F-Secure Oyj

Annual Report • Mar 14, 2018

ANNUAL REPORT 2017

A FRONT RUNNER IN CYBER SECURITY FOR 30 YEARS

Nobody knows cyber security like F-Secure. For three decades, F-Secure has driven innovations in cyber security, defending tens of thousands of companies and millions of people. With unsurpassed experience in endpoint protection as well as detection and response, F-Secure shields enterprises and consumers against everything from advanced cyber attacks and data breaches to widespread ransomware infections. F-Secure's sophisticated technology combines the power of machine learning with the human expertise of its world-renowned security labs. F-Secure's security experts have participated in more European cyber crime scene investigations than any other company in the market, and its products are sold all over the world by over 200 broadband and mobile operators and thousands of resellers. Founded in 1988, F-Secure is listed on the Nasdaq Helsinki.

WE ARE

F-SECURE

CONTENTS

01	Key figures 2017 01 F-Secure in brief 02 CEO letter 04
02	Board of Directors' Report 2017 06 Key figures 13 Calculation of key ratios 14
03	FINANCIAL STATEMENTS F-SECURE CONSOLIDATED 15 Statement of comprehensive income 15 Statement of financial position 16 Statement of cash flows 17 Statement of changes in equity 18 Notes to the Financial Statements 19
	F-SECURE CORPORATION 37 Income statement 37 Balance sheet 38 Cash flow statement 39 Notes to the
	parent company Financial Statements 40
	Auditor's Report 49
04	Statement of non-financial information 53
05	F-Secure's Corporate Governance Statement 61
	Board of directors 66 Leadership team 69

KEY FIGURES 2017

Revenues MEUR 169.7 Operating profit MEUR 11.1 Earnings per share EUR 0.07 Dividend per share EUR 0.06 Extra dividend per share EUR 0.06 Cash flow from operations MEUR 26.0 Equity ratio 61% Personnel 1,104 Revenue split by region 2017, %

l Operating profit margin

Revenue split by business 2017, MEUR

A FRONTRUNNER IN CYBER SECURITY

For 30 years, F-Secure has driven innovation in cyber security. We defend tens of thousands of companies and millions of people around the world through our network of over 200 telecommunications operators and thousands of IT service and retail partners. F-Secure's security experts have participated in more European cyber crime scene investigations than any other company in the industry.

Digitalization continues to increase cyber threats

Due to the explosive growth in the number of internet-connected devices both in business and in our private lives, society expects services and data to be accessible everywhere and on any device. Online business services are becoming the de-facto standard, but at the same time online crime has become ever present and globally connected.

As cyber threats grow in number, they also evolve in scope and sophistication. Protecting people and organizations from new types of attacks, as well as securing new areas of technology and business requires a move away from single solutions towards a broader cyber security portfolio.

Comprehensive offering for consumers and businesses

F-Secure's sophisticated technology combines the power of machine learning with the human expertise of its world-renowned security labs for a singular approach called Live Security. It covers all aspects of cyber security: prediction, prevention, detection and response.

In February 2017, F-Secure won the Best Protection award from the AV-TEST Institute for superior protection technology throughout 2016. The win makes F-Secure a five-time winner of the award, and it's the only company in the history of AV-TEST to achieve such a distinction.

OUR APPROACH TO CYBER SECURITY

Understanding your risk starts by mapping your attack surface – across

Cyber security moves too fast for silver bullets. It takes a combination of the latest human expertise and continuously improving technology to comprehensively predict, prevent, detect and respond to breaches.

Minimize your attack surface

This is where tried and tested endpoint protection tools and best practices come in – system hardening, firewall configurations, reputation analysis, access controls, antivirus scanning and automated patch management. With modern endpoint protection tools, you get smarter prevention capabilities including behavioral analytics, which are capable of blocking 0-day malware.

Recognize incidents and breaches

Using technology and human expertise to monitor your attack surface and heuristically detect, block and isolate suspicious behavior, it becomes possible to reduce harmful dwell time – the time it takes before a breach is detected.

React to incidents and breaches

Understand your attack surface

It takes IT forensic expertise to understand how the attackers got in and which systems and data were compromised. It also takes experience to know exactly how to react to the attack: how to escalate the issue, isolate corrupted machines, manage communications and remediate the damage.

Our business model

vulnerabilities.

Tens of millions of consumers

Our security advisory services help businesses analyze and predict threats. Our vulnerability assessment and management solution (F-Secure Radar) is an invaluable tool in spotting weaknesses and helping corporate customers fulfil their compliance needs. Our detection solution (Rapid Detection Service) enables companies to realize they've been breached in minutes instead of months. And for customers who have already been breached, F-Secure offers forensics and incident response services to enable swift recovery. In 2018, we look forward to launching our new fully automated Endpoint Detection & Response solution (EDR).

F-Secure's security solutions for endpoints (Protection Services for Business, Business Suite) feature multiple layers of protection technology to efficiently and effectively block zero day and advanced attacks. Our solutions also enable an additional layer of security for cloud platforms (e.g. F-Secure Cloud Protection for Salesforce).

For consumers, we offer total security and privacy to all connected devices (F-Secure TOTAL, F-Secure SAFE, F-Secure FREEDOME, F-Secure SENSE, F-Secure KEY). F-Secure helps people secure their devices and connections, protect their online life and enjoy it to the fullest without the fear of unwanted tracking, profiling or information theft.

Our strategy is driven by our aspiration to grow

We are transforming from an endpoint protection company to a cyber security leader with a broader set of products and services. As F-Secure seeks to accelerate growth, we continue to focus growth investments in corporate security.

We provide best-in-class services and solutions to the mid-market, especially for customers seeking to buy prevention, detection and response as a service. We foresee the market moving towards managed endpoint security, and see especially strong growth in detection and response services. As we expand our product and service offering, we are also making it more integrated in order to offer efficient and comprehensive turn-key solutions to our customers and partners

THERE'S A NEED FOR SPEED IN DETECTING AND REACTING TO CYBER ATTACKS

Since the company was founded 30 years ago, F-Secure has been driving innovation in cyber security. Many key security features that are considered as necessities in today's cyber security products, were originally developed at F-Secure Labs in Helsinki. We continue be a visionary in the industry, offering enterprise-grade cyber security products and services for companies, and peace of mind for consumers globally. In a world immersed in digitalization, cyber security can mean the difference between failure and success. Protecting our customers, we know that we are making a difference for millions of consumers and tens of thousands of businesses every single day.

The cyber security industry has never stopped evolving. What started in the 1990's as a sport for amateurs, has evolved into a serious business for organized crime and a theater for cyberwar between nation states. While malware was once created to achieve fame, today cyber attacks are chiefly motivated by financial or political gain.

For businesses, breaches are becoming even more crucial to prevent and manage. Last year's outbreaks of NotPetya and WannaCry again demonstrated how hacks can result in losses of hundreds of millions of euros, while doing catastrophic damage to brands. Additional pressure for increased resilience is coming from tightening regulation. This year the European General Data Protection Regulation (GDPR) will have a transformative effect on the way companies are required to manage and secure personal data. Among other things, companies must be able to notify the authorities once they have been breached.

In an environment like this, it's troubling to know that only a fraction of companies have successfully deployed modern detection systems, which are vital for ensuring rapid response to threats. Preventive measures can help avoid much harm from cyber threats, but more work is needed to improve detection capabilities, as breaches are bound to happen. In addition to new technical solutions, companies will need human expertise. Already today, there is a huge demand for prospective defenders. A recent report projects there will be 3.5 million vacant cyber security positions by the year 2021. Hundreds of thousands of those positions will be in Europe.

Enterprise-grade cyber security for the mid-market

As over the past three decades the cyber security industry has continually evolved, F-Secure has also continuously reinvented itself to match the needs of customers. We find ourselves again in the midst of such a transition. A transformation from an endpoint protection company into a provider of a broad offering of cyber security products and services.

F-Secure is focused on offering enterprise-grade solutions for the midmarket. Our solutions and services match the security needs of even the most demanding large corporations, but we have especially tailored them into comprehensive turn-key solutions for medium-sized companies and local enterprises. Through our extensive network of thousands of trusted partners we are able to reach out to companies globally. And while our focus is on corporate security, the shared technological platform behind all our products ensures that the solutions we develop for demanding corporate customers also end up benefiting the consumer customers for whom we provide security and privacy products for all connected devices.

Our product and service offering for businesses has never been more extensive. In addition to vulnerability management and award-winning endpoint security solutions, we have recently introduced cutting edge solutions for detection and response. While we are focused on product sales, we also have a strong service arm, and provide a vast range of best-in-class professional services from incident response, forensics and red teaming to security and risk management. Our unique combination of man and machine offers us clear competitive advantages, supporting product development and creating increased potential for cross-selling.

2017: Another strong year

Throughout 2017, we continued to win market share and push our new corporate security solutions to key markets in Europe and elsewhere. While our corporate endpoint protection business showed good growth, I was particularly pleased with the progress we made with Rapid Detection Service - our managed service designed to detect even the most skillful attackers. We only recently began offering this solution, but we have already won many

customers in demanding verticals – including finance, energy, media and IT – in European key markets. To further boost growth, this year we will launch a new fully automated Endpoint Detection and Response solution, which will increase our ability to scale much needed detection capabilities for small and medium sized companies.

Another strong growth driver has been our professional services, where we continue to see very strong demand. Last quarter, we signed our largest service contract ever. We also made two relatively small but important acquisitions last year – Inverse Path in Italy and Digital Assurance in the UK – to boost our presence in key markets and important industry verticals. Cyber security services are adjacent to our product sales.

Our consumer security business remained stable. The consumer business is crucial for F-Secure, as it is fueling our investments in corporate security, where we see the most growth potential. That said, the consumer business itself is also evolving. Last year, we saw increasing cross sales, as consumers are often buying not just endpoint security but also privacy and VPN products. Also, despite continued competition from freemium products and the fact that operating system providers are increasing their built-in capabilities in security, our renewal rates have never been higher. Completely new markets are also emerging. In the summer of 2017, we launched F-Secure SENSE, our new innovative solution for securing all connected devices at home.

F-Secure's competitiveness is built on strong values

While our business continues to evolve, our core DNA remains the same. F-Secure has a unique combination of advanced technology and fantastic people. From the very beginning, this has been a company built on strong values. Our employees are proud to be able to fight against the world's most advanced cyber criminals.

Our ambition of doing good and helping our customers is what drives us forward. We are a growth company, but with an ambition to grow even faster. To support this, we will continue to invest in the growth of the corporate business, both in the development of cyber security products and services as well as in sales and marketing of these solutions.

F-Secure's extensive experience, knowledge and insight in cyber security, combined with our global intelligence network, smart software and cutting edge artificial intelligence makes us the perfect trusted cyber security partner for companies of all sizes as well as individuals. Together with our employees, partners and customers, I'm certain we will continue to fight for cyber security for 30 years more!

Samu Konttinen

"We continued to win market share and push our new corporate security solutions to key markets in Europe and elsewhere."

05

F-SECURE 2017

CYBER

SECURITY

NEVER STOPS.

F-SECURE 2017 06

BOARD OF DIRECTORS' REPORT 2017

In 2017, F-Secure continued its transformation from an endpoint protection company into a provider of a broad offering of cyber security products and services. The company continued to prioritize growth over short term profitability. Building on significant investments in sales, marketing and product development and strong demand especially in the corporate security market, significant progress was made with both products and services.

