group and its shareholders. In addition to the remuneration arrangements set out above, the Committee may make an award in respect of a new appointment to ‘buy-out’ incentive arrangements forfeited on leaving a previous employer, using Listing Rule 9.4.2 R if necessary. In doing so, the Committee will take account of relevant factors including any performance conditions attached to these awards, the likelihood of those conditions being met, and the proportion of the vesting period remaining. The fair value of any ‘buy-out’ will not exceed that of the award being foregone.

In cases of appointing a new ED by way of internal promotion, the approach will be consistent with the policy for external appointees detailed above. Where an individual has contractual commitments made prior to their promotion to Board level, the Group will continue to honour these arrangements. Incentive opportunities for below Board employees are no higher than for EDs, but measures may vary.

In recruiting a new Non-Executive Director, the Committee will use the policy as set out in the table on page 86.

Service contracts and exit payment policy Non-Executive Directors (“NED”) The appointments of each of the Chairman and the NEDs are for a fixed-term of three years and subject to annual re-election by the Company at the AGM. Their letters of appointment set out the terms of their appointment and are available for inspection upon request. They are not eligible to participate in the annual bonus, nor do they receive any additional pension or benefits (other than nominal travel expenses) on top of the fees disclosed on page 96. NED appointments may be terminated at any time upon written notice or in accordance with the Articles and receive no compensation on termination.

NED Role Appointment date Term of appointment Peter Gyenes Chairman 4 June 2018 Three years Paul Walker Senior Independent Director 4 June 2018 Three years Sandra Bergeron Independent NED 4 June 2018 Three years Roy Mackenzie NED 4 June 2018 Three years Vin Murria Independent NED 3 January 2017 Three years Rick Medlock Independent NED 3 April 2017 Three years

Executive Directors On 11 June 2015, each of the EDs entered into a service agreement with the Company, which are available for inspection upon request.

ED Role Appointment date Term of appointment Kris Hagerman CEO 11 June 2015 12 months Nick Bray CFO 11 June 2015 12 months

The employer is entitled to terminate an ED’s employment by payment of a cash sum in lieu of notice, equal to (i) the basic salary that would have been payable, and (ii) the cost that would have been incurred in providing the ED with medical insurance benefits for any unexpired portion of the notice period (the ‘‘Payment in Lieu’’). The Company can alternatively choose to continue providing the medical insurance benefits under item (ii) instead of paying a cash sum representing their cost. The Payment in Lieu will be paid in monthly instalments over the notice period.

In specified circumstances (not involving a change of control, in which case the severance payment applicable is as described below), each ED is entitled to terminate his employment without notice and receive a severance payment. The severance payment will be equal to the Payment in Lieu and paid in a single lump sum. The specified circumstances are where either: (a) the employer terminates or gives notice to terminate the ED’s employment without cause; or (b) the ED terminates his employment in response to: a material diminution of his authority, duties, responsibilities or status in a manner inconsistent with his service agreement; a breach of a fundamental term of his service agreement; a material reduction in his annual basic salary or target bonus opportunity; or being required to relocate his place of work beyond a specified distance (each a ‘‘Good Leaver Reason’’). how incentives are typically treated in different circumstances: different in treated typically are incentives how summarises below table The mitigate. to duty any and termination of circumstances the terms, contractual executive’s the account into taking basis, acase-by-case on circumstances the consider to is payments termination on policy Company’s The located. is executive the that geography the in practice market prevailing account into taking time, that at provisions contractual the of appropriateness the consider will Committee the hires, future For triggered). be never may provision this (where Company the for cost increased an represent likely would contracts renegotiate to and located) are CEO, the including Team, Management Senior the of many (where US the in practice standard are provisions control of change Group’s The months. 12 of aperiod for agreement service his under entitled is he which to contributions) pension (including benefits the with ED the providing of cost total the (iii) and occurs; termination the which in year financial Company’s the for bonus target ED’s the of 150% (ii) salary; basic annual ED’s the of 150% (i) of: sum the to equal be will months prior to the announcement of such or general scheme of offer arrangement or compromise. payment severance The three beginning and compromise) or arrangement of ascheme or offer ageneral of way by (whether Company the of control of change any after months 18 ending aperiod during time any at Reason Leaver aGood for ED the by or cause without employer his by employment his of atermination of event the in sum, lump asingle in paid payment, aseverance to entitled is ED Each 2019 Annual Report and Accounts and Report Annual 2019 scheme rules. applicable with line in Treated All-employees schemes Change of control leaver Good resignation dismissal, Summary Long-term incentives Change of control leaver Good resignation dismissal, Summary Bonus Reason for leaving 18 months of a change of control. of achange of within 18 months employment of termination of case the in vesting additional for eligible be may Executives Committee discretion to otherwise. treat with served, period the of proportion the on based time for pro-rated be and of change to control, period the over performance for tested be and vest normally will awards Outstanding or whether have not criteria assess, been relevant met. performance treat to and discretion discretion to with at test either otherwise the end of or periods, relevant immediately performance Committee with leaving, of date the to pro-rated be normally will awards Outstanding Awards lapse. above. described as control, of achange of months 18 within employment of termination of case the in payment bonus enhanced an for eligible be may Executives to discretion otherwise. treat Committee with served, year financial the of proportion the for pro-rated change the control, to of up satisfied been have conditions performance that extent the to award an for Eligible the for todiscretiontreat of otherwise. pro-rated Committee the financialproportion with yearserved, satisfied, been have conditions performance that extent the to award an for Eligible Awards lapse. Treatment

Additional Information Financial Statements Corporate Governance Strategic Report Introduction 89 90 Cybersecurity evolved

DIRECTORS’ REMUNERATION POLICY CONTINUED

External appointments of Executive Directors EDs may only accept external appointments with the prior approval of the Chairman, provided that such appointments do not prejudice the executive’s ability to fulfil their duties for the Group. Any fees for outside appointments would normally be retained by the Director.

Consideration of employment conditions elsewhere in Group The Committee takes into account the general basic salary increase being offered to employees elsewhere in the Group when annually reviewing the salary increases and remuneration for the EDs. The Committee is also informed of management decisions regarding incentive structures and remuneration arrangements for all other staff and considers these when making decisions in relation to ED remuneration. This approach ensures remuneration arrangements are appropriately cascaded across the Group to support our culture and delivery of our strategy, while differentiation by organisational level and/or geography ensures Sophos is able to compete effectively in all talent markets. Employees have not been consulted in respect of the design of the Group’s senior executive remuneration policy.

Consideration of shareholder views The Committee takes shareholder feedback into careful consideration when reviewing remuneration and regularly reviews the Remuneration policy in the context of key institutional shareholder guidelines and best practice. It is the Committee’s policy to consult with major shareholders prior to making any major changes to its executive remuneration structure. due diligence periodically. thatthe provided advice isby Mercer satisfied Kepler Committee isThe and independent, will such continue to undertake objective. and impartial is provided advice the that and Company the of independent remains Kepler Mercer that ensure to diligence due undertook Chairman Committee The CHRO. the to directly reported and analysis, Programme Pay and Gap Pay inrelation totheCompany’sFY19 to Sophos UK duringGender services provided independentandconsultation verification companies), of Group MMC the of part (also Mercer of department distinct and aseparate addition, In £52,681). (FY18: £136,622 totalled FY19 in Committee Remuneration the for out carried work of respect in Kepler Mercer to paid fees The found at www.remunerationconsultantsgroup.com). be can (which Consultants Remuneration for Conduct of Code the by abides and to asignatory is and Chairman Committee during continuedBoard, to act the year. as to the remuneration adviser the Committee to directly the Mercer Kepler reports the with consultation Mercer Kepler, after in appointed independent FY16 by remuneration consultants the Committee advisers External report. this throughout summarised is year the during undertaken Committee the of work The focus. to chosen has the Committee which on items governance or business topical and arising, matters specific any to addition in meeting, each at considers Committee the that items standing with reference, of terms its from developed agenda, forward annual an has Committee The Main activities • • • • • • to: include, Committee the of responsibilities key The guidance. associated and Code the of recommendations and provisions the requirements, regulatory and legal relevant for regard having practices and policy Remuneration Group’s the overseeing for responsible is Committee The andRole responsibilities not are they present whenbut their own remuneration is set. executives, senior other and (“CHRO”) Officer Resources Human Chief (“CEO”), Officer Executive Chief include the Committee, the from invitation upon and, time to time from differ may meetings Committee at attendees Other meetings. all attends and Committee the to secretary is Secretary Company The (“SID”). Director Independent Senior the Walker, Paul by chaired is Committee The appointment. his of time the at independence his to due Committee the of chair, not but amember, be may Group the of Chairman the that and Directors Non-Executive independent three least at comprise should members its that provides which Code, the of Provisions the with compliant is Committee the of composition The attendance and meeting composition Committee year. the during times three met Committee The Committee Remuneration The FY20. in implemented be will policy Remuneration the how and year, the during Board the on served who followingThe provides details section of for remuneration the financial outcomes year ended31 Marchfor2019 Directors REMUNERATION ON REPORT ANNUAL 2019 Annual Report and Accounts and Report Annual 2019

a r r s long-term performance; e consider; to designated is it team d eview remuneration trends across the Group and in the market in which Sophos operates; and, operates; Sophos which in market the in and Group the across trends remuneration eview contracts; service Directors’ eview the Executive et specific remuneration packages whichetremunerationpackages specific includesalary, annualbonus, pensionshare incentives, andbenefits; pprove employee share-based incentive plans and associated performance conditions and targets. and conditions performance associated and plans incentive share-based employee pprove sustainable and strategy business Sophos the support decisions reward and policy remuneration the that nsure etermine and and monitor the remuneration Directors policy the senior for management the Chairman, Executive

Additional Information Financial Statements Corporate Governance Strategic Report Introduction 91 92 Cybersecurity evolved

ANNUAL REPORT ON REMUNERATION CONTINUED

Performance evaluation

The Remuneration Committee’s performance was assessed as part of the Board’s annual effectiveness review. It was concluded that the Committee operated effectively in FY19. In response to findings of the review, Committee members will continue to give significant weight to shareholder sentiment whilst balancing this with the recruitment and retention needs of the business and in particular, in their consideration of the Company’s remuneration policy as it is reviewed for renewed shareholder vote at the 2019 AGM.

The Committee also undertakes a review of its terms of reference and composition each year. A review was carried out in May 2019, with only minor updates. The full terms of reference of the Committee can be found on the Company’s website at: investors.sophos.com.

Single total figure of remuneration for Executive Directors (Audited)

The table below sets out the total single figure of remuneration received by each Executive Director who served during the year-ended 31 March 2019 and the prior-year:

Kris Hagerman ($000) Nick Bray (£000) FY19 FY18 FY19 FY18 Salary1 735 716 298 291 Taxable benefits2 2 3 17 16 Pension3 9 8 15 15 Single-year variable4 0 638 0 207 Restricted stock units5 933 877 296 283 Performance stock units6 3,000 6,458 1,038 2,186 All employee schemes 4 4 – – Total 4,683 8,704 1,664 2,998

1 Amount earned in respect of the year 2 T axable benefits include: Kris Hagerman: medical and dental, life and disability insurance and reimbursement of up to $10,000 per annum for the preparation of his tax returns; Nick Bray: Car allowance (FY19: £15K FY18: £14K), life, private medical and critical illness insurances, travel and personal accident insurances, and employee assistance programme arrangements 3 The Company’s pension contributions during the year of up to three per cent and five per cent of salary for Kris Hagerman and Nick Bray, respectively 4 Bonus payment for performance during the year 5 RSUs: The face value at grant, using market price on day of issue, of time-based RSUs 6 P SUs: The estimated value at vesting of PSUs for which the performance period ends at the end of the relevant financial year. For FY19, reflects the number of FY17 PSUs vesting in FY20 subject to performance over the three-year period ended 31 March 2019, valued using the average middle market quotation of the shares on the main market of the London Stock Exchange (“MMQ”) over the three-months to 31 March 2019 (converted at daily US dollar rates for Kris Hagerman), and including the estimated value of dividends accruing over the vesting period on this award

Base salary

In April 2019, the Remuneration Committee reviewed the salaries of Kris Hagerman and Nick Bray, with neither receiving an increase. Pay as of 1 July 2019 remains unchanged:

Executive Director July 2019 July 2018 Increase % Kris Hagerman $740,000 $740,000 0.0% Nick Bray £300,000 £300,000 0.0% alongside performance against these targets, below: against targets, alongsidefull, these performance in disclosed are and sensitive, commercially considered longer no are bonus annual FY19 the for targets financial The Financial performance EBITDA. and billings both on perform to required were executives element, this of vesting any achieve to so EBITDA, and billings for payouts implied the of lower the on based is payout element financial The threshold. the below remainingThe No bonus 20 is per is on cent based performance. of awarded personal the for bonus performance opportunity performance. target for cent per 50 and performance threshold for vesting maximum of cent per 12.5 with rules, scheme the by defined as EBITDA, and billings on cent per 80 based was bonus the FY19, In performance. personal and year the for targets financial pre-determined against performance Group on based is year one any in earned bonus annual of level The opportunity. maximum the of cent per Bray. 50 Nick was for Target bonus salary of cent per 160 and Hagerman Kris for salary of cent per 200 were FY19 for opportunities Bonus Directors. Executive including executives senior of anumber for scheme bonus performance-related annual an operates Group The bonus Annual FY19 for outcomes Incentive illness insurance, travel insurance, accident personal insurance and programme employee arrangements. assistance critical and medical private insurance, life monthly), (paid £15,000 of allowance car annual an received also he FY19 In scheme. pension personal group to a contribution as a salary base his of cent per five to up receive to entitled is Bray Nick $25,000. is maximum contribution employee annual this 2019, year calendar the For time. to time from plans savings 401(k) US to applicable contribution maximum annual any to subject salary, his of cent 3per to up of contribution amatching receive to entitled is employees, US all for plan savings 401(k) US standard employer’s his under and, returns tax his of preparation the for annum per up of $10,000 to areimbursement insurance, disability and life insurance, travel insurance, dental and medical receives Hagerman Kris Pension and benefits Accounts and Report Annual 2019 Company performance was assessed to warrant a payout of zero per cent for the personal element. element. personal the for cent per zero of apayout warrant to assessed was FY19 performance overall of Company respect in Directors Executive the of Performance objectives. Company with in-line and set year the of objectives start the at personal against performance Director’s Executive each assessed Committee the FY19, of end the Following performance Personal element. financial the for maximum of cent per zero therefore was and EBITDA, and billings for payouts implied the of lower the on based was payout bonus overall The basis. pro-rata astraight-line, on determined was payout bonus above, out table set the in points the between performance of levels For rates. exchange currency constant using measured was Performance Billings measure Performance EBITDA (12.5% payout) Threshold $866M $229M

(50% payout) $899M $238M Target Target (100% payout) $1,079M Stretch $285M Achievement 87% 71% (% of element) Vesting Vesting 0% 0%

Additional Information Financial Statements Corporate Governance Strategic Report Introduction 93 94 Cybersecurity evolved

ANNUAL REPORT ON REMUNERATION CONTINUED

Long-Term Incentive Plan FY17 PSU awards vesting (audited) PSU awards were granted to Kris Hagerman and Nick Bray in FY17 (calendar year 2016). These awards are subject to performance against annual billings and cash EBITDA targets set for each of the financial years FY17, FY18 and FY19. Performance against each of these measures over the completed performance period is summarised in the table below: Initial Vesting Accelerator Vesting Vesting Threshold Stretch Super Maximum Financial outcome Weighting Performance (25% (100% Stretch (1 x (1.25 x year (out of Performance period (of max.) measure vesting) vesting) multiplier) multiplier) outcome 125%) FY17 One-third Billings $554M $615M $655M $706M $632M 100% Cash EBITDA $127M $142M $157M $169M $150M 100% FY18 One-third Billings $637M $707M $766M $826M $769M 101% Cash EBITDA $150M $166M $189M $204M $194M 107% FY19 One-third Billings $732M $814M $896M $967M $760M 51% Cash EBITDA $176M $195M $230M $284M $162M Nil Average of the lowest vesting outcomes in FY17, FY18 and FY19 67.0%

Overall vesting (based on the aggregate of the lowest vesting outcome for each performance period) For each performance year, the vesting outcome is based on the lower of that warranted by billings performance and cash EBITDA performance. Based on the performance outcomes set out above, 67.0 per cent of the FY17 PSU awards will vest, representing 53.60 per cent of the maximum opportunity. Details of the awards vesting to Executive Directors are set out in the table below:

Share price Value Executive Director Interests held % vesting Interests vesting Date of vesting at vesting1 (£000) Kris Hagerman 993,603 67.00% 665,714 14 Jun 2019 336.9p 2,243 Nick Bray 447,744 67.00% 299,988 14 Jun 2019 336.9p 1,011

1 T he estimated value of vested awards is calculated using the MMQ over the three months to 31 March 2019. The estimated value of dividends accruing over the vesting period on these awards for Kris Hagerman and Nick Bray are $81K (£62K) and £28K respectively, and will be paid in cash

The RSU awards are not subject to future performance conditions, and will vest over four years, subject to continued employment, with 25 per cent of the awards vesting on 1 June 2019 and the remainder vesting on a quarterly basis thereafter until 1 June 2022.

The PSU awards vest subject to the vesting outcome implied by performance against annual targets over the three years to the financial year-ending 31 March 2021, with the award vesting (to the extent that targets are met) on the third anniversary of grant. Targets for the three years are set at the start of the performance period. Vesting is based on the lower of the implied payouts for billings and cash EBITDA, with 25 per cent vesting for threshold performance, 100 per cent for stretch performance, and 125 per cent vesting for maximum performance. The table on page 95 sets out the face value of awards granted in FY19 which can vest, subject to performance set out above, and in the table below.

No awards will vest for performance below the threshold. approach to equity incentive grants following the IPO. the following grants incentive equity to approach front-loaded the reflect to continues and cent, per c.6.7 was schemes incentive our all under dilution 2019, March 31 At success. future Sophos’ secure to required executives and employees high-calibre the for companies international and US other with compete to able be to need the reflects and package, compensation employee Group’s the of part akey are plans incentive equity The employees). most to open schemes ESPP and SAYE (including employees our of proportion alarge to are provided shares which under plans, incentive equity our of nature based broad the of because part in necessary is operate we limit higher the believes Committee The schemes. all of respect in years 10 over cent per 10 and awards discretionary of respect in years 10 over cent 5per of investors institutional many by preferred and companies UK many by adopted limit the than higher is this that aware is Committee The IPO. at approved were plans incentive equity the since applied has that limit the years, five over limit cent per a10 within levels award maintaining of context the within dilution manage to continue will Sophos limits Dilution period. performance three-year the of end the until cent per known 125 be not will maximum the to up percentage applies vesting multiplier total a1.25 final and The are stretch, stretch. and measures above the threshold (i.e. performance EBITDA between for cash and applies vesting cent per billings for 100 and 25 payouts between implied the scale of lower asliding on the the on on Vesting based is and dependent is FY20 weighted). to vesting FY18 equally Actual years onwards. financial FY18 the of from each simplified. for made been has awards targets PSU all for against conditions removed been has performance performance targets awards’ PSU LTIP Stretch the for Super and structure Stretch the year, the previous the during between targets gap The billings external Company’s the of publication the following Note: awards PSU FY19 vesting total final The maximum. and stretch super and stretch, and billings threshold for between payouts applies implied the of vesting lower the scale percentage willon not be known until sliding thebased endis of period). the three-yearand performance FY20 weighted); to FY18 equally are years measures the financial the of (i.e. each for EBITDA cash and targets against performance the on dependent is vesting actual Note: FY18 PSU awards PSU FY18 these. against performance and awards, PSU outstanding to attaching targets financial annual the basis) (on aretrospective disclosing to committed remains Committee the However, requirements. disclosure subject not similar to are that competitors, held privately and international its to disadvantage acompetitive at Company report the this put in would FY21 and FY20 for targets performance financial annual individual the disclosing that believes Committee The awards PSU outstanding for targets Performance Accounts and Report Annual 2019 FY20 FY19 period Performance FY18 period Performance FY21 FY19 FY20 Weighting Weighting One-third One-third One-third One-third One-third One-third (of max.) (of max.) Cash EBITDA Cash Cash EBITDA Cash EBITDA Cash Cash EBITDA Cash Cash EBITDA Cash EBITDA Cash Performance Performance Performance measure measure Billings Billings Billings Billings Billings Billings Threshold Threshold Threshold Threshold $204.6M vesting) vesting) $663M $203M 81 $890M $801M $164M $772M Initial Vesting Initial Vesting (25% (25% (25% (25% To be disclosed in the FY20 Annual Report on Remuneration on Report Annual FY20 the in To disclosed be To be disclosed in the FY20 Annual Report on Remuneration on Report Annual FY20 the in To disclosed be To be disclosed in the FY21 Annual Report on Remuneration on Report Annual FY21 the in To disclosed be vesting) vesting) Stretch Stretch $226M (100% (100% (100% (100% Stretch (1 x (1 Stretch multiplier) Accelerator Vesting multiplier) 88 $989M $858M $182M $227M $736M Maximum Super Super $989M $259M (1.25 x (1.25 multiplier) Maximum 24 $194M $204M $825M $252M (1.25 x (1.25 performance to 31 March 31 to One-year One-year performance $162M $760M to 31 March 31 to 2018 Two-year Two-year $162M $760M $769M 2018 Vesting outcome (out of 125%) of (out outcome Vesting Vesting (out of of (out 125%) 109% 113% 0% 0% 0% 0%

Additional Information Financial Statements Corporate Governance Strategic Report Introduction 95 96 Cybersecurity evolved

ANNUAL REPORT ON REMUNERATION CONTINUED

Single Total Figure of Remuneration for Non-Executive Directors (Audited)

The table below sets out the total single figure of remuneration received by each Non-Executive Director who served during the year-ended 31 March 2019 and the prior-year:

Base fee ($000) Additional fees ($000) Other ($000) Total ($000)

2019 2018 2019 2018 2019 2018 2019 2018 Peter Gyenes 250 250 5 5 – – 255 255 Sandra Bergeron 150 150 – – – – 150 150 Edwin Gillis – 66 – 7 – – – 73 Rick Medlock 150 150 15 8 – – 165 158 Steve Munford1 128 150 – – - – 128 150 Vin Murria 150 150 – – – – 150 150 Paul Walker 150 150 25 25 – – 175 175

1 Steve Munford stepped down 7 Feb 2019

Exit payments made in year (Audited)

No exit payments were made to Directors in FY19.

Payments to past Directors (Audited)

No payments were made to past Directors in FY19.

External directorships

In FY19 Nick Bray received £58K as a Non-Executive Director of De La Rue plc (FY18: £58K).

Remuneration for FY19 Base salary Salaries for Kris Hagerman and Nick Bray, effective from 1 July 2019, will be $740,000 and £300,000, respectively. This is lower than increases awarded to the broader employee population of c.3 per cent, representing a 0 per cent increase on previous year base.

Pension and benefits

In line with the Remuneration Policy, the Executive Directors will continue to receive pension contributions of 3 to 5 per cent of salary. They will also continue to receive benefits in line with the Policy.

Annual bonus For the year-ending 31 March 2020, the Committee will operate the annual bonus using an updated framework with new measures. Revenue and Adjusted Operating Profit targets have been set by the Committee and will require Executive Directors to deliver significant stretch performance to achieve full payout. Given the close link between these targets and Sophos’ competitive strategy, these financial targets are considered commercially sensitive and will not be disclosed in advance but will be disclosed on a retrospective basis in next year’s Annual Report on Remuneration.

All of the bonus will be paid in cash. Bonus payments are subject to malus and clawback provisions.

Long-Term Incentive Plan In FY20, the Committee intends to grant long-term incentive awards to Executive Directors in line with the amended remuneration policy following the 2019 AGM, see page 85. Full details of the awards will be set out in the Annual Report for the year-ending 31 March 2020. LTIP awards are subject to malus and clawback provisions. epresents dividendsepresents paid in each financial year 2 1 and changepercentage to in costs shareholders. distributions employee total in change percentage and expenditure actual the FY18, and FY19 for shows, table following The pay on spend of importance Relative populations. FY19 and FY18 the in appear individuals same the i.e. employees, of set aconsistent on based is analysis the comparison, ameaningful To provide employees. other all for remuneration in change percentage below table The shows change the percentage in the CEO’s remuneration from the prior-year to compared the average change in CEO remuneration Percentage FY20. for above out set policy fee NED the to change no be will There With effect from the IPO, the fees payable to the Chairman of the Board and other Non-Executive Directors (“NED”) are as follows: are (“NED”) Directors Non-Executive other and Board the of Chairman the to payable fees the IPO, the from effect With Chairman) the (including fees Director Non-Executive Accounts and Report Annual 2019 Total employee expenditure Shareholder – dividends distributions salary Base Additional fees: fee base NED Board the of Chairman Taxable benefits Single-year variable

Financial Statements T R otal employee expenditure includes wages and salaries, social security costs, pension and other costs and share-based payments, see note 10 of the the of 10 note see payments, share-based and costs other and pension costs, security social salaries, and wages includes expenditure employee otal 2 Senior Independent Director Chairman Nominations Committee Chairman Remuneration Committee Chairman Committee Risk and Audit 1 370.1 FY19 FY19 23.9 $M % change FY18 to FY19 to FY18 % change -100% CEO 0% – 361.9 FY18 FY18 21.8 $M Other employees $250,000 $150,000 $10,000 $15,000 $15,000 Fee p.a. Fee Change $5,000 -100% 10% 9% 2% % –

Additional Information Financial Statements Corporate Governance Strategic Report Introduction 97 98 Cybersecurity evolved

ANNUAL REPORT ON REMUNERATION CONTINUED

Pay for performance

In line with the reporting regulations, Sophos is required to provide a graph showing the Company’s TSR performance (share price plus dividends paid) compared with the performance of a relevant comparator group since IPO, assuming a nominal £100 investment in both the Company and the comparator group at the start of the timeframe. Companies are also required to show the CEO’s single figure of remuneration and actual variable pay outcomes over the same period.

Sophos has chosen to compare its performance against the FTSE250 Index, as the Company became a constituent of the index on IPO. The table below details the CEO’s single figure of remuneration and actual variable pay outcomes over the same period. As Sophos completed its IPO in July 2015, TSR data and pay disclosure is available from this date to 31 March 2019 only.

