September 14, 2019
A few days before taking a company public, the last thing a founder might hope for is a news cycle to kick off about how the company may have violated U.S. sanctions regulations. That happened this week to Cloudflare, a San Francisco-based network performance and cybersecurity firm.
“It’s one of those times when being in a quiet period sucks,” Matthew Prince, Cloudflare’s CEO and cofounder, told me on Friday afternoon, a few hours after his firm debuted on the New York Stock Exchange. An amendment to a filing with the Securities and Exchange Commission had recently disclosed that some customers of Cloudflare’s services may have been terrorists, drug traffickers, or agents of sanctioned governments.
Yet investors were not deterred. Cloudflare’s shares were set to open at $15 per share, marked up from an initial range of $10 to $12 per share and, later, an updated range of $12 to $14 per share. Upon the company’s debut, the price popped 20% to $18 per share, where it has since held steady.
The enthusiasm for Cloudflare’s offering, which raised around $525 million, is fueled by at least two hot trends. The first is business’ insatiable appetite for “cloud” software and services. The second is demand for new cybersecurity solutions (as we have seen in recent IPOs, like CrowdStrike’s whopper).
“What we set out to build at Cloudflare was a replacement for the network hardware that companies currently have to install to protect their on-premise data and applications,” Prince said. He referred to pieces of IT infrastructure with wonky names like load balancers and optimizers and firewalls and VPNs. “Ten years from now [those devices] are gonna look somewhat anachronistic,” he said.
On the subject of the potential sanctions violations, Prince said Cloudflare has always strived to do the right thing. “Whenever we see something that’s potentially problematic or illegal, we reach out to experts in organizations across the U.S. government and ask what they want us to do.” Some of those consulted preferred that Cloudflare continue to host unsavory customers, since the company at least responds to valid court orders—unlike some unscrupulous, overseas rivals, Prince said. Others objected.
“Since we couldn’t get a consistent answer across the government, we had to follow what the letter of the law was and, at that time, we kicked a bunch of organizations off the network,” Prince said. “Today have much more rigorous compliance process to make sure new sites signing up aren’t on a sanctions list.”
Cloudflare’s historically lax standards around customer acquisition, while fueling growth, has also caused a number of headaches for the company. A couple years ago, it pulled the plug on the Daily Stormer, a neo-Nazi site, after facing a public outcry. Earlier this year it booted 8chan, a haven for white supremacists and breeding ground for mass murderers, after a furor erupted in the wake of the multiple mass shootings linked to the site.
I asked Prince whether he plans to be more proactive about policing his platform in the future. A trained lawyer, he gave this reply: “From time to time there will be organizations like 8chan that are intentionally designed to thwart the law and, in those cases, it may require us to do something that, frankly, makes us uncomfortable, which is step beyond the law and make what is a discretionary judgment on our own.”
Now that the company is public, it will face greater scrutiny and have to placate a broader base of shareholders. At least for now though, many investors, using their own discretionary judgment, have indicated that they are prepared for these tribulations.
Robert Hackett | @rhhackett | email@example.com