In corporate security, F-Secure saw companies striving to improve their cyber resilience, and the expanded portfolio continued to create new business opportunities. Growth was driven by cyber security services and new products for detection and response, as well as vulnerability management. The company's traditional core business – endpoint protection – was also in above-market growth. To support further growth, F-Secure continued to develop the corporate reseller channel to better target larger corporate customers and increase cross-selling and upselling.

In consumer security, direct sales to consumers were in strong growth driven by high renewal rates and increased cross-selling. Revenue through operators remained almost at previous year's level, confirming the company's view of the overall stability of the consumer business.

Financially, F-Secure's year was solid, with strong cash flow and healthy profitability.

Financial performance and key figures

In January–December, total revenue grew by 7% year-on-year to EUR 169.7 million (158.3m), driven by corporate security.

Corporate security

Revenue from corporate security increased by 16% year-onyear to EUR 72.6 million (62.5m), and represented 43% (39%) of F-Secure's total revenue. The growth throughout the year stemmed both from increasing product sales through the

reseller channel, and from very strong performance in cyber security services. The revenue increase reflected significant investments in product development as well as recruiting in the sales organization during the past two years.

Consumer security

Revenue from consumer security increased 1% year-on-year to 97.1 million (95.8m), and represented 57% (61%) of F-Secure's total revenue. The direct consumer sales continued to show good growth, while revenue from the operator channel slightly decreased.

Deferred revenue

Deferred revenue increased by 13% (year-on-year) to EUR 61.1 million (54.3m), driven by the increased sales of corporate security products and services with multi-year contracts.

Costs

Fixed costs increased by 12% (year-on-year) to 153.8 million (137.6m). Key drivers behind the increase were recruitments in corporate security and the impact of share-based incentive programs. R&D costs and sales and marketing expenses related to corporate business increased significantly.

Profitability

EBIT was EUR 11.1 million and 7% of revenue (19.2m, 12%). Investments in corporate business related R&D and sales and marketing were the main factors behind the lower EBIT compared to previous year.

Cash flow

Cash flow from operations was EUR 26.0 million (21.9m). Cash flow was impacted by extraordinary tax payments both in 2017 and in the comparison year 2016. In 2016, the cash flow was negatively impacted by a residual tax payment of EUR 6.1 million resulting from the divestment of F-Secure's personal cloud storage business to Synchronoss in 2015 and the repayment of EUR 4.0 million in foreign tax credits on withholding

taxes from 2009–2011 based on debit decisions by the Finnish tax authority. Cash flow was positively impacted by the release of the EUR 4.5 million escrow account relating to the above mentioned divestment. In 2017, the company received a payment of EUR 3.1 million related to aforementioned foreign tax credits on withholding taxes from 2009–2011 based on debit decisions by the Finnish tax authority following F-Secure's appeal.

Taxes

In June, the Finnish Tax Administration's Board of Adjustment approved F-Secure's appeal related to withholding taxes. As a result EUR 3.1 million consisting of taxes, interests and late penalty payments was returned to the company, and the payment was recorded in financial items and income taxes in the second quarter. The payment relates to the decision of Finnish Tax Authority in 2015 to adjust taxation for tax years 2009–2011 based on a partial tax audit. F-Secure appealed the decision and the Finnish Tax Administration's Board of Adjustment approved the appeal. The approval does not have an impact on future taxation of the company. More information regarding the tax audit is available in the 2016 financial statements, disclosure 10, Income taxes.

Financing and Capital Structure

On 31 December 2017, the combined market value of cash and cash equivalents and short term investments in interest rate funds classified as available-for-sale assets was EUR 90.2 million (31 December 2016: 92.7m).

Cash and available-for-sale financial assets were impacted by paid dividends, amounting in total to EUR 18.8 million. In addition to a regular dividend of EUR 0.06 per share, an extra dividend of EUR 0.06 per share was paid following the sale of the personal cloud storage business to Synchronoss Technologies Inc for USD 60 million in February 2015.

In January–December the Company's capital expenditure amounted to EUR 9.3 million (6.9m). The capitalized development expenses were EUR 3.9 million (3.2m).

F-Secure's financial position remained solid. The Company's equity ratio on 31 December 2017 was 61% (67%) and its gearing ratio was 130% negative (122% negative).

F-Secure business in 2017

Corporate security

F-Secure provides a broad range of cyber security products and managed services through a large network of resellers and service partners. Products include both cloud-based (Protection Service for Business) and on premise (Business Suite) endpoint protection solutions, solutions for detecting and responding to advanced attacks (Rapid Detection Service, or RDS), vulnerability management (F-Secure Radar) and cloud protection (F-Secure Cloud Protection for Salesforce). The majority of corporate security revenue comes from the sale of endpoint protection solutions through resellers.

Revenue from endpoint security continued to grow at above-market pace during the full year, but country-specific performance was mixed especially in the second half of the year. New customer acquisition showed strong growth, and renewals and upsells also increased, despite some contract seasonality and performance issues in certain countries impacting the second half.

During the year, F-Secure continued to expand sales of new corporate products, especially in detection and response (RDS), and vulnerability management (F-Secure Radar) markets. While both solutions are still at an early stage of their life-cycle, revenue from RDS and F-Secure Radar showed strong growth during the year, and business expanded significantly regionally, with first deals signed already in 20 countries. To accelerate the growth, F-Secure continues to seek new reseller partners capable of pushing the full corporate security portfolio. With Cloud Protection for Salesforce, F-Secure continued close cooperation with SalesForce to expand sales of the new solution.

In November, F-Secure announced at Capital Markets Day that the company plans to launch a new fully automated endpoint detection and response (EDR) solution in 2018. The new solution will build on capabilities already utilized in F-Secure Rapid Detection Service (managed detection and response, MDR). This new solution will be tightly integrated with the company's endpoint protection solutions, and it will allow F-Secure to combine two important product categories. EDR will be a pure software product, and whereas RDS is a managed service aimed for larger companies, EDR will allow F-Secure to scale sales to a broader base of corporate customers while making detection capabilities more affordable also for small businesses and mid-market customers. Thus it will also support the growth of endpoint protection business.

Regionally most of the absolute product sales growth came from focus markets in Europe, with a fourth of the growth came from North America and Asia-Pacific. In Asia, absolute sales grew fastest in India and Malaysia. In Europe, growth was most strongest in Finland, Denmark, France, Germany, Austria and the Benelux countries.

F-Secure's cyber security consultancy had a very strong year. Several large deals were signed, including one particularly large deal in the fourth quarter. Overall, F-Secure continued to see strong demand in the market, and the company recruited more consultants and sales personnel to meet the rising demand. The majority of cyber security services order intake came from Denmark, Finland and UK, and the share of order intake coming from other regions within Europe continued to increase.

Consumer security

The majority of F-Secure's consumer security revenue comes from the sale of endpoint protection products (mainly F-Secure Safe) through the operator channel, with F-Secure Freedome (VPN, privacy and security) and F-Secure Key (password manager) increasingly being part of the offering. In June 2017, the company started the first deliveries of F-Secure Sense, an innovative security solution for protecting connected home devices. In addition to operator sales, F-Secure sells consumer products through various online and retail partners,

as well as the company's own web shop. F-Secure is increasingly offering consumer products as combined bundles, such as F-Secure Total (F-Secure Safe & F-Secure Freedome).

Revenue from the operator channel slightly decreased from the previous year's level during the full year, as the loss of single operator customer in Latin America caused the quarterly revenue to decline in the fourth quarter. This impact is expected to continue in the first half of 2018. Excluding Latin America, operator revenue increased slightly also in the fourth quarter, highlighting F-Secure's overall steady progress in increasing product activation rates together with our broad network of partners globally. Regionally, the majority of absolute growth came from the Nordics, Germany, the UK and the US.

In direct consumer sales, F-Secure continued to outpace the market, with solid double-digit order intake growth both in online and retail channels. Growth continued to be driven by the strong renewal rates and increased cross selling of the broad consumer portfolio. Consumers are increasingly buying both endpoint protection and privacy solutions, and upgrading their F-Secure SAFE or F-Secure FREEDOME subscriptions to F-Secure TOTAL – a commercial bundle of the two products. Additionally, order intake for F-Secure FREEDOME as a standalone product continued to show strong growth during the year, especially with new sales and renewals through app stores. Increased cross-selling and upselling helped the company generate higher annual average revenue per user.

The impact of F-Secure SENSE (an innovative security solution for connected home devices) on revenue was limited as expected. While the connected home market is at a very early stage, the company continues to see growing interest in the product among customers, operator partners and retailers, including the possibility of embedding Sense as software to customers' on premise equipment such as routers or digital home hub solutions. During the year F-Secure signed deals with several operators to distribute SENSE, and in December BestBuy started selling SENSE in the US, as did also Power (retail chain) in the Nordics.

Acquisitions and disposals

On 15 February 2017, F-Secure acquired 100% of the shares of Inverse Path S.r.l., a small privately held company based in Italy providing security services to the avionics, automotive, and industrial control sectors.

On 10 May 2017, F-Secure acquired 100% of the shares of Digital Assurance Consulting Limited, a privately held UK based security consultancy firm offering information security assessment services to governments and companies in financial, petrochemical, retail, communication, and defense industries.

Research and development

F-Secure's research and development activities in 2017 continued to focus on the development of new products and product amendments both for businesses and consumers. Key projects included RDS, EDR, F-Secure Sense, and improvements to several existing products. As an example, new types of sensors, such as a network sensor, were added to RDS. Work was done on new protection features and overall customer experience improvements.

On a more general level, F-Secure is working on simplifying and streamlining its product and service architecture as well as continuing its transition towards the use of cloud services. Multiple services were moved to the cloud. With all these activities the Company aims to improve product scalability, security, stability as well as speed of development and reduce time spend on maintenance. F-Secure also strives to become a truly data-driven company and invests in processing more data than before and increasingly using artificial intelligence for analysis. During 2017, F-Secure in particular increased focus on using machine learning for anomaly detection.

In 2017 F-Secure's research and development expenditure amounted to EUR 34.5 million, representing 20% of revenue (EUR 28.4m, 18%). The capitalized development expenses amounted to EUR 3.9 million (EUR 3.2 million).

Product and service announcements

New products launched in 2017

• F-Secure launched F-Secure Cloud Protection for SalesForce, a first-in-the-market concept for cloud security. The product offers an additional layer of security for Salesforce customers by automatically analyzing any files or links uploaded by users and then blocking malicious content.
• F-Secure launched F-Secure SENSE for the connected home and IoT protection. It is the first hardware product in F-Secure's consumer portfolio. F-Secure SENSE is a combination of a smart security router, an advanced security app and industry-leading cloud protection. SENSE protects every internet connected thing in homes.

Other significant product announcements

– In November, F-Secure announced its plans to launch a new Endpoint Detection and Response (EDR) product in 2018. More information is available in the F-Secure Business in 2017 section.

Updates for corporate products

• Protection Service for Business (PSB, cloud-based endpoint protection platform) was updated with several new capabilities. These included DataGuard (an additional layer of protection against threats like ransomware), XFENCE (for the Mac OS platform preventing ransomware and other malware), and a new Password Protection feature to make the use of strong and unique passwords easy for organizations.

• Business Suite (on-premise endpoint protection platform) was updated with new capabilities to support scalability to larger organizations including and advanced proxy functionality to reduce network bandwidth usage, and with new security capabilities like the DataGuard feature.

• Rapid Detection Service (RDS, managed detection and response service) was updated with new capabilities, including a new customer portal for efficient communication between Rapid Detection Center – our 24/7 monitoring center – experts and customers, and improved machine learning and artificial intelligence capabilities.