£250 £200 £150 £100 £50 £0 25/06/2015 31/03/2016 31/03/2017 31/03/2018 31/03/2019 Sophos FTSE250

FY17 FY18 FY19 Incumbent Kris Hagerman Kris Hagerman Kris Hagerman CEO single figure of remuneration ($000) $2,322 $8,704 $4,683 Annual bonus outcomes (% of maximum) 55% 44% 0% PSU vesting outcome (% of maximum) n/a 93% 54%

Statement of shareholder voting

The following table shows the result of the advisory vote on the 2018 Annual Report on Remuneration at the 2018 AGM and the binding vote on the Remuneration Policy at the 2016 AGM. For Against Withheld Number % Number % Number Remuneration Policy (2016 AGM) 279,603,831 72.15% 107,903,661 27.85% 4,904,177 2018 Annual Report on Remuneration 267,403,495 67.62% 128,070,534 32.38% 5,171 of the Group, with the exception of Vin Murria who is also a Non-Executive Director of Softcat plc, with whom the Company maintains an ongoing relationship. customer Company the whom with plc, Softcat of Director aNon-Executive also is who Murria Vin of exception the with Group, the of contracts significant any in or Company the of undertaking subsidiary any of shares the in interest an had Directors the of None There have been no changes to shareholdings between 1 April 2019 and 15 May 2019. May 15 and 2019 1April between shareholdings to changes no been have There 2019. March 31 at as requirement shareholding respective their against Director each of shareholding the shows below table The (Audited) share ownership Directors’ of shareholders. support the on count can it that hopes Committee the and 2019 September 25 on AGM the at vote abinding to put be will Policy future shareholders for period indicated that responded those during changes. proposed The broad the proposed support the consultation Company, the of success long-term the drive ultimately to experience and skills right the with geographies, relevant in the executives retain and attract to Company the enable to necessary remains norms market UK from divergence some While months. recent in Policy proposed the on advisors proxy and shareholders largest its with consulting been has Company The report. this of 90 to 82 pages on Report the in Policy out set are Policy proposed the of Details governance. remuneration in developments recent to respond appropriately and norms market UK with closely more policy remuneration Director Executive Company’s the align to intended revisions of number has a conducted comprehensiveSince review AGM, the 2018 of the Remuneration Committee the Policy and is proposing a Group. the for markets talent relevant in practices competitive reflect but practice, UK generally-accepted from depart that reflected continued divergence in shareholder result views over several of of the features the Company’s remuneration executive arrangements disappointing This resolution. the against vote cent per a32.38 received which Remuneration, on Report Annual the on vote advisory the of result the to response in statement interim an published Company the AGM, 2018 the Following Accounts and Report Annual 2019 Paul Walker Paul Vin Murria Vin Rick Medlock Roy Mackenzie Sandra Bergeron Peter Gyenes Peter Bray Nick Hagerman Kris Beneficially Beneficially 2,722,605 381,138 190,695 190,695 286,631 286,631 214,974 214,974 50,000 owned Share and option awards – – performance ,2,6 932,350 1,822,166 Subject to to Subject 791,080 – – – – – – employment Subject to to Subject continued 410,617 410,617 only – – – – – – Vested but but Vested 3,908,352 3,908,352 exercised not yet yet not – – – – – – – Shareholding (% of salary) of (% required 200 200 200 200 shareholding (% of salary) of (% Current 1,442 1,442 391 391 Requirement

met

Yes Yes

Additional Information Financial Statements Corporate Governance Strategic Report Introduction 99 100 Cybersecurity evolved

ANNUAL REPORT ON REMUNERATION CONTINUED

Summary of outstanding share awards

The interests of the Directors in the Company’s share schemes as at 31 March 2019 are summarised in the table below.

Awards Granted Exercised Forfeited Awards Market Vesting Date of held at during during during held at Exercise price at Performance period/ Expiry Director award 1 Apr 18 the year the year the year 31 Mar 19 price1 grant period date date Kris Hagerman Pre–IPO 1 Aug 13 options 10 Oct 12 2,150,232 – (250,000) – 1,900,232 $ 0.598 $ 0.598 n/a – 1 Aug 17 10 Oct 22 Pre–IPO options 10 Oct 12 2,258,120 – (250,000) – 2,008,120 $ 0.598 $ 0.598 exit event 1 Jul 15 10 Oct 22 1 Apr 15 – LTIP – PSU 7 Aug 15 716,292 115,394 (831,686) – – – 265p 31 Mar 18 7 Aug 18 6 Aug 25 1 Apr 16 – LTIP – PSU 14 Jun 16 993,603 – – – 993,603 – 179p 31 Mar 19 14 Jun 19 13 Jun 26 1 Apr 17 – LTIP – PSU 16 Jun 17 478,272 – – – 478,272 – 436p 31 Mar 20 16 Jun 20 15 Jun 27 1 Apr 18 – LTIP – PSU 14 Jun 18 – 350,291 – – 350,291 – 596p 31 Mar 21 14 Jun 21 13 Jun 28 7 Aug 16 LTIP – RSU 7 Aug 15 104,460 – (74,614) – 29,846 – 265p n/a – 7 Aug 19 6 Aug 25 7 Aug 16 LTIP – RSU 7 Aug 15 1,081,461 – (491,573) – 589,888 – 265p n/a – 7 Aug 20 6 Aug 25 14 Jun 17 LTIP – RSU 14 Jun 16 207,001 – (103,500) – 103,501 – 179p n/a – 14 Jun 20 13 Jun 26 16 Jun 18 LTIP – RSU 16 Jun 17 159,424 – (69,748) – 89,676 – 436p n/a – 16 Jun 21 15 Jun 27 14 Jun 19 LTIP – RSU 14 Jun 18 – 116,763 – – 116,763 – 596p n/a – 14 Jun 22 13 Jun 28 ESPP 1 Jan 18 1,629 – (1,629) – – 482p 567p n/a 30 Jun 18 30 Jun 18 ESPP 2 Jul 18 – 1,498 (1,498) – – 311p 631p n/a 31 Dec 18 31 Dec 18 ESPP 1 Jan 19 – 2,676 – – 2,676 TBD 366p n/a 30 Jun 19 30 Jun 19

1 Under Group scheme rules exercise price is to be not less than 85 per cent of the lesser of market value on date of grant and market value on date of exercise 2019 Annual Report and Accounts and Report Annual 2019 15 May 2019 May 15 Chairman of the Remuneration Committee Paul Walker Board the of behalf On date. alater at exercised only be may performance to as vested is which option an of aportion that require may Company the participant, aMEP of of service length the on Depending vested. performance to subject awards the of cent per 66.2 Admission, On vesting. performance to subject is cent per 50 and vesting time to subject is option aMEP of cent per 50 that provide MEP the of rules The versa. vice and exercised been not has Option aLinked that extent the to exercised be only may Agreement a JOE under Rights Agreement. JOE the in specified aprice of participant the by payment upon vest, which shares owned in jointly any interest beneficial the of part that of agreement JOE the of Trustee the by him to transfer the for call to participant the entitle agreement aJOE under Awards Agreement. aJOE under award aparallel to linked were Option”) (a “Linked options MEP FY16) in agreement JOE the under exercised (until Bray’s Nick IPO. the to prior issued were that (“MEP”) Plan Equity Management Holdings Pentagon the under granted options share hold to continues Hagerman Kris prospectus, IPO the in outlined As SAYE LTIP – RSU 14 Jun 18 Jun 14 –RSU LTIP 17 Jun 16 –RSU LTIP TP–RU1 u 69,8 – – 93,280 49,158 16 Jun 14 15 7Aug –RSU LTIP 15 7Aug –RSU LTIP –RSU LTIP Director LTIP – PSU 7 Aug 15 7Aug –PSU LTIP Nick Bray TP–PU1 u 71495 – 18 Jun 14 194,985 –PSU LTIP 17 Jun 16 –PSU LTIP 16 Jun 14 –PSU LTIP 24 Jun 16 Jun 24 Date of of Date award 463,484 463,484 1 Apr 18 1 Apr 337,079 337,079 447,744 Awards 64,995 held at at held 11,111 – – the year Granted 148,351 148,351 54,303 54,303 49,451 49,451 during during – – – – Exercised Exercised (391,382) (210,674) the year (46,640) (28,435) (35,113) during during – – – – – – 148,351 – 596p 596p – 436p – 148,351 – 194,985 – – – – – Forfeited the year during during – 36,560 – 436p 436p – 36,560 – – 46,640 – 179p 179p – 46,640 – – 14,045 – 265p 265p – 14,045 – – 252,810 – 265p 265p – 252,810 – – 31 Mar 19 Mar 31 447,744 Awards held at at held 11,111 49,451 49,451 – – 265p 265p – – Exercise Exercise price 162p – 596p 596p – – 179p 179p – price at at price Market Market grant 202p Performance Performance 1 Apr 18 – 18 1 Apr 1 Apr 16 – 16 1 Apr 1 Apr 15 – 15 1 Apr 31 Mar 20 16 Jun 20 15 Jun 27 Jun 15 20 Jun 16 20 Mar 31 1 Apr 17 – 17 1 Apr 31 Mar 19 14 Jun 19 13 Jun 26 Jun 13 19 Jun 14 19 Mar 31 31 Mar 21 14 Jun 21 13 Jun 28 Jun 13 21 Jun 14 21 Mar 31 31 Mar 18 7 Aug 18 6 Aug 25 6Aug 18 7Aug 18 Mar 31 period n/a n/a n/a n/a n/a n/a – 14 Jun 20 13 Jun 26 Jun 13 20 Jun – 14 – 14 Jun 22 13 Jun 28 Jun 13 22 Jun – 14 – 16 Jun 21 15 Jun 27 Jun 15 21 Jun – 16 – 7 Aug 20 6 Aug 25 6Aug 20 – 7Aug – 7 Aug 19 6 Aug 25 6Aug 19 – 7Aug 16 Jun 18 18 Jun 16 14 Jun 19 19 Jun 14 14 Jun 17 17 Jun 14 8 Aug 19 8 Feb 20 8Feb 19 8 Aug 7 Aug 16 16 7 Aug 7 Aug 16 16 7 Aug Vesting Vesting period/ date

Expiry Expiry date 101 Additional Information Financial Statements Corporate Governance Strategic Report Introduction 102 Cybersecurity evolved

DIRECTORS’ REPORT

The Directors of Sophos Group plc (“the Company”) present The majority of the disclosures required under LR 9.8.4 R their Annual Report on the affairs of the Group, together with are not applicable to the Group. The table below sets out the Consolidated Financial Statements and Auditor Report on the location of the disclosures for those requirements that the Group for the year-ended 31 March 2019. are applicable:

There are a number of legal and regulatory requirements with Applicable sub-paragraph Page number which the Company must comply, such as the Companies Publication of unaudited financial information 28 to 35 Act 2006 (“the Act”), the Listing Rules and the Disclosure Details of long-term incentive schemes 91 to 101 Guidance and Transparency Rules (“DTRs”), which are addressed in this section (together with the Corporate Allotment of equity securities 163 to 166 Governance Statement set out on pages 56 to 57, and Contracts of significance 103 committee reports on pages 68 to 101, that have been Agreements with controlling shareholders 103 incorporated into this Directors’ report by cross-reference). Articles of Association and Constitution Strategic report Sophos Group plc is domiciled in England and incorporated The Strategic report, which also forms part of this report and in England and Wales under Company Number 09608658. is presented on pages 8 to 39 of this Annual Report, includes a fair review of the business, a description of the principal The Articles of Association of the Company (“the Articles”) risks and uncertainties facing the Group and an indication may only be amended by a special resolution at a meeting of of likely future developments. the shareholders. The current Articles can be found on the Group’s website at: investors.sophos.com. A summary of general disclosures (incorporated in this Directors’ Report) Directors’ interests

The following information required to be disclosed in this A summary of the Directors’ remuneration, employment Directors’ report is set out on the pages listed below: contracts and interests in the shares of the Company are set out in the Annual Report on Remuneration on pages 91

Page Number to 101.

1 Likely future developments 22 to 27 None of the Directors had an interest in any significant Policy on disability1 41 contracts of the Group or its subsidiaries, except for Vin Employee engagement1 46 Murria who is also a Non-Executive Director of Softcat plc, Greenhouse gas emissions1 50 and 51 with whom the Company maintains an ongoing customer relationship. Names of Directors who served during 54 and 55 the year Directors’ indemnity and insurance Results 118 and 119 Details of employee share plans 85 and 86 Throughout the year, the Company has purchased and maintained Directors’ and Officers’ liability insurance in Subsidiary and associated undertaking 167 and 168 and branches respect of itself and its Directors, and the Directors of Group subsidiary companies. The Directors also have the benefit Financial risk management 36 to 39 of the indemnity provision contained in the Articles. 1 I nformation required by the Large and Medium-sized Companies (Accounts and Reports) Regulations 2008 are included in the Strategic report The Company has entered into qualifying third-party indemnity arrangements for the benefit of all its Directors in a form and scope which comply with the requirements of the Companies Act 2006 and which were in force throughout the year and remain in force. Share capital and substantial shareholders and substantial capital Share • • • thatthethroughoutperiod: can Board The confirm Listing Rules. “controlling in the shareholder”) with accordance (as the Apax and Company the between relationship ongoing the regulates which Agreement Relationship a into entered Apax and Company the 2015, June 26 On 2019. March 31 at as capital share ordinary issued the of cent per 10 than more hold still and Company the of capital share ordinary issued the of cent per 30 than more held previously “Apax”) (collectively Sarl US Lock Pentagon and 7-A Sarl Lock Pentagon Sarl, 6-A Lock Pentagon Sarl, Lock Pentagon Relationship Agreement Accounts and Report Annual 2019 capital of the Company, disclosable under the DTRs, has been notified to the Company between 31 March 2019 and 15 May 2019. May 15 and 2019 March 31 between Company the to notified been has DTRs, the under disclosable Company, the of capital share ordinary the in interests voting in change No below. table the in out set shares its in rights voting of holdings significant following the of 5 DTR under notified was Company the 2019 May 15 and 2019 March 31 at As issue. in share of class only the are each pence three of shares ordinary Statements; Financial the of 27 note in out set is Company the of capital share The Name Franklin Templeton LLC Institutional, Lammer Peter Jan Hruska Apax ODDO Meriten Asset Management ODDO Asset Meriten Old Mutual plc Limited (Holdings) Investments Life Standard

provisions. the agreement’sshareholders with independence controlling non-signing of compliance the procured has a independence provisions; and, agreement’s the with complied have associates its and a independence provisions; t he Company has complied with the agreement’s agreement’s the with complied has Company he s far as the Company is aware, the controlling shareholder shareholder controlling the aware, is Company the as s far shareholder controlling the aware, is Company the as s far in note 24 of the Financial Statements. Financial the of 24 note in details of financingFurther agreements in place are included • • • • bid: atakeover following Company the of control of change a upon agreements the terminate or alter to counterparties the enable would that provisions include which 2019, March 31 at as place in are agreements significant following The agreements Significant

$40.0 million entered into on 6 February 2017. 6February on into entered million $40.0 a r and, 2015; 1July on into entered million $30.0 a r 2015; 1July on into entered million €60.0 a s 2015; 1July on into entered million $235.0 a s evolving credit facility agreement (“RCF 2”) of of 2”) (“RCF agreement facility credit evolving 1”) of (“RCF agreement facility credit evolving yndicated secured term loan (“Facility B”) of of B”) (“Facility loan term secured yndicated A”) of (“Facility loan term secured yndicated Ordinary shares Ordinary 12,954,464 42,543,360 42,543,360 51,936,344 22,724,690 19,821,783 23,376,977 As at 31 March 2019 March 31 at As held Percentage of of Percentage total ordinary ordinary total shares 10.77 2.68 4.85 8.82 8.82 4.11 4.71 103 Additional Information Financial Statements Corporate Governance Strategic Report Introduction 104 Cybersecurity evolved

DIRECTORS’ REPORT CONTINUED

Analysis of shares held as at 31 March 2019 Number of % of % of Number of shares held shareholders shareholders Holding total capital 100 33 3.2738 2,073 0.0004 200 35 3.4722 5,711 0.0012 500 72 7.1429 27,712 0.0058 1,000 113 11.2103 91,971 0.0191 2,000 93 9.2262 139,736 0.0290 5,000 147 14.5833 489,421 0.1016 10,000 79 7.8373 559,048 0.1160 50,000 156 15.4762 3,769,323 0.7822 100,000 72 7.1429 5,130,687 1.0647 500,000 105 10.4167 24,830,528 5.1530 1,000,000 34 3.3730 25,790,422 5.3522 5,000,000 49 4.8611 115,139,589 23.8943 10,000,000 9 0.8929 56,243,352 11.6719 50,000,000 10 0.9921 162,964,556 33.8192 99,999,999,999 1 0.0992 86,685,577 17.9895 Total 1,008 481,869,706

Voting rights At every Annual General Meeting (“AGM”) all the Directors at the date of the notice convening the AGM shall retire from All of the issued and outstanding ordinary shares of the office. If the Company does not fill the vacancy at the Company have equal voting rights, with one vote per share. meeting the retiring Director shall, if willing to act, be There are no special control rights attaching to them. deemed to have been re-appointed unless at the meeting it is resolved not to fill the vacancy or unless a resolution for the Transfer of shares reappointment of the Director is put to the meeting and lost. The transfer of shares is governed by the Articles which allows any member to transfer certificated shares in any A person ceases to be a Director as soon as: usual form or in any other form for which the Board may (i) n otification is received by the Company from the approve. The Board may, in its absolute discretion, refuse to Director that they are resigning or retiring from office; register a transfer of a certificated share that is not fully paid, provided that the refusal does not prevent dealings in the (ii) that person has been absent for more than six Company from taking place on an open and proper basis. consecutive months without permission of the Board The Board may also refuse to register the transfer of a and the Board resolves that their office be vacated; certificated share unless the instrument of transfer is (i) lodged, duly stamped (if stampable), at the office or at (iii) t he person has become physically or mentally incapable another place appointed by the Board, accompanied by the of acting as a Director and may remain so for more than certificate for the shares to which it relates and such other three months; evidence as the Board may reasonably require to show the (iv) a bankruptcy order is made against that person; right of the transferor to make the transfer; (ii) in respect of only one class of shares; and (iii) in favour of not more than (v) a composition is made with that person’s creditors four transferees. generally in satisfaction of that person’s debts;

Appointment and retirement of Directors (vi) t hat person ceases to be a Director by virtue of any provision of the Act or is prohibited from being a Director Unless otherwise determined by ordinary resolution, the by law; or, number of Directors shall be no less than three but is not subject to any maximum number. The Board may appoint a (vii) t hat person is removed from office pursuant to the person who is willing to act to be a Director, either to fill a Articles. vacancy or as an additional Director and in either case whether or not for a fixed term. policy to be and appropriate sustainable. consider reviewthe latest the Directors the current dividend of basis the On intentions. investment and commitments cash other of light in them of each on dividend proposed the of impact the as well as hand on available cash and reserves distributable the both review Directors the adividend of proposal the to Prior 101. page on disclosed statement and review viability Group’s the into factored are which 39 to 36 pages on discussed mitigations, their and risks, principal the by influenced is payments dividend future make to cash or reserves distributable of availability and policy dividend The Statements. Financial the of 33 note in included is hand on cash of details proposed, and made dividends the support to continuing activities trading with generative cash strongly is Group The proposed. being dividends the for cover significant having thereby reserves distributable the million, $21.8 totalling year that in dividends paying after million, $946.1 of earnings retained had plc Group Sophos prior-year the of end the At reserves. distributable the approximates which million, $919.4 of earnings retained has plc Group Sophos companies. Group by financed subsidiaries in investments a non-trading investment company for the Group, holding is and Group the of Company parent the is plc Group Sophos share). per cents US 4.9 (2018: 2019 for share per cents US 5.2 of Total dividend share). per cents US 3.5 (2018: 2019 October 11 on paid be to share per cents US 3.7 of Dividend Final Proposed share). per cents US 1.4 (2018: 2018 14 December paid share per cents US 1.5 of Dividend Interim shares Ordinary nature thecash-generative ofthe Group. reflecting annum, per growth cent per digit mid-single approximately targeting policy dividend aprogressive adopt to continue and below noted as dividends declared have Directors The Dividends Company. the of powers the all exercise may who Directors the by managed be shall Company the of business the resolution, special by given directions any to and Articles, the 2006, Act Companies the of provisions to Subject Directors the of Powers Accounts and Report Annual 2019 31 March 2019 (FY18: no political donations were made). were donations political no (FY18: 2019 March 31 Accordingly, no donations political were made in the year-ended donations. political any make to not is policy Group’s The donations Political included in note of 4.10 the Financial Statements. are details further met, been have 38 IAS of requirements the if capitalised is expenditure Development cent). per 18.3 (FY18: development and research on billings its of cent per 18.9 spent Group the 2019, March 31 year-ended the In activity relating to its principal activities. and research GroupThe development continues to undertake and development Research Abingdon, OX14 3YP. Abingdon Science Park, Pentagon, The at: 2019 September 25 on 3.00pm at held be will AGM 2019 The Accounts. and Report Annual this accompanies AGM 2019 the at proposed be to resolutions the out sets which AGM the of notice The Meeting General Annual published by the CMA on 26 September 2014. September 26 on CMA the by published 7.1), (Article 2014 Order Responsibilities) Committee Audit and Processes Competitive of Use (Mandatory Investigation Market Companies Large for Services Audit Statutory The with complied has it that confirms Company the 76, page on to referred process tender audit the of exception the With order (“CMA”) Authority Markets and Statement of compliance with the Competition bydirected theCompany. unless otherwise beneficiary any by held is interest beneficial no which in and them by held shares any of respect in rights other any exercising or voting from abstain will Trust Benefit Employee the of Trustees The heldShares in Trust the Employee Benefit in the AGM Notice. out set limits the within AGM, 2019 the at authorities these renew to seek will Company The acharge. of subject the shares any make or year the during shares repurchase not did Company The Articles. Company’s the under permitted as capital, share issued Company’s the of cent per 10 to up of purchases market make to also and shares allot to AGM 2018 the at shareholders by authorised was Company The purchase own shares to authority and shares issue to Authority

105 Additional Information Financial Statements Corporate Governance Strategic Report Introduction 106 Cybersecurity evolved

DIRECTORS’ REPORT CONTINUED

Going concern Group, consideration was given to potential principal risk combinations. The process of identifying, assessing and Having made appropriate enquiries and considered the managing principal risks is set out in the Audit and Risk Group’s forecasts, the Directors consider that the Group has Committee report on pages 71 to 76. sufficient resources to continue for the foreseeable future. Accordingly, they continue to adopt the going concern basis Post balance sheet events in preparing the Financial Statements. There have been no material events from 31 March 2019 to Further details regarding the adoption of the going concern the date of this report. basis can be found in the viability statement below. Auditor Viability statement KPMG LLP has expressed their willingness to continue in The Directors have assessed the viability of the Group over office as auditor of the Company and accordingly a resolution a three-year period, taking into account the Group’s current for the re-appointment of KPMG LLP as auditor of the position and the potential impacts of the principal risks Company is to be proposed to the shareholders at the documented on pages 36 to 39 of the Annual Report. Based 2019 AGM. on this assessment, the Directors confirm that they have a reasonable expectation that the Company will be able to Disclosure of information to Auditor continue to operate and to meet its liabilities as they fall The Directors who held office at the date of approval of this due over the three years to 31 March 2022. Directors’ report confirm that, so far as they are each aware, The Group prepares annually, and on a rolling basis, a there is no relevant audit information of which the Company’s strategic plan, which is predicated on a detailed year one auditor is unaware and each Director has taken all the steps budget and higher-level forecasts thereafter. The output of that he or she ought to have taken as a Director to make them this plan is used to perform debt and associated covenant aware of any relevant audit information. headroom profile analysis, which includes sensitivity to business as usual risks such as billings and EBITDA impacts. Statement of Directors’ responsibilities in respect of A bottom-up operating plan is prepared on an annual basis the Annual Report and the Financial Statements for presentation to the Board. The Directors are responsible for preparing the Annual Report and the Group and parent Company Financial Statements in Following assessment of the planning process, the Directors accordance with applicable law and regulations. have determined that a three-year period is an appropriate period over which to assess the Group’s viability. Whilst the Company law requires the Directors to prepare Group and Directors have no reason to believe that the Group will not parent Company Financial Statements for each financial be viable over a longer period; the period of three years has year. Under that law they are required to prepare the Group been chosen as this matches the term of the majority of the Financial Statements in accordance with International Group’s sales (typically one to three years in duration, with Financial Reporting Standards as adopted by the European a weighted average contract life of around 26 months) which Union (IFRSs as adopted by the EU) and applicable law. therefore aids the accuracy of forecasting with a single As explained in note 4 to the Group Financial Statements, renewal cycle, thereby providing a greater degree of certainty the Group, in addition to complying with its legal obligation and, in the view of the Directors, still provides an appropriate to apply IFRSs as adopted by the EU, has also applied IFRSs long-term outlook. as issued by the International Accounting Standards Board (“IASB”). Under company law the Directors have elected In making this viability statement, the Board carried out a to prepare the parent Company Financial Statements in robust assessment of the principal risks facing the Group, accordance with UK accounting standards, including FRS including those that would threaten its business model, 102 The Financial Reporting Standard applicable in the UK future performance, solvency or liquidity. Where individual and Republic of Ireland. principal risks did not impact the future viability of the may differ from legislationmay in differ other jurisdictions. andthe preparation dissemination of Financial Statements governing UK the in Legislation website. Company’s the on and of financial the corporate integrity information included and maintenance the for responsible are Directors The regulations. those and law that with complies that Statement Governance and Corporate Remuneration report Directors’ report, Directors’ responsible for report, preparing a Strategic also are Directors the regulations, and law applicable Under irregularities. other and fraud detect and prevent to and Group the of assets the safeguard to them to open reasonably are as steps such taking for responsibility general have and error, or fraud to due whether misstatement, material from free are that Statements Financial of preparation the enable to necessary is determine they as control internal such for responsible are They 2006. Act Companies the with comply Statements Financial its that ensure to them enable and Company Parent the of position financial the time any at accuracy reasonable with disclose and transactions Company’s parent the explain and show to sufficient are that records accounting are Directors The responsible for keeping adequate • • • • • • to: required are Directors the Statements, Financial Company parent and Group the of each preparing In period. that for loss or profit their of and Company Parent and Group the of affairs of state the of view fair and a true give they that satisfied are they unless Statements Financial the approve not must Directors the law company Under Accounts and Report Annual 2019

to do so. do to but alternative realistic no have or operations cease to or Company parent the or Group the liquidate to intend either u and, concern; going to related matters applicable, as disclosing, concern, agoing as a Statements; Financial Company parent the in explained and disclosed departures material any to subject followed, been have standards accounting UK applicable whether f EU; the by adopted as IFRSs with accordance in prepared been have f reliablerelevant, and prudent; m consistently; s or the parent Company Financial Statements, state state Statements, Financial Company parent the or they whether or state the Group Financial Statements, elect suitable accounting policies and then apply them them apply then and policies accounting suitable elect ssess the Group and parent Company’s ability to continue continue to ability Company’s parent and Group the ssess se the going concern basis of accounting unless they they unless accounting of basis concern going the se ake judgements and estimates that are reasonable, reasonable, are that estimates and judgements ake

15 May 2019 May 15 Secretary Company Eleanor Lacey Board the of order By strategy. and model business performance, and position for the Group’s shareholders to assess information necessary the provides and understandable and balanced fair, is whole, a as taken Accounts, and Report Annual the We consider • • knowledge: our of best the to that We confirm Report Financial Annual the of respect in Directors the of statement Responsibility

of the principal risks and uncertainties that they face. they that uncertainties and risks principal the of adescription with together awhole, as taken consolidation the in included undertakings the and issuer the of position development of the business and and the performance t and, awhole; as taken consolidation the in included undertakings the and company the of loss or profit and position financial liabilities, assets, the of view fair and atrue give standards, accounting of set applicable t he Strategic report includes a fair review of the the of review afair includes report Strategic he prepared in the he with accordance Financial Statements,

107 Additional Information Financial Statements Corporate Governance Strategic Report Introduction 108 Cybersecurity evolved

Sophos Mobile – secure unified endpoint management Imagine an attack that starts with a phishing email that you are just as likely to open on your mobile device, and tap the link with your finger, as you are to click it with a mouse on your laptop. Yet, it is estimated that more than half of businesses have no mobile security in place1 ”

As we move towards ‘zero trust’ With a rich set of device management networking, enhanced conditional access capabilities, containers, and market- is crucial. With remote working on the leading encryption, Sophos helps increase and the knock-on effect that has customers keep sensitive business email on corporate data access across a variety and documents protected on mobile of mobile devices, there is a growing devices, even for users working with requirement to enable user productivity personal devices. The Group’s leading without compromising data security. antivirus and ransomware protection safeguards users and devices from Sophos Mobile is a secure Unified malicious content and apps. Sophos Endpoint Management (“UEM”) solution Mobile includes phishing URL scanning that helps businesses spend less time as standard in addition to all the other and effort to manage and secure great protections like deep learning traditional and mobile endpoints. based malware detection. The only UEM solution that integrates natively with a leading next-gen 1 Verizon Mobile Security Index 2019 endpoint security platform, Sophos Mobile supports management of Windows 10, macOS, iOS, and Android Find out more at: devices. This is all managed via the www.sophos.com/mobile Group’s single, integrated cloud management console – Sophos Central. 2019 Annual Report and Accounts and Report Annual 2019 118 174 ndependent Auditor’s Report 110 Financial Statements

C  C I and Notes and Notes ompany Financial Statements Statements Financial ompany onsolidated Financial Statements

109 Additional Information Financial Statements Corporate Governance Strategic Report Introduction 110 Cybersecurity evolved Independent Auditor’s Report to the members of Sophos Group plc only

1. Our opinion is unmodified Basis for opinion

We have audited the Financial Statements of Sophos Group We conducted our audit in accordance with International plc (“the Company”) for the year ended 31 March 2019 which Standards on Auditing (UK) (“ISAs (UK)”) and applicable law. comprise the Consolidated Statements of Profit and Loss, Our responsibilities are described below. We believe that the Comprehensive Income, Financial Position, Changes in Equity, audit evidence we have obtained is a sufficient and and Cash Flows, and the Company Only Statements of appropriate basis for our opinion. Our audit opinion is Financial Position and Changes in Equity and the related consistent with our report to the Audit Committee. notes, including the accounting policies in note 4. We were first appointed as auditor by the Directors on 25 In our opinion: January 2001. We were then subsequently appointed as auditors of the listed Group for EU PIE purposes. The period of • the Financial Statements give a true and fair view of the total uninterrupted engagement is for the 19 financial years state of the Group’s and of the parent Company’s affairs ended 31 March 2019. We have fulfilled our ethical as at 31 March 2019 and of the Group’s profit for the year responsibilities under, and we remain independent of the then ended; Group in accordance with, UK ethical requirements including • the Group Financial Statements have been properly the FRC Ethical Standard as applied to listed public interest prepared in accordance with International Financial entities. No non-audit services prohibited by that standard Reporting Standards as adopted by the European Union were provided. (IFRSs as adopted by the EU); • the parent Company Financial Statements have been Overview properly prepared in accordance with UK accounting Materiality: $6.8m (2018: $6.3m) standards, including FRS 102 The Financial Reporting group financial Standard applicable in the UK and Republic of Ireland; and statements as a whole 1% (2018: 1%) of Group revenue • the Financial Statements have been prepared in Coverage 98% (2018: 99%) of Group revenue accordance with the requirements of the Companies Act Key audit matters vs 2018 2006 and, as regards the Group Financial Statements, Article 4 of the IAS Regulation. Recurring Revenue recognition Recoverability of parent Company’s Additional opinion in relation to IFRSs as issued by the IASB investment in subsidiaries As explained in note 4 to the Consolidated Financial New Going Concern Statements, the Group, in addition to complying with its legal obligation to apply IFRSs as adopted by the EU, has also applied IFRSs as issued by the International Accounting Standards Board (IASB).

In our opinion, the Consolidated Financial Statements have been properly prepared in accordance with IFRSs as issued by the IASB. opinion on these matters. opinion on matters. these aseparate provide not do we and opinion, that to incidental are consequently and thereon, opinion our forming in and whole, a as Statements Financial the of audit of, our purpose the for solely of, and context the in undertaken, are procedures on results based our and addressed, were matters These procedures. those from results our entities, interest public for as required and, matters those address to procedures audit key our with together above, opinion audit our at arriving in significance, audit of order decreasing in matters, audit key the below We summarise team. engagement the of efforts the and directing audit; the in resources of allocation the strategy; audit overall the on: effect greatest the had which those including us, by identified fraud) to due not or (whether misstatement material of risks assessed significant most the include and Financial Statements the of audit the in significance most of were misstatement judgement, material of risks of professional our in assessment our including that, matters: audit ey matters those are matters audit Key 2. Accounts and Report Annual 2019 (financial disclosures). 143 page and policy) (accounting 129 page Report), Committee (Audit 73 page to Refer million) $639.0 (restated: 2018 million; ($710.6 Revenue recognition

K Group audit. Group the on effect greatest the had that area an be to considered is this Consequently, revenue recognised in each period. of quantum and timing the affect obligations couldperformance materially separate to discounts of allocation This judgement contract. aroundtotal obligations and given discounts on the prices of separate performance list the to reference makes Group The respective stand-alone selling prices. arrangement and their estimating obligation ofperformance the each determining in required is Judgementpromised goods or services. containing multipleon contracts revenue recognising with associated risk evolve, there isportfolios considerable product and expands Group the As Accounting treatment: The risk The • • included: Our procedures Our response • • Our results • •

contract terms which terms contract may impact revenue recognition; standard non of approval and review ensuring control the of C C accounting standards; and obligations and revenue against recognition the relevant performance separate to allocation price transaction of 31 March to 2019 be (2018: acceptable acceptable). W selling prices. obligations andperformance of determination stand-alone separate of identification the regarding disclosure Group’s A Ac the impactassessing of on terms contract revenue recognition; year, the in contracts of asample inspected also We Policy. Group with line in was obligation performance separate each of the of whether determination to stand-alone assess selling price prices selling stand-alone the recalculated we given, discounts and prices list to reference with and year the throughout T alone selling prices; order which system impact directly of determination stand- sales the in prices list of establishment the over controls IT of We selected a sample of Group billings from from billings Group of asample selected We details: of ests ontrol operation: ontrol design:ontrols ssessing transparency: ssessing e found the amount of revenue recognised in the year as at at as year the in recognised revenue of amount the e found counting analysis: We evaluated the design and implementation We evaluated the operating effectiveness We assessed the Group’s policy in respect respect in policy Group’s the assessed We We assessed the adequacy of the the of adequacy the assessed We

111 Additional Information Financial Statements Corporate Governance Strategic Report Introduction 112 Cybersecurity evolved

INDEPENDENT AUDITOR’S REPORT CONTINUED to the members of Sophos Group plc only

2. Key audit matters: including our assessment of risks of material misstatement continued

The risk Our response

Going Concern Disclosure quality Our procedures included: Refer to page 106 The Financial Statements explain how Funding assessment: (Directors’ Report), the Board has formed a judgement that • For existing lenders that are due to provide refinancing under a new page 126 it is appropriate to adopt the going facility, we requested confirmations as to their attitude to participate. (accounting policy) concern basis of preparation for the • We assessed the current facility covenant requirements and and page 158 group and parent Company. the adherence to these as at the balance sheet date. (financial That judgement is based on an disclosures). Historical comparisons: evaluation of the inherent risks to the • We assessed the historical accuracy of the Group’s forecasts, as well Group’s and Company’s business model as challenging the forecasting process in place. and how those risks might affect the Group’s and Company’s financial Sensitivity analysis: resources or ability to continue • We considered sensitivities over the level of available financial operations over a period of at least a resources indicated by the Group’s financial forecasts taking account year from the date of approval of the of reasonably possible (but not unrealistic) adverse effects that could Financial Statements. arise from these risks individually and collectively; The risk identified as most likely to Benchmarking assumptions: adversely affect the Group’s and • We compared the Group’s assumptions to externally derived data in Company’s available financial resources relation to key inputs such as growth rates; over this period was the ongoing refinancing negotiations. Assessing transparency: • We assessed the adequacy of the Group’s disclosure regarding the The risk for our audit was whether or not determination of the going concern assessment with reference to those risks were such that they the dependence of the cash flow forecast on refinancing activities. amounted to a material uncertainty that may have cast significant doubt about Our results: the ability to continue as a going We found the disclosure of going concern without any material concern. Had they been such, then that uncertainty to be acceptable (2018 result: acceptable). fact would have been required to have been disclosed. it is not separately identified in our report this year. this report our in identified separately not is it therefore, and, audit year current our in risks significant most the of one as this assessed not have we disclosures, related and performance measures. alternative Following and updates expenses to the presentation of exceptional of exceptional expenses, alternative presentation performance the of measures appropriateness the over procedures perform to We continue 2019 Annual Report and Accounts and Report Annual 2019 disclosures). (financial 177 page and (accounting policy) 176 page Report), Committee (Audit 73 page to Refer million) $1,099.1 2018: million; ($1,130.6 subsidiaries investment in company’sparent Recoverability of The risk The audit concentrates on. our that areas judgemental key the of one is this model, VIU a for flows cash future discounting and forecasting in involved Due(“VIU”). to the inherent uncertainty use in value calculate to model flow cash adiscounted using recoverability for assessed is and awhole, as Group the of assets net the of excess in significantly is in subsidiaries investments Company’s parent the of amount carrying The based valuation: Forecast Our response subsidiaries to be (2018: acceptable acceptable). in investment Company’s parent the of amount carrying the found We results Our flows. cash those of reasonableness the assess to capitalisation market Group’s the to flows valuations: Comparing and forecasts; bybudgets considering the accuracy of historical the previous comparison: Historical comparable listed companies; by used those against these benchmarking by rates, discount and growth economic term long projected as such inputs, external assumptions: Benchmarking market; the and Group the of knowledge our examining the post year end management and accounts considering by activity, in adownturn of indications any identifying including through experience evaluatingsector the current level of trading, our using by model flow cash discounted the in included flows cash Our experience: sector included:Our procedures we compared the sum of the discounted cash cash discounted the of sum the compared we we challenged the assumptions used in the the in used assumptions the challenged we we assessed the reasonableness of the the of reasonableness the assessed we we assessed the reasonableness of key key of reasonableness the assessed we 113 Additional Information Financial Statements Corporate Governance Strategic Report Introduction 114 Cybersecurity evolved

INDEPENDENT AUDITOR’S REPORT CONTINUED to the members of Sophos Group plc only

3. Our application of materiality and an Group Revenue Group Materiality overview of the scope of our audit $710.6m (2018: $639.0m) $6.8m (2018: $6.3m)

Materiality for the Group Financial Statements as a whole was set at $6.8m (2018: $6.3m), determined with reference to a $6.8m Whole Financial benchmark of Group revenue of which it represents 1% (2018: Statements materiality 1%). We consider Group revenue to be the most appropriate (2018: $6.3m) benchmark as it provides a more stable measure year on year than Group profit before tax. £710.6m (99%) Materiality for the parent Company Financial Statements as a whole was set at $6.6m (2018: $5.9m), determined £6.8m (1%) $5.1m with reference to a benchmark of total assets, of which it Range of materiality represents 0.6% (2018: 0.6%). at 13 components ($2m–$5.1m) We agreed to report to the Audit Committee any corrected (2018: $4.4m–$5.9m at 9 components) or uncorrected identified misstatements exceeding $340k, Group revenue in addition to other identified misstatements that warranted Group materiality $0.34m reporting on qualitative grounds. Misstatements reported to the audit committee Of the Group’s 27 (2018: 27) reporting components, we (2018: $0.31m) subjected 4 (2018: 7) to full scope audits for Group purposes and 2 (2018: 2) to specified risk-focused audit procedures. Group Revenue Group Billings The latter were not individually financially significant enough to require a full scope audit for group purposes, but did 2% 1% present specific individual risks that needed to be addressed. 1% 0% The components within the scope of our work accounted for the percentages illustrated opposite. 98% 99% The remaining 2% of total Group revenue, 10% of Group profit 2018: 99% 2018: 100% before tax and 17% of total Group assets is represented by 21 reporting components, none of which individually represented 99% 100% more than 2% of any of total Group revenue, Group profit 98% 99% before tax or total Group assets. For these residual components, we performed analysis at an aggregated Group level to re-examine our assessment that there were no Group Total Assets Group Profit Before Tax significant risks of material misstatement within these.

The Group team instructed component auditors as to the 10% 17% significant areas to be covered, including the relevant risks % 15 20% detailed above and the information to be reported back. The 16% % Group team approved the component materialities, which ranged 5 % % % from $2m to $5.1m, having regard to the mix of size and risk 83 7 74 2018: 80% 2018: 73% profile of the Group across the components. The work on one of the four components (2018: five of the seven components) was performed by component auditors and the rest, including the 80% 73%

audit of the parent Company, was performed by the Group team. 83% 74%

The Group team visited 1 (2018: 2) component location in Germany (2018: Germany and India) to assess the audit risk Full scope for Group audit purposes 2019 and strategy. Video and telephone conference meetings Specified risk-focused audit procedures 2019 were also held with these component auditors and the Full scope for Group audit purposes 2018 majority of the others that were not physically visited. Specified risk-focused audit procedures 2018 At these visits and meetings, the findings reported to the Residual components Group team were discussed in more detail, and any further work required by the Group team was then performed by the component auditor. • • if: you to report to required are we matter, audit key that to response our in described work the on Based report). this 2 of section (see matter audit key as a concern going We identified Company will continue in operation. the and Group the that aguarantee not is report auditor’s this in uncertainty amaterial to reference of absence the made, were they time the at reasonable were that judgements with inconsistent are that outcomes in result may events subsequent as and conditions or events future all predict cannot we as However, report. audit this in that to reference make to concern, going to related uncertainty conclusionsDirectors’ and, had been there a material the of appropriateness the on conclude to is responsibility Our (“the going the period”). Financial concern Statements of approval of date the from ayear least at for concern going as a continue to ability their over doubt significant cast have thatconcluded could that are there no material uncertainties Theyhave also this isthatrealistic. means position financial Group’s the and Company’s the that concluded have they as and operations, their cease to or Group the or Company the liquidate to intend not do they as basis concern going concern going on report to nothing e have have on Directors The the prepared the Financial Statements 4. Accounts and Report Annual 2019 We have nothing to report in these respects. these in report to nothing We have

approval of the Financial Statements; or Statements; Financial the of approval of date the from months twelve least at of aperiod for basis that of use Company’s and Group the over doubt significant cast may that uncertainties material no with accounting of basis concern going the of use the on Statements Financial the to 4.2 Note in statement directors’ the to relation w page 106 is materially inconsistent with our audit knowledge. audit our with inconsistent materially is 106 page t

he related statement under the Listing Rules set out on on out set Rules Listing the under statement related he W e have anything material to add or draw attention to in in to attention draw or add to material anything e have • to: relation in to attention draw or add to material nothing have we audit, Statements Financial our during acquired we knowledge the on Based viability longer-term and risks principal of Disclosures 2006. Act Companies the with accordance in prepared properly been has audited be to In our opinion of Remuneration Report the Directors’ the part Report Remuneration Directors’ • • solely onBased our work on the other information: Report Directors’ and report Strategic in the other information. material misstatements identified not have we work that on solely Based knowledge. or our the Financialinconsistent audit with Statements or misstated materially is therein information the work, audit so, consider whether, on based our Financial Statements doing in and, information other the read to is responsibility Our any form of conclusion assurance thereon. below, stated explicitly as or, except opinion audit an express not cover the other information and, accordingly, we do not Our opinion does onStatements. the Financial Statements Financial the with together Report Annual the in presented are Directors The responsible for the other information other the on report to nothing e have Report Annual the in information 5. • • •

accordance with the Companies Act 2006. Act Companies the with accordance and Report; the Directors’ report strategic w qualifications or assumptions. necessary any to attention drawing disclosures related any including assessment, their of period the over due fall they as liabilities its meet and operation in continue to able be will Group the that expectation areasonable have they whether to as statement their and appropriate, be to period that considered they why and so done have they period what over Group, the of prospects the assessed have they how of Statement t and mitigated; and managed being are they how explaining t solvency and liquidity; performance, future model, business its threaten would that those including Group, the facing risks principal the of assessment arobust out carried have they that 106) (page Statement t i and Statements; Financial the with consistent is year financial i n our opinion for the the information given in reports those n our opinion those reports have been prepared in in prepared been have reports those opinion n our he Directors’ explanation in the Directors’ Viability Viability Directors’ the in explanation Directors’ he and risks these describing disclosures Risks Principal he Viability the within Directors’ he confirmation Directors’ W e have not identified material misstatements in the the in misstatements material identified not e have 115 Additional Information Financial Statements Corporate Governance Strategic Report Introduction 116 Cybersecurity evolved

INDEPENDENT AUDITOR’S REPORT CONTINUED to the members of Sophos Group plc only

5. We have nothing to report on the other 7. Respective responsibilities continued information in the Annual Report Directors’ responsibilities Under the Listing Rules we are required to review the As explained more fully in their statement set out on page Directors’ Viability Statement. We have nothing to report 107, the Directors are responsible for: the preparation of the in this respect. Financial Statements including being satisfied that they give a true and fair view; such internal control as they determine is Our work is limited to assessing these matters in the necessary to enable the preparation of Financial Statements context of only the knowledge acquired during our Financial that are free from material misstatement, whether due to Statements audit. As we cannot predict all future events or fraud or error; assessing the Group and parent Company’s conditions and as subsequent events may result in outcomes ability to continue as a going concern, disclosing, as that are inconsistent with judgements that were reasonable applicable, matters related to going concern; and using the at the time they were made, the absence of anything to report going concern basis of accounting unless they either intend on these statements is not a guarantee as to the Group’s and to liquidate the Group or the parent Company or to cease Company’s longer-term viability. operations, or have no realistic alternative but to do so. Corporate governance disclosures Auditor’s responsibilities We are required to report to you if: Our objectives are to obtain reasonable assurance about • we have identified material inconsistencies between the whether the Financial Statements as a whole are free from knowledge we acquired during our Financial Statements audit material misstatement, whether due to fraud or other and the Directors’ statement that they consider that the irregularities (see below), or error, and to issue our opinion Annual Report and Accounts taken as a whole is fair, balanced in an auditor’s report. Reasonable assurance is a high level and understandable and provides the information necessary of assurance, but does not guarantee that an audit conducted for shareholders to assess the Group’s position and in accordance with ISAs (UK) will always detect a material performance, business model and strategy; or misstatement when it exists. Misstatements can arise from fraud, other irregularities or error and are considered material the section of the Annual Report describing the work of the • if, individually or in aggregate, they could reasonably be Audit Committee does not appropriately address matters expected to influence the economic decisions of users communicated by us to the Audit Committee. taken on the basis of the Financial Statements. We are required to report to you if the Corporate Governance Statement does not properly disclose a departure from the A fuller description of our responsibilities is provided on the eleven provisions of the UK Corporate Governance Code FRC’s website at www.frc.org.uk/auditorsresponsibilities. specified by the Listing Rules for our review. Irregularities – ability to detect We have nothing to report in these respects. We identified areas of laws and regulations that could reasonably be expected to have a material effect on the 6. We have nothing to report on the other matters Financial Statements from our sector experience, through on which we are required to report by exception discussion with the Directors (as required by auditing standards), from inspection of the Group’s regulatory and legal Under the Companies Act 2006, we are required to report to correspondence and discussed with the Directors the policies you if, in our opinion: and procedures regarding compliance with laws and • adequate accounting records have not been kept by the regulations. We communicated identified laws and regulations parent Company, or returns adequate for our audit have not throughout our team and remained alert to any indications of been received from branches not visited by us; or non-compliance throughout the audit. This included communication from the Group to component audit teams • the parent Company Financial Statements and the part of of relevant laws and regulations identified at Group level. the Directors’ Remuneration Report to be audited are not in agreement with the accounting records and returns; or The potential effect of these laws and regulations on the • certain disclosures of Directors’ remuneration specified by Financial Statements varies considerably. law are not made; or • we have not received all the information and explanations we require for our audit. We have nothing to report in these respects. espective responsibilities 7. Accounts and Report Annual 2019 all laws and regulations. with non-compliance detect to expected be cannot and We are not responsible for preventing non-compliance controls. of internal override or the misrepresentations, omissions, intentional forgery, involve collusion, may these as irregularities, of non-detection of risk higher a remained there audit, any with as addition, In it. identify would standards auditing by required procedures limited inherently the likely less the Statements, Financial the in reflected transactions and events the from is (irregularities) regulations and laws with non-compliance removed further the example, For standards. auditing with accordance in audit our performed and planned properly have we though even Statements, in Financial the misstatements material some detected have not may we that risk unavoidable an is there audit, an of limitations inherent the to Owing matter. audit key as a identified being response our in result to audit our to significant sufficiently actual or non-complianceidentified suspected was not The items. statement financial related the on procedures our of part as effect the considered and non-compliance actual of aware became we procedures, these Through any. if correspondence, legal and regulatory of inspection and regulations to of enquiry and the Directors other management and laws these with non-compliance identify to procedures audit required the limit standards Auditing activities. Group’s the of nature the recognising legislation company of aspects certain and law, employment anti-bribery, safety, and health property, intellectual effect: an such have to likely most those as areas following the We identified operate. to licence Group’s the of loss the or litigation fines, of imposition the through instance for Statements, Financial the in disclosures or amounts on effect amaterial have could regulations of where non-compliance the consequences and laws other many to subject is Group the Secondly, items. statement financial related the on procedures our of part as regulations and laws these with compliance of extent the assessed we and legislation taxation and legislation profits distributable legislation), (including legislation companies related reporting financial including Statements Financial the affect directly that regulations and laws to subject is Group the Firstly,

R continued 15 May 2019 May 15 5GL E14 London Square Canada 15 Chartered Accountants Auditor LLP, Statutory KPMG of behalf on and for Auditor) Statutory (Senior Seale Robert have formed. we opinions the for or report, this for work, audit our for body, a as members, Company’s the and Company the than other anyone to responsibility assume or accept not do we law, by permitted extent To fullest the purpose. other no for and report auditor’s an in them to state to required are we matters those members Company’s the to state might we that so undertaken been has work audit Our 2006. Act Companies the of 16 Part 3of Chapter with accordance in abody, as members, Company’s the to solely made is report This whom to and work audit our of purpose he we owe our responsibilities 8.

T

117 Additional Information Financial Statements Corporate Governance Strategic Report Introduction 118 Cybersecurity evolved

CONSOLIDATED STATEMENT OF PROFIT OR LOSS For the year-ended 31 March 2019

Year-ended Year-ended 31 March 2019 31 March 2018 Restated See note 2 Note $M $M Revenue 7 710.6 639.0 Cost of sales (146.4) (144.0) Gross profit 564.2 495.0

Sales and marketing (259.9) (239.9) Research and development (143.9) (140.3)

General finance and administration: (99.5) (134.5) – Underlying (51.0) (46.9) – Share–based payments (36.9) (42.3) – Exceptional items 8 3.8 (13.2) – Amortisation of intangible assets (16.9) (25.2) – Foreign exchange gain / (loss) 1.5 (6.9) Operating profit / (loss) 60.9 (19.7)

Finance income 13 0.9 0.3 Finance expense 13 (8.2) (21.6) Profit / (loss) before taxation 53.6 (41.0)

Income tax charge 14 (26.7) (19.9) Profit / (loss) for the year 26.9 (60.9)

Earnings per share ($ cents) Basic and diluted EPS 15 5.6 (13.2) Diluted EPS 15 5.4 n/a Adjusted operating EPS 15 14.4 3.6 Diluted adjusted operating EPS 15 13.9 3.4

All of the loss for the year is attributable to equity holders of the parent Company. For the year-ended 31 March 2019 March 31 year-ended the For CONSOLIDATED STATEMENT INCOME COMPREHENSIVE OF 2019 Annual Report and Accounts and Report Annual 2019 xchange difference arising on translation of foreign operations for the year-ended 31 March 2019 of $33.7M include a loss of $39.5M in respect of a re-denomination of of Company. parent the of holders are-denomination of equity to respect in $39.5M of attributable is aloss year the for include loss $33.7M of 2019 comprehensive the of March 31 All year-ended the for operations foreign of translation on arising difference xchange 1 Total losses other comprehensive arising– on Exchange differences of translation foreign operations loss: or profit to subsequently reclassified be may that Items loss: or profit to subsequently reclassified be not will that Items : losses Other comprehensive year the for (loss) / Profit Comprehensive loss for theComprehensive year

E goodwill as set out in note 16 note in out set as goodwill 1

31 March 2019 Year-ended (33.7) (33.7) 26.9 26.9 (6.8) $M –

31 March 2018 Year-ended See note 2 note See Restated (60.9) (63.5) (2.6) (2.6) $M – 119 Additional Information Financial Statements Corporate Governance Strategic Report Introduction 120 Cybersecurity evolved

CONSOLIDATED STATEMENT OF FINANCIAL POSITION At 31 March 2019

31 March 2019 31 March 2018 31 March 2017 Restated Restated See note 2 See note 2 Company registered number: 09608658 Note $M $M $M Non-current assets Intangible assets 16 837.0 869.9 856.0 Property, plant and equipment 18 23.9 25.4 23.4 Deferred tax asset 14 115.0 120.7 100.1 Other receivables 20 16.4 17.5 28.8 992.3 1,033.5 1,008.3 Current assets Tax assets 5.6 3.7 3.9 Inventories 19 10.6 16.0 16.2 Trade and other receivables 20 195.3 210.8 157.8 Cash and cash equivalents 21 172.1 120.0 68.1 383.6 350.5 246.0 Total assets 1,375.9 1,384.0 1,254.3

Current liabilities Trade and other payables 22 102.2 134.1 107.3 Deferred revenue 23 428.6 407.9 315.0 Tax liabilities 36.3 21.1 20.0 Financial liabilities 24 4.5 17.4 71.1 Provisions 25 0.1 – 0.4 571.7 580.5 513.8 Non-current liabilities Trade and other payables 22 10.1 8.2 3.9 Deferred revenue 23 313.5 320.7 238.8 Financial liabilities 24 302.8 306.8 296.3 Provisions 25 7.5 3.3 2.1 Deferred tax liabilities 14 14.6 14.5 21.3 648.5 653.5 562.4 Total liabilities 1,220.2 1,234.0 1,076.2

Net assets 155.7 150.0 178.1

Represented by: Share capital 27 22.5 22.0 21.6 Share premium 126.6 122.3 118.4 Merger reserve (200.9) (200.9) (200.9) Retained earnings 119.8 116.8 199.5 Share-based payment reserve 153.4 121.8 68.9 Translation reserve (65.7) (32.0) (29.4) Total equity 155.7 150.0 178.1

These Consolidated Financial Statements were approved by the Board of Directors on 15 May 2019 and were signed on its behalf by:

Nick Bray Chief Financial Officer For the year-ended 31 March 2019 March 31 year-ended the For CONSOLIDATED STATEMENT IN EQUITY CHANGES OF 2019 Annual Report and Accounts and Report Annual 2019 At 31 March 2019 March 31 At Cash dividends (see note 28) Share-based taxation payments Share-based expense payments Share options exercised Total comprehensive loss Other comprehensive loss Other Profit for the period: the for Profit At 31 March 2018 March 31 At Cash dividends (see note 28) Share-based deferred payments tax Share-based expense payments Share options exercised Total comprehensive loss Loss for the period: the for Loss restated 2017 March 31 At 2) note (see Adjustments As previously reported Other comprehensive loss Other Capital Capital Share Share 20 122.3 22.0 22.5 21.6 118.4 118.4 118.4 21.6 21.6 0.4 0.4 0.5 0.5 $M – – – – – – – – – – – – Premium Share Share 126.6 126.6 4.3 4.3 3.9 3.9 $M – – – – – – – – – – – – Reserve Reserve Merger (200.9) (200.9) (200.9) (200.9) $M – – – – 26.9 26.9 – – – – 26.9 26.9 – – – – – – – – Retained Earnings 119.8 153.4 153.4 119.8 116.8 116.8 199.5 68.9 68.9 199.5 148.1 148.1 (21.8) (60.9) (60.9) (23.9) 51.4 $M (3.4) – – 35.0 35.0 – – – – 13.3 13.3 – – – – Share-Based Share-Based Payment Reserve Reserve 121.8 68.9 68.9 39.6 39.6 $M – – – – – – – – – – Translation Translation Reserve Reserve (32.0) (29.4) (29.4) (33.7) 3.)(33.7) (33.7) (65.7) (2.6) 26 (2.6) (2.6) $M – (3.4) – – 35.0 35.0 – – – 26.9 26.9 – – – 13.3 13.3 – – – – 150.0 150.0 126.7 126.7 155.7 178.1 (21.8) (60.9) (23.9) (63.5) Total Total 39.6 39.6 (6.8) 4.8 4.8 4.3 4.3 $M 121 Additional Information Financial Statements Corporate Governance Strategic Report Introduction 122 Cybersecurity evolved

CONSOLIDATED STATEMENT OF CASH FLOWS For the year-ended 31 March 2019

Year-ended Year-ended 31 March 2019 31 March 2018 Restated See note 2 Note $M $M Profit / (loss) for the year 26.9 (60.9) Adjusted for: Depreciation 11.8 11.6 Amortisation of intangible assets 16.9 25.2 Amortisation of fair value adjustment on deferred income (0.1) 1.0 Fair value adjustment on contingent consideration (6.9) 0.2 Foreign exchange expense (1.5) 8.1 Share-based payments expense 29 35.0 39.6 Finance income 13 (0.9) (0.3) Finance expense 13 8.2 21.6 Profit on disposal of assets (0.2) – Income tax charge 26.7 19.9 115.9 66.0