• F-Secure Radar (our vulnerability management solution) was updated with a web topology mapping feature that helps customers to discover their full attack surface, and with a new user interface bringing ease-of-use and improved productivity.

Updates for consumer security products

• F-Secure SAFE (multi-device security solution) was updated with new capabilities for protecting children online. The new remotely managed Family Rules enable parents to set boundaries for screen time, internet use, and on Android also for apps. For the operator partners new functionalities were also added, including lifecycle messaging, cross-sell and integration models. These make it easier for partners to offer the entire F-Secure's portfolio to consumers while improving channel efficiency, and customer experience.
• F-Secure KEY (password manager) was updated with a set of new tools for better password management. By improving the awareness of password quality, KEY helps users to improve their password practices.
• F-Secure FREEDOME (online privacy and security solution) introduced a VPN Software Development Kit (SDK) that enables operators and partners to integrate security and privacy into their own apps. Additionally, new features were introduced to support operator sales, including the capability to deploy operator on-site VPN gateways and smoother product deployment and installation experience.
• F-Secure TOTAL (offering consisting of SAFE and FREEDOME) was updated to improve usability and deepen the technical integration of the two embedded products.

Significant awards

• In February 2017, F-Secure was once again awarded the 2016 Best Protection Award by AV-TEST for the fifth time, as the first company in the test history
• In February, many media outlets around the world published news articles about a research study made by Australia's Commonwealth Scientific and Industrial Research Organization, the University of New South Wales, and the University of California at Berkeley. In the study, F-Secure FREEDOME was one of the few (out of 283 VPN Android apps) that was praised by a university study in keeping its marketing promises as a secure VPN.
• In March, F-Secure TOTAL won the Best Innovation 2017 award from Digital Citizen. The award was granted for combining an internet security product with a full VPN product.

After period-end, in January 2018, F-Secure was recognized as a 'Visionary' in Gartner's 2018 Magic Quadrant for Endpoint Protection Platforms report.

Shares, Shareholders' Equity, Own Shares

The total number of company shares is currently 158,798,739. The company's registered shareholders' equity is EUR 1,551,311.18. The company currently holds 2,085,029 of its own shares.

The company holds its own shares to be used in the incentive compensation plans, for making acquisitions or implementing other arrangements related to the company's business, to improve the company's financial structure, or to be otherwise assigned or cancelled.

The company currently has share-based incentive programs for key employees: performance-based long-term share-based programs and a restricted program (Stock exchange release, 16 February 2017).

In accordance with the decision by the Annual General Meeting, 40% of the fees paid to the Members of the Board of Directors in 2017 were paid in F-Secure shares. In total, 23 888

of F-Secure shares were assigned to the Members of the Board. The shares were purchased from the market.

Risks and uncertainties

The objective of F-Secure's risk management is to ensure a current, correct and holistic understanding and prioritized management of key uncertainties related to strategy implementation and business operations. The process and risk management methods in use are constantly developed to respond to the changing needs of the company.

F-Secure uses three categories to group the risks: strategic, business and operational risks. The most significant risks for F-Secure are related to the following factors.

Most significant risks

• Endpoint protection market disruption
• Market consolidation, and failure to successfully complete acquisitions or divestments
• Failure to innovate and develop new technologies
• Failure to attract and retain talent

Other risks that affect the F-Secure business include but are not limited to:

• Intellectual property (IPR) claims against F-Secure
• Risk exposure from contractual liability requirements
• Failure of new product launches
• Potential security threats related to F-Secure's products and services
• Credit risk due to regional political or financial climate and regulation
• Tax risk relating to changing laws and regulations and interpretations of said regulations by the relevant authorities

Organization and leadership

Personnel

At the end of December, F-Secure had 1,104 employees, which shows a net increase of 8% from the previous year (1,026 on 31 December in 2016). F-Secure continues to actively recruit security professionals, cyber security consultants and sales personnel especially in corporate security.

Leadership team

To accelerate strategy execution, F-Secure has made organizational changes as of Monday 5 February 2018. Corporate security has been moved from two business units in to a functional organization that elevates the key areas to Leadership Team and removes organization layers. Consumer cyber security will continue as a business unit of its own.

After the changes, the composition of the Leadership Team is the following:

Samu Konttinen (CEO, and acting Strategy & Corporate Development), Mari Heusala (HR & Office Services), Kristian Järnefelt (Consumer Cyber Security), Juha Kivikoski (Enterprise & Channel Sales as of 1 March 2018), Jyrki Rosenberg (Marketing & Communications), Jari Still (Information & Business Services), Mika Ståhlberg (Security Research & Technologies), Eriikka Söderström (CFO), and Jyrki Tulokas (Cyber Security Products & Services).

Juha Kivikoski is an industry veteran having previously served as Managing Director at Dustin Finland, Vice President Sales at McAfee/Intel Security and COO at Stonesoft. He has also held several senior leadership positions at large technology companies including Siemens and Cisco Systems.

Corporate Governance

F-Secure's corporate governance practices comply with Finnish laws and regulations, F-Secure's Articles of Association, the rules of Nasdaq Helsinki Oy and the Finnish Corporate Governance Code 2015 issued by the Securities Market Association of Finland. The code is publicly available at

http://cgfinland.fi/en/. F-Secure's Corporate Governance Statement for 2016 as well as up-to-date information about the Company's governance are available on the Company website. The Corporate Governance Statement for 2017 will be published at latest on 14 March 2018.

The Annual General Meeting

The Annual General Meeting of F-Secure Corporation was held on 5 April 2017. The Meeting confirmed the financial statements for the financial year 2016. The members of the Board and the President and CEO were granted discharge from liability. In addition, the Annual General Meeting made the following decisions:

The Annual General Meeting decided to distribute a dividend of EUR 0.06 per share and an extra dividend of EUR 0.06 per share, which was paid to those shareholders that on the record date of 7 April 2017 were registered in the Register of Shareholders held by Euroclear Finland Ltd. The dividend was paid on 20 April 2017.

It was decided that the annual compensation of Board members remains on a previous year's level: for the Chairman EUR 55,000, Chairmen of the Personal and Audit Committees EUR 40,000, members EUR 30,000 and member employed by F-Secure Corporation EUR 10,000. Approximately 40% of the annual remuneration will be paid as company shares.

It was decided that the number of Board members is seven (7). The following current members were re-elected: Pertti Ervi, Matti Heikkonen, Bruce Oreck and Risto Siilasmaa. Sofie Nystrøm, Päivi Rekonen and Ari Inki were elected as new members of the Board. The Board elected in its organizational meeting Siilasmaa as the Chairman of the Board. The Board nominated Siilasmaa as the Chairman of the Personal Committee and Bruce Oreck and Matti Heikkonen as members of the Personal Committee. Pertti Ervi was nominated as the Chairman of the Audit Committee and Sofie Nystrøm, Päivi Rekonen and Ari Inki were nominated as members of the Audit Committee.

It was decided that the Auditor's fee will be paid against approved invoice. PricewaterhouseCoopers Oy was elected the parent company's auditor. APA, Mr. Janne Rajalahti acts as the responsible partner.

It was decided that the Board of Directors may pass a resolution to repurchase a maximum of 10,000,000 own shares of the company in one or multiple tranches with the company's unrestricted equity. The authorization entitles the Board of Directors to decide on the repurchase also in deviation from the proportional holdings of the shareholders (directed repurchase). The authorization covers the repurchase of shares either in trading at the regulated market organized by Nasdaq Helsinki Ltd in accordance with its rules and guidelines, in which case the shares must be purchased at the prevailing market price at the time of repurchase, or through a public tender offer to the shareholders, in which case the price offered must be the same for all shareholders. The repurchased shares will be used for making acquisitions or implementing other arrangements related to the company's business, for improving the company's financial structure, for use as part of the company's incentive scheme or otherwise for further assigning or cancelling the shares. The authorization includes the right for the Board of Directors to decide upon all other terms and conditions related to the repurchase of the company's own shares. The authorization is valid until next Annual General meeting however not longer than until 30 June 2018 and the previous authorization granted to the Board of Directors by the 2016 Annual General Meeting regarding the repurchase of the company's own shares expired upon the new authorization.

The Annual General Meeting authorized the Board of Directors to decide on the issuance of a maximum of 31,000,000 shares, representing 19.5 per cent of the company's shares entered in the Trade Register, or the issuance of special rights entitling to shares referred to in Chapter 10, Section 1 of the Finnish Limited Liability Companies Act in one or multiple tranches. The authorization concerns both the issuance of new shares as well as the transfer of treasury shares. The

authorization includes the right for the Board of Directors to decide upon all terms and conditions related to the issuance of shares and special rights. The issuance of shares may be carried out in deviation from the shareholders' pre-emptive rights (directed issue). The authorization can be used for implementing potential acquisitions, other arrangements or equity-based incentive plans or for other purposes decided by the Board of Directors. The Board of Directors also has the right to decide on the sale of company shares at the regulated market in accordance with Nasdaq Helsinki Ltd's rules and regulations. The authorization is valid until next General Annual Meeting however not longer than until 30 June 2018, and the previous authorization granted to the Board of Directors by the 2016 Annual General Meeting regarding the issuance of shares and transfer of own shares expired upon the new authorization.

Market overview

The growing number and variety of connected devices as well as digital services continues to create security challenges for both businesses and individuals. Combined with the increasing complexity of IT systems, these trends are driving demand for security services. While advanced cyber-attacks are becoming more common and persistent, criminals are targeting companies of all sizes along with consumers by taking advantage of vulnerabilities in popular software, traditional and new connected devices as well as online services. Apart from pure criminal activity, governments and hacktivists use vulnerabilities and malware e.g. for espionage and surveillance.

Attacks against corporations often go undetected for months, which fuels demand for products and services for incident detection and response, supplementing the endpoint security market. Furthermore, as organizations are increasingly adopting cloud services, they seek managed security services and cloud-based delivery to help them maintain control of their security. In the long run, this trend is expected to shift investment away from on-premise security products, while new opportunities are emerging in securing the cloud platforms.

Larger organizations also remain interested in securing their mobile device fleets.

The consumer security software market continues to be impacted by the changing device landscape, as well as the increasing significance of app stores and online sales overall. While the sales of traditional PC's have declined slightly, the number of connected smart home devices is growing very rapidly. This creates opportunities for innovative new security products. There are also opportunities to capture market share from the competition with traditional security products.

The information security market overall was estimated to be worth USD 89.1 billion in 2017, and the market is expected to grow by 7.9% annually in 2016–2021*. The endpoint protection platforms (enterprise) market was worth USD 3.6 billion in 2017, and is expected to grow by 2.6% annually in 2016–2021*. The consumer security software market was worth USD 4.6 billion in 2017, and is expected to grow by 1.6% annually in 2016–2021*. The IT outsourcing market, including managed security services, was worth USD 16.7 billion in 2017, and is estimated to grow by 11.4% annually in 2016–2021 *.

Source: * Gartner, Forecast: Information Security, Worldwide, 2015–2021, 3Q17 Update, Ruggero Contu, Christian Canales, Sid Deshpande, Lawrence Pingree, 8 November 2017. Market size and growth rates in current dollars.

The Gartner Report(s) described herein, (the "Gartner Report(s)") represent(s) research opinion or viewpoints published, as part of a syndicated subscription service, by Gartner, Inc. ("Gartner"), and are not representations of fact. Each Gartner Report speaks as of its original publication date (and not as of the date of this Financial Report) and the opinions expressed in the Gartner Report(s) are subject to change without notice.

Strategy 2018–2021

F-Secure has updated the strategy as communicated at the Capital Markets Day on 22 November 2017:

The world is becoming digitalized and connected. Due to this, cyber-attacks and cyber-crime continue to be among

the most critical challenges the world is facing. While the complexity and magnitude of problems increases, expertise is concentrating into a limited number of specialized security companies.

For three decades, F-Secure has driven innovations in cyber security, defending tens of thousands of companies and millions of people. We are transforming from an endpoint protection company to a cyber security leader with a broader set of products and services.

F-Secure's competitiveness is based on extensive experience in cyber security, and a unique combination of man and machine. Our extensive experience, knowledge and insight in cyber security, combined with our global intelligence network, smart software and cutting edge artificial intelligence makes us the perfect trusted cyber security partner for companies of all sizes as well as individuals. We are the proud security advisor to many of the world's largest and demanding organizations e.g. in the banking, automotive and airline industries as well as the military and law enforcement sector. Our expertise is continuously developed, as we take on the toughest of assignments.

As F-Secure seeks to accelerate growth, we continue to focus growth investments in corporate security. We provide best-in-class services and solutions to the mid-market, especially for customers seeking to buy prevention, detection and response as a service. We foresee the market moving towards managed endpoint security, and see especially strong growth in detection and response services. As we expand our product and service offering, we are also making it more integrated in order to offer efficient and comprehensive turn-key solutions to our customers and partners.

F-Secure's corporate security products and services are sold through the channel. Our growing network of thousands of partners are key to our strategic expansion. F-Secure's products are designed to be delivered from the cloud, and to support partners as they develop managed service provider business models. Ease of use both for end-customers as well as partners is critical aspect of all product design.

F-Secure also provides a comprehensive set of digital safety solutions to consumers, protecting their information, identities, devices, smart homes and families. F-Secure is the world's leading provider of consumer security solutions through telecommunications operators. Together, we protect tens of millions of consumers and their digital lives. In consumer security, F-Secure continues with its existing sales channels aiming at profitable growth.

Outlook for 2018

F-Secure continues to invest in the growth of the corporate business, both the development of cyber security products and services as well as sales and marketing of these solutions. The company's outlook for 2018:

• Revenue from corporate security is expected to grow by over 15% compared to 2017
• Revenue from consumer security to stay at the same level as in 2017.
• EBIT is expected to be in the range of 8–12M€

Outlook for strategy period 2018–2021

The demand for corporate cyber security products and services is expected to grow strongly. F-Secure aims to grow faster than the market, with revenue from corporate security expected to grow above 15% annually during our strategy period 2018–2021.

Driven by the anticipated revenue growth and scalable business model, the company's profitability is expected to improve significantly in the long-term. The board and the management continuously seek to balance growth investments and profitability to optimize long-term value creation for the shareholders.

Proposal for dividend distribution

The Board of Directors is proposing to the Annual General Meeting, to be held on 4 April 2018, that a dividend of EUR 0.04 per share be paid based on the adopted balance sheet for the

financial year 2017. The suggested dividend record date is 6 April 2018 and the suggested payment date 18 April 2018.

The dividend per earnings is approximately 57% of the parent company's result. On 31 December 2017, the parent company's distributable equity amounted to a total of EUR 49.6 million. Events after period-end do not weaken the Company's financial position nor does the proposed dividend pose any risk to the company's financial standing.

Events after period-end

No material changes regarding the Company's business or financial position have occurred after the end of the year.

Helsinki, 8 February 2018 F-Secure Corporation Board of Directors Risto Siilasmaa Pertti Ervi Matti Heikkonen Ari Inki Sofie Nystrøm Bruce Oreck Päivi Rekonen

President and CEO Samu Konttinen

KEY FIGURES

Economic indicators	IFRS 2017	IFRS 2016	IFRS 2015	IFRS 2014	IFRS 2013
Economic indicators
Net sales (MEUR) *	169.7	158.3	147.6	137.4	155.1
Net sales growth %	7%	7%	7%	–11%	–1%
Operating result (MEUR) *	11.1	19.2	20.0	22.3	27.1
% of net sales	6.5%	12.1%	13.6%	16.2%	17.5%
Result before taxes *	11.9	20.8	20.7	23.4	26.3
% of net sales	7.0%	13.1%	14.0%	17.0%	17.0%
ROE (%)	14.8%	19.9%	28.1%	20.7%	24.9%
ROI (%)	19.7%	28.6%	52.1%	26.7%	40.9%
Equity ratio (%)	61.3%	66.7%	64.1%	74.9%	74.3%
Investments (MEUR)	9.3	6.9	14.6	5.8	3.7
% of net sales	5.5%	4.4%	9.9%	4.2%	2.4%
R&D costs (MEUR) *	34.5	28.4	26.9	30.1	41.7
% of net sales	20.4%	17.9%	18.2%	21.9%	26.9%
Capitalized development (MEUR)	3.9	3.2	2.3	2.3	0.3
Gearing %	–129.9%	–122.1%	–122.4%	–76.6%	–65.6%
Wages and salaries (MEUR)	70.8	61.8	56.8	57.4	54.1
Personnel on average	1,067	981	894	937	949
Personnel on Dec 31	1,104	1,026	926	921	939

Key ratios	IFRS 2017	IFRS 2016	IFRS 2015	IFRS 2014	IFRS 2013
Earnings / share (EUR)	0.07	0.10	0.14	0.10	0.11
Earnings / share (EUR) continuing operations	0.07	0.10	0.08	0.12
Earnings / share diluted	0.07	0.10	0.14	0.10	0.11
Earnings / share diluted continuing operations	0.07	0.10	0.08	0.12
Shareholders' equity per share	0.44	0.49	0.49	0.50	0.46
Dividend per share *)	0.04	0.12	0.12	0.16	0.06
Dividend per earnings (%)	57.1%	122.8%	85.7%	160.0%	54.5%
Effective dividends (%)	1.0%	3.4%	4.7%	7.1%	3.2%
P/E ratio	56.6	35.6	18.2	22.2	17.6
Share price, lowest (EUR)	3.17	2.19	2.08	1.78	1.55
Share price, highest (EUR)	4.84	3.60	3.84	2.90	2.15
Share price, average (EUR)	3.94	2.87	2.71	2.03	1.81
Share price Dec 31	3.89	3.48	2.58	2.25	1.87
Market capitalization (MEUR)	617.7	552.6	409.7	357.3	297.0
Trading volume (millions)	27.8	35.9	61.2	44.3	31.8
Trading volume (%)	17.5%	22.6%	39.3%	28.4%	20.5%

* Board proposal

* For 2016, 2015, and 2014, only continuing operations.

Adjusted number of shares	IFRS 2017	IFRS 2016	IFRS 2015	IFRS 2014	IFRS 2013
Average during the period*	156,502,983	156,022,774	155,801,466	155,756,751	155,374,231
Average during the period, diluted*	156,502,983	156,022,774	155,801,466	155,756,751	155,382,904
Dec 31	158,798,739	158,798,739	158,798,739	158,798,739	158,798,739
Dec 31, diluted	158,798,739	158,798,739	158,798,739	158,798,739	159,178,330

* For 2016, 2015, and 2014, only continuing operations.

Turnover and average share price per month 2017

l Turnover EUR

l Average price

13

F-SECURE 2017

CALCULATION OF KEY RATIOS

Equity ratio, %	Total equity	� 100
	Total assets – advance payments received
ROI, %	Result before taxes + financial expenses	� 100
	Total assets – non-interest bearing liabilities (average)
ROE, %	Result for the period	� 100
	Total equity (average)
Gearing, %	Interest bearing liabilities – cash and bank and AFS financial assets	� 100
	Total equity
Earnings per share, euro	Profit attributable to equity holders of the company
	Weighted average number of outstanding shares
Shareholders' equity	Equity attributable to equity holders of the company
per share, EUR	Number of outstanding shares at the end of period
P/E ratio	Closing price of the share, end of period
	Earnings per share
Dividend per earnings, %	Dividend per share	� 100
	Earnings per share
Effective dividends, %	Dividend per share	� 100
	Closing price of the share, end of period

STATEMENT OF COMPREHENSIVE INCOME JAN 1–DEC 31, 2017

EUR 1,000	Note	Consolidated, IFRS 2017	Consolidated, IFRS 2016
NET SALES	(1)	169,695	158,289
Material and services		–6,645	–5,762
GROSS MARGIN Other operating income	(4)	163,051 1,895	152,526 4,309
Sales and marketing	(5, 6)	–104,969	–95,487
Research and development	(5, 6)	–34,545	–28,396
Administration	(5, 6)	–14,321	–13,720
OPERATING RESULT		11,111	19,231
Financial income	(8)	3,213	3,269
Financial expenses	(8)	–2,383	–1,722
PROFIT (LOSS) BEFORE TAXES		11,941	20,778
Income tax	(10)	–1,181	–5,053
Result for the financial period from the continuing operations		10,760	15,725
Result for the financial period from the discontinued operations			–484
RESULT FOR THE FINANCIAL YEAR		10,760	15,241
Other comprehensive income
Other comprehensive income to be reclassified to profit or loss in subsequent periods
Exchange difference on translation of foreign operations		–839	–339
Available-for-sale financial assets	(9)	–117	901
Taxes related to components of other comprehensive income	(10)	23	–180
COMPREHENSIVE INCOME FOR THE YEAR		9,827	15,624
Result of the financial year is attributable to: Equity holders of the parent		10,760	15,241
Comprehensive income for the year is attributable to:
Equity holders of the parent Earnings per share continuing operations		9,827	15,624
– basic and diluted Earnings per share discontinued operations	(11)	0.07	0.10
– basic and diluted	(11)		0.00

16

STATEMENT OF FINANCIAL POSITION DEC 31, 2017

EUR 1,000	Note	Consolidated, IFRS 2017	Consolidated, IFRS 2016
ASSETS
NON-CURRENT ASSETS
Tangible assets	(12)	3,214	3,332
Intangible assets	(12)	14,733	13,400
Goodwill	(3, 13)	10,070	7,632
Deferred tax assets	(14)	3,528	2,734
Other receivables	(16)	666	77
Total non-current assets		32,211	27,175
CURRENT ASSETS
Inventories	(15)	588	109
Trade and other receivables	(16, 22)	50,061	46,182
Income tax receivables	(16)	1,435	342
Available-for-sale financial assets	(17, 22)	53,924	63,671
Cash and bank accounts	(18, 22)	36,300	29,050
Total current assets		142,309	139,354
Discontinued operations			1,534
TOTAL ASSETS		174,520	168,064

EUR 1,000	Note	Consolidated, IFRS 2017	Consolidated, IFRS 2016
SHAREHOLDERS' EQUITY AND LIABILITIES
SHAREHOLDERS' EQUITY	(19)
Share capital		1,551	1,551
Share premium		165	165
Treasury shares		–4,575	–5,741
Fair value reserve		983	1,077
Translation differences		–554	284
Reserve for invested unrestricted equity		5,378	5,211
Retained earnings		66,520	73,365
Equity attributable to equity holders of the parent		69,468	75,912
NON-CURRENT LIABILITIES
Deferred tax liabilities	(14)	357	361
Other non-current liabilities	(21)	17,502	13,916
Provisions	(21)	1,173	158
Total non-current liabilities		19,032	14,436
CURRENT LIABILITIES	(21)
Trade and other payables	(22)	37,950	32,088
Income tax liabilities		1,945	2,516
Other current liabilities		46,126	40,514
Total current liabilities		86,020	75,117
Discontinued operations			2,599
TOTAL SHAREHOLDERS' EQUITY AND LIABILITIES		174,520	168,064