Decrease in inventories 4.7 1.7 Decrease / (increase) in trade and other receivables 8.3 (32.6) (Decrease) / increase in trade and other payables (20.1) 10.4 Increase in deferred revenue 23 49.9 128.7 Increase / (decrease) in provisions 0.9 (0.2) Cash generated from continuing operations 159.6 174.0

Income taxes paid (16.7) (26.3) Net cash flow from operating activities 142.9 147.7

Investing activities Purchase of property, plant and equipment 18 (12.8) (10.0) Acquisition of subsidiaries net of cash acquired 33 (30.9) (4.9) Purchase of intangible assets - software 16 (9.7) (11.1) Proceeds on sale of assets 0.3 – Finance income 13 0.9 0.3 Net cash flow from investing activities (52.2) (25.7)

Financing activities Proceeds from issue of shares 4.8 4.2 Dividends paid (23.9) (21.8) Repayment of borrowings 33 – (50.0) Transaction costs related to borrowings 33 – (0.1) Finance lease payments – (0.1) Finance costs (10.9) (9.1) Net cash flow from financing activities (30.0) (76.9)

Increase in cash and cash equivalents 60.7 45.1 Net foreign exchange differences (8.6) 6.8 Cash and cash equivalents at the start of the period 120.0 68.1 Cash and cash equivalents at the end of the period 21 172.1 120.0 There was no material impact on the Group’s consolidated statement of cash flows. cash of statement consolidated Group’s the on impact material no was There information. comparative 2018 March 31 year-ended the for position financial of statement consolidated the and loss or profit of statement consolidated Group’s the of item line each for changes these of impact the summarises tables following The – – – follows: as Group the impacted principally accounting in change The basis. aconsistent on it present to restated been has information comparative 2018 March 31 year-ended the Consequently, charge. tax income the of part integral an as them recognises and longer no items separate two these of respect in accounting its reconsidered has Group the practice, best with accordance In of computation. resolution the open tax final on payable interest any for aprovision make may it (“UTP”) position tax uncertain an has Group the where Separately, authorities. tax the via expenditure development and research its of percentage certain a reclaim to companies UK enables which one is (“RDEC”) scheme credit tax expenditure development and research The of the Components Income Tax ofRe-allocation Certain Charge – – – ways: three in Group the impacted principally 15 IFRS of adoption The basis. same the on restated been has information comparative 2018 March 31 year-ended the Consequently, in standard. the included expedients practical the of any applying without approach transition retrospective the applied has so doing in and 2019 March 31 year-ended the in 15”) (“IFRS Customers with Contracts from Revenue 15 IFRS adopted has Group The policies accounting in hanges 15 IFRS of Adoption 2 solutions. security network and enduser cloud-enabled of provider aleading is Group The Group”). “the as to referred (together subsidiaries its and Company the comprise 2019 March 31 year-ended the for and at as Company the of Statements Financial OX14 3YP, Abingdon, Oxfordshire, Group Abingdon plc, Science Park, Pentagon, The Consolidated The United Kingdom. Sophos is office registered Company’s The Kingdom. United the in domiciled acompany is Company”) (“the plc Group Sophos information eneral Reporting entity 1 2019 March 31 year-ended the For STATEMENTS CONSOLIDATED THE FINANCIAL TO NOTES 2019 Annual Report and Accounts and Report Annual 2019

recognition of revenue, which were also previously recognised at the point of sale, and expensed as incurred. as expensed and sale, of point the at recognised previously also were which revenue, of recognition t and, sale; of point the at recognised t licence; the of life the obligation of the benefit element ownership atthe thatdistinct performance transfers point ofsalethanrather over t T T E C G he deferral of commissions and other incremental costs incurred to obtain a contract with a customer in line with the the with line in acustomer with acontract obtain to incurred costs incremental other and commissions of deferral he previously were which sold, licences the of term the over revenue of recognition the with line in rebates of recognition he he earlier recognition of revenue on certain termed licence software products; where they are adjudged to have a have to adjudged are they where products; software licence termed certain on revenue of recognition earlier he he charge income no tax longer includes of either the above items. he finance expense now reflects the provision for interest on uncertain tax positions; and, positions; tax uncertain on interest for provision the reflects now expense finance he xpenditure on research and development now includes the RDEC credit; credit; RDEC the includes now development and research on xpenditure

123 Additional Information Financial Statements Corporate Governance Strategic Report Introduction 124 Cybersecurity evolved

NOTES TO THE CONSOLIDATED FINANCIAL STATEMENTS CONTINUED For the year-ended 31 March 2019

2 Changes in Accounting Policies continued Consolidated statement of profit or loss for the year-ended 31 March 2018

As previously IFRS 15 RDEC / reported Adjustment Interest on UTP Restated $M $M $M $M Revenue 640.7 (1.7) – 639.0 Cost of sales (143.3) (0.7) – (144.0) Gross profit 497.4 (2.4) – 495.0 Sales and marketing (249.0) 9.1 – (239.9) Research and development (145.8) – 5.5 (140.3) General finance and administration: (134.5) – – (134.5) Operating loss (31.9) 6.7 5.5 (19.7) Finance income 0.3 – – 0.3 Finance expense (20.7) – (0.9) (21.6) Loss before taxation (52.3) 6.7 4.6 (41.0) Income tax charge (14.0) (1.3) (4.6) (19.9) Loss for the period (66.3) 5.4 – (60.9)

Earnings per share (US cents) Basic and diluted EPS (14.4) 1.2 – (13.2) Adjusted operating EPS 10.0 1.5 1.2 12.7 Diluted Adjusted operating EPS 9.5 1.3 1.1 11.9

Consolidated statement of financial position as at 31 March 2018

As previously IFRS 15 RDEC / reported Adjustment Interest on UTP Restated $M $M $M $M Non-current assets Deferred tax asset 125.8 (5.1) – 120.7 Other non-current assets 896.6 16.2 – 912.8 1,022.4 11.1 – 1,033.5 Current assets Tax assets 8.2 – (4.5) 3.7 Trade and other receivables 17 7.8 28.5 4.5 210.8 Other current assets 136.0 – – 136.0 322.0 28.5 – 350.5 Current liabilities Deferred revenue 423.9 (16.0) – 407.9 Income tax payable 23.0 – (1.9) 21.1 Other current liabilities 151.5 – – 151.5 598.4 (16.0) (1.9) 580.5 Non-current liabilities Deferred revenue 331.8 (11.1) – 320.7 Provisions 1.4 – 1.9 3.3 Deferred tax liabilities 6.0 8.5 – 14.5 Other non-current liabilities 315.0 – – 315.0 654.2 (2.6) 1.9 653.5 Net assets 91.8 58.2 – 150.0 Consolidated statement of financialposition as statement at Consolidated 31 March2017 2019 Annual Report and Accounts and Report Annual 2019 increased outflow in “Net cash flow from financing activities”. activities”. financing from flow cash “Net in outflow increased corresponding a with adjustment, depreciation the of because improvement an see will activities” operating from flow cash “Net Flows, Cash of Statement Consolidated the In charge. lease operating the of removal the through 16 IFRS of adoption whichmeasures excludeperformance will depreciation,from theROU Alternative abenefit finance with the together expense. asset of depreciation by replaced be will expenditure lease operating the Loss, or Profit of Statement Consolidated the In information. of no comparative restatement with 2019, 1April on earnings retained of balance opening the to adjustment an as recognised be will 16 IFRS adopting of effect cumulative the whereby approach retrospective modified the using 2019 1April on initially 16 IFRS apply will Group The months. 12 than less of aterm with leases and short-term computers) personal (e.g. assets” value “low lessees; for exemptions recognition two includes standard The payments. lease make to obligation the representing lessor, the to liability financial acorresponding and asset (“ROU”) a right-of-use recognises lessee the whereby model accounting lease sheet on-balance asingle, introduces 16 IFRS aLease. of Form Legal the Involving Transactions of Substance the Evaluating SIC27 and –Incentives Leases Operating ISC-15 aLease, contains Arrangement an whether 4–Determining IFRIC Leases, 17 IAS including leases, on guidance existing replaces 16 IFRS 2019. 1April from Group the for effective become will 2016, January in issued was which –Leases, 16 IFRS –Leases 16 IFRS of introduction The the new had standard no material impact on the Group. 2018. 1April from Group the for effective became 2014, July in issued was which Instruments 9–Financial IFRS (“IFRSs”) Standards Reporting Financial International Revised and New of pplication Instruments 9–Financial IFRS 3 Net assets Other current liabilities current Other Income payable tax revenue Deferred liabilities Current Deferred revenue Deferred liabilities Non-current Other current assets Other Other non-current liabilities non-current Other liabilities tax Deferred Provisions Trade and other receivables Tax assets Tax Current assets non-currentOther assets Deferred tax asset Deferred tax assets Non-current

A

As previously reported 300.2 300.2 986.0 330.6 330.6 530.4 530.4 250.4 250.4 566.1 566.1 105.3 145.2 145.2 880.7 880.7 126.7 126.7 178.8 178.8 237.2 237.2 84.3 84.3 21.0 21.0 14.4 14.4 1.1 1.1 $M 7.7 7.7 Adjustment IFRS 15 IFRS (11.6) (15.6) (15.6) 22.3 51.4 51.4 27.5 27.5 (5.2) (4.7) 6.9 6.9 8.8 8.8 8.8 8.8 $M – – – – – – Interest on UTP on Interest RDEC / RDEC (1.0) (1.0) (3.8) 1.0 1.0 1.0 1.0 3.8 3.8 $M – – – – – – – – – – – Restated 1,008.3 300.2 300.2 908.2 908.2 562.4 562.4 238.8 238.8 246.0 246.0 315.0 315.0 100.1 100.1 513.8 513.8 178.8 178.8 178.1 157.8 157.8 84.3 84.3 20.0 20.0 21.3 21.3 3.9 3.9 2.1 2.1 $M

125 Additional Information Financial Statements Corporate Governance Strategic Report Introduction 126 Cybersecurity evolved

NOTES TO THE CONSOLIDATED FINANCIAL STATEMENTS CONTINUED For the year-ended 31 March 2019

3 Application of New and Revised International Financial Reporting Standards (“IFRSs”) continued

The adoption of IFRS 16 is not expected to have an impact on the Group’s ability to comply with loan covenants under the Senior Facilities Agreement dated 6 February 2017; as that agreement is drafted on a “frozen GAAP” basis.

The Directors have completed an initial assessment of the estimated impact on the Consolidated Financial Statements. Based on the information currently available, the Group expects to recognise additional lease liabilities of $68.9M together with ROU assets comprising offices and plant and equipment of $61.3M. However, the actual impacts of adopting the standard on 1 April 2019 may change because:

– i nterpretation of new accounting policies are subject to change until the Group presents its first Financial Statements that include the date of initial application; and, – t he impact will depend on future economic conditions including the Group’s borrowing rate and the extent to which the Directors choose to use the available practical expedients and recognition exemptions.

The Group has not applied the following new and revised IFRSs that have been issued but are not yet effective. The Directors do not anticipate that these IFRSs will have a significant effect on the Group’s consolidated financial information:

Effective for annual periods beginning on or after January 2019: IFRIC 23 – Uncertainty over Income Tax Treatments Amendments to IFRS 9 – Prepayment features with negative compensation Amendments to IAS 28 – Long-term interests in Associates and Joint Ventures Amendments to IAS 19 – Plan amendment, curtailment or settlement Various – Annual improvements to IFRS standards 2015 – 2017

Effective for annual periods beginning on or after January 2020: Amendments to references to conceptional framework in IFRS standards

Effective for annual periods beginning on or after January 2021: IFRS 17 – Insurance Contracts

4 Significant Accounting Policies 4.1 Statement Of Compliance The Consolidated Financial Statements have been prepared using International Financial Reporting Standards as adopted by the European Union (“EU”) as they apply to the Group. In addition to complying with its legal obligation to apply IFRSs as adopted by the EU, the Group has also applied IFRSs as issued by the International Accounting Standards Board; collectively “IFRS”. 4.2 Going Concern The Group has considerable financial resources together with contracts with a large number of customers and across different geographic areas and industries. As a consequence, the Directors believe that the Group is well placed to manage its business risks successfully.

The Group has reported a net profit of $26.9M for the year-ended 31 March 2019 (2018: Loss of $60.9M), a net cash flow from operating activities of $142.9M (2018: $147.7M) and at 31 March 2019 has net current liabilities of $188.1M (2018: $230.0M). After excluding short-term deferred revenue from current liabilities, the Group has net current assets of $240.5M including significant cash and cash equivalent balances of $172.1M and, given the cash-generative nature of the Group’s operations and the visibility of future renewals, the Directors have a reasonable expectation that the Group has adequate resources to continue in operational existence for the foreseeable future.

The Group meets its current funding requirements through a five-year facility which at 31 March 2019 amounted to $302.4M that is repayable in July 2020. The nature of the Group’s subscription business is such that there is good visibility in the timing of cash inflows. Based, in part, on the phasing of the renewal base, the Directors have prepared projected cash flow information for the three-year period from the date of their approval of these Financial Statements. On the basis of this cash flow information and discussions with the Group’s bankers, the Directors expect that the current loan facilities will be renewed on the majority of the Group’s borrowings (which, based on the cash flow projections, will be sufficient to cover cash flow requirements) on or before expiry and accordingly, this has been reflected in the cash flow forecast. operation is recognised in the Consolidated Statement of Profit or Loss. or Profit of Statement Consolidated the in recognised is operation foreign particular that to relating equity in recognised amount accumulated deferred the entity, aforeign of disposal On equity. to taken are date, reporting the rate at exchange prevailing the to rates actual or average at results net the of translation the from arising differences with US together not is dollars, currency functional whose entities of assets net opening of translation the on arising differences Exchange dates. transaction the at exchange of rate the approximate they because place took transaction the which in that to rate closing prior-month the at dollars US into translated are items expense and Income date. reporting the at prevailing rate the at exchange dollars) (US currency presentation the into translated are subsidiaries foreign of liabilities and assets consolidation, On rate. closing the at translated and operation foreign the of liabilities and assets as treated are acquisition the on arising liabilities and assets of amounts carrying the to adjustments value fair any and operation a foreign of acquisition the on arising goodwill Any transactions. initial the of dates the at as rates exchange the using translated are currency aforeign in cost historical of terms in measured are that items Non-monetary equity. in with dealt borrowings also are those on differences exchange to attributable credits and charges Tax Loss. or Profit of Statement the in Consolidated recognised are they time which at investment, net the of disposal the until equity to directly taken are These operation. aforeign in investment net Group’s the of part form that liabilities and assets monetary on differences for except Profit of Loss, or Statement Consolidated the to taken are differences exchange All date. reporting the at prevailing rate at exchange the translated are currencies foreign in liabilities and assets Monetary transaction. the of date the at prevailing rate exchange of the at recorded are currencies foreign in transactions companies, individual the of information financial the preparing In currency. functional that using measured are entity each of information financial historical the in included items and environment currency). in functional in which currency own the Group (its Each it functional entity operates its determines economic primary the of currency the in prepared is company Group each of information financial historical individual The 4.4 Foreign Translation Currency consolidation. on full in eliminated are entities, reporting individual the of position financial of that statement the in transactions recognised are intra-group from resulting losses and profits and expenses and income transactions, balances, intra-group All ceases. control such that date the until consolidated be to continue and control, obtains Group the which on date the being acquisition, of date the from consolidated fully are Subsidiaries policies. accounting consistent using Company, parent the as period reporting same the for prepared is subsidiaries the of information financial The activities. its from benefits obtain to as so entity investee an of policies operating and financial the govern to power the has Company the where achieved is Control 2019. March 31 at (its subsidiaries) controls it entities the and plc Group Sophos of information financial the consolidates information financial historical The below. out set are and presented years all to applied consistently been have 2019 March 31 year-ended the for information financial historical consolidated the preparing in used policies accounting The dollars. US in presented generally is information whose industry; the and peers its of that with information financial its of comparability aid to currency presentation its as dollars US uses Group The dollars. US is plc Group Sophos of currency functional The indicated. otherwise unless ($M) million 0.1 nearest the to rounded are values All dollars. US in financial consolidatedThe historical has information been preparedconvention undercost the andhistorical is presented 4.3 Basis of Consolidation risk. liquidity and risk exposures credit its to and objectives, management risk financial its capital, its managing for processe 2019 Annual Report and Accounts and Report Annual 2019

127 Additional Information Financial Statements Corporate Governance Strategic Report Introduction 128 Cybersecurity evolved

NOTES TO THE CONSOLIDATED FINANCIAL STATEMENTS CONTINUED For the year-ended 31 March 2019

4 Significant Accounting Policies continued 4.5 Critical Accounting Judgements and Key Sources of Estimation Uncertainty The preparation of Consolidated Financial Statements requires Directors to make estimates and assumptions that affect the amounts reported for assets and liabilities as at the reporting date and the amounts reported for revenues and expenses during the period.

Judgements In the process of applying the Group’s accounting policies described in this note, the Directors have made the following judgements that have a significant effect on the amounts recognised in the historical financial information.

Revenue The Group sells software products under fixed term contracts and perpetual licences. Where there is a multi-element arrangement, the consideration receivable is allocated to each performance obligation of the arrangement and this is done on the basis of an estimate of their respective transaction price. In determining the standalone selling price of each performance obligation, Directors make reference to current prices of individual elements and adjust this by its relative share of discounts applied to the entire sale, regardless of any separate prices stated within the contract. See note 7.

Classification of exceptional items and presentation of non-GAAP measures The Directors exercise their judgement in the classification of certain items as exceptional and outside of the Group’s underlying results. The determination of whether an item should be separately disclosed as an exceptional item or other adjustments requires judgement on its materiality, nature and incidence, as well as whether it provides clarity on the Group’s underlying trading performance. In exercising this judgement, the Directors take appropriate regard of IAS 1 “Presentation of Financial Statements’’ as well as guidance issued by the Financial Reporting Council and the European Securities and Market Authority on the reporting of exceptional items and alternative performance measures. The overall goal of the Directors is to present the Group’s underlying performance without distortion from one-off or non-trading events regardless of whether they be favourable or unfavourable to the underlying result. Further details of the individual exceptional items, and the reasons for their disclosure treatment, are set out in note 8.

Research and development costs Development costs will be capitalised in accordance with the accounting policy set out in this note. Determining the amounts to be capitalised requires the Directors to make assumptions regarding the capitalisation criteria requirements of IAS 38 – Intangible assets. See note 16.

Legal proceedings The Directors’ at the reporting date form a judgement in relation to the probable outcome of ongoing litigation against the Group. These judgements take account of available information, historical experience and the likelihood of different possible outcomes. See note 34.

Estimates The key assumptions concerning the future, and other key sources of estimation uncertainty at the reporting date, that have a significant risk of causing a material adjustment to the carrying amounts of assets and liabilities within the next financial year, are discussed below. The nature of estimation means that actual outcomes could differ from those estimates.

Business combinations Where a business combination includes a contingent consideration, the Directors are required to make an assessment at the time of the acquisition of the most likely amount required to be settled. This will include estimates of the outcome of future performance measures as agreed between the parties. Note 24 sets out the financial liability at the end of the period and details the method of calculation as estimated at the balance sheet date. The Group considers perpetual licences as a right-of-use licences which are recognised at the time of Billing. of time the at recognised are which licences aright-of-use as licences perpetual considers Group The products. termed for licence agreed the of life the over and licences perpetual for components relevant all of is delivery on which services, or product the to relation in obligation its met has Group the when recognised is contracts service and andlicences under Revenueunder products fixed-termcontracts perpetual licences. on GroupThe software sells software contracts service and licences software from Revenue 2. note in out set is year prior the in customers with contracts from Revenue 15 IFRS of adoption the of impact The contract. the within stated prices separate any of regardless sale, entire the to applied discounts of share relative its by this adjust and elements individual of prices current to reference make Directors the obligation, performance each of price selling standalone the determining In price. transaction respective their of estimate an of basis the obligation is receivable the consideration of allocated toarrangement, each the arrangement performance and this is done on multi-element is a there where recognised: is revenue before met be also must criteria recognition specific following The duty. or taxes sales VAT other and excluding but rebates discounts and after received, consideration the of price transaction the at measured is Revenue measured. reliably be can revenue the and Group the to flow will benefits economic the that probable is it that extent the to recognised therefore is Revenue met. been have completed be to licences software or hardware of control, of transfer consequently and delivery, requiring criteria the until Revenue nor Billings recognise not does Group The Revenue. of recognition appropriate the considering when account into taken are rights return limited very These returns. limited some for allow do agreements cases, of aminority In purchased. have they that licences software or hardware the on product undelivered for aright have refund only of customers practice, industry with accordance in and rights; return include not do contracts sales Standard licence. the of term the over updates provide to obligations ongoing the of because time, over recognised is Revenue whilst one day on occur Billings licences, right-of-access aresult, these As for time. of aperiod over performed being service licence software the in resulting subscribed, has customer the which to licence the of term the through continues and customer the to provided is alicence point the at to granted is which access the updates, product frequent and support to rights include licences software Group’s the of majority vast The and malicious viruses. malware ransomware, against things other amongst protection security provide Group the by sold licences Software customer. the with relationship the of nature the changes this Directors The consider not do distributors. and partners channel with than rather Group the with remains updates, definition and maintenance providing products all for and support, that providing for responsibility the purchased, been has support where cases In agent. an not and aprincipal as itself regards Group the cases all in and same, the is contracts sales of treatment accounting the scenarios, both In user. end the with not therefore are contracts sales and models respective Consequently, in the judgement under of the Group’s the the Directors, and are partners customers distributors both user. end the with end the ultimate Under who user. with will the one-tier transact arrangement the Group the partner with will transact transact ultimately will who partners, with transact turn in will who distributors, invoice and with contract around the exceptionthe world, of with the UK the Group Under where a it will operates arrangement, one-tier the two-tier structure. structure distribution channel atwo-tier using model distribution achannel through exclusively operates Group The 4.6 Revenue Recognition 14 below. note and 4.16 in discussed actual the further are and from outcome differ may estimates These authorities. tax the with agreed be to remain liabilities the where computations tax open on 2019 Annual Report and Accounts and Report Annual 2019

129 Additional Information Financial Statements Corporate Governance Strategic Report Introduction 130 Cybersecurity evolved

NOTES TO THE CONSOLIDATED FINANCIAL STATEMENTS CONTINUED For the year-ended 31 March 2019

4 Significant Accounting Policies continued 4.6 Revenue Recognition continued Fixed-term contracts - subscriptions End users who receive software products at the start of the contract under a fixed-term licence are entitled to receive regular updates and upgrades for the duration of the licence term which usually run for periods ranging up to five years.

Revenue for these fixed-term contracts is recognised rateably over the period that the contractual obligation exists.

Accrued and deferred revenue arising on long-term contracts is included in receivables as accrued income and payables as deferred revenue, as appropriate.

Where the Group contracts with an original equipment manufacturer (“OEM”) or a service provider, rather than an end user, it mirrors the above policy and recognises the revenue in line with the contractual terms granted to the end user.

Perpetual licences Revenue is recognised immediately where customers purchase software products under a perpetual licence. Revenue in respect of support and maintenance contracts associated with perpetual licences is recognised rateably over the life of the support / maintenance contract. Revenue from perpetual licences is recognised as part of Other Revenue, see note 7.

Sale of goods - hardware appliances Where software licences and hardware are sold together, if the software is not essential to the functionality of the tangible product, then the revenue from the sale of goods is recognised immediately. However, where the software is essential to the functionality of the tangible product and the hardware cannot function without the software, revenue from the sale of goods is recognised rateably over the period of the associated software licence contract.

Interest income Interest income is recognised as interest accrues.

4.7 Property, Plant and Equipment Property, plant and equipment is stated at cost less accumulated depreciation and accumulated impairment losses. Cost comprises the aggregate amount paid and the fair value of any other consideration given to acquire the asset and includes costs directly attributable to making the asset capable of operating as intended.

Except for freehold land, depreciation is provided to write off the cost less the estimated residual values of all property, plant and equipment on a straight-line basis over their estimated useful life as follows:

Freehold buildings 25 years Leasehold improvements Over the lease period Computer equipment 3 – 5 years Other plant and equipment 5 years Motor vehicles 4 years Fixtures and fittings 6 – 10 years

The carrying values of property, plant and equipment are reviewed for impairment if events or changes in circumstances indicate the carrying value may not be recoverable and are written down immediately to their recoverable amount.

An item of property, plant and equipment is de-recognised upon disposal or when no future economic benefits are expected to arise from the continued use of the asset. Any gain or loss arising on de-recognition of the asset is included in the Consolidated Statement of Profit or Loss in the period of de-recognition.

The residual values, useful lives and methods of depreciation of the assets are reviewed, and adjusted if appropriate, at each financial year-end. life assessment continues to be appropriate. appropriate. be to continues assessment life indefinite whether determine to annually reviewed is life useful their of term The amortised. not are intangibles Such level. unit cash-generating the at or individually either annually impairment for tested are lives useful indefinite with assets Intangible recoverable. be not may value the carrying indicate circumstances in changes or events whenever impairment for reviewed is assets intangible of value carrying The annually. least at reviewed are life useful afinite with asset intangible an for method amortisation the and period The Sales. amortisation of Cost in reflected not functions by used are assets intangible the of most as cost, a administration as and Loss or finance Profit of general Statement Consolidated the in recognised is lives finite with assets intangible on expense amortisation The S intangible purchased Other assets base Customer names Brand property Intellectual arising onIntangible assets acquisition of subsidiaries follows: as lives useful expected their over amortised are and value residual no have life afinite with assets Intangible use. internal intended its for ready and complete substantially is software the at which point the than later no ceases costs these of Capitalisation projects. implementation to employees of assignment the from arising costs payroll-related and payroll incremental and software, the obtaining or developing services in and consumed materials of costs direct external include use internal for software of costs capitalised The asset. an as intangible classified is software the hardware, computer of item arelated of part integral an not is software computer Where under and research development costs. capitalisation for qualify not does expenditure the that extent the to incurred is it which in period the in Loss or Profit of Statement Consolidated the to taken is assets intangible developed internally on Expenditure reliably. measured be can value fair rights its and legal other or contractual from arises or separable is asset the if goodwill of outside recognised is a of combination part as business acquired asset intangible An cost. at initially carried are abusiness from separately acquired assets Intangible losses. impairment accumulated and amortisation accumulated less cost at carried are assets Intangible Assets 4.9 Intangible it. within operation an of or unit, the of disposal on loss or gain the determining when account into taken is unit acash-generating to allocated goodwill of amount carrying The Loss. or Profit of Statement Consolidated the in recognised is loss impairment an goodwill, including amount carrying its than less is been have allocated or to units cash-generating groups the Where recoverableassets of amount units. cash-generating of unit such the cash-generating of amount carrying total Company’s the to comparison in significant considered assets Goodwill impaired. be may value carrying the that indicate circumstances in changes or events whenever and annually least at reviewed being value impairment, for carrying the with losses, impairment accumulated any less cost at stated is goodwill recognition, initial After amortised. not is and GAAP UK under amount carrying previous its at recorded is 2004 March 31 at as an as asset recognised Goodwill Loss. or Profit of Statement Consolidated the in immediately recognised is again the of cost investment, the than greater is liabilities contingent and liabilities assets, identifiable entity’s acquired the of value fair net the that To extent the amortised. not is and goodwill as Position Financial of Statement Consolidated the in recognised is liabilities contingent and liabilities assets, identifiable the of value fair net the in interest Group’s the over combination business the of cost the of excess Any 3. IFRS under for accounted are 2004 1April after or on combinations Business value. fair at business acquired the of restructuring) (including intangible unrecognised previously assets)assets and liabilities (including contingent liabilities and excluding identifiable future recognising involves This method. accounting acquisition the using for accounted are combinations Business 4.8 Business Combinations and Goodwill 2019 Annual Report and Accounts and Report Annual 2019 oftware oftware

– – – –

3 y 6 –1 1 5 –1 5 – 20 years reducing balance basis balance reducing years 5 –20 ears straight-line basis straight-line ears 4 years reducing balance basis balance reducing 4 years 5 years reducing balance basis balance reducing 5 years

131 Additional Information Financial Statements Corporate Governance Strategic Report Introduction 132 Cybersecurity evolved

NOTES TO THE CONSOLIDATED FINANCIAL STATEMENTS CONTINUED For the year-ended 31 March 2019

4 Significant Accounting Policies continued 4.10 Research and Development Costs Expenditure on research activities is expensed as incurred.