17

STATEMENT OF CASH FLOWS JAN 1–DEC 31, 2017

EUR 1,000 Note	Consolidated, IFRS 2017	Consolidated, IFRS 2016	EUR 1,000 Note	Consolidated, IFRS 2017	Consolidated, IFRS 2016
Cash flow from operations			Cash flow from investments
Result for the financial year	10,760	15,241	Investments in intangible and tangible assets	–7,106	–6,890
Adjustments			Investments in subsidiary shares,
Depreciation and amortization	6,296	5,610	net of cash acquired (3)	–2,205
Profit / loss on sale of fixed assets	45	183	Investments in available-for-sale financial assets (17)	–7,742	–9,527
Other adjustments	1,938	4,663	Proceeds from sale of intangible and
Financial income and expenses	–830	–1,547	tangible assets (2)	46	44
Income taxes	1,181	4,932	Proceeds from available-for-sale
Cash flow from operations before change in working capital*	19,389	29,082	financial assets (17) Cash flow from investments	18,410 1,402	11,742 –4,630
Change in net working capital
Current receivables, increase (–), decrease (+)	–3,158	1,280	Cash flow from financing activities Dividends paid	–18,751	–18,696
Inventories, increase (–), decrease (+)	–457	26	Cash flow from financing activities	–18,751	–18,696
Non-interest bearing debt, increase (+), decrease (–)*	13,885	6,784
Provisions, increase (+), decrease (–)	–158	158	Change in cash	8,687	–1,434
Cash flow from operations before financial items and taxes	29,501	37,330	Cash and bank at the beginning of the period	29,050	29,919
Interest expenses paid	–74	–1,010	Effects of exchange rate changes	–1,437	565
Interest income received	1,032	93
Other financial income and expenses	–376	–731	Cash and bank at period end	36,300	29,050
Income taxes paid	–4,046	–13,790
Cash flow from operations	26,036	21,892

* Presentation of deferred revenue has been changed and the comparative year has been adjusted accordingly.

STATEMENT OF CHANGES IN EQUITY

Attributable to the equity holders of the parent

EUR 1,000	Share capital	Share premium fund	Treasury shares	Available for-sale	Translation diff.	Unrestricted equity reserve	Retained earn- ings	Total equity
Equity December 31, 2015	1,551	165	–6,966	355	623	5,102	76,224	77,055
Available-for-sale financial assets, net				721				721
Translation difference					–339			–339
Result of the financial year							15,241	15,241
Total comprehensive income for the year	0	0		721	–339	0	15,241	15,624
Dividends							–18,696	–18,696
Cost of share based payments			1,224			109	596	1,929
Other changes
Equity December 31, 2016	1,551	165	–5,741	1,077	284	5,211	73,365	75,912
Available-for-sale financial assets, net				–93				–93
Translation difference					–839			–839
Result of the financial year							10,760	10,760
Total comprehensive income for the year	0	0		–93	–839	0	10,760	9,827
Dividends							–18,751	–18,751
Cost of share based payments			1,166			167	1,147	2,480
Equity December 31, 2017	1,551	165	–4,575	983	–554	5,378	66,520	69,468

More information in note 19. Shareholders' equity.

NOTES TO THE FINANCIAL STATEMENTS

ACCOUNTING PRINCIPLES FOR THE CONSOLIDATED FINANCIAL STATEMENTS

Basic information

F-Secure produces online security and privacy services for consumers and businesses against malware and other threats.

The parent company of the Group is F-Secure Corporation incorporated in Finland and domiciled in Helsinki. Company's registered address is Tammasaarenkatu 7, 00180 Helsinki. A copy of consolidated financial statements can be downloaded on www.f-secure.com or can be received from the parent company's registered address.

These financial statements were authorized for issue by the Board of Directors on 8 February 2018. According to the Finnish Companies Act, the Annual General Meeting can confirm or reject the consolidated financial statements after publication. The Annual General Meeting can also decide to change the financial statements.

ACCOUNTING PRINCIPLES

The consolidated financial statements of F-Secure Corporation of 2017 have been prepared in accordance with International Financial Reporting Standards (IFRS), applying the IAS and IFRS standards as well as SIC and IFRIC interpretations that were in force and had been approved by the EU by 31 December 2017. The disclosures comply also with the Finnish accounting and corporate legislation.

Management judgment on significant accounting principles and use of estimates and assumptions

The preparation of consolidated financial statements requires the use of estimates and assumptions as well as the use of judgment when applying accounting principles. These affect the contents of the financial statements and it is possible that actual results may differ from estimates.

Estimates made in connection with the preparation of financial statements are based on management's best knowledge at the reporting date. Estimates build upon past experience as well as assumptions of the future development of the economic environment of the Group. Possible changes in estimates and assumptions are recognized in the period they occur and in all future periods.

The key assumptions concerning the future of the Group and estimates at the reporting date are related to:

• Revenue recognition: Judgment is applied related to timing of revenue recognition of fixed priced operator agreements as those contracts are typically negotiated separately and different contract terms could have significant impact on revenue recognition. In addition, there is judgement involved in assessing timing of revenue recognition for other contracts especially related to allocation of license agreement revenues between license revenue and maintenance revenue.
• Impairment of assets: At each reporting date, the Group assesses whether there is any indication that an asset may be impaired. In impairment testing, recoverable amount is determined based on value in use calculations. The key variables used in the calculations are profitability, growth rate and the discount rate. The key assumptions used to determine the recoverable amount for goodwill, including sensitivity analysis, are further explained in note 13;
• Deferred tax assets: The Group has assessed how much unused tax losses can be utilized in the future. Further details are disclosed in note 14;
• Development expenditures carried forward: Initial capitalization of cost is based on management's judgment on technological and economic feasibility. The Group has made assumptions regarding the expected future cash generation of the projects. Further details are disclosed in note 12.
• Recognizing share-based payment transactions: The cost of share-based payment transactions are based on the fair value at the date at which they were granted. The cost of

cash-settled transactions is measured by reference to the fair value at the date of balance sheet. The assumptions and models used for estimating fair value for share-based payment transactions are disclosed in note 20.

Principles of consolidation

Companies controlled directly or indirectly by F-Secure Corporation are consolidated in the financial statements using the acquisition method. Subsidiaries are consolidated from the date on which the Group obtains control on them. The consolidation stops when the control ceases. The Group does not have any associated companies nor is there any noncontrolling interest in the Group.

All intra-group transactions and balances, including unrealized profits arising from intra-group transactions, have been eliminated on consolidation. Where necessary, accounting policies of the subsidiaries have been adjusted to ensure consistency with the policies adopted by the Group.

Segment reporting

The Group has one segment, data security. Segment reporting is consistent with the internal reporting submitted to the chief operating decision-maker. The Leadership Team has been appointed the chief operating decision-maker, responsible for allocating resources and assessing performance as well as making strategic decisions.

Transactions in foreign currency

The consolidated financial statements of F-Secure Group are presented in euros, which is the parent company's functional currency. The income statements of foreign Group companies are translated at the average exchange rates for the financial year. The balance sheets are translated using the European Central Bank's exchange rates prevailing on the balance sheet date. Translation differences are recognized in shareholders' equity and the change in other comprehensive income.

The consolidated statement of cash flows is prepared by combining each subsidiary's individual cash flow statements and eliminating intra group cash flows. Individual cash flows are translated into Euros using average exchange rates for the financial year.

Foreign currency transactions are translated using the exchange rates prevailing at the dates of the transactions. At the balance sheet date, assets and liabilities denominated in foreign currencies are translated using the European Central Bank's exchange rates prevailing at that date. Exchange rate gains and losses of financial transactions are recognized in financial items in the income statement.

INTANGIBLE ASSETS

Goodwill

Goodwill is formed in a business combination, and it is measured as the amount by which the consideration transferred, the non-controlling interest in the acquiree and the previously held equity interest in the acquiree exceed the fair value of the net assets acquired.

Goodwill is not amortized but is instead tested for impairment yearly and whenever there is an indication that it may be impaired. For this purpose goodwill has been allocated to cash-generating units. Goodwill is recorded at historical cost less accumulated impairment losses.

Research and development costs

Research expenditure is recognized as an expense at the time it is incurred. Development expenditures on new products or product versions with significant new features are recognized as intangible assets when they fulfill the requirements set out in IAS 38. Amortization is recorded on a straight-line basis over the estimated useful life, which is 3–8 years for these assets.

Other intangible assets

Other intangible assets include intangible rights, software licenses and customer relationships, all with a finite useful life. Customer relationships have been acquired in a business combination, and they were originally valued using Multi-Period Excess Earnings model.

Other intangible assets with finite useful life are recorded at historical cost less accumulated amortization and possible impairment. Amortization is recorded on a straight-line basis over the estimated useful life of an asset. The estimated useful lives of other intangible assets are as follows:

Intangible rights	3–8 years
Other intangible assets	5–10 years
Customer relationships	8 years

Tangible assets

Tangible assets are recorded at historical cost less accumulated depreciation and possible impairment. Depreciation is recorded on a straight-line basis over the estimated useful life of an asset. The estimated useful lives of tangible assets are as follows:

Machinery and equipment	3–8 years
Other tangible assets	5–10 years

Other tangible assets include renovation costs of rented office space.

Gains or losses on disposal of tangible assets are shown in other operating income or expense.

Government grants

Government grants are recognized as income over those periods in which the corresponding expenses arise. These grants are recognized as other operating income in the income statement.

Inventories

Inventories are valued at the lower of cost and net realizable value. Cost is determined by first-in first-out method. Net realizable value is the estimated selling price that is obtainable, less estimated costs of completion and the estimated costs necessary to make the sale.

Leases

Leases where the lessor retains substantially all the risks and benefits of ownership of the asset are classified as operating leases. Operating lease payments are recognized as an expense in the income statement on a straight-line basis over the lease term. The Group has only operating leases.

Impairment of assets

At each reporting date, the Group assesses whether there is any indication that an asset may be impaired. Where an indicator of impairment exists, the Group makes a formal estimate of recoverable amount. The recoverable amount is estimated annually for the following assets regardless of whether any indication of impairment: goodwill, intangible assets with an indefinite useful life and intangible assets under construction.

Where the carrying amount of an asset exceeds its recoverable amount the asset is considered impaired and written down to its recoverable amount. The recoverable amount is the fair value of an asset less costs to sell or its value in use, whichever is higher. An impairment loss is recorded in the income statement.

A previously recognized impairment loss is reversed only if there has been a change in the estimates used to determine the asset's recoverable amount since the last impairment loss was recognized. The maximum reversal of an impairment loss amounts to no more than the carrying amount of the asset if no impairment loss had been recognized, net of depreciation. Impairment losses relating to goodwill cannot be reversed in future periods.

Pensions

All of F-Secure Group's pension arrangements are in accordance with local statutory requirements, and they are defined contribution plans. Contributions to defined contribution plans are recognized in the income statement in the period to which the contributions relate. The Group recognizes disability commitment of Finnish TyEL pension plan when disability appears.

Share-based payment transactions

In F-Secure's industry it is common practice that incentives are provided to employees in the form of equity-settled share-based instruments. The Company has two kinds of incentive programs; a synthetic warrant-based program and a share-based program.