Development expenditure is recognised as an intangible asset when its future recoverability can reasonably be regarded as assured and technical feasibility and commercial viability can be demonstrated.

During the period of development, the asset is tested for impairment annually. Following the initial recognition of the development expenditure, the cost model is applied requiring the asset to be carried at cost less any accumulated amortisation and accumulated impairment losses. Amortisation of the asset begins when development is complete and the asset is available for use. It is amortised over the period of expected future sales.

Development expenditure incurred on minor or major upgrades, product fixes and updates or other changes in software functionalities does not satisfy the criteria, as the product is not substantially new in its design or functional characteristics. Such expenditure is therefore recognised as an expense in the Consolidated Statement of Profit or Loss as incurred.

4.11 Impairment of Assets At least annually, or when otherwise required, Directors review the carrying amounts of the Group’s tangible and intangible assets to determine whether there is any indication that those assets have suffered an impairment loss. If any such indication exists, the recoverable amount or value in use of the asset is estimated in order to determine the extent of any impairment loss.

Where the asset does not generate cash flows that are independent from other assets, the Group estimates the recoverable amount of the cash-generating unit to which the asset belongs.

The recoverable amount is the higher of fair value less costs to sell and value in use. In assessing value in use, the estimated future cash flows are discounted to their present value using a pre-tax discount rate that reflects current market assessments of the time value of money as well as risks specific to the asset for which the estimates of future cash flows have not been adjusted.

If the recoverable amount of an asset or cash-generating unit is estimated to be less than its carrying amount, the carrying amount of the asset or cash-generating unit is reduced to its recoverable amount. An impairment loss is recognised as an expense immediately in the Consolidated Statement of Profit or Loss.

Where an impairment loss subsequently reverses, the carrying amount of the asset is increased to the revised estimate of its recoverable amount, but not beyond the carrying amount that would have been determined had no impairment loss been recognised for the asset in prior years. A reversal of an impairment loss is recognised immediately as income in the Consolidated Statement of Profit or Loss, although impairment losses relating to goodwill may not be reversed.

4.12 Inventories Inventories are stated at the lower of cost and net realisable value. Cost includes all costs incurred in bringing each product to its present location and condition. The cost of raw materials, consumables and goods for resale is based on the purchase cost and is determined on a first-in, first-out basis.

Net realisable value is based on estimated selling price less any further costs expected to be incurred to completion and disposal. does not hold or issue derivatives for speculative or trading purposes. purposes. trading or speculative for derivatives issue or hold not Group does The rates. interest fluctuating to exposure its reduce to caps rate interest and movements rate exchange to exposure to its reduce foreign principally financialcontracts forward currency GroupThe uses derivative sometimes instruments, financialDerivative instruments expense. finance in recognised are currency functional entity’s the than other currencies in denominated borrowings and loans of revaluation the on arising losses and Gains in finance income and finance expense. respectively recognised are liabilities of cancellation other or settlement re-purchase, the on arising losses and Gains method. interest the using effective cost amortised at measured subsequently are borrowings and loans bearing interest recognition, initial After costs. transactions attributable directly less value fair at initially measured are and contracts related the to party becomes Group the when recognised are borrowings and loans for Obligations loans bearing and borrowings Interest instruments entered into. arearrangements of accordingtheto thecontractual classified substance Equity costs. issue direct of net received, proceeds the as recorded are Company the by issued instruments Equity Loss. or Profit of Statement Consolidated the in expense interest as charged are component liability the to relating dividends corresponding The redemption. or conversion on extinguished until cost amortised at thereafter and costs transaction of net value fair at initially measured Position; Financial of Statement Consolidated the in liability as a presented is Group the of liability afinancial creates that component any issued, are instruments equity When liabilities. its of all deducting after Group the of assets the in interest aresidual evidences that contract any is instrument equity An into. entered arrangements contractual the of substance the to according classified are instruments equity and liabilities Financial equity or debt as instruments equity of Classification value. fair the as same the materially be to deemed is which cost, at recognised are Trade payables Trade payables bank overdrafts. outstanding of net deposits bank and hand in cash of consist equivalents cash and cash Flows, Cash of Statement Consolidated the of purpose the For less. or days 90 in repayable deposits bank and hand in cash comprise equivalents cash and Cash andCash equivalents cash identified. are they which in period the in made is debts bad for Provision period-end. the at amounts outstanding any of areview through model loss credit an on expected based receivables doubtful for made estimate an less taxes, sales other and tax added value including amount, invoice original at carried are jurisdiction, the on depending mainly terms payment day 30-90 have generally which Trade receivables, Trade receivables costs. transaction attributable directly or loss, profit through value fair at not liabilities financial and assets financial of case the in plus, price transaction the fair at being value, measured are they initially recognised are instruments financial When instrument. the of provisions contractual the to party becomes Group the when position financial of statement Group’s the in recognised are liabilities and assets Financial Financial4.13 Instruments 2019 Annual Report and Accounts and Report Annual 2019 133 Additional Information Financial Statements Corporate Governance Strategic Report Introduction 134 Cybersecurity evolved

NOTES TO THE CONSOLIDATED FINANCIAL STATEMENTS CONTINUED For the year-ended 31 March 2019

4 Significant Accounting Policies continued 4.13 Financial Instruments continued Derivative financial instruments are recognised as assets and liabilities measured at their fair values at the reporting date. Changes in the fair values are recognised in the Consolidated Statement of Profit or Loss and this is likely to cause volatility in situations where the carrying value of the hedged item is either not adjusted to reflect fair value changes arising from the hedged risk or is so adjusted but that adjustment is not recognised in the Consolidated Statement of Profit or Loss. Provided the conditions specified by IFRS 9 — Financial Instruments are met, hedge accounting may be used to mitigate this volatility.

4.14 Leases Prior to the adoption of IFRS 16 Leases, which applies form 1 April 2019, leases are classified as finance leases whenever the terms of the lease transfer substantially all the risks and rewards of ownership to the lessee. All other leases are classified as operating leases.

Rentals payable under operating leases are charged to income on a straight-line basis over the term of the relevant lease. Benefits received and receivable as an incentive to enter into an operating lease are also spread on a straight-line basis over the lease term.

4.15 Provisions A provision is recognised when the Group has a legal or constructive obligation as a result of a past event and it is probable that an outflow of economic benefits will be required to settle the obligation and a reliable estimate can be made of the amount of the obligation. If the effect is material, expected future cash flows are discounted using a current pre-tax rate that reflects, where appropriate, the risks specific to the liability.

Where the Group expects some or all of a provision to be reimbursed, for example under an insurance policy, the reimbursement is recognised as a separate asset but only when recovery is virtually certain.

The expense relating to any provision is presented in the Consolidated Statement of Profit or Loss net of any reimbursement.

Where discounting is used, the increase in the provision due to unwinding the discount is recognised as a finance expense.

4.16 Taxation The income tax charge represents the sum of current and deferred taxes. Current tax payable or recoverable is based on the taxable profit for the period. Taxable profit differs from profit reported in the Consolidated Statement of Profit or Loss because some items of income or expense are taxable in different periods or may never be taxable or deductible. The Group’s liability for current tax is calculated using UK and foreign rates and laws that have been enacted or substantively enacted by the reporting period date.

A current tax provision is recognised when the Group has a present obligation as a result of a past event and it is probable that the Group will be required to settle that obligation. Tax liabilities are recognised when it is considered probable that there will be a future outflow of funds to a taxing authority. They are measured using one of the following methods, depending on which of the methods the Directors expect will better reflect the amount the Group will pay to the tax authority.

The single best estimate method is used where there is a single outcome that is more likely than not to occur. This will happen, for example, where the tax outcome is binary or the range of possible outcomes is limited. The most likely outcome may be that no tax is expected to be payable, in which case the provision is nil.

Alternatively, a probability weighted expected value is used where, on the balance of probabilities, something will be paid to the tax authority but the possible outcomes are widely dispersed with low individual probabilities (i.e. there is no single outcome more likely than not to occur). In this case, the provision is the sum of the probability-weighted amounts in the range. In assessing provisions against uncertain tax positions, management uses in-house tax experts, professional firms and previous experience of the taxing authority to evaluate the risk. However, it remains possible that uncertainties will ultimately be resolved at amounts greater or smaller than the liabilities provided. in the Consolidated Statement of Profit or Loss in the period in which they become payable. become they which in period the in Loss or Profit of Statement Consolidated the in offrom those the Groupschemes are in torecognised contribution defined independently administered Contributions funds. oftheschemespension The areschemes Group employees.forassets The contribution held definedits separately operates 4.17 Pensions and Other Post-Retirement Benefits 14. note in out set are tax to relating Disclosures liabilities and basis. assets anet on tax current the settle to intend which entities taxable different on or entity same the either on taxation authority same the in levied taxes income the to relate taxes deferred the and liabilities tax current against assets tax off set to current exists right enforceable alegally if offset are liabilities tax deferred and assets tax Deferred equity. in or income to other comprehensive incomecredited or toor directly equity, in is in which dealt tax with the deferred other comprehensive case charged items to relates it when except Loss, or Profit of Statement Consolidated the in credited or charged Deferred is tax date. period reporting the by enacted substantively or enacted been have that rates tax on based is rate The is asset realised. the or settled is liability the when period the in apply to expected are that rates tax the at calculated is tax Deferred recovered. be to asset the of part or all allow to available be will profits taxable sufficient that probable extent longer no the is to it that reduced and date reporting each at reviewed is assets tax deferred of amount carrying The future. in reverse not foreseeable will the difference temporary the that probable is it and difference temporary the of reversal the the where control except to able is Group subsidiaries, in investments on arising differences temporary taxable for recognised are liabilities tax Deferred profit. accounting the nor profit tax neither the affects that atransaction in liabilities and assets other of combination) abusiness in than (other from or recognition initial goodwill of the recognition initial the from arises difference temporary the if recognised not are liabilities and assets Such utilised. be can differences temporary deductible which against available be will profits is taxable it that that probable extent the to recognised are assets tax deferred and differences temporary taxable all for are recognised generally liabilities tax Deferred method. liability sheet balance the using for accounted is It profit. taxable of used computation bases the in tax corresponding the and Statements Financial Consolidated the in liabilities and assets of amounts the between carrying differences temporary from arising future the in recoverable or payable be to expected tax the is tax Deferred result. to expected is Group the of profitability the on impact significant no predicted, reliably be cannot positions tax uncertain these of resolution final of amount and timing the Although jurisdictions. trading major Group’s the of several in ongoing are matters other and transactions cross-border to relating authorities tax with Discussions examination. on sustained be will basis returns tax the that certain be to impossible is it that means This views. reasonable and legitimate of arange be to there for possible frequently is it and estimates of making the on relies pricing transfer However, guidelines. OECD with accordance in returns tax in basis final Group the subsidiaries between on an undertaken may arm’s-lengthoutcome cross-border vary. transactions Group The reports matters, tax open of conclusion on date, afuture at that possible is it items, such with associated to Due uncertainty the business. of course ordinary the in into entered arrangements impacting legislation tax of interpretation the to 13), relate note (see made is provision which for items tax uncertain The authorities. with agreed be to remain liabilities the where computations tax open on payable tax of amount the of estimate Directors’ the to relates provision tax current Group’s The 2019 Annual Report and Accounts and Report Annual 2019 135 Additional Information Financial Statements Corporate Governance Strategic Report Introduction 136 Cybersecurity evolved

NOTES TO THE CONSOLIDATED FINANCIAL STATEMENTS CONTINUED For the year-ended 31 March 2019

4 Significant Accounting Policies continued 4.18 Share-Based Payments Employees (including senior executives and Directors) of the Group receive remuneration in the form of share-based payment transactions, whereby employees render services as consideration for equity instruments (“equity-settled transactions”). The Group also grants cash-settled awards in certain jurisdictions in order to ensure compliance with tax, regulatory or legal country specific requirements.

Equity-settled transactions The cost of equity-settled transactions with employees is measured by reference to the fair value at the date on which they are granted. The fair value is determined by using an appropriate pricing model, further details of which are given in note 29.

The cost of equity-settled transactions is recognised, together with a corresponding increase in equity, ending on the date on which the relevant employees become fully entitled to the award.

At each reporting date before vesting, the cumulative expense is calculated, representing the extent to which the vesting period has expired and the Directors best estimate of the achievement or otherwise of non-market conditions and of the number of equity instruments that will ultimately vest or, in the case of an instrument subject to a market condition, be treated as vesting as described above. The movement in cumulative expense since the previous reporting date is recognised in the Consolidated Statement of Profit or Loss, with a corresponding entry in equity.

Where the terms of an equity-settled award are modified or a new award is designated as replacing a cancelled or settled award, the cost based on the original award terms continues to be recognised over the original vesting period. In addition, an expense is recognised over the remainder of the new vesting period for the incremental fair value of any modification, based on the difference between the fair value of the original award and the fair value of the modified award, both as measured on the date of the modification. No reduction is recognised if this difference is negative.

Where an equity-settled award is cancelled, it is treated as if it had vested on the date of cancellation, and any cost not yet recognised in the Consolidated Statement of Profit or Loss for the award is expensed immediately. Any compensation paid up to the fair value of the award at the cancellation or settlement date is deducted from equity, with any excess over fair value being treated as an expense in the Consolidated Statement of Profit or Loss.

Cash-settled transactions A liability is recognised for the fair value of cash-settled transactions. The fair value is measured at grant and each subsequent reporting date up to and including the settlement date. The change in fair value is recognised in the Consolidated Statement of Profit or Loss with a corresponding entry in liabilities for cash-settled transactions.

4.19 Exceptional Items Exceptional items are those that in the judgement of the Directors need to be disclosed by virtue of their size, nature or incidence, in order to draw the attention of the reader and to report the underlying business performance of the Group. Such items are included within the income statement caption to which they relate, and are separately disclosed either in the notes to the Consolidated Financial Statements or on the face of the Consolidated Statement of Profit or Loss.

4.20 Events After the Reporting Date Events between the reporting date and the date on which the Consolidated Financial Statements are approved, favourable and unfavourable, providing evidence of conditions that existed at the reporting date, adjust the amounts recognised in the Consolidate Financial Statements. Those that indicate conditions arising after the reporting date are disclosed but are not recognised within the Consolidated Financial Statements. to statutory revenue. to statutory equate not do Billings arefund. to right no is there which for or them, to services and products delivering and customer the from order apurchase receiving after customers to invoiced services and products of value the represent Billings Billings measures is set outmeasures below. to GAAP non-GAAP of reconciliation The 2018. March 31 year-ended the for presented those with consistent is 2019 March 31 year-ended the in measures non-GAAP of definition the 15), note (see EPS operating adjusted of calculation the for than Other with IFRS. accordance in rates exchange foreign actual at prepared information financial Group’s the evaluating also without basis currency aconstant on performance and results Group’s the evaluate not do a significant constitute element may oftheGroup’s revenue and andcould expenses eliminated materiallytheThe impactGroup’s are Directors performance. that effects currency the as particularly limitations, have measures currency Constant measures to for purposes the Group. different such use may or differently them calculate may companies other IFRS, by defined not are measures the as However similar use metrics. who industry, cybersecurity the in particularly companies, other with comparability in aid also can The measures performance. business current its evaluating in aid to business the within indicators performance key as used are Group and the of results the of understanding afurther providing in help to measures GAAP supplement measures non-GAAP these that believe Directors The IFRS. under recognised or (“APM’s”) defined Measures not are that Performance measures lternative financial certain uses Group The 5 2019 Annual Report and Accounts and Report Annual 2019 Revenue Constant currency billings currency Constant revaluation Currency Billings Net of deferral revenue (see note 23)

A

31 March 2019 Year-ended 786.2 760.3 710.6 710.6 25.9 25.9 49.7 49.7 $M

31 March 2018 Year-ended See note 2 note See Restated 639.0 639.0 129.6 129.6 768.6 768.6 787.3

18.7 18.7 $M 137 Additional Information Financial Statements Corporate Governance Strategic Report Introduction 138 Cybersecurity evolved

NOTES TO THE CONSOLIDATED FINANCIAL STATEMENTS CONTINUED For the year-ended 31 March 2019

5 Alternative Performance Measures (“APM’s”) continued Adjusted Operating Profit and Cash EBITDA Adjusted Operating Profit (“AOP”) provides a supplemental measure of earnings that facilitates review of operating performance on a period-to-period basis by excluding non-recurring and other items that are not indicative of the Group’s underlying operating performance.

Adjusted Operating Profit is a key profit measure used by the Board to assess the underlying financial performance of the Group. Adjusted Operating Profit is stated before the following items for the following reasons:

• Exceptional items, as set out in note 8, are one of the items that in the judgement of the Directors should be disclosed separately by virtue of their size, nature or incidence, in order to show the underlying business performance of the Group. • Charges for the amortisation of acquired intangibles are excluded from the calculation of adjusted Operating Profit. This is because these charges are based on judgements about their value and economic life, are the result of the application of acquisition accounting rather than core operations, and whilst revenue recognised in the income statement does benefit from the underlying technology that has been acquired, the amortisation costs bear no relation to the Group’s underlying ongoing operational performance. In addition, amortisation of acquired intangibles is not included in the analysis of segment performance used by the chief operating decision maker. • Share-based payment charges are similarly excluded from the calculation of adjusted Operating Profit because these represent a non-cash accounting charge for transactions that could otherwise have been settled in cash or not be limited to employee compensation. These charges also represent long-term incentives designed for long-term employee retention, rather than reflecting the short-term underlying operations of the Group’s business. The Directors acknowledge that there is an ongoing professional debate on the add-back of share-based payment charges but believe that as they are not included in the analysis of segment performance used by the chief operating decision maker and their add-back is consistent with metrics used by a number of other companies in the global cybersecurity industry, that this treatment remains appropriate.

Cash earnings before interest, taxation, depreciation and amortisation (“Cash EBITDA”) is defined as the Group’s Operating Profit / (loss) adjusted for depreciation and amortisation charges, any gain or loss on the sale of tangible and intangible assets, share option charges, unrealised foreign exchange differences (on the basis that they are non-cash income and expenses) and exceptional items, with billings replacing recognised revenue. The unrealised foreign exchange differences are included within the foreign exchange gain of $1.5M (2018: loss of $6.9M) disclosed on the face of the Consolidated Statement of Profit or Loss. The Directors consider this metric a useful supplemental measure of earnings that provides visibility on actual cash earned in the year. The replacement of revenue with billings adjusts for the net deferral of revenue, whereas the weighted average contract term is around 28 months, a more material adjustment is generated than for the short-term working capital variations derived from the application of the accruals concept. Therefore, whilst Cash EBITDA is not a pure cash flow metric, it represents a closer approximation to cash earned in the period from the trading that has taken place. Depreciation and unrealised foreign exchange differences are adjusted as they do not represent cash costs of the business. 2019 Annual Report and Accounts and Report Annual 2019 comparative information. 2018 March 31 year-ended the for EBITDA Cash and Profit Operating adjusted Group’s the of item line each for changes these of impact the summarises table following The charge. tax income the of components certain and Revenue 15 – IFRS of respect in policies accounting significant its to period the in changes made Company the 2, note in out set As Net of deferral revenue Revenue Billings Share-based expense payments of intangible purchased assets Amortisation Cash EBITDA Net of deferral related selling expenses Net of deferral revenue exchange foreign loss Unrealised Depreciation Profit Operating Adjusted items Exceptional Net of deferral revenue Revenue Billings Depreciation Profit Operating Adjusted items Exceptional Share-based expense payments of intangible purchased assets Amortisation (loss) / profit Operating Operating loss Operating Cash EBITDA 20) note (see expenses selling related of deferral Net Net of deferral revenue exchange foreign loss Unrealised As previously reported (640.7) 768.6 768.6 193.7 193.7 127.9 127.9 127.9 127.9 (31.9) 39.6 39.6 11.6 11.6 25.2 25.2 46.1 46.1 13.2 13.2 8.1 8.1 $M –

Adjustment IFRS 15 IFRS (8.4) 6.7 6.7 6.7 6.7 1.7 1.7 1.7 1.7 1.7 1.7 $M – – – – – – –

Interest on UTP on Interest 31 March 2019 Year-ended RDEC / RDEC (710.6) 109.0 109.0 760.3 167.9 167.9 60.9 60.9 35.0 35.0 11.6 11.6 16.9 16.9 49.7 49.7 49.7 49.7 (1.5) (0.9) (3.8) 5.5 5.5 5.5 5.5 5.5 5.5 $M $M – – – – – – – – – –

31 March 2018 Year-ended See note 2 note See Restated Restated (639.0) (639.0) 129.6 129.6 129.6 129.6 129.6 129.6 199.2 199.2 129.6 129.6 199.2 199.2 768.6 768.6 768.6 768.6 (19.7) (19.7) 39.6 39.6 39.6 39.6 58.3 58.3 58.3 58.3 11.6 11.6 11.6 11.6 25.2 25.2 25.2 25.2 13.2 13.2 13.2 13.2 (8.4) (8.4) 8.1 8.1 8.1 8.1 $M $M 139 Additional Information Financial Statements Corporate Governance Strategic Report Introduction 140 Cybersecurity evolved

NOTES TO THE CONSOLIDATED FINANCIAL STATEMENTS CONTINUED For the year-ended 31 March 2019

5 Alternative Performance Measures (“APM’s”) continued Unlevered Free Cash Flow Unlevered free cash flow represents net cash flow from operating activities adjusted for exceptional items and net capital expenditure. Unlevered free cash flow provides an understanding of the Group’s cash generation and is a supplemental measure of liquidity in respect of the Group’s operations without the distortions of exceptional and other non-operating items.

Year-ended Year-ended 31 March 2019 31 March 2018 $M $M Net cash flow from operating activities 142.9 147.7 Exceptional items 3.1 13.0 Net capital expenditure (22.2) (21.1) Unlevered free cash flow 123.8 139.6

Year-ended Year-ended 31 March 2019 31 March 2018 $M $M Cash EBITDA 167.9 199.2 Net capital expenditure (22.2) (21.1) Change in working capital (5.2) (12.2) Corporation tax paid (16.7) (26.3) Unlevered free cash flow 123.8 139.6

6 Segment Information

For internal management reporting purposes, the operating segments are determined to be geographic segments as the Group’s risks and rates of return are affected predominantly by the different economic environments. This is consistent with the information provided to the Chief Operating Decision Maker. The Group has only one operating segment based on product on the basis that the products and services offered to external customers are very similar and therefore do not result in different risks and rates of return for the Group.

The Group’s geographical segments are based on the location of the Group’s operations consisting of Europe, Middle East and Africa (“EMEA”), The Americas and Asia Pacific and Japan (“APJ”).

Billings are the value of products and services invoiced to customers after receiving a purchase order from the customer and delivering products and services to them, or for which there is no right to a refund. Billings does not equate to statutory revenue.

Billings are classified by the geographic location of direct customers, OEMs and the distributors which purchase our products. The geographic location of OEMs or distributors may be different from that of end customers. A disclosure of billings and revenue by region is included in the Financial Review on page 28.

The accounting policies of the reportable segments are the same as the Group’s accounting policies described in note 4. Segment profits represent the profit earned by each segment without allocation of central administration costs including Directors’ salaries, finance expenses and income tax expense. This is the measure reported to the Chief Operating Decision Maker, the Chief Executive Officer, and Senior Management Team for the purposes of resource allocation and assessment of segment performance.

Transfer prices between geographical segments are set on an arm’s length basis in a manner similar to transactions with third parties. for the year-ended 31 March 2019 and 31 March 2018. 2018. March 31 and 2019 March 31 year-ended the for segments geographical Group’s the regarding information asset certain and expenditure billings, present tables following The segments Geographical 2019 Annual Report and Accounts and Report Annual 2019 Unallocated assets relate to deferred tax, as the segment assets reviewed by the Chief Operating Decision Maker does not not include does tax. deferred Maker Decision Operating Chief the by reviewed assets segment the as tax, deferred to relate assets Unallocated segment information Other Regional gross margin gross Regional Loss before taxation before Loss Net finance expense Depreciation Amortisation Central costs Revenue deferral Regional sales and marketing expense marketing and sales Regional Restated (see note 2) Year-ended 31 March 2018 sales of cost Regional 5) note (see Billings Year-ended 31 March 2019 Regional Operating Profit Operating Regional margin gross Regional Regional sales and marketing expense marketing and sales Regional 5) note (see Billings APJ EMEA Americas Segment assets Consolidated total assets assets Unallocated Profit beforetaxation Profit Net finance expense Depreciation Amortisation Central costs Revenue deferral Profit Operating Regional Regional cost of sales of cost Regional Total segment assets segment Total Americas Americas 255.3 255.3 270.0 270.0 255.1 255.1 178.6 178.6 267.9 267.9 17 7.3 7.3 17 (12.8) (14.7) (76.7) 77.8) (7 $M $M

359.0 359.0 395.2 395.2 395.1 395.1 278.0 278.0 273.1 273.1 EMEA EMEA 357.0 (36.2) (85.9) (38.1) (79.0) $M $M

31 March 2019 1,260.9 1,260.9 1,375.9 1,375.9 150.3 150.3 115.0 115.0 103.5 103.5 373.3 373.3 737.3 737.3 (12.9) (16.2) (32.0) (31.4) 84.3 84.3 52.9 52.9 55.3 55.3 97.2 97.2 87.3 87.3 APJ APJ $M $M $M

31 March 2018 See note 2 note See Restated 1,384.0 1,384.0 1,263.3 1,263.3 (364.0) (129.6) (365.2) (195.1) (187.7) 698.4 698.4 699.6 699.6 503.3 503.3 393.5 393.5 511.9 511.9 760.3 768.6 768.6 713.1 713.1 120.7 120.7 156.7 156.7 (11.6) (11.8) (16.9) (21.3) (69.0) (25.2) (61.9) (41.0) (49.7) Total Total 53.6 (7.3) $M $M $M 141 Additional Information Financial Statements Corporate Governance Strategic Report Introduction 142 Cybersecurity evolved

NOTES TO THE CONSOLIDATED FINANCIAL STATEMENTS CONTINUED For the year-ended 31 March 2019

6 Segment Information continued

Year-ended Year-ended 31 March 2019 31 March 2018 Depreciation and amortisation $M $M Americas 6.6 7.5 EMEA 18.1 24.9 APJ 4.0 4.4 Total depreciation and amortisation 28.7 36.8

31 March 2019 31 March 2018 Restated See note 2 Non-current assets by country $M $M UK 42.5 43.4 USA 22.0 18.5 Germany 5.1 5.9 Other countries 22.4 19.0 Total non-current assets by country 92.0 86.8

Non-current assets by country excludes deferred tax assets and goodwill. Goodwill has been excluded as a split by country is not available and the Directors consider that the cost to develop such analysis would be excessive.

Year-ended Year-ended 31 March 2019 31 March 2018 Restated See note 2 Revenue from external customers by country $M $M UK 83.2 73.5 USA 222.2 199.0 Germany 143.5 128.4 Other countries 261.7 238.1 Total revenue from external customers by country 710.6 639.0

The Group’s revenue is diversified across its entire end customer base and no single end user accounted for greater than 10 per cent of the Group’s revenue in either 2018 or 2019. In 2019 two distributors accounted for 15 per cent each, and one distributor for 11 per cent of Group billings which were attributable to all segments of the Group (2018: three distributors accounted for 15 per cent, 14 per cent and 12 per cent each). Cost of $13.2M). Tax relief on these exceptional items amounted to $0.5M (2018: $2.6M). (2018: $0.5M to amounted items exceptional these on Tax relief $13.2M). of Cost (2018: $3.8M of income exceptional total in a resulted This item. exceptional an as released been has $6.9M of liability excess an financial Inc., Invincea, of acquisition the of respect in consideration contingent of settlement final the following addition, In territories. overseas certain in products Group’s the of some of use the to pertaining procedures and policies sales Group’s the of review strategic aone-off with connection in Nil) (2018: $1.7M of fees legal and $3.0M), (2018: arising $0.6M of claims years previous in property intellectual certain of defence the to relation in incurred costs litigation $10.2M), (2018: project FY18 of a finalisation the in $0.8M of costs integration and restructuring incurred Group the 2019, March 31 year-ended the During Loss. or Profit of Statement Consolidated the of face the on disclosed separately are and relate they which to caption statement income the within included are items incidence, in order or to of draw the reader and the attention of to the Group. show Such nature the underlying business performance size, their of virtue by disclosed be to need Directors the of judgement the in Items that xceptional those are items Exceptional 8 follows: as analysed is Loss or Profit of Statement Consolidated the in recognised Revenue 7 2019 Annual Report and Accounts and Report Annual 2019 Other Hardware Subscription Type: by Revenue Total Other Enduser Network Product: by Revenue Total

E Revenue 31 March 2019 2019 March 31 31 March 2019 Year-ended Year-ended 348.4 348.4 593.9 593.9 106.8 328.5 328.5 710.6 710.6 710.6 710.6 33.7 33.7 9.9 9.9 $M $M 31 March 2018 2018 March 31 31 March 2018 Year-ended Year-ended See note 2 note See 2 note See Restated Restated 639.0 639.0 639.0 291.8 291.8 512.4 512.4 316.5 115.1 115.1 11.5 11.5 30.7 30.7 $M $M 143 Additional Information Financial Statements Corporate Governance Strategic Report Introduction 144 Cybersecurity evolved

NOTES TO THE CONSOLIDATED FINANCIAL STATEMENTS CONTINUED For the year-ended 31 March 2019

9 Profit / (loss) on Ordinary Activities

The profit (2018: loss) on ordinary activities before taxation is stated after charging:

Year-ended Year-ended 31 March 2019 31 March 2018 Restated See note 2 $M $M Depreciation of property, plant and equipment 11.8 11.6 Amortisation of intangible assets 16.9 25.2 Research and development expenditure (143.9) (140.3) Operating lease rentals: Property 14.0 12.5 Other 1.6 1.6 Pension scheme contributions 8.9 8.4 Impairment of trade receivables 0.6 0.6 Net foreign currency differences (1.5) 6.9

10 Auditor’s Remuneration

The Group paid the following amounts to its auditor in respect of the audit of the historical financial information and for other non-audit services provided to the Group.

Year-ended Year-ended 31 March 2019 31 March 2018 $M $M Audit of the Financial Statements 0.4 0.4 Subsidiary local statutory audits 0.2 0.3 Total audit fees 0.6 0.7

Other assurance services 0.1 0.1 Total non-audit fees 0.1 0.1 mployee Costs mployee 11 The average number of employees during the period, analysed by category, was as follows: as was category, by analysed period, the during employees of number average The combinations. business on arising payments retention to relating $4.0M) (2018: $4.2M are above salaries and wages in Included Accounts and Report Annual 2019 rectors’ Remuneration rectors’ 12 91 to 101. to 91 pages on Report Remuneration Group’s the in found be can details Further subsidiaries. its and plc Group Sophos of Director a as year the during made schemes pension to contributions aggregate and earnings all represent emoluments Directors’ Total remuneration Directors’ Total employee costs costs Other Pension costs costs security Social Gains on vesting of LTIP awards LTIP of vesting on Gains Gains on exercise of share options Wages and salaries Share-based payments (see note 29) note (see payments Share-based Total average number of employees Administration andSales marketing Technical Directors’ emoluments

E Di

31 March 2019 2019 March 31 31 March 2019 31 March 2019 Year-ended Year-ended Year-ended 1,934 1,934 286.0 286.0 333.2 3,503 3,503 1,211 1,211 370.1 370.1 20.4 20.4 36.9 36.9 25.6 25.6 14.5 12.7 12.7 358 358 8.9 8.9 2.3 2.3 3.6 3.6 $M $M 31 March 2018 31 March 2018 31 March 2018 Year-ended Year-ended Year-ended See note 2 note See Restated 1,868 1,868 361.9 361.9 1,124 1,124 3,319 271.8 271.8 319.6 319.6 42.3 42.3 11.0 12.1 12.1 27.3 27.3 327 327 4.2 8.4 8.4 3.3 3.3 3.5 3.5 $M $M 145 Additional Information Financial Statements Corporate Governance Strategic Report Introduction 146 Cybersecurity evolved

NOTES TO THE CONSOLIDATED FINANCIAL STATEMENTS CONTINUED For the year-ended 31 March 2019

13 Finance Income and Expense

Year-ended Year-ended 31 March 2019 31 March 2018 Finance income $M $M Interest on bank deposits 0.9 0.3

Year-ended Year-ended 31 March 2019 31 March 2018 Restated See note 2 Finance expense $M $M Interest expense on loans and borrowings 9.3 8.7 Other interest and bank charges 0.5 0.3 9.8 9.0 Accretion on contingent consideration 0.1 0.9 Interest on uncertain tax positions (see note 25) 3.5 0.9 Foreign exchange (gain) / loss on borrowings (6.4) 9.6 Amortisation of facility fees 1.2 1.2 Total finance expense 8.2 21.6

14 Taxation

UK corporation tax for the year-ended 31 March 2019 is calculated at 19% (2018: 19%) of the estimated assessable loss for the period.

Year-ended Year-ended 31 March 2019 31 March 2018 Restated See note 2 $M $M Current income tax: UK corporation tax 1.3 1.2 Adjustments in respect of previous years UK tax 0.3 0.3 Overseas tax before exceptional items 22.2 23.0 Adjustment in respect of previous years 13.1 10.2 Total current tax charge 36.9 34.7

Deferred tax: Origination and reversal of temporary differences 2.5 (16.7) Impact of changes in US tax rate - 5.4 Adjustment in respect of previous years (12.7) (3.5) Total deferred tax credit (10.2) (14.8)

Total income tax charge 26.7 19.9 rate. The reconciling items represent the impact of rate differentials in tax jurisdictions and the impact of non-taxable benefits benefits Financial and base Statements. the local the reported tax between and arising non-deductible expenses from differences non-taxable of impact the and jurisdictions tax in differentials rate of impact the represent items tax reconciling The corporation UK the rate. using expense tax reported the to expense tax corporation theoretical the reconciles table following The of this current liability will be available to utilise against a tax liability in the UK so a deferred tax asset has been recognised. recognised. been has asset tax adeferred so UK the in liability atax against utilise to available be will $Nil) (2018 liability current $11.3M this of that anticipated is it procedures relief authority tax bilateral Following authorities. tax relevant the with procedure agreement mutual of a part as resolved be to likely are and Group the to across profits of authorities tax allocation from challenge geographic of the risk the to relates which of majority the positions, tax uncertain for liabilities of respect in $20.0M) (2018: $35M is liabilities current Within 4.16. note in out set is liabilities estimate to used methodology The authority. taxing to a funds of outflow afuture be will there that probable considered is it when recognised are Tax liabilities years. future in applicable be to continue will incentives these that guarantee no is There 2). note see restatement, through $4.5M (2018: $5.7M by increasing charge tax the in resulting organisations comparable in treatment accounting the to align closely more to policy accounting the in achange was there FY19 In expense. development and research appropriate the to acredit as for claimed is accounted is and Credit Expenditure &Development Research the UK, the In jurisdictions. certain in incentives receives Group The territories. other in between in lie that rates other and US and UK the in rate alower India, and Germany as such jurisdictions, certain in rates higher of combination a reflects and profits of mix geographic the to sensitive is rate tax Group’s The Key Influences appropriate. where accounts the in made aprovision and regularly monitored are positions tax Uncertain assessed. being tax additional to lead may regulations complex of interpretation that accepted is it and company a Group by adopted position filing the to adjustment seek may authority atax However, Group. the affect would proposals those how understand can they and it that so measures, tax proposed on input informed provide to institutions industry international and bodies administrators, tax makers, policy with engages actively Group The operations. cross-border significant of mitigate to risks tax authorities tax with pricing length arm’s agree to seeks proactively Group The legislation. tax current with complies Group the that ensuring in vigilant is and authorities revenue all with relationship transparent and open an for strives professionals. Sophos tax of team global by a supported strategy tax for responsible is Officer Financial Chief The Committee. Risk Audit and the of remit the within is taxation of Oversight needs. operational and strategy business its to aligned is and fy19.pdf is Group’sThe published strategy at www.sophos.com/en-us/medialibrary/PDFs/legal/sophos-group-tax-policy- taxation Accounts and Report Annual 2019 Adjustments in respect of previous years previous of respect in Adjustments of: Effects 19%) (2018: 19% of UK the in tax corporation of rate standard the by multiplied taxation before year the for Loss taxation before year the for (loss) / Profit Impact of US tax reform on deferred tax deferred on reform tax US of Impact Charge for taxation on profit / (loss) for the year the for (loss) / profit on taxation for Charge movements Other earnings overseas on rates tax Higher Losses not recognised not deductible for purposes tax Expenses year the during rate tax in Change Research andResearch development and credits other tax

31 March 2019 Year-ended 11.8 11.8 53.6 53.6 10.2 26.7 (1.9) (1.9) (2.4) (2.4) (0.9) (0.9) 0.8 0.8 1.4 1.4 $M 7.7 7.7 – 31 March 2018 Year-ended See note 2 note See Restated (41.0) 19.9 (1.1) (0.6) (7.7) 9.4 9.4 3.8 3.8 3.6 3.6 5.4 5.4 $M 7.1 7.1 –

147 Additional Information Financial Statements Corporate Governance Strategic Report Introduction 148 Cybersecurity evolved

NOTES TO THE CONSOLIDATED FINANCIAL STATEMENTS CONTINUED For the year-ended 31 March 2019

14 Taxation continued

Consequently, the net tax balance sheet position for uncertain tax positions is $23.7M (2018 $20M). The Group anticipates that a number of tax audits are likely to conclude in the next 12 to 24 months. Due to the uncertainty associated with such tax items, it is possible at a future date, on the conclusion of open tax matters, the final outcome may vary significantly.

The change in tax rate during the year occurs in respect of the re-measurement of a deferred tax asset due to the future reduction of the UK tax rate.

Expected Future Rate Over the medium-term the tax rate is likely to stabilise as the integration of acquisitions in higher rate jurisdictions are completed. However, the tax rate may fluctuate if business changes are implemented in response to legislation arising from the OECD’s Base Erosion & Profit Shifting Project. Legislative change in key territories is being monitored and acted upon.

The Group does not anticipate any significant impact on the future tax charge, liabilities or assets, as a result of the triggering of Article 50(2) of the Treaty on European Union, but cannot rule out the possibility that, for example, a failure to reach satisfactory arrangements for the UK’s future relationship with the European Union, could have an impact on such matters.

The European Commission has concluded its investigation into the UK’s controlled foreign company (“CFC”) rules. The CFC rules levy a charge on foreign entities controlled by the UK that are subject to a lower rate of tax, however there is currently an exemption available for 75% of this charge if the activities being undertaken by the CFC relate to financing. The EC concluded that this exemption is in breach of EU State Aid rules. However, whilst we are awaiting further detail from HMRC, the position has not changed from a tax accounting perspective. The risk is possible, but not probable. UK ministers have yet to decide on whether to pursue an appeal. No provision for this potential liability of $3.6M has been provided in these Consolidated Financial Statements as it is not clear what, if any, the ultimate financial result will be.

Deferred tax assets and liabilities are attributable to the following:

31 March 2019 31 March 2018 Restated See note 2 $M $M Deferred income tax assets in relation to: Deferred revenue 40.9 40.0 Tax value of carry forward losses of UK subsidiaries 37.0 24.2 Tax value of carry forward losses of overseas subsidiaries 6.2 6.4 Advanced capital allowances 7.5 7.7 Share-based payments 11.6 27.7 Other temporary differences 11.8 14.7 Total 115.0 120.7

Deferred income tax liabilities in relation to: Intangible assets 6.1 5.9 Deferred selling cost 8.5 8.5 Other temporary differences - 0.1 Total 14.6 14.5 during the period. the during held shares own of number average weighted the account into takes shares of number average weighted the case, each In period. the during outstanding shares ordinary of number average weighted the by parent the of holders equity to taxation attributable for adjusting after period the for Profit Operating adjusted the dividing by calculated is EPS operating Adjusted anti-dilutive. be would impact the when shares outstanding of respect in adjustments to share reference per without earnings are dilutive the 33, IAS with accordance In shares. ordinary into converted were shares ordinary potential dilutive all if issued be would that shares of number average weighted the plus period the during outstanding shares ordinary of average number weighted the by parent the of holders equity to attributable period the for profit the dividing by calculated is EPS Diluted period. the during outstanding shares ordinary of number average weighted parent the the by of holders equity to attributable period the for profit the dividing by calculated Share is Per arnings (“EPS”) share per earnings Basic 15 expected. are deductions tax future which in jurisdictions in only have recognised been assets tax Deferred earnings. retained in recorded also is rate statutory the at expense remuneration the of amount cumulative the of excess in relief tax current Similarly, earnings. retained against equity, in directly recorded is excess the rate, statutory the at expense remuneration the of amount cumulative the exceeds amount this If period. vesting the over rendered been have employee the of services the that extent the to pro-rated is and movement price share by impacted be will so date reporting the at price share Group’s the on based is This future. the in obtained be to deduction tax of amount estimated as the calculated is awards option share on arising asset tax deferred Any recorded. be may asset tax adeferred bases, tax and accounting the between difference atemporary is there Where options. relevant the of date vesting the to date award the period from the over Loss or Profit of Statement Consolidated the in recorded is payments share-based for expense A remuneration Payments Share-Based recognition. and offset permit to necessary entities correct the in available profits non-trading or trading future of type required the be will there that probable considered not is it as $334.0M) (2018: $298.7M remaining the of respect in recognised been has asset tax deferred No losses. such of $166.4M) of (2018: respect in $241.4M recognised been has asset tax deferred A profits. future against offset for available $500.4M) (2018: $540.1M of losses tax unused has Group the date sheet balance the At offset. be will recognised losses the which against forecast the in period arise will profits indicate forecasts current where losses of respect in recognised been has asset tax A deferred Losses position. loss tax UK to due paid isn’t that Credit Expenditure &Development Research UK the and differences timing short-term on current arisingperiod primarily due to in the the decrease differences short-term It includes balances. temporary timing during differences decreased $14.7m) has (2018: $11.8M of differences temporary other to relating asset tax deferred The timing differences temporary Other date. reporting the at enacted substantively or enacted been have that rates tax on based settled, liability the or is realised asset the when period the in apply to expected are that rates tax the at measured are liabilities and assets tax Deferred the in foreseeable reverse not future. will differences such that probable is it and differences temporary of reversal the control to is aposition in Group the because recognised been has liability No $Nil). (2018: $Nil was recognised been have liabilities tax for deferred which subsidiaries of earnings undistributed with associated differences temporary of amount aggregate the 2019 March 31 at As 2019 Annual Report and Accounts and Report Annual 2019

E 149 Additional Information Financial Statements Corporate Governance Strategic Report Introduction 150 Cybersecurity evolved

NOTES TO THE CONSOLIDATED FINANCIAL STATEMENTS CONTINUED For the year-ended 31 March 2019

15 Earnings Per Share continued

The following reflects the income and share data used in calculating EPS:

Year-ended Year-ended 31 March 2019 31 March 2018 Restated See note 2 $M $M Profit / (loss) for the period attributable to the equity holders of the Company 26.9 (60.9)

Adjusted Operating Profit for the period attributable to the equity holders of the Company (see note 5) 109.0 58.3 Total tax charge (26.7) (19.9) Reverse tax impact of: Net finance expense (2.5) (5.9) Amortisation (3.1) (4.8) Share-based payments (7.4) (8.5) Exceptional items (0.5) (2.6) Adjusted Operating Profit after tax 68.8 16.6

Year-ended Year-ended 31 March 2019 31 March 2018 Weighted average number of shares (000’s): 476,320 459,969 Effects of dilution from: Share options 7,039 11,475 Restricted Share Units 10,397 17,125 Diluted 493,756 488,569

$ Cents $ Cents Basic and diluted EPS 5.6 (13.2) Diluted EPS 5.4 n/a Adjusted operating EPS 14.4 3.6 Diluted adjusted operating EPS 13.9 3.4 tangible Assets tangible 16 2019 Annual Report and Accounts and Report Annual 2019 There has been no impairment to intangible assets held by the Group during the year. the during Group the by held assets intangible to impairment no been has There Cost At 31 March 2018 March 31 At rates exchange in movements of Effect Additions 2017 March 31 At At 31 March 2019 March 31 At 2018 March 31 At Net book value 2019 March 31 At rates exchange in movements of Effect rates exchange in movements of Effect year the for Charge 2017 March 31 At Amortisation/Impairment loss Amortisation/Impairment 2019 March 31 At Acquired through business combinations Additions Charge for the period 2018 March 31 At Effect of movements in exchange rates exchange in movements of Effect

In

Goodwill Goodwill 826.0 826.0 826.2 826.2 809.5 809.5 785.3 785.3 785.5 785.5 (52.9) 12.2 12.2 16.7 16.7 0.2 0.2 0.2 0.2 0.2 $M – – – – – –

Intellectual Intellectual Property Property 408.2 408.2 380.0 380.0 388.3 388.3 385.9 385.9 361.6 361.6 425.3 425.3 20.8 20.8 28.2 28.2 39.4 39.4 13.4 13.4 14.8 14.8 (3.7) (3.7) 5.0 5.0 9.6 5.1 5.1 $M –

Software Software 39.3 39.3 36.5 36.5 25.3 25.3 49.1 49.1 11.1 11.1 47.6 47.6 37.1 37.1 (3.2) (2.5) 4.4 4.4 9.8 9.8 6.1 6.1 5.3 5.3 8.1 8.1 3.1 3.1 4.7 4.7 $M –

264.4 264.4 266.9 266.9 268.3 268.3 265.3 265.3 272.9 1,554.9 1,554.9 272.9 Other 257.1 257.1 (6.0) (5.9) 2.0 2.0 4.6 4.6 2.5 2.5 3.7 3.7 $M 7.6 7.6 7.5 7.5 – – –

1,500.2 1,500.2 1,526.8 644.2 644.2 685.0 689.8 689.8 869.9 869.9 837.0 837.0 (12.1) (65.8) Total Total 20.9 20.9 33.0 33.0 33.8 33.8 25.2 25.2 16.9 16.9 15.6 15.6 4.7 4.7 $M

151 Additional Information Financial Statements Corporate Governance Strategic Report Introduction 152 Cybersecurity evolved

NOTES TO THE CONSOLIDATED FINANCIAL STATEMENTS CONTINUED For the year-ended 31 March 2019

16 Intangible Assets continued Goodwill Following a review of the allocation of goodwill to foreign operations, the Directors have determined that goodwill of $543.1M which arose on the acquisition of the Group by APAX on 15 June 2010 should have been allocated differently. This element of the goodwill was previously denominated in US dollars and has now been allocated into functional currencies of the underlying foreign operations.

The re-denomination has given rise to a total reduction in the carrying value of goodwill of $39.3M, that has been recognised in the year-ended 31 March 2019. Had this allocation taken place from acquisition, a $36.0M increase in the carrying value would have been recognised in the year-ended 31 March 2018 and a cumulative decrease of $50.0M in the carrying value would have been recognised as at 31 March 2017. As this change has no impact on either the statement of profit or loss nor the statement of cash flows and as the net prior-period impact of $14.0M is not material in the context of the overall value of goodwill or net assets, it is, in the judgement of the Directors, appropriate to affect the change in allocation in the current period.

This change in the carrying value of $39.3M is a part of the $52.9M reflected in the line “effect of movements in exchange rates” in the table above. An equal and opposite entry is a part of the $33.7M recognised as “exchange differences arising on translation of foreign operations” in other comprehensive income, and subsequently the translation reserve in equity.

This adjustment has had no impact on the conclusion of the Group’s annual impairment review.

Other intangible assets Intellectual property is amortised on a reducing balance basis over its estimated useful life of up to 15 years.

Software is amortised on a straight-line basis over three years.

Other intangibles comprise customer relationships, with a gross value of $247.4M and a net book value of $1.0M, and brand names with a gross value of $22.5M and a net book value of $1.5M.

Customer relationships are amortised on a reducing balance basis over a period of up to 14 years and brand names on a reducing balance basis over a period of up to 20 years.

The Group does not have any intangible assets with indefinite useful lives.

The Group has not capitalised development costs in the year-ended 31 March 2019 (2018: $Nil) as the Directors believe the criteria set out in IAS 38 have not been met. See note 4.

rate upward by thirty per cent of the above rates, and noted that this still did not give any indication of impairment. of indication any give not did still this that noted and rates, above the of cent per thirty by upward discount the rate flexed have Directors the made, assumptions the in sensitivity the assess to order In recoverable. not are assets long-lived Group’s the of amounts carrying the suggested that impairment of indicators no were there 2019, March 31 at As follows: as were 2018 March 31 year-ended the in assessments the in used assumptions key The Intangibles follows: and as Goodwill of allocated pairment been had goodwill of amount carrying the losses, impairment of recognition Before 17 The key assumptions used in the assessments in the year-ended 31 March 2019 are as follows: as are 2019 March 31 year-ended the in assessments the in used assumptions key The capital. of cost average weighted Group’s the of assessments market current reflect that rates on based estimated been have rates Discount experience. past with line in are and regional considerations specific and market the in growth forecasts, industry share, market in growth planned unit, cash-generating the of performance operating medium-term the of expectations Directors’ on based are period five-year the for rates years. five growth The following the for forecasts financial recent most Directors’ the from derived forecasts flow cash prepares Group The period. the costs during direct and billings to changes expected and rates growth rates, discount are calculations these for assumptions key The calculations. use in value internal on based goodwill of value the reviewed have Directors the 2019, March 31 year-ended the For use. in value the and disposal of costs less value fair of higher the than greater is relates it which to unit cash-generating the of value carrying the if impaired considered is Goodwill Loss. or of Profit Statement Consolidated the in immediately expense an as recognised is loss impairment An amount. recoverable its reduced to is unit cash-generating or asset the of amount carrying the amount, carrying its than less be to estimated is unit cash-generating or asset an of amount recoverable the If belongs. asset the which to unit cash-generating the of amount does not theWhere asset that generatethe cash flowsthe recoverable areGroup estimates independent from otherassets, impairment. of indication is there where frequently more or annually, tested is assets intangible and goodwill of Impairment Accounts and Report Annual 2019 Discount rate Discount years five beyond rate growth regional Long-term rate Discount years five beyond rate growth regional Long-term Americas APJ EMEA

Im Americas Americas Americas Americas 9.0% 2.5% 2.5% 9.5%

31 March 413.0 413.0 273.6 273.6 785.3 785.3 EMEA EMEA EMEA 2019 9.0% 9.5% 1.5% 1.5% 98.7 98.7 $M

31 March 10.0% 10.5% 434.2 434.2 826.0 288.2 288.2 103.6 103.6 2018 2.0% 2.0% APJ APJ APJ APJ $M

153 Additional Information Financial Statements Corporate Governance Strategic Report Introduction 154 Cybersecurity evolved

NOTES TO THE CONSOLIDATED FINANCIAL STATEMENTS CONTINUED For the year-ended 31 March 2019

18 Property, Plant and Equipment

Land and Plant and Fixtures and Buildings Machinery Fittings Total $M $M $M $M Cost As at 31 March 2017 15.0 36.9 4.9 56.8 Additions 0.9 7.8 1.3 10.0 Disposals – (0.4) – (0.4) Effect of movements in exchange rates 5.4 4.0 0.6 10.0 As at 31 March 2018 21.3 48.3 6.8 76.4 Additions 2.6 8.6 1.6 12.8 Disposals (0.1) (0.3) (0.1) (0.5) Effect of movements in exchange rates (3.7) (3.2) (0.6) (7.5) As at 31 March 2019 20.1 53.4 7.7 81.2

Depreciation As at 31 March 2017 8.2 23.0 2.2 33.4 Charge for the year 2.6 8.1 0.9 11.6 Disposals – (0.3) – (0.3) Effect of movements in exchange rates 3.1 2.8 0.4 6.3 As at 31 March 2018 13.9 33.6 3.5 51.0 Charge for the year 2.7 8.2 0.9 11.8 Disposals – (0.3) – (0.3) Effect of movements in exchange rates (2.2) (2.6) (0.4) (5.2) As at 31 March 2019 14.4 38.9 4.0 57.3

Net book value As at 31 March 2018 7.4 14.7 3.3 25.4 As at 31 March 2019 5.7 14.5 3.7 23.9

There has been no impairment to the property, plant and equipment held by the Group during the year.

19 Inventories

31 March 2019 31 March 2018 $M $M Finished goods and goods for resale 10.6 16.0

The amount of write-down of inventories included as an expense within the Consolidated Statement of Profit or Loss was $2.0M (2018: $1.4M). Movements in the provision for impairment of receivables were as follows: as were receivables of impairment for provision the in Movements for. provided fully and impaired were $0.9M) (2018: $1.2M of value anominal at receivables trade 2019, March 31 At /$239.9M). $8.4M (2018: costs Marketing and Sales of total the $259.9M of $0.9M was Loss or Profit of Statement Consolidated the within deferred expense acquisition contract net The expenses against receivables. operating in recognised was $0.6M) (2018: $0.6M of impairment for aprovision 2019 March 31 year-ended the value. fair During their represents also receivables other and trade of value carrying The generated. are sales which in territory Receivables andrade Other Trade are receivables non interest-bearing and are generally on 30–90 day payment depending terms on the geographical 20 2019 Annual Report and Accounts and Report Annual 2019 The analysis of trade receivables that were past due, but not impaired is as follows: as is impaired not but due, past were that receivables trade of analysis The Total Greater than six months months six to Three March 31 At rates exchange in movements of Effects off written Amounts year the for Charge Total non-current and trade other receivables receivables Other of acquisitionDeferral costs contract Non-current Total current and trade other receivables Up to three months three to Up 1April At Trade receivables Current Prepayments Other receivables Other of acquisitionDeferral costs contract

T

31 March 2019 31 March 2019 195.3 195.3 128.7 128.7 26.9 26.9 16.4 16.4 31.5 31.5 15.1 15.1 (0.2) (0.1) 0.9 0.9 0.9 0.6 0.3 0.3 0.6 0.6 8.2 8.2 1.2 1.3 1.3 $M $M – 31 March 2018 31 March 2018 See note 2 note See Restated 210.8 210.8 151.8 151.8 29.5 29.5 16.2 16.2 23.1 23.1 17.5 17.5 (0.1) 0.2 0.2 0.9 0.9 0.4 0.4 0.6 0.6 6.4 6.4 1.0 1.0 1.3 1.3 1.5 1.5 2.7 2.7 $M $M – 155 Additional Information Financial Statements Corporate Governance Strategic Report Introduction 156 Cybersecurity evolved

NOTES TO THE CONSOLIDATED FINANCIAL STATEMENTS CONTINUED For the year-ended 31 March 2019

21 Cash and Cash Equivalents

31 March 2019 31 March 2018 $M $M Cash at bank and in hand 134.3 67.2 Short-term deposits 37.8 52.8 Total cash and cash equivalent 172.1 120.0

Cash at bank earns interest at floating rates based on daily bank deposit rates. Short-term deposits are made for varying periods of between one day and three months, depending on the immediate cash requirements of the Group, and earn interest at the respective short-term deposit rates.

22 Trade and Other Payables

31 March 2019 31 March 2018 $M $M Current Trade payables 35.8 39.6 Accruals 46.6 68.4 Social security and other taxes 12.7 14.9 Other payables 7.1 11.2 Total current trade and other payables 102.2 134.1

Non-current Other payables 10.1 8.2 Total non-current trade and other payables 10.1 8.2

Trade payables are non interest-bearing and are normally settled on 30-day terms or as otherwise agreed with suppliers.