F-Secure's synthetic warrant-based programs cover the Group's key personnel. The synthetic warrant-based program is settled as cash-settled payments. The liability is valued at fair value at grant date and the expense is recognized evenly in the income statement over the vesting period. The Group revalues the liability to fair value at each reporting date. The fair value is determined by using the binomial model. The cumulative expense recognized at grant date is based on the Group's estimate of the number of warrants that will ultimately vest at the end of the vesting period. If a person leaves the company before vesting, the warrant is forfeited. The Group updates its estimate of the ultimate number of warrants at each reporting date. Changes in the estimate are recorded in the income statement.

F-Secure's share-based incentive program is targeted to the Group's key personnel. The program is divided into an equity-settled and a cash-settled part. The equity-settled part is valued at fair value at grant date, and the expense is recognized evenly in the income statement over the vesting period with the counter-entry in retained earnings. Fair value is determined using the market value of the share of F-Secure Corporation. The cash-settled part is valued at fair value at grant date, and the expense is recognized evenly in the income statement over the vesting period with the counter-entry in liabilities. The cash-settled part is revalued to fair value at each reporting date. The cumulative expense recognized at grant date is based on the Group's estimate of the number of shares that will ultimately vest at the end of the vesting period. If a person leaves the company before vesting, the reward is forfeited. The Group updates its estimate of the ultimate number of shares at each reporting date. These changes in the estimate are recorded in the income statement.

Provisions

Provisions are recognized when the Group has a present obligation (legal or constructive) as a result of a past event, the outflow of resources is probable, and a reliable estimate of the amount of the obligation can be made.

Income taxes

Current income taxes are calculated on the taxable income in all Group companies in accordance with the local tax rules. Deferred taxes, resulting from temporary differences between the financial statement and the income tax basis of assets and liabilities, use the enacted tax rates in effect in the years in which the differences are expected to reverse. Deferred tax assets are recognized to the extent that it is probable that future taxable profit will be available.

Revenue recognition

Revenue is derived from corporate and consumer businesses. Corporate security business revenue includes cyber security products, managed services, and cyber security consulting. Cyber security products comprise endpoint protection solutions (Protection Service for Business, Business Suite), as well as solutions targeted at detecting and responding to advanced attacks (Rapid Detection Service, RDS) and vulnerability management (F-Secure Radar), which may be sold either as cyber security products or as managed services. Consumer security business revenue comes through operator and direct consumer channels, and the main products include F-Secure SAFE, F-Secure Freedome, and F-Secure KEY.

Cyber security product sales include license sales. In the corporate and direct consumer businesses, license agreements consist of initial license agreements and periodic maintenance agreements covering product updates and customer support. License fee revenue included in those agreements is recognized when the product is initially delivered, whereas the license agreements' maintenance revenue is recognized over the maintenance period. In the operator business, most of the license sales are usage-based and booked based on usage

reports, but there are also fixed price operator agreements. The terms of these agreements vary significantly and their revenue recognition is therefore defined case-by-case.

Service revenue, including cyber security consulting and managed services, is recognized at the time of delivery of the service.

Revenue and costs of fixed-price consulting projects are recognized as revenue and expenditure on the basis of the percentage of completion when the outcome of the project can be reliably estimated. The percentage of completion of the project is specified as the proportion of cost occurred compared to total estimated contract costs. When it is likely that the total costs required for completing the project exceed the total revenue from the transaction, the expected loss is recognized as an expense immediately.

Other operating income

Other operating income includes e.g. gain on sale of fixed assets, rental revenue, and government grants received for research and development projects.

Presentation of expenses

Classification of the functionally presented expenses has been made by presenting direct expenses in their respective functions and by allocating other expenses to operations on the basis of average headcount in each function.

Operating result

IAS 1 Presentation of Financial Statements standard does not define the concept of operating result. The Group has defined it as follows: operating result is the net amount, which consists of the net sales and other operating income less cost of purchase which is adjusted for changes in inventories, employee benefit costs, depreciation and amortization, possible impairment losses, and other operating expenses.

Treasury shares

Parent company has acquired treasury shares in 2008–2011. The purchase price of the shares has been deducted from equity.

Financial assets

According to IAS 39 standard, financial assets have been classified into financial assets at fair value through profit or loss, held-to-maturity, loans and receivables, and available-for-sale financial assets. The classification is made at original acquisition based on the purpose for which the assets were acquired. The cost of purchase includes transaction costs for other than assets at fair value through profit or loss. Purchases and sales of financial assets are recognized on the trade date. F-Secure currently has loans and receivables, available-for-sale financial assets, and financial assets at fair value through profit or loss (derivatives).

Loans and receivables originated by the enterprise are measured at amortized cost. Trade receivables are carried at the original invoice amount to customers less an estimate made for doubtful receivables. The Group records an impairment when there is objective evidence that the trade receivables will not be recovered in full. Evidence of impairment include debtor's significant financial difficulty, probability of bankruptcy, non-payments, and delay of payment for more than 90 days. Outstanding receivables are reviewed periodically and bad debts are written off when identified.

Available-for-sale financial assets consist mainly of interestbearing debt securities and shares in mutual funds invested in similar instruments. For assets that are actively traded in organized financial markets, fair value is determined by reference to Stock Exchange quoted market prices. Assets, the fair value of which cannot be measured reliably, are recognized at cost less impairment. The fair value changes of availablefor-sale financial assets are recognized in shareholders' equity under fair value reserve. When financial assets recognized as available-for-sale are sold or impaired, the accumulated fair

value changes are released from equity and recognized in the income statement.

Cash and cash equivalents in the Consolidated Statement of Financial position comprise cash at bank and in hand and other highly liquid short-term investments.

Financial liabilities

According to IAS 39 standard, financial liabilities are classified into financial liabilities at fair value through profit or loss, and loans and liabilities. Financial liabilities are initially recognized at fair value. The Group's financial liabilities consist of short-term trade payables and derivatives.

Derivative financial instruments and hedging

The Group uses derivative financial instruments such as forward currency contracts to hedge its risks associated with foreign currency fluctuations. Derivatives are valued at fair value. The fair value of forward currency contracts is calculated based on current forward exchange rates at the reporting date for contracts with similar maturity profiles. The gains and losses arising from the change of fair value are booked through the income statement as the Group does apply hedge accounting.

Discontinued operations

The result of discontinued operations is presented as a separate item in the consolidated statement of comprehensive income. Assets and liabilities of discontinued operations are presented separately from other items in balance sheet. Further details are disclosed in note 2.

THE NEW AND AMENDED STANDARDS ADOPTED BY THE GROUP

The Group has not applied new IFRS standards or interpretations during 2017.

New standards and interpretations not yet adopted

The Group has not yet adopted the following new and amended standards and interpretations already issued by the IASB:

– IFRS 15 Revenue from Customer Contracts requires that revenue is recognized when an entity satisfies performance obligations towards its customers. It has been concluded that the revenue from customer contracts shall mainly be recognized over time, as the nature of the performance obligation is such that F-Secure satisfies it throughout customer contract duration. The analysis has concluded that, cyber security software and services are, by large, considered as one performance obligation that is satisfied over time. The implementation of the new standard impacts mostly B2B and consumer e-commerce contracts of which a portion of the revenue was recognized upfront. Operator Contracts are not impacted.

F-Secure will adopt the IFRS15 revenue recognition standard as of 1 January 2018. The Group will be using the full retrospective method and the IFRS 15 restated figures for 2017 will be published in Q1 2018 Interim report. During last quarter of 2017, F-Secure completed the necessary calculations and adjustments as well as the system changes, that are in compliance with IFRS15 standard.

It is estimated that the impact of the IFRS15 standard on the restated 2017 revenue will be immaterial due to offsetting effect of the historical recognized revenue and deferral of the new sales. The standard impacts mainly contracts with upfront revenue recognition. Majority of the contracts are already recognized over time prior to application of the IFRS15 standard.

IFRS 15 standard impacts also the recognition of the incremental costs of obtaining contracts with customers. F-Secure will defer the recognition of the sales commissions. Impact of sales commissions deferral on 2017 is also low as

historical costs recognized are compensated by deferral of the new costs.

On the equity, we expect approximately EUR 0.8 million increase on opening retained earnings as of 1 January 2017 due to IFRS 15 implementation adjustment. The credit position of EUR 0.8 million, that is the net result of historical revenue deferral carry forward and deferral of commissions in excess of revenue impact.

– IFRS 9 Financial Instruments and subsequent amendments (effective for financial years beginning on or after 1 January 2018). The new standard replaces IAS 39 Financial Instruments: Recognition and Measurement. IFRS 9 changes the classification and valuation of financial assets and includes a new model for estimating impairment of financial assets, which is based on expected credit losses.

F-Secure has significant investments in fixed income funds, classified as available-for-sale financial assets under IAS 39. F-Secure is planning to classify these as fair value through profit or loss under IFRS 9. The classification change would result in increased volatility of the net result. However, this increase is not expected to be significant due to the nature of the funds. In the balance sheet perspective impact is limited only to a reclassification of fair value fund to retained earnings. F-Secure will adopt the new standard on the required effective date 1 January 2018.

The new impairment model requires the recognition of impairment provisions based on expected credit losses rather than only incurred credit losses as is the case under IAS 39. F-Secure does not expect the expected credit loss model to have a material impact on the consolidated financial statements.

– IFRS 16 – Leases (effective for financial year beginning on or after 1 January 2019, not yet endorsed for use by the European Union). IFRS 16 will result in almost all leases being recognized on the balance sheet, as the distinction between operating and finance leases is removed. Under the new standard, an asset (the right to use the leased item) and a financial liability to pay rentals are recognized. The only exceptions are short-term and low-value leases.

F-Secure currently has only operating leases, which consist mainly of rented office premises and leased cars. As at the reporting date, the group has non-cancellable operating lease commitments of EUR 13.7 million, see note 24. The new standard will increase both assets and liabilities significantly, and operating profit will improve as part of the lease-related expense will be reported as financial costs. The effects of the changes have not yet been quantified.

Other new or amended standards or interpretations are not expected to have an impact on the consolidated financial statements.

1. SEGMENT INFORMATION

The Group has one business segment, security. The chief operating decision maker i.e. the Leadership team gets financial information on a monthly basis of the revenue by sales channel. For the geographical information, revenue is presented based on the location of the customer and the long-term assets based on the location of the assets.

	Consolidated 2017	Consolidated 2016
Sales channels
Revenue from external customers
Consumer security	97,143	95,780
Corporate security	72,552	62,509
Total	169,695	158,289

Geographical information

Revenue from external customers

Total	28,017	24,364
Rest of world	413	562
North America	114	265
Rest of Europe	3,321	357
Nordic countries	24,170	23,179
Long-term assets
Total	169,695	158,289
Rest of world	20,952	21,238
North America	16,427	14,583
Rest of Europe	69,401	65,019
Nordic countries	62,916	57,449

2. DISCONTINUED OPERATIONS

OnF-Secure's personal cloud storage business (younited) was sold to Synchronoss Technologies in February 2015 and is reported as discontinued operations 2015–2016. The value of the transaction was USD 60 million in cash. As a part of the transaction, the companies also agreed on certain intellectual property and patent rights. The Group has classified the personal cloud storage business as discontinued operations.

Result for the financial period of the personal cloud business	Consolidated 2017	Consolidated 2016
Revenues		3,275
Expenses		–3,880
Result before taxes		–605
Taxes		121
Result for the period		–484
Net gain on disposal
Attributable taxes
Result after taxes		–484
Earnings per share, discontinued operations, EUR		0.00
Earnings per share, discontinued operations, diluted, EUR		0.00
Cash flow statement
Cash flow from operations		2,667
Cash flow from investments
Change in cash		2,667

3. ACQUISITIONS

On 15 February 2017, F-Secure acquired 100% of the shares of Inverse Path S.r.l., a small privately held company based in Italy providing security services to the avionics, automotive, and industrial control sectors. Goodwill arising on the acquisition is attributable to the know-how and expertise in the company, and it is not tax deductible.

On 10 May 2017, F-Secure acquired 100% of the shares of Digital Assurance Consulting Limited, a privately held UK based security consultancy firm offering information security assessment services to governments and companies in financial, petrochemical, retail, communication, and defense industries. The acquired intangible assets relate to existing customer relationships. Goodwill arising on the acquisition is attributable to the know-how and expertise in the company, and it is not tax deductible.

The acquisitions are individually immaterial to the consolidated financial statements.

Total consideration paid, aggregate value of intangible assets, other net assets acquired and resulting goodwill as of each acquisition date:

Other intangible assets	552
Other net assets	407
Total identifiable net assets	960
Goodwill	2,540
Total purchase consideration	3,499

24

4. OTHER OPERATING INCOME

EUR 1,000	Consolidated 2017	Consolidated 2016
Government grants	1,423	3,797
Rental revenue	390	319
Other	81	193
Total	1,895	4,309

5. DEPRECIATION, AMORTIZATION, AND IMPAIRMENT

EUR 1,000	Consolidated 2017	Consolidated 2016
Depreciation and amortization of non-current assets
Other intangible assets	–1,575	–1,355
Capitalized development	–3,234	–2,250
Intangible assets	–4,809	–3,605
Machinery and equipment	–1,371	–1,479
Other tangible assets	–116	–188
Tangible assets	–1,487	–1,668
Total depreciation and amortization	–6,296	–5,272
Depreciation and amortization by function
Sales and marketing	–3,978	–2,203
Research and development	–1,616	–2,831
Administration	–701	–238
Total depreciation and amortization	–6,296	–5,272

6. PERSONNEL EXPENSES

EUR 1,000	Consolidated 2017	Consolidated 2016
Personnel expenses
Wages and salaries	–70,824	–61,754
Pension expenses – defined contribution plan	–9,236	–8,375
Share-based payments	–3,717	–2,522
Other social expenses	–5,727	–8,545
Total	–89,503	–81,196

Employee benefits of the management are stated in disclosure 26. Related party transactions. Share-based payments are stated in disclosure 20. Share-based payment transactions.

Average number of personnel	1,067	981
Personnel by function December 31
Sales and marketing	636	570
Research and development	360	325
Administration	108	131
Total	1,104	1,026

7. AUDIT FEES

EUR 1,000	Consolidated 2017	Consolidated 2016
Group auditor
Audit fees, PricewaterhouseCoopers	–178	–145
Audit related fees, PricewaterhouseCoopers	–9
Audit fees, Ernst&Young		–89
Tax consulting, Ernst&Young		–65
Other consulting, PricewaterhouseCoopers	–97	–77
Other consulting, Ernst&Young		–43
Total	–284	–419

PricewaterhouseCoopers Oy has provided non-audit services to entities of F-Secure Group in total 106 thousand euros during the financial year 2017. These services included auditors' statements (9 thousand euros) and other services (97 thousand euros).

Other auditors
Audit fees	–79	–46
Tax consulting		–38
Total	–79	–84

8. FINANCIAL INCOME AND EXPENSES

EUR 1,000	Consolidated 2017	Consolidated 2016
Financial income
Dividends from available-for-sale financial assets	7	11
Other financial income from available-for-sale financial assets	872	579
Interest income from loans and receivables	997	93
Exchange gains	1,171	2,576
Other financial income	165	10
Total	3,213	3,269
Financial expenses
Interest expense from loans and liabilities	–72	–9
Exchange losses	–2,332	–1,635
Other financial expenses	21	–78
Total	–2,383	–1,722

Interest income in 2017 includes EUR 0.9 million refund of late payment interest related to withholding taxes from 2009–2011.

9. FINANCIAL INCOME AND EXPENSES IN OTHER COMPREHENSIVE INCOME

EUR 1,000	Consolidated 2017	Consolidated 2016
Components of other comprehensive income
Available-for-sale financial assets
Gains/(losses) arising during the year	677	954
Reclassification to profit or loss	–793	–52
Total	–117	901

10. INCOME TAX

EUR 1,000	Consolidated 2017	Consolidated 2016
Current income tax for the year	–2,159	–7,137
Adjustments for current tax of prior periods	54	–58
Change in deferred tax	924	2,142
Total	–1,181	–5,053
Components of other comprehensive income
Available-for-sale financial assests	23	–180

A reconciliation of income tax expense in the income statement and income tax calculated at the parent company's country of residence income tax rate (20%):

Result before taxes	11,941	20,778
Income tax at Finnish tax rate of 20%	–2,389	–4,156
Effect of overseas tax rates	–270	–90
Effect of changes in tax rates	41	30
Non-deductible expenses/tax-exempt revenue	–225	–788
Unrecognised tax losses	253	–17
Adjustments for prior period tax	54	866
Other	1,355	–899
Total	–1,181	–5,053

Other taxes in 2017 mainly consist returned withholding taxes EUR 2.1 million by offsetting EUR 0.5 million non-creditable withholding taxes. The 2016 adjustments for prior period tax include a positive EUR 0.9 million correction to the 2015 deferred tax asset in Japan. The misstatement is not considered material and has been booked through the change in deferred tax in the income statement in 2016. Other taxes in 2016 consist mainly of non-creditable withholding taxes.

In June, the Finnish Tax Administration's Board of Adjustment approved F-Secure's appeal related to withholding taxes. As a result EUR 3.1 million consisting of taxes, interests and late penalty payments was returned to the Company, and the payment was recorded in financial items and income taxes in the second quarter. The payment relates to the decision of Finnish Tax Authority in 2015 to adjust taxation for tax years 2009–2011 based on a partial tax audit. F-Secure appealed the decision and the Finnish Tax Administration's Board of Adjustment approved the appeal. The approval does not have an impact on future taxation of the Company. More information regarding the tax audit is available in the 2016 financial statements, disclosure 10, Income taxes.

26

11. EARNINGS PER SHARE

Basic earnings per share amounts are calculated by dividing net profit for the year attributable to ordinary equity holders of the parent by the weighted average number of ordinary shares outstanding during the year. Diluted earnings per share amounts are calculated by dividing the net profit attributable to ordinary shareholders by the weighted average number of ordinary shares outstanding during the year adjusted for the effects of dilutive options.

EUR 1,000	Consolidated 2017	Consolidated 2016
Net profit attributable to equity holders from continuing operations	10,760	15,241
Weighted average number of ordinary shares (1,000)	156,503	156,023
Adjusted weighted average number of ordinary shares for diluted earning per share	156,503	156,023
Basic and diluted earnings per share (EUR/share), continuing operations	0.07	0.10
Basic and diluted earnings per share (EUR/share), discontinued operations		0.00

The weighted average number of shares take into account the effect of change in treasury shares.

12. NON-CURRENT ASSETS

	INTANGIBLE ASSETS				TANGIBLE ASSETS
	Other Intangible	Capitalized development	Goodwill	Advance payments	Total	Machinery & equipment	Other tangible	Advance payments	Total
Acquisition cost Jan 1, 2016	19,923	12,369	7,599	3,044	42,936	29,065	3,635		32,700
Translation difference	3		32		36	95	10		105
Additions	174	69		4,586	4,828	1,987	112		2,098
Transfers		3,526		–3,526		30	–30		0
Disposals	–2,036	–1,310			–3,346	–3,376	–562		–3,938
Acquisition cost Dec 31, 2016	18,064	14,654	7,632	4,104	44,454	27,800	3,165		30,965
Translation difference	–6		–14		–20	–376	–41		–418
Acquisitions and divestments	532				532	100	11		111
Additions	499	68	2,453	5,011	8,031	1,068	470	2	1,540
Transfers	3,555	3,458	0	–7,013	0	–74	74		0
Disposals	–8,930	–1,453	0		–10,383	–15,590	–2,048		–17,638
Acquisition cost Dec 31, 2017	13,715	16,727	10,070	2,102	42,615	12,928	1,631	2	14,560
Acc. depreciation Jan 1, 2016	–15,649	–7,517			–23,166	–25,995	–3,298		–29,293
Translation difference	8	–2			6	–71	3		–69
Depreciation for the period	–1,355	–2,250			–3,605	–1,824	–188		–2,013
Depreciation of disposals	1,301	2,041			3,342	3,188	554		3,741
Acc. depreciation Dec 31, 2016	–15,694	–7,728			–23,423	–24,703	–2,930		–27,633
Translation difference	5	0			5	311	34		345
Acquisitions and divestments	–65				–65	–75			–75
Transfers	153	–153				–136	136		0
Depreciation for the period	–1,478	–3,233			–4,711	–1,357	–133		–1,491
Depreciation of disposals	8,929	1,453			10,382	15,485	2,021		17,506
Acc. depreciation Dec 31, 2017	–8,150	–9,661			–17,812	–10,475	–873		–11,347
Book value as at Dec 31, 2016	2,370	6,926	7,632	4,104	21,031	3,097	236		3,332
Book value as at Dec 31, 2017	5,565	7,066	10,070	2,102	24,803	2,453	759	2	3,214

FINANCIAL STATEMENTS F-SECURE CONSOLIDATED F-SECURE 2017

13. IMPAIRMENT TESTING OF GOODWILL

In impairment testing the Group's assets are tested against cash flow generated by the Group's Cyber Security Service and licenses sales.

The cash flow estimates have been reviewed by the management and cover the next four years. The estimates are based on value in use calculation using cash flow projections from the 2018 budgets and financial forecasts for years 2019–2021. Cash flows after the forecast period are taken into account by a terminal value calulated assuming a steady 1% per annum growth. The forecast profitability level is based on 2017 profitability, 2018 budget and longer term communicated profitability target level. The used discount rate is 8.5% before taxes. The impairment test, based on these assumptions, show no need to impair assets and/or goodwill.

Sensitivity to changes in assumptions

The main parameters in the calculations are profitability, growth rate and discount rate. If any of the main parameters would change so that the discounted cash flows would meet the book value, need for impairment would arise. However, the Group estimates such a change not to be reasonably possible.

14. DEFERRED TAX

EUR 1,000	Consolidated 2017	Consolidated 2016
Deferred tax assets relate to following:
Fixed assets	735	841
Accruals and provisions	3,075	2,289
Tax losses carried forward	67	88
Total	3,876	3,218
Offset against deferred tax liabilities	–349	–483
Net deferred tax assets	3,528	2,734
Change in deferred tax assets:
Recognized in profit or loss	–659	1,887
Deferred tax liabilities relate to the following:
Fixed assets	460	576
Available-for-sale financial assets	246	269
Total	706	845
Offset against deferred tax assets	–349	–483
Net deferred tax liabilities	357	361
Change in deferred tax liabilities:
Recognized in profit or loss	116	259
Recognized in other comprehensive income	23	–180

At December 31, 2017 the Group had 0.5 million euro losses carried forward that are available for offset against future taxable profits in the companies in which the losses arose.

15. INVENTORIES

EUR 1,000	Consolidated 2017	Consolidated 2016
Inventories	588	109

No impairment was recognized for inventories in years 2017 and 2016.