23 Deferred Revenue

31 March 2019 31 March 2018 Restated See note 2 $M $M Current 407.9 315.0 Non-current 320.7 238.8 At 1 April 728.6 553.8

Billings deferred during the year 760.3 768.6 Revenue released to the Consolidated Statement of Profit or Loss (710.6) (639.0) Net deferral 49.7 129.6 Acquired through business combinations 0.2 – Translation and other adjustments (36.4) 45.2

Current 428.6 407.9 Non-current 313.5 320.7 At 31 March 742.1 728.6 Total financial liabilities at the end of the reporting period were as follows: as were period reporting the of end the at liabilities Total financial /(higher). lower was rate discount adjusted risk the or /(lower) higher was rate growth revenue the if /(decrease) increase would value fair estimated The (4.0%). rate discount adjusted risk the and rate (47%) growth billings aggregate cumulative and $10.0M) to ($Nil billings forecast the comprise inputs unobservable primary The date. acquisition the to back discounted outcomes of average aprobability-weighted using determined is consideration contingent of value fair $17.9M). The (2018: 2019 March 31 at loss and profit through value fair at measured consideration $7.5Mcontingent of of liability 3financial aLevel had Group The • • • hierarchy: following the into classified be should measurement their values fair at measured are liabilities and assets financial Where • • • • values: fair the estimate to used are assumptions and following methods The period. reporting the of end the at participants market between transaction orderly an in aliability, transfer to paid or asset, an sell to received be would that price the at included are liabilities and assets financial of values fair The 24 2019 Annual Report and Accounts and Report Annual 2019 Non-current due instalments on bank loans Total financial liabilities current Contingent consideration Total financial liabilities non-current Contingent consideration fees facility Unamortised Total financial liabilities

L prices) from derived (i.e. indirectly or prices) as (i.e. directly either L L R B F C

evel 3 – inputs for the asset or liability that are not based on observable market data market observable on based not are that liability or asset the for 3–inputs evel liability, or asset the for observable are 1that level within included prices quoted than other 2–inputs evel liabilities or assets identical from markets active in (unadjusted) prices 1–quoted evel inance leases inance ash and cash equivalents equivalents cash and ash Financial Liabilities Liabilities Financial eceivables and payables payables and eceivables ank loans loans ank

– – – –

a a a a pproximates to the carrying amount carrying the to pproximates amount carrying the to pproximates amount carrying the to pproximates amount carrying the to pproximates

31 March 302.4 302.8 307.3 307.3 2019 (2.6) 3.0 4.5 4.5 4.5 $M 31 March 308.8 306.8 324.2 324.2 2018 17.4 17.4 17.4 (2.5) 0.5 $M 157 Additional Information Financial Statements Corporate Governance Strategic Report Introduction 158 Cybersecurity evolved

NOTES TO THE CONSOLIDATED FINANCIAL STATEMENTS CONTINUED For the year-ended 31 March 2019

24 Financial Liabilities continued Loans and Borrowings Included in borrowings are bank loans of $302.4M (2018: $308.8M) as analysed below. This note provides information about the contractual terms of the Group’s interest-bearing loans and borrowings, which are measured at amortised cost. For more information about the Group’s exposure to interest rate, foreign currency and liquidity risk, see note 26.

31 March 2019 31 March 2018 $M $M Current instalments due on bank loans – – Non-current instalments due on bank loans 302.4 308.8 Total bank loans 302.4 308.8

The bank loans are repayable as follows:

31 March 2019 31 March 2018 $M $M Due within one year – – Due between two and five years 302.4 308.8 Total bank loans 302.4 308.8

The Group entered into an amended Senior Facilities agreement on 6 February 2017, whereby an additional Revolving Credit Facility was added to the existing agreement. Following the amendment, the following terms apply to the bank loans outstanding at 31 March 2019:

Principal Principal Facility Interest Margin M $M Facility – A Libor 1.25% $235.0 235.0 Facility – B Euribor 1.25% €60.0 67.4 Revolving Credit Facility 1 Libor 1.25% – – Revolving Credit Facility 2 Libor 2.25% – – 302.4

Repayment and Maturity Facility A ($235.0M), Facility B (€60.0M), Revolving Credit Facility 1 (multicurrency up to $30.0M) are repayable in full on the termination date at the end of the 60-month term on 1 July 2020. Revolving Credit Facility 2 (multicurrency up to $40.0M) is repayable in full on the termination date on 2 July 2020.

Any utilisation of a Revolving Credit Facility is repayable on the last day of its interest period, any amount repaid may be re-borrowed. The margin payable on the facilities is dependent upon the ratio of the Group’s net debt to Cash EBITDA as defined in the facility agreement.

The bank loans are secured by fixed and floating charges over the assets of certain Group companies including businesses, undertakings, securities, properties, revenues or rights of every description. sellers on 28 February 2018, 2019 and 2020 respectively. 2020 and 2019 2018, February 28 on sellers contingent at The consideration is consideration the acquisition date at due was $1.2M. estimated for measurement to the contingent the of value fair The $2.0M. of payout amaximum with 2020 February 28 on ending and 2017 1March commencing periods annual three for range product “PhishThreat” the of billings the on dependent is consideration The agreed. been has consideration acontingent technology, “PhishThreat” the of owners previous the with agreement purchase the of part As LLC Break Silent 2019. March 31 year-ended the in paid was instalment final The respectively. 2018 March 21 and 2017 2017, December 31 2017, September 30 June 30 on acquisition date atthe contingent was The $19.3M. is consideration estimated due for measurement to the former shareholders at consideration contingent the of value fair The $20.0M. of payout amaximum with 2018 March 21 to period 12-month the is consideration The dependent on the billings agreed. of including acquired Invincea, Inc. products been with for the intellectual has property consideration acontingent Inc., Invincea, of owners previous the with agreement purchase the of part As Inc. Invincea, 2021. 5 January to 2020 October 1 from is period measurement final The December. 31 and September 30 June, 30 March, 31 on quarterly the acquisition date at was $6.4M. estimated at contingent The is consideration due for measurement to the former shareholders consideration contingent the of value fair The $6.7M. of payout amaximum with 2021, 5January to period 24-month the is consideration The dependent on the billings agreed. of including acquired Avid products with been the intellectual Secure Inc. property for has consideration acontingent Inc., Secure Avid of owners previous the with agreement purchase the of part As Inc. Secure Avid undiscountedThe contingent is consideration due as follows: Movements in contingent during consideration the year-ended 31 March were 2019 as follows: Contingent Consideration 2019 Annual Report and Accounts and Report Annual 2019 Total undiscounted contingent consideration years five and two between Due year one within Due paid Cash Accretion Fair value contingent consideration 2017 March 31 At Contingent Consideration At 31 March 2019 March 31 At 2018 March 31 At Cash paid Cash Accretion onAssumed business combination Fair value contingent consideration Avid Secure Inc. 6.4 6.4 6.4 6.4 $M – – – – – – – – Invincea, Inc. Invincea, 16.3 16.3 19.4 19.4 (9.4) (6.9) (3.7) 0.6 0.6 $M – – – – Security LLC Silent Break (0.6) 0.2 0.2 0.2 1.2 1.2 1.6 1.6 0.1 0.1 1.1 1.1 $M – – –

31 March 2019 Networks Inc. Reflexion Reflexion (1.2) 4.0 4.0 3.9 3.9 0.1 0.1 1.1 1.1 $M $M 7.9 7.9 – – – – – – – 31 March 2018 (10.0) Total 18.0 18.0 21.7 21.7 17.9 17.9 17.4 17.4 (6.9) (4.9) 0.2 0.2 0.9 0.9 0.6 0.6 6.4 6.4 0.1 0.1 $M $M 7.5 7.5 159 Additional Information Financial Statements Corporate Governance Strategic Report Introduction 160 Cybersecurity evolved

NOTES TO THE CONSOLIDATED FINANCIAL STATEMENTS CONTINUED For the year-ended 31 March 2019

25 Provisions

Total $M At 31 March 2017 – restated (see note 2) 2.5 Arising during the year 1.1 Released during the year (0.4) Exchange differences 0.1 At 31 March 2018 3.3 Arising during the year 4.4 Exchange differences (0.1) At 31 March 2019 7.6

31 March 2019 Current 0.1 Non-current 7.5 Total provisions 7.6

31 March 2018 Current – Non-current 3.3 Total provisions 3.3

Included in the carried forward provisions are $5.4M relating to provisions for interest on uncertain tax positions and $2.2M of other provisions.

Provision for Interest on Uncertain Tax Positions A change in accounting policy adopted in FY19 resulted in interest on uncertain tax positions being accounted for within the interest charge instead of within the tax charge. An amount of $3.5M was charged in the current-year, compared to $0.9M in the prior-year, the increase consequent upon tax being provided on various open audits. Interest has been accrued from the point when the current tax charge arose.

Other Provisions The opening provisions of $1.4M related to the Group’s obligations to make good the dilapidations of various leasehold premises at the end of the lease periods and an unfunded, compulsory retirement indemnity plan in France, payable only if the employees are working for the Group when they retire. The provision arising in the year-ended 31 March 2019 related to further dilapidation charges of $0.9M (2018: $Nil) and in the year-ended March 2018 related to the retirement indemnity plan of $0.2M (2019: $Nil).

26 Financial Risk Management

Financial risk management is conducted at a Group level, applying treasury policies which have been approved by the Board. The major financial risks to which the Group is exposed relate to interest rate risk, credit risk and movements in foreign currency exchange rates. Where appropriate, cost effective and practicable, the Group uses various financial instruments to manage these risks. The main purpose of these financial instruments is to reduce the impact on the Group operations of changes in market rates. No speculative use of derivatives, currency or other instruments is permitted. amounts shown below. below. shown amounts the by loss and profit and equity increased/(decreased) have would rates interest market in points basis 100 of A change Interest Rate Sensitivity interest. of rates floating with obligations debt long-term the to due primarily risk rate interest to exposed is Group The Risk Rate Interest Group. the to lenders also are that banks with possible wherever institutions, separate of anumber balances with holding by deposits and cash in risk credit of concentrations the reduces Group The institutions. banking reputable with held only are deposits and cash risk, this To mitigate assets. these of amount carrying the to equal exposure with a maximum counterparty the by default of risk the from arises risk credit to exposure Group’s the deposits, and cash to respect With and customers. counterparties of number large a over spread is exposure receivables; trade in risk credit of concentration significant no has Group The 9. note in disclosed is period the during debts doubtful of Loss respect in or Profit of Statement Consolidated the in recognised expense The flows. cash of recoverability the in areduction of evidence is experience, previous on based which, event loss identified an is there where made is impairment for allowance An debts. doubtful for allowance of net are Position Financial of Statement Consolidated the in presented amounts The history. collection and ageing debt with conjunction in basis aregular on controller the by credit reviewed are limits Credit references. credit party third and history payment of acombination on based limits set customers for Directors the risk, credit manage to order In receivables. trade its to attributable primarily is risk credit Group’s The receivables. other and trade and deposits bank and cash are assets financial principal Group’s The Risk Credit class of capital. each with associated risks the and capital of cost the considers and basis aregular on structure capital the Group reviews The conditions. economic in changes of light in it, to adjustments makes and structure, capital its manages Group The Equity. in Changes of Statement as Consolidated the in earnings, disclosed retained and reserves capital, issued comprising parent, the of holders equity to attributable in equity and 24 note disclosed as borrowings 21, note in disclosed as equivalents cash and cash of consists Group the of structure capital The value. shareholder maximise and business its support to order in ratios capital healthy and rating credit astrong maintains it that ensure to is management capital Group’s the of objective primary The Management Capital throughthe flexibility use of short-term and deposits intra-group loan arrangements. maintaining and costs finance minimising funding, of continuity between abalance maintain to is objective Group’s The meetings. Board quarterly at Directors the by monitored and performed are tests covenant Quarterly profitably. and assets safely cash surplus any invest to and obligations financial needs, foreseeable meet to available is liquidity sufficient ensure to and anticipated be to requirements flow cash operating Group’s the enables This advance. in annually budgets prepares Group The Risk Liquidity below: summarised as risks these of each managing for policies agree and review Directors The 2019 Annual Report and Accounts and Report Annual 2019 Decrease in interest rates Increase in interest rates

Year-ended 31 March 2019 (3.1) 3.1 $M Year-ended 31 March 2018 (3.3) 3.3 3.3 $M 161 Additional Information Financial Statements Corporate Governance Strategic Report Introduction 162 Cybersecurity evolved

NOTES TO THE CONSOLIDATED FINANCIAL STATEMENTS CONTINUED For the year-ended 31 March 2019

26 Financial Risk Management continued Foreign Currency Risk The Group is exposed to translation and transaction foreign exchange risk. Several other currencies in addition to the reporting currency of US dollar are used, including sterling and the euro. The Group experiences currency exchange differences arising upon retranslation of monetary items (primarily short-term inter-Company balances and long-term borrowings), which are recognised as an expense in the period the difference occurs. The Group endeavours to match cash inflows and outflows in the various currencies; the Group typically invoices its customers in their local currency and pays its local expenses in local currency, as a means to mitigate this risk.

The Group is also exposed to exchange differences arising from the translation of its subsidiaries’ Financial Statements into the Group’s reporting currency of US dollar, with the corresponding exchange differences taken directly to equity.

The following table illustrates the movement that ten per cent in the value of sterling or the euro against the US dollar would have had on the Group’s profit or loss for the period and on the Group’s equity as at the end of the period.

Year-ended Year-ended 31 March 2019 31 March 2018 $M $M 10% movement in sterling to US dollar value Profit or loss 1.7 5.1 Equity 33.8 37.4

10% movement in euro to US dollar value Profit or loss 1.5 7.5 Equity (9.8) (10.8)

Any foreign exchange variance would be recognised as unrealised foreign exchange in the Consolidated Statement of Profit or Loss and have no impact on cash flows.

27 Share Capital

Year-ended Year-ended 31 March 2019 31 March 2018 Shares issued and fully paid 000’s $M 000’s $M At 1 April of £0.03 each 468,488 22.0 459,642 21.6 Issued for cash on exercise of options 3,631 0.5 3,445 0.4 Issued under the Sophos Group Long Term Incentive Plan 2015 9,751 – 5,401 – At 31 March, Ordinary shares of £0.03 481,870 22.5 468,488 22.0 stributions Made and Proposed stributions 28 US by offering options to buy shares at a discount following a pre-set savings period. savings apre-set following adiscount at shares buy to options offering by US and UK the of outside employees Group’s the amongst ownership share wider encourage to aims plan SAYE International The Sophos Group International SAYE Option Scheme “(International SAYE”) 2015 period. savings apre-set following adiscount at shares buy to options offered are Employees Code. Revenue Internal the of 423 Section with compliant options offering by Group the of employees US amongst ownership share wider encourage to aims plan ESPP The EmployeeSophos Group Plan 2015 (“ESPP”) Purchase Stock period. savings apre-set following adiscount at shares buy to options offered are employees whereby scheme, save share approved HMRC an offering by Group the of employees UK amongst ownership share wider encourage to aims plan SAYE The (“SAYE”) 2015 Scheme Option SAYE Group Sophos Share Share Units, Options, Conditional Share Awards, Restricted Awards Cash-Based Shares. or Forfeitable Units, Share Performance awards: of types following the award can Board the of Committee Remuneration the plan the Under shareholders. with interest their align and employees retain and motivate to aims LTIP plan 2015 The LTIP”) (“2015 2015, Plan Term Incentive Long Group Sophos The plans: payment share-based following the approved Directors of Board Company’s the Exchange, Stock London the on trading for shares Company’s the of admission the with connection in and 2015, June 11 On plc. Group Sophos in shares over options new for options their exchange to offered were plans share Holdings approved SARL Pentagon the under outstanding options existing with participants Exchange, Stock London the on trading for shares Company’s the of admission to prior immediately Group the of reorganisation the with connection in and 2015, June 25 On 29 2019. March 31 at aliability as recognised not consequently are and 25 August 2019, on held be to Meeting, General Annual the at approval to subject are shares ordinary on dividends final Proposed share). per cents US 3.5 (2018: share per cents US 3.7 to amounting 2019 March 31 year-ended the for dividend afull-year pay will Company the that proposed have Directors The Accounts and Report Annual 2019 Cash dividends on shares declared ordinary and paid Total cash dividends paid Interim dividend for the year-ended 31 March at 2019 per $0.015 share Final dividend for the year-ended 31 March at 2018 per $0.035 share Interim dividend for the year-ended 31 March at 2018 $0.014 per share Final dividend for the year-ended 31 March 2017 at per $0.033 share

Di Share-Based Payments Share-Based 31 March 2019 Year-ended 23.9 23.9 16.7 16.7 $M 7.2 7.2 – – 31 March 2018 Year-ended 21.8 21.8 15.3 15.3 6.5 6.5 $M – – 163 Additional Information Financial Statements Corporate Governance Strategic Report Introduction 164 Cybersecurity evolved

NOTES TO THE CONSOLIDATED FINANCIAL STATEMENTS CONTINUED For the year-ended 31 March 2019

29 Share-Based Payments continued Share-Based Payment Expense The expense recognised for employee services received during the year is as follows:

Year-ended Year-ended 31 March 2019 31 March 2018 $M $M Cash-settled transactions 1.9 2.7 Equity-settled transactions 35.0 39.6 Total share-based payment expense 36.9 42.3

The cash-settled expense comprises cash-based awards together with certain social security taxes. The carrying value of the liability as at 31 March 2019 was $1.6M (2018: $3.1M).

Share Options The fair value of equity-settled share options granted is measured as at the date of grant using a Black-Scholes model, taking into account the terms and conditions upon which the options were granted.

The following table illustrates the weighted average inputs into the Black-Scholes model in the year:

Year-ended Year-ended 31 March 2019 31 March 2018 Weighted average share price ($ cents) 676.10 628.23 Weighted average exercise price ($ cents) 558.54 516.70 Expected volatility 54.91% 38.20% Expected life of options (years) 1.69 2.08 Risk free rate 1.56% 1.49% Dividend yield 0.81% 0.70%

The weighted average fair value of options granted during the year was $ cents 220.53 (2018: $ cents 185.33).

The expected volatility reflects the assumption that the historical share price volatility is indicative of future trends, which may not necessarily be the actual outcome. An increase in the expected volatility will increase the estimated fair value.

The expected life of the options is based on historical data and is not necessarily indicative of exercise patterns that may occur. The expected life used in the model has been adjusted, based on the Director’s best estimate, taking into account the effects of exercise restrictions, non-transferability and behavioural considerations. An increase in the expected life will increase the estimated fair value. contractual terms (“WARCT”): terms contractual remaining average weighted and prices exercise of range following the had year the of end the at outstanding Options 512). £pence (2018: 506 £pence was year the during exercised options for price share average weighted The below: out set are year the during options share in, movements of, and (“WAEP”) prices exercise average weighted and number The 2019 Annual Report and Accounts and Report Annual 2019 Exercised Exercised Exercisable at the end of the year the of end the at Exercisable year the of end the at Outstanding Forfeited Forfeited Awarded year the of start the at Outstanding Outstanding at the end of the year the of end the at Outstanding $ cents /£pence $ cents £ 462.0000 £ 162.0000 £ 311.0000 £ 371.0000 £ 371.0000 $ 210.8078 $ 210.8078 £ 367.8800 £ 367.8800 $ 155.7461 $ 155.7461 $ 91.2452 $ 91.2452 $ 59.7813 $ 59.7813 $ 47.5891 $ 47.5891 $ 70.7937 $ 70.7937 Exercise price

Number Number 11,206 11,206 11,206 11,206 14,224 14,224 (3,840) 2,109 2,109 31 March 2019 1,258 1,258 5,566 5,566 1,452 1,452 31 March 2019 000’s 000’s 7,718 7,718 (436) Year-ended 204 204 440 440 453 453 523 523 355 355 87 87 17 17 – £ pence WARCT WAEP 120.8 14,224 14,224 120.8 283.3 283.3 Years 37 7.8 7.8 37 94.0 16,973 16,973 94.0 65.2 10,030 10,030 65.2 98.3 98.3 0.9 0.9 2.9 2.9 0.3 0.3 1.2 1.2 1.9 1.9 5.2 5.2 5.2 5.2 5.9 5.9 5.5 5.5 3.7 3.7 –

Number Number 14,224 14,224 (3,768) 8,134 8,134 1,667 1,667 1,537 1,537 31 March 2018 31 March 2018 000’s 000’s 2,742 2,742 (648) Year-ended 300 300 620 620 238 238 259 259 371 371 23 23 – – £ pence WARCT WAEP 138.6 138.6 Years 317.2 317.2 94.0 94.0 58.3 58.3 79.9 79.9 92.7 92.7

2.2 2.2 6.2 6.2 6.2 6.2 6.9 6.9 2.9 2.9 4.6 0.3 0.3 1.9 1.9 6.5 6.5 4.7 4.7 – – 165 Additional Information Financial Statements Corporate Governance Strategic Report Introduction 166 Cybersecurity evolved

NOTES TO THE CONSOLIDATED FINANCIAL STATEMENTS CONTINUED For the year-ended 31 March 2019

29 Share-Based Payments continued Restricted Shares The following table illustrates the number and weighted average share price (“WASP”) on date of award of, and movements in, non-vested restricted shares in the year:

Year-ended Year-ended 31 March 2019 31 March 2018 Number WASP Number WASP Restricted shares 000’s $ cents 000’s $ cents Outstanding at the start of the year 64 155.75 127 155.75 Awarded – – – – Forfeited – – – – Vested (64) 155.75 (63) 155.75 Outstanding at the end of the year – – 64 155.75

Restricted Share Units The following table illustrates the number and WASP on date of award, and movements in, restricted share units (“RSUs”) and cash-based awards granted under the 2015 LTIP:

Year-ended Year-ended 31 March 2019 31 March 2018 Number WASP Number WASP Restricted share units 000’s £ pence 000’s £ pence Outstanding at the start of the year 14,840 316.09 15,350 215.92 Awarded 8,749 478.44 6,337 453.14 Forfeited (1,421) 426.11 (1,421) 284.15 Released (6,822) 309.77 (5,426) 218.49 Outstanding at the end of the year 15,346 401.27 14,840 316.09

RSUs and cash-based awards have a vesting period between two to five years, with no award vesting within the first 12 months of the grant.

Performance Share Units The following table illustrates the number and WASP on date of award, and movements in, performance share units (“PSUs”) granted under the 2015 LTIP:

Year-ended Year-ended 31 March 2019 31 March 2018 Number WASP Number WASP Performance share units 000’s £ pence 000’s £ pence Outstanding at the start of the year 7,546 269.65 6,024 219.41 Awarded 1,721 506.74 1,719 440.50 Forfeited (2,234) 414.51 (197) 223.96 Released (2,949) 262.64 – – Outstanding at the end of the year 4,084 295.41 7,546 269.65

PSUs vest on one vesting date following a three year vesting period which will comprise three financial years. The awards are divided into three equal parts which will each be subject to a separate annual performance condition linked to the financial performance of the Group. The consolidated financial information includes the financial information of Sophos Group plc and the subsidiaries listed in the following table: in listed subsidiaries the and plc Group Sophos of information financial the includes Transactions Party elated information financial consolidated The 31 2019. 31 March of $0.9Mpension but (2018: notContributions scheme to $1.3M) contribution the defined overdue, were outstanding, at $8.4M). (2018: $8.9M to amounted and funds the to Group the by payable contributions represents period the for charge cost pension The funds independentin from the Group. bodies other or trusts by administered are schemes the of assets The Directors. and employees the of benefit the for pension schemes to contribution definedinthe GroupThe UK contributes andto similarpension orschemesstate overseas 30 2019 Annual Report and Accounts and Report Annual 2019

Luxembourg Japan Italy Ireland India Hungary Hong Kong Germany France Canada undertaking Subsidiary incorporation of Country Australia

Pension Schemes Pension R

Avidsecure India Private Limited Limited Private India Avidsecure Sophos Technology GmbH Aspen Finance Co Sarl Sarl Co Finance Aspen KK Sophos Srl Italia Sophos Ltd Technology Security Sophos Ltd Private Technologies Sophos Kft Hungary Sophos Ltd Co Kong Hong Sophos Sophos Holdings GmbH Sarl Sophos Sophos Inc Sophos Pty Ltd Ltd Pty Sophos 3 3 3 3 3 3 2 3 3 4 3 11 9 Sophos House, Saigulshan Complex, Beside White House, Panchwati Cross Road, Ahmedabad 380006, Gujarat, India Gujarat, 380006, Ahmedabad Road, Cross Panchwati House, White Beside Complex, Company Services Saigulshan Hungary House, Sophos Budapest, 1117 Epulet, A solutions security IT Selling Irodahaz Kong Garden, Hong Office 1 Central, Utca, Road Aliz Queen’s 15 Landmark, Research and Development The Tower, Edinburgh Floor, 18th Germany solutions Karlsruhe, security IT Selling 76227 52 Bau 41/ Germany Amalienbadstr. Wiesbaden, 65189 1, Research and Development Gustav-Stresemann-Ring France Bezons, Holding Company 95870 Voltaire, Quai 80 Ouest, River Canada 3N9, solutions T2P security IT Selling AB Calgary SW, Ave 350-7th Australia 3400, 2060, NSW solutions Sydney, security IT Selling North Plaza, Elizabeth 1 11, Level solutions security IT Selling 1–3, Boulevard de la Foire, L-1528, Luxembourg L-1528, Foire, la Japan de Boulevard 106-6010 1–3, Tokyo Minato-ku Financing Company Roppongi, 1-6-1 10F, Tower Garden Izumi solutions security IT Italy Selling Milano, 20122, 2, Europa Corso Ireland 2, solutions security IT Dublin Selling Square, Canal Grand 2 Floor, India 6th 122001, HR Gurgaon, Research and Development Gurugram, 7 Sector No.140/7, H. Principal activity /Principal address activity registered Ordinary Ordinary Ordinary Ordinary Ordinary Ordinary Ordinary Common Ordinary Ordinary Ordinary Ordinary Ordinary shares held of Class 100% 100% 100% 100% 100% 100% 100% 100% 100% 100% 100% 100% 100% of shares held Percentage

167 Additional Information Financial Statements Corporate Governance Strategic Report Introduction 168 Cybersecurity evolved

NOTES TO THE CONSOLIDATED FINANCIAL STATEMENTS CONTINUED For the year-ended 31 March 2019

31 Related Party Transactions continued

Country of Class of Percentage incorporation Subsidiary undertaking Principal activity / registered address shares held of shares held

Netherlands Sophos BV 3 Selling IT security solutions Ordinary 100%

Hoevestein 11B, 4903 SE Oosterhout NB, Netherlands

SurfRight BV 8 Selling IT security solutions Ordinary 100%

Lansinkesweg 4, 7553 AE Hengelo, Netherlands

Singapore Sophos Computer Security Pte Ltd 3 Selling IT security solutions Ordinary 100%

60 Paya Lebar Road, #08-13 Paya Lebar Square, Singapore 409051

Spain Sophos Iberia Srl 3 Selling IT security solutions Ordinary 100%

Ava Del General Peron, 38 – 8a Planta, Madrid 28020, Spain

Sweden Sophos AB 3 Selling IT security solutions Ordinary 100%

Färögatan 33, 164 51 Kista, Stockholms län, Sweden

Switzerland Sophos Schweiz AG 3 Selling IT security solutions Ordinary 100%

Bernstrasse 390, 8953 Dietikon, Switzerland

Astaro Trading AG 5 Historical purchasing entity Ordinary 100%

c/o RA lic. jur. Hans Rudi Alder, Pestalozzistrasse 2 8200 Schaffhausen, Switzerland

Taiwan Sophos Taiwan Ltd 3 Services Company Ordinary 100%

5F-4, No. 57, Sec. 1 Chongqing S. Road, Zhongzheng Dist., Taipei City 100 Taiwan (R.O.C.)

Turkey Sophos Turkey Technoji Ltd Sirketi 3 Services Company Ordinary 100%

Barbaros Mah. Halk Cad., Palladium Residence (A Blok) Apt. No: 8 A / 4, Atasehir/Istanbul, Turkey

UK Sophos Holdings Ltd 1 Holding Company Ordinary 100%

Sophos Treasury Ltd 2 Financing Company Ordinary 100%

Sophos Limited 2 Selling IT security solutions Ordinary 100%

Sophos Nominees Limited 3 Share nominee company Ordinary 100%

The Pentagon, Abingdon Science Park, Abingdon, OX14 3YP, UK

USA Sophos Inc 3 Selling IT security solutions Ordinary 100%

3 Van de Graaff Drive, 2nd Floor, Burlington, MA 01803, USA

Cyberoam Inc 6 Services Company Ordinary 100%

Corporation Service Company, Princeton South Corporate Ctr, Suite 100, Charles Ewing Blvd, Ewing, 08628, USA

Reflexion Networks Inc7 Selling IT security solutions Ordinary 100%

1209 Orange St, Wilmington, County of New Castle DE 19801, USA

Invincea, Inc 7 Selling IT security solutions Ordinary 100%

Sandboxie Holdings, LLC 10 Services Company Ordinary 100%

Avid Secure Inc. 7 Services Company Ordinary 100%

Corporation Service Company, 251 Little Falls Drive, Wilmington, DE 19808, USA

Darkbytes, Inc. 7 Services Company Ordinary 100%

22390 Ortega Dr, Salinas CA 93908, USA

1 Shares held by Sophos Group Plc 7 Shares held by Sophos Inc 2 Shares held by Sophos Holdings Ltd 8 Shares held by Sophos BV 3 Shares held by Sophos Limited 9 Shares held by Sophos Limited and Sophos Nominees Limited 4 Shares held by Sophos Holdings GmbH 10 Shares held by Invincea, Inc 5 Shares held by Sophos Technology GmbH 11 Shares held by Avidsecure Inc. 6 Shares held by Sophos Technologies Private Ltd Compensation of Key Compensation (Including Management Personnel Directors) facilities. financing Group’s the to relating $308.8M) (2018: $302.4M totalled guarantees these 2019, March 31 at As facilities. borrowing Group’s the of some of respect in lenders certain of favour in were which of majority the course business, normal of the within parties third certain to guarantees unsecured provided have subsidiaries certain and Company The payables. or receivables party related any for guarantees any from benefitted or provided not has Group The with no specified credit period. accounts inter-company on placed are balances that exception the with same, the are subsidiaries with transactions for conditions Terms and invoice. of days 60 within expected is settlement cash and free interest unsecured, are other subsidiaries than entities with balances Outstanding prices. market normal at made are parties related between purchases and Sales $Nil). (2018: companies subsidiary than other parties related from or to owed were amounts no 2019 March 31 at As $Nil). (2018: parties related by owed amounts to 9relating IFRS under debts doubtful for made were provisions no 2019, March 31 year-ended the During parties. related other with business of course ordinary the in transactions, into entered Group the year the During Parties Related Other as measured by the fair value of awards in accordance with IFRS2. with accordance in awards of value fair the by measured period as the for plans payment share-based in participation management’s senior of cost the comprise payments Share-based the current period. thePost-employmentcost ofcomprise providing pensions senior contribution benefits defined to management respect in of benefits. monetary non- as well as year the during earned bonuses and benefits salaries, fees, comprise benefits employee Short-term Accounts and Report Annual 2019 Total Share-based - payments equity-settled Post-employment benefits Short-term employee benefits

31 March 2019 Year-ended 10.4 10.4 17.1 17.1 6.6 6.6 0.1 0.1 $M 31 March 2018 Year-ended 26.9 17.7 17.7 0.1 0.1 9.1 9.1 $M 169 Additional Information Financial Statements Corporate Governance Strategic Report Introduction 170 Cybersecurity evolved

NOTES TO THE CONSOLIDATED FINANCIAL STATEMENTS CONTINUED For the year-ended 31 March 2019

32 Business Combinations

On 5 January 2019, Sophos Inc. acquired for cash 100 per cent of the share capital of Avid Secure Inc., a company incorporated in Delaware, United States. The acquisition is significantly strengthening the Group’s portfolio of cloud protection technology including cloud governance, risk and compliance.

Acquisition-related expenses of $0.3M have been excluded from the consideration transferred and have been recognised as an expense within General finance and administration.

Assets acquired and liabilities assumed on the day of acquisition were as follows:

Book value Adjustment Fair value $M $M $M Non-current assets: Intangible assets Intellectual property – 14.6 14.6

Current assets: Trade and other receivables 0.2 – 0.2 Cash and cash equivalents 0.4 – 0.4

Non-current liabilities: Deferred tax liability – 2.7 2.7

Current liabilities: Deferred revenues 0.2 – 0.2 Trade and other payables 0.1 – 0.1 Net assets recognised at the date of acquisition 0.3 11.9 12.2 Cash paid 13.9 Contingent consideration 6.4 Goodwill arising on acquisition – Avid Secure Inc. 8.1

Prior to the acquisition, Avid Secure Inc. operated in a complimentary market sector to the Group and, accordingly, the operations of Avid Secure Inc. are incremental to those of the Group. The impact of the acquisition of Avid Secure Inc. on the Operating Profit of the Group for the period-ended 31 March 2019 was insignificant. Had Avid Secure Inc. been owned since 1 April 2018, revenue for the year-ended 31 March 2019 would have increased over the reported revenue by approximately $0.3M. The impact on the Operating Profit of the Group would have been approximately $0.1M.

On 28 January 2019, Sophos Inc. acquired for cash 100% of the share capital of Darkbytes, Inc., a company incorporated in California, United States. The acquisition is significantly strengthening the Group’s foundational technology for a Managed Detection and Response (“MDR”) solution.

Acquisition-related expenses of $0.2M have been excluded from the consideration transferred and have been recognised as an expense within General finance and administration. Assets acquired and liabilities assumed on the day of acquisition were as follows: as were acquisition of day the on assumed liabilities and acquired Assets 2019 Annual Report and Accounts and Report Annual 2019 otes to the Consolidated Statement of Cash Flows Cash of Statement Consolidated the to otes 33 2018. March 31 year-ended the during combinations business any into enter not did Group The purposes. tax income for deductible be to expected is recognised the of None goodwill assets. intangible identifiable for criteria recognition the meet not do they because goodwill from recognised not separately are benefits These workforce. assembled the and development market future synergies, expected of benefit the to relation in amounts included combination the of cost the because combinations business above the all in arose Goodwill immaterial. been have would 2019 March 31 year-ended the for Profit Operating and revenue both on impact the 2018, April 1 since owned been Inc. Darkbytes, Had insignificant. was 2019 March 31 for period-ended the Group the of Profit Operating the on Inc. Darkbytes, of acquisition the of impact The Group. the of those to Inc. incremental are Darkbytes, of operations the accordingly, and, start-up atechnology as operated Inc. Darkbytes, acquisition, the to Prior Acquisition of subsidiaries net of of cash subsidiaries Acquisition Net cash purchased Inc. – Reflexion Networks Security Break –Silent Property – Intellectual – Invincea, Inc. – Invincea, Intangible assets assets: Non-current Deferred tax liability tax Deferred liabilities: Non-current equivalents cash and Cash Current assets: Acquisition of subsidiaries net of cash acquired – Avid Secure Inc. Secure – Avid Inc. – Darkbytes, cash: in satisfied paid, Consideration Trade and other payables Current liabilities: Goodwill arisingGoodwill on Inc. acquisition – Darkbytes, consideration Deferred paid Cash at recognised theNet assets date of acquisition

N Intellectual property Book value $M 0.1 0.1 0.1 0.1 – – –

31 March 2019 Adjustment Year-ended 30.9 30.9 13.9 13.9 (0.5) 6.2 6.2 0.6 0.6 9.4 9.4 1.1 1.1 5.1 5.1 $M $M 7.5 7.5 – – –

31 March 2018 Year-ended Fair value 4.9 4.9 6.2 6.2 1.2 1.2 0.1 0.1 0.1 0.1 4.1 4.1 1.1 1.1 5.1 5.1 3.7 3.7 1.7 1.7 $M $M 7.5 7.5 – – – – 171 Additional Information Financial Statements Corporate Governance Strategic Report Introduction 172 Cybersecurity evolved

NOTES TO THE CONSOLIDATED FINANCIAL STATEMENTS CONTINUED For the year-ended 31 March 2019

33 Notes to the Consolidated Statement of Cash Flows continued

Effect of movements Non-cash in exchange 31 March 2018 Cash flow movements rates 31 March 2019 Movement in net debt $M $M $M $M $M Cash and cash equivalents (120.1) (60.7) – 8.7 (172.1) Obligations under finance leases – – – – – Bank loans 306.3 – (0.1) (6.4) 299.8 Gross debt 306.3 – (0.1) (6.4) 299.8 Net debt 186.2 (60.7) (0.1) 2.3 127.7

Effect of movements Non-cash in exchange 31 March 2017 Cash flow movements rates 31 March 2018 Movement in net debt $M $M $M $M $M Cash and cash equivalents (68.1) (45.2) – (6.8) (120.1) Obligations under finance leases 0.1 (0.1) – – – Bank loans 345.6 (50.1) 1.1 9.7 306.3 Gross debt 345.7 (50.2) 1.1 9.7 306.3 Net debt 27 7.6 (95.4) 1.1 2.9 186.2

34 Commitments and Contingent Liabilities

Year-ended Year-ended 31 March 2019 31 March 2018 Operating lease arrangements $M $M Amount recognised for the year: Property 14.0 12.5 Other 1.6 1.6 Total 15.6 14.1

At the reporting date, the Group had outstanding commitments for future minimum lease payments under non-cancellable operating leases, which fall due as follows:

31 March 2019 31 March 2018 $M $M Within one year 15.3 14.0 In the second to fifth years inclusive 41.3 34.8 After five years 21.1 19.7 Total 7 7.7 68.5

Commitments for the Acquisition of Property, Plant and Equipment At 31 March 2019 the Group had entered into contractual commitments for the acquisition of property, plant and equipment amounting to $0.5M (2018: $Nil)

Guarantees At 31 March 2019 the Group had outstanding guarantees provided to third parties of $1.6M (2018: $1.3M). rincipal Exchange Rates Exchange rincipal 35 non-compliance. regulatory apparent of matters any to relation in bodies regulatory relevant the with co-operating fully is and resisted; successfully be can Group the against claims current the that opinion the of are Directors The litigation. the of outcome the prejudice seriously could this that grounds the on information further provide not does Group the 37.92, IAS with accordance In overseas territories. certain in products Group’s the of some of use the to pertaining matters regulatory certain with non-compliance apparent investigating also is Group The addition, In damages. unspecified for claims with made been have related patents to Allegations Group. the within entities various against process in currently is litigation periods, previous with line In a have to material impact on the business. expected not is aggregate, the in or individually proceedings, these of outcome final The losses. or loss potential the estimate to possible currently not is it cases, the of more or one in occur may (or settlements) decisions adverse that possible is it Although business. our to incidental are that proceedings compliance and legal of anumber in involved is Group The Proceedings Legal When calculating performance measures on a constant currency basis, the Group uses the closing balance sheet rate of the year.previous the of rate sheet balance closing the uses Group the basis, currency aconstant on measures performance calculating When Accounts and Report Annual 2019 There are no material events after the reporting period which require disclosure in accordance with IAS10. IAS10. with accordance in disclosure require which period reporting the after events material no are There 36 Average ($:£1.00) dollar US into sterling of Translation Principal exchange rates Closing Average ($:€1.00) dollar US into euro of Translation Closing

P Events After the Reporting Period Reporting the After Events 31 March 2019 Year-ended 1.1229 1.1636 1.3031 1.3183

31 March 2018 Year-ended 1.3264 1.2299 1.1664 1.4028 173 Additional Information Financial Statements Corporate Governance Strategic Report Introduction 174 Cybersecurity evolved

COMPANY ONLY STATEMENT OF FINANCIAL POSITION At 31 March 2019

31 March 2019 31 March 2018 Company registered number: 09608658 Note $M $M Non-current assets Deferred tax asset 7.5 8.8 Investments in subsidiary undertakings 3 1,130.6 1,099.1 Loan due from subsidiary 4 93.5 93.5 1,231.6 1,201.4 Current assets Amounts due from subsidiaries 30.0 27.8 Total current assets 30.0 27.8 Total assets 1,261.6 1,229.2

Current liabilities Amounts due to subsidiaries 67.4 46.7 Total current liabilities 67.4 46.7

Net assets 1,194.2 1,182.5

Represented by: Share capital 5 22.5 22.0 Share premium 126.6 122.3 Retained earnings 919.4 946.1 Share-based payment reserve 125.7 92.1 Total equity 1,194.2 1,182.5

These Financial Statements were approved by the Board of Directors on 15 May 2019 and were signed on its behalf by:

Nick Bray Chief Financial Officer The Directors believe that the retained earnings of the Company are all distributable. all are Company the of earnings retained the that believe Directors The 2019 March 31 At ONLYCOMPANY STATEMENT IN EQUITY CHANGES OF 2019 Annual Report and Accounts and Report Annual 2019 At 31 March 2019 March 31 At Cash dividend Share-based - payments tax Share-based - payments expense Share options exercised Total comprehensive loss comprehensive or profit Other loss: period: the for Loss Share-based - payments expense Share options exercised Total comprehensive loss comprehensive or profit Other loss: period: the for Loss 2017 March 31 At At 31 March 2018 March 31 At Cash dividend Share-based - payments tax

Capital Share Share 22.0 21.6 21.6 22.5 0.4 0.4 0.5 0.5 $M – – – – – – – – – – – – Premium Share Share 122.3 126.6 126.6 118.4 118.4 4.3 4.3 3.9 3.9 $M – – – – – – – – – – – – Retained Earnings 946.1 946.1 919.4 919.4 97 7.1 7.1 97 (21.8) (23.9) (9.2) (9.2) (2.8) (2.8) $M – – – – – – – – Share-Based Share-Based Payment Reserve 125.7 1,194.2 1,194.2 125.7 35.0 35.0 39.6 39.6 92.1 92.1 55.6 55.6 (1.4) (3.1) $M – – – – – – – – – – 1,182.5 1,172.7 (21.8) (23.9) Total 35.0 35.0 39.6 39.6 (1.4) (9.2) (9.2) (2.8) (2.8) (3.1) 4.8 4.8 4.3 4.3 $M – – 175 Additional Information Financial Statements Corporate Governance Strategic Report Introduction 176 Cybersecurity evolved

NOTES TO THE COMPANY ONLY STATEMENTS For the year-ended 31 March 2019

1 Principal Accounting Policies

The following accounting policies have been applied consistently in dealing with items which are considered material in relation to the Company’s Financial Statements.

Basis of Preparation The Company and its trading subsidiaries have considerable financial resources and a large number of customer contracts across different geographic areas and industries. As a consequence, the Directors believe the Company is well placed to manage its business risks successfully.

The Company operates as an investment company for the Sophos Group, holding investments in subsidiaries financed by Group companies. As the Company is an intrinsic part of the Group’s structure, the Directors have a reasonable expectation that Group companies will continue to support the Company through trading and cash generated from trading for the foreseeable future. Thus the Group continues to adopt the going concern basis in preparing the Financial Statements.

The Financial Statements have been prepared in accordance with Financial Reporting Standard 102 (“FRS 102”) and under the historical cost accounting rules.

Under section 408 of the Companies Act 2006, the Company is exempt from the requirement to present its own profit and loss account.

The Company is considered to be a qualifying entity for the purposes of FRS 102 and has applied the exemptions available under FRS 102 in respect of the cash flow statement and key management personnel compensation.

As the Consolidated Financial Statements of the Company include the equivalent disclosures, the Company has also taken the exemptions available under FRS 102 in respect of disclosures in respect of share-based payments, financial instruments and the requirements of Section 33 Related Party Disclosures paragraph 33.7.

Investments Investments in subsidiary undertakings are stated at cost less any provision for impairment.

Foreign Currencies Transactions in foreign currencies are recorded using the rate of exchange ruling at the date of the transaction. Monetary assets and liabilities denominated in foreign currencies are translated using the rate of exchange ruling at the balance sheet date and the gains or losses on translation are included in the profit and loss account. Non-monetary assets and liabilities denominated in foreign currencies are stated at historical foreign exchange rates.

Interest-Bearing Loans and Borrowings Obligations for loans and borrowings are recognised when the Company becomes party to the related contracts and are measured initially at fair value less directly attributable transactions costs. After initial recognition, interest-bearing loans and borrowings are subsequently measured at amortised cost using the effective interest method. Gains and losses arising on the repurchase, settlement or otherwise cancellation of liabilities are recognised respectively in finance income and finance expense.

Going Concern Basis The Company operates as an investment company for the Sophos Group, holding investments in subsidiaries financed by Group companies. As the Company is an intrinsic part of the Group’s structure, the Directors have a reasonable expectation that Group companies will continue to support the Company through distribution or debt/financing supported by trading and cash generated. Thus the Group continues to adopt the going concern basis in preparing the Financial Statements. hare Capital Capital hare 5 2020. 1July on term a60-month of end the at full in repayable is and 0.1% of amargin plus Aloan Facility Senior Group’s the on based rate interest avariable carries loan The subsidiary. owned wholly a Limited, Holdings Sophos to $93.5M lent Company the 2015, July on 1 Group the Subsidiary of From Due oan re-financing the of part As 4 subsidiaries. its and Limited Sophos by employed participants to granted awards equity for expenses payment share-based comprises Limited Sophos in investment The share capital. ordinary the of 100% comprises Group, Sophos the for company aholding Limited, Holdings Sophos in investment The 3 account. loss and profit own its present to requirement the from exempt is Company the 2006 Act Companies the of 408 section Under $9.2M). (2018: $2.8M was Company the of Account books Loss and the in rofit with dealt tax after loss The 2 Accounts and Report Annual 2019 Sophos Group plc is registered in England and Wales and has a functional currency of US dollars. US of currency afunctional has and Wales and England in Currency unctional registered is plc Group Sophos 6 At 31 March, Ordinary shares of £0.03 of shares Ordinary March, 31 At Issued under the Sophos Group Long Term Incentive Plan 2015 March 31 At Investment in Sophos Limited Sophos in Investment Limited Holdings Sophos in Investment Issued for cash on exercise of options of exercise on cash for Issued each £0.03 of 1April At paid fully and issued Shares

F S L P Investments 468,488 468,488 481,870 481,870 3,631 3,631 000’s 31 March 2019 9,751 9,751 Year-ended

22.0 22.5 0.5 0.5 $M 31 March 2019 – 1,035.8 1,035.8 1,130.6 1,130.6 94.8 94.8 468,488 468,488 459,642 459,642 $M 3,445 3,445 5,401 5,401 31 March 2018 000’s Year-ended 31 March 2018 1,035.8 1,035.8 1,099.1

22.0 63.3 63.3 21.6 21.6 0.4 0.4 $M $M – 177 Additional Information Financial Statements Corporate Governance Strategic Report Introduction 178 Cybersecurity evolved

GLOSSARY

Adjusted Adjusted Operating Profit represents the Group’s Operating Profit/(loss) adjusted for amortisation charges, share Operating Profit option charges and exceptional items AES Advanced Encryption Standard Americas North and South America APJ Asia-Pacific and Japan ARR Annual Recurring Revenue, being the annualised equivalent of term licenses, subscription agreements and maintenance contracts including OEM and MSP but excluding perpetual licenses Billings Billings represents the value of products and services invoiced to customers after receiving a purchase order from the customer and delivering products and services to them, or for which there is no right to a refund Blue chip Channel partners who transact five or more deals in a trailing six-month period Board The Board of Directors of Sophos Group plc BYOD Bring Your Own Device CAGR Compound annual growth rate Cash EBITDA Cash EBITDA is defined as the Group's Operating Profit adjusted for depreciation and amortisation charges, any gains or losses on the sale of tangible and intangible assets, share option charges, unrealised foreign exchange differences and exceptional items with billings replacing revenue Cash EBITDA margin Cash EBITDA margin is calculated as Cash EBITDA as a percentage of Billings Channel first The distribution model used by the Group, where products are sold to end customers through a network of channel partners and distributors Company Sophos Group plc Constant currency The group uses US dollar-based constant currency models to measure performance. These are calculated by applying a single exchange rate to local currency transactions for both the current and prior-year. This gives US dollar denominated measures that exclude variances attributable to foreign exchange rate movements Deep Learning An advanced form of machine learning inspired by the way the human brain works. It is the same type of machine learning often used for facial recognition, natural language processing, self-driving cars, and other advanced fields of computer science and research Directors The Executive and Non-Executive Directors of the Company DPI Deep Packet Inspection EBITDA Earnings before interest, taxation, depreciation and amortisation EMEA Europe, Middle East and Africa Enduser / end user Enduser being a sub-set of the Group’s products; end user being the ultimate user and customer of the Group’s products GHG Greenhouse gas Group The group of companies owned by Sophos Group plc HTML5 The fifth revision of the HyperText Markup Language of the internet used for structuring and presenting content for the world wide web IASB International Accounting Standards Board IFRS International Financial Reporting Standards KPI Key Performance Indicator MSP Managed Service Provider Next-gen The Group’s most advanced products, managed in Sophos Central, notably including Sophos Intercept X for endpoint protection and the Sophos XG Firewall OEM Original Equipment Manufacturer RED Remote Ethernet Device Renewal rate Renewal rates are calculated by comparing the US dollar amount of contracts renewed in a period (including instances of cross-sell and upsell) to the US dollar amount of contracts available for renewal in the period Retention rate Retention rates are calculated by comparing the US dollar amount of contracts renewed in a period (including instances of cross-sell and upsell) to the US dollar amount of total contracts at the start of the period Secure SSL Secure Sockets Layer, a standard security technology for establishing an encrypted link between a server and a client Unlevered free Unlevered free cash flow represents cash EBITDA less purchases of property, plant and equipment and intangibles, plus cash flows in cash flow relation to changes in working capital and taxation UTM/NGFW Unified Threat Management/Next-Generation Firewall VAR Value-Added Reseller VPN Virtual Private Network Weighted average Weighted average contract length is calculated on a last 12-month basis, at constant currency and provides an indication of the period contract length over which future revenue will be recognised Registered in England and Wales and England in Registered 09608658 number: Registered www.sophos.com 559933 1235 Tel: +44 Kingdom. United Abingdon, OX14 3YP, Abingdon Science Park, Pentagon, The Sophos Group plc headquarters and corporate office Registered WalkerPaul Vin Murria Rick Medlock Roy Mackenzie Bergeron Sandra Bray Nick Hagerman Kris Gyenes Peter Directors INFORMATIONCOMPANY 2019 Annual Report and Accounts and Report Annual 2019

E14 5GL. E14 London, Square, Canada 15 KPMG LLP Auditor 1AE. EC4Y London, Street, Fleet 85 Tulchan Communications Relations Public [email protected] investors.sophos.com Relations Investor BR3 4TU. Beckenham, Road, Beckenham 34 Link Asset Services Services Registrar

179 Additional Information Financial Statements Corporate Governance Strategic Report Introduction 180 Cybersecurity evolved

SHAREHOLDER INFORMATION

Share listings Be scam smart

The Ordinary shares are listed on the London Stock Exchange Investment scams are designed to look like genuine under the symbol SOPH: www.londonstockexchange.com investments.

Shareholder services Spot the warning signs Have you been: Shareholder Portal To access online information about your shareholdings • contacted out of the blue? visit www.signalshares.com. The website also provides • promised tempting returns and told the investment is safe? information useful to the management of investments together with an extensive schedule of frequently asked • called repeatedly? questions. In order to view your shareholdings the • told the offer is only available for a limited time? If so, you shareholder reference number is required which can be might have been contacted by fraudsters. found at the top of the share certificate or on the last dividend tax voucher. Avoid investment fraud Reject cold calls: Alternatively, you can contact Link’s Customer Support If you have received unsolicited contact about an Centre which is available to answer any queries you have investment opportunity, the chances are it is a high-risk in relation to your shareholding: investment or a scam. You should treat the call with extreme caution. The safest thing to do is to hang up. • By email [email protected] Check the FCA Warning List: • By post The FCA Warning List is a list of firms and individuals they Link Asset Services, The Registry, 34 Beckenham Road, know are operating without their authorisation. Beckenham, Kent, BR3 4TU. Get impartial advice: • By phone Think about getting impartial financial advice before you UK – 0871 664 0300, from overseas call +44 (0) 371 664 hand over any money. Seek advice from someone 0300 calls cost 12p per minute plus your phone company’s unconnected to the firm that has approached you. access charge. Calls outside the United Kingdom will be charged at the applicable international rate. Link are open Report a scam between 09:00–17:30, Monday to Friday excluding public If you suspect that you have been approached by fraudsters holidays in England and Wales. please tell the FCA using the reporting form at www.fca.org. Share price information uk/ consumers/report-scam-unauthorised-firm. You can also call the FCA Consumer Helpline on 0800 111 6768. The latest information on Sophos Group plc share price can be found on the Company’s website: investors.sophos.com. If you have lost money to investment fraud, you should report it to Action Fraud on 0300 123 2040 or online at Electronic communications www.actionfraud.police.uk Receiving the Company’s communications electronically allows the Company to communicate with its shareholders Find out more at www.fca.org.uk/scamsmart in a more environmentally friendly way which supports our commitments to sustainability. Cybersecurity evolved 2019 Annual Report and Accounts 181

Innovative, simple and highly effective cybersecurity Introduction solutions, for organisations Financial calendar of any size Announcement of results The results of the Group are normally published at the following times:

Sophos delivers award-winning At Sophos we know that the • Half-year results for the six months to 30 September endpoint protection harnessing the solution to complexity is not more in mid-November. power of artificial intelligence (“AI”), complexity. We tackle security Preliminary announcement for the year to 31 March enabling unmatched defence challenges with clarity and • in late May. against malware, exploits, and confidence, knowing that simple ransomware. Our network security security is better security. • Annual Report and Accounts for the year to 31 March offers the world’s best visibility, in mid-June. protection, and response, powered Find out more at ReportStrategic Dividend payments by deep learning and synchronized www.sophos.com security. And we combine the Our current policy is to make dividend payments at the power of AI and automation to following times: simplify compliance, governance, • Interim dividend in December. and security monitoring in the public cloud. • Final dividend as reasonably practicable following the AGM, which in 2019 is on 25 September.

2019 final dividend timetable: • Record date: 20 September. • Dividend paid: 11 October. Corporate Governance 2019 Highlights Cautionary statement This Annual Report and Accounts has been prepared for, and Revenue Adjusted Operating Profit only for, the members of Sophos Group plc (“the Company”), as a body, and no other persons. The Company, its Directors, employees, agents or advisers do not accept or assume responsibility to any other person to whom this document is +11% +87% shown or into whose hands it may come and any such responsibility or liability is expressly disclaimed. By their Business Highlights nature, the statements concerning the risks and uncertainties facing the Group in this Annual Report and • Strong growth in subscription • Renewal rates within the Group’s Accounts involve uncertainty since future events and revenue, up 16% year-on-year subscription business remain circumstances can cause results and developments to differ at healthy levels at 124% StatementsFinancial • Strong demand for our cloud solutions, materially from those anticipated. The forward-looking with over 135,000 of our customers • The Group remains well-positioned statements reflect knowledge and information available at managing their security via the Sophos competitively, with industry-leading the date of preparation of this Annual Report and Accounts Central cloud platform technology and a differentiated and the Company undertakes no obligation to update these strategy for synchronized security forward-looking statements. Nothing in this Annual Report • Sophos is now established as and Accounts should be construed as a profit forecast. a leader in the fast-growing market • Step change in profitability, for next-gen cybersecurity solutions, reflecting good revenue growth founded on powerful artificial and operating leverage intelligence capabilities Additional InformationAdditional 2019 Annual Report and Accounts 2019 Annual Report and Ac and Report Annual 2019 counts

Sophos Group plc The Pentagon, Abingdon Science Park, Abingdon, OX14 3YP, United Kingdom.

Tel: +44 1235 559933 www.sophos.com