16. RECEIVABLES

EUR 1,000	Consolidated 2017	Consolidated 2016
Non-current receivables
Other receivables	666	77
Current receivables
Trade receivables	41,365	36,390
Loan receivables	10	15
Other receivables	1,155	2,364
Prepaid expenses and accrued income	7,532	7,413
Accrued income tax	1,435	342
Total	51,496	46,524

Ageing of trade receivables (including discontinued operations)

Not fallen due	27,329	26,339
1–90 days past due	10,840	10,051
Over 90 days past due	5,014	2,624
Less provision for bad debt	–1,818	–1,090
Total	41,365	37,924

Movements in the provision for impairment of trade receivables

Book value as at Jan 1	1,090	2,550
Change for the year	983	–460
Receivables written off during the year	–256	–1,000
Book value as at Dec 31	1,818	1,090

Material items included in prepaid expenses and accrued income

Prepaid royalty	2,507	2,982
Grant receivables	1,637	2,722
Other prepaid expenses	3,388	1,709
Total	7,532	7,413

29

17. AVAILABLE-FOR-SALE FINANCIAL ASSETS

Available-for-sale financial assets consist mainly of interest-bearing debt securities and shares in funds invested in similar instruments. For assets that are actively traded in organized financial markets, fair value is determined by reference to Stock Exchange quoted market bid prices at the close of business on the balance sheet date. Net asset value (NAV) is used as a practical expedient to measure fair value for the investments in non-listed funds. Assets, for which fair value cannot be measured reliably, are recognized at cost less impairment. The fair value changes of available-for-sale financial assets are recognized in shareholders' equity under fair value reserve.

EUR 1,000	Consolidated 2017	Consolidated 2016
Fair value as at Jan 1	63,671	64,437
Additions	7,742	9,527
Decreases	–18,403	–11,731
Gain on sale in the income statement	1,030	579
Change in fair value	–117	901
Impairment	0	–43
Fair value as at Dec 31	53,924	63,671
Shares – unlisted	26	27
Shares – listed	0	157
Funds	53,898	63,487
Fair value as at Dec 31	53,924	63,671

18. CASH AND SHORT-TERM DEPOSITS

EUR 1,000	Consolidated 2017	Consolidated 2016
Cash at bank and in hand	36,300	29,050

Available-for-sale financial assets are considered a part of the Group's ongoing cash management activities. See note 23. Financial risk management objectives and policies.

19. SHAREHOLDERS' EQUITY

Issued and fully paid

EUR 1,000	Number of shares	Share capital	Share premium fund	Unrestricted equity reserve	Treasury shares
Dec 31, 2015	155,802,690	1,551	165	5,102	–6,966
Deferred payment	455,510			109	1,224
Dec 31, 2016	156,258,200	1,551	165	5,211	–5,741
Deferred payment	455,510			167	1,166
Dec 31, 2017	156,713,710	1,551	165	5,378	–4,575

The share capital amounted to 1,551,311 euro and the number of shares was 158,798,739 (including own shares 2,085,029) at the end of 2017. A share has no nominal value. Accountable par value is EUR 0.01.

Share premium fund

Proceeds from exercised warrants were recognized under the share capital and share premium fund until March 26, 2008.

Unrestricted equity reserve

On March 20, 2007, the shareholders' meeting decided to decrease the share premium fund. The decreased amount of 33,582 thousand euro was transferred to unrestricted equity reserve. On March 26, 2008, the shareholders' meeting decided that the total amount of the subscription prices paid for new shares issued after the date of the meeting, based on stock options under the F-Secure Stock Option Plan 2005, be recorded in Companys' unrestricted equity reserve. Any excess after settling treasury shares as share based incentive and as board compensation is recorded in unrestricted equity reserve.

Translation differences

The translation difference is used to record exchange difference arising from the translation of the financial statements of foreign subsidiaries.

Dividends proposed and paid

Proposed for approval at AGM for financial year 2017 is 0,04 euro per share (6,268,548.40 euro in total). Final dividend for financial year 2016 was 0.12 euro per share, paid during 2017 (18,750,984.00 euro in total). Final dividend for financial year 2015 was 0.12 euro per share, paid during 2016 (18,696,322.80 euro in total).

Treasury shares

Treasury shares contains the purchase value of own shares owned by the Group. The cost of acquisition is reported as a deduction in shareholders' equity. The shares were acquired through

31

public trading on NASDAQ OMX Helsinki. The parent company has not acquired treasury shares during the period. The parent companys' treasury shares were used in a deferred payment of the 2015 acquisition.

The total number of acquired treasury shares was 2,085,029 at the end of 2017. This represents 1.3% of the Company's voting power on December 31, 2017.

Fair value reserve

The reserve is used to record increments and decrements in the fair value of available-for-sale financial assets.

	Before tax	Tax	After tax	Total
Fair value reserve Dec 31, 2015	444	–89	355	355
Available-for-sale, net	954	–191	763	763
Fair value gains/losses to PL	–52	10	–42	–42
Fair value reserve Dec 31, 2016	1,346	–269	1,077	1,077
Available-for-sale, net	677	–135	541	541
Fair value gains/losses to PL	–793	159	–634	–634
Fair value reserve Dec 31, 2017	1,229	–246	983	983

20. SHARE-BASED PAYMENT TRANSACTIONS

During the period the Group has had four different incentive plans which cover the key personnel of the Group.

Synthetic option-based incentive program

The synthetic option-based incentive program has been established on and April 2015 as part of the key employee incentive and retention system within F-Secure Group. The program offer for the participants a possibility to receive synthetic options of F-Secure Corporation as a longterm incentive compensation. No reward can be given to any participating employee, whose employment has terminated before the end of the vesting period.

The synthetic option-based incentive program will last five years. Program comprise three granting periods and a subsequent vesting period of two years after each granting year. The program 2015–2017 ends on December 31, 2019. Within the framework of program, the aggregate number of options to be given as reward cannot exceed 5 million. The actual compensation is the difference of subscription price and the vesting price, and will be paid to the participating employees as a cash-settled payment.

The subscription price of the synthetic option is the weighted average share price in the period of October to December prior to the granting year. The vesting price is the weighted average share price in period of September to November prior to the payment month.

The subscription price for the granting period 2015 is 2.01.The subscription price for the granting period of 2016 is 2.65.

Options outstanding

EUR 1,000	2017				2016
Outstanding Jan 1	1,480,000	Outstanding Jan 1	1,455,000
Granted	0	Granted	715,000
Forfeited	–210,000	Forfeited	–95,000
Exercised	–600,000	Exercised	–595,000
Expired	0	Expired	0
Outstanding Dec 31	670,000	Outstanding Dec 31	1,480,000

Expense arising from share-based payment transactions during the period was 1,001 thousand euro (1,121 thousand euro in 2016). The carrying amount of liability at December 31, 2017 was 1,856 thousand euro.

The fair value of options granted during the period was determined by using the Binomial model.

Parameters used:		Synthetic option program
	2017	2016
Weighted average share price EUR	–	2.78
Weighted average exercise price EUR	–	–
Expected volatility	–	29.00%
Option life in years	–	2.0
Risk-free interest rate	–	0.63%
Expected dividends		–

No options was granted during the period 2017.

Expected volatility reflects the assumption that the historical volatility is indicative of future trends, which may also not necessarily be the actual outcome. Based on previous years, the company has estimated that 2–3% of granted options will be forfeited.

Share-based incentive programs

During the period the Group had three share-based incentive programs. The share-based incentive programs has been established as part of the key employee incentive and retention system within F-Secure Group. The program will offer for the participants a possibility to receive shares of F-Secure Corporation as an incentive reward if the Company's financial targets set for the earning period have been achieved. No reward can be given to any participating employee, whose employment has terminated before the end of the lock-up period.

The share-based incentive program 2014–2016 has been established in March 2014. The program will last five years. It comprises three earning periods. Each earning period lasts three years. The program ends on December 31, 2018. The rewards will be settled in two phases so that one part is settled as equity-settled payment and one part as cash-settled payment. On the basis of the program maximum total of 10,000,000 shares and a cash payment corresponding to the

32

registration date value of the shares shall be given as reward. The Board approves the metrics, targets and participants on annual basis for each earning period.

The share-based incentive program 2017–2019 has been established in February 2017. The program will last five years. It comprises three earning periods. Each earning period lasts three years. The program ends on December 31, 2021. The rewards will be settled in two phases so that one part is settled as equity-settled payment and one part as cash-settled payment. On the basis of the program maximum total of 10,000,000 shares and a cash payment corresponding to the registration date value of the shares shall be given as reward. The Board approves the metrics, targets and participants on annual basis for each earning period.

The restricted share-based incentive program 2017–2019 has been established in February 2017. The program is divided into individual restricted share plans. The program includes individual earning periods for each plan. Earning periods will commence based on the decision of the Board of Directors. The program ends on December 31, 2019. The rewards will be settled in two phases so that one part is settled as equity-settled payment and one part as cash-settled payment. On the basis of the program maximum total of 600,000 shares and a cash payment corresponding to the registration date value of the shares shall be given as reward. The Board of Directors shall determine the amount of the maximum reward for each individual plan and participant.

The participating employee shall be entitled to the shareholder rights of the reward shares (e.g. dividend) from the moment the shares have been entered into the participating employee's book-entry account.

Expense arising from the share-based payment transactions during the period was 2,793 thousand euro (1,356 thousand euro in year 2016). The costs of equity-settled transactions are measured by reference to the fair value of the F-Secure Corporation share at the date on which they are granted. The costs of cash-settled transactions are measured by reference to the fair value of the F-Secure Corporation share on date of balance sheet.The Group updates the estimate of the number of equity instruments that will ultimately vest at each reporting date.

21. LIABILITIES

EUR 1,000	Consolidated 2017	Consolidated 2016
Non-current liabilities
Deferred tax liability	357	361
Deferred revenue	15,006	13,737
Other non-current liability	2,495	179
Provisions	1,173	158
Total	19,032	14,436
Current liabilities
Deferred revenue	46,126	40,514
Trade payables	6,220	6,556
Other liabilities	5,297	5,058
Accrued expenses	26,433	20,474
Income tax liabilities	1,945	2,516
Total	86,020	75,117
Material amounts shown under accruals and deferred income
Accrued personnel expenses	15,409	14,984
Deferred royalty	1,695	980
Other accrued expenses	9,330	4,510
Total	26,433	20,474
Provisions
Book value as at 1.1.	158
Arising during the year		158
Used during the year	–158
Transfer from discontinued operations	1,173
Book value as at 31.12.	1,173	158

A French service provider has issued claims against F-Secure based on a contract relating to purchase of services. The matter is subject of an ongoing appeal process in a French court instance. A provision of EUR 1.2 million has been recognized in the discontinued operations in previous years based on the ongoing litigation. F-Secure does not anticipate the presented claims and the eventual outcome of the dispute to materially impact its financial position.

22. FINANCIAL ASSETS AND LIABILITIES

EUR 1,000	Consolidated 2017	Consolidated 2016
Loans and other receivables	10	15
Trade receivables	41,365	36,390
Available-for-sale financial assets	53,924	63,671
Cash and bank accounts	36,300	29,050
Trade payables	–6,220	–6,556
Total	125,379	122,570

The carrying amounts of the Group's financial instruments are equivalent to fair values.

Fair value hierarchy

The Group uses the following hierarchy for determining and disclosing the fair value of financial intruments by valuation technique

Level 1: quoted prices in active markets for indentical assets or liabilities

Level 2: other techniques for which all inputs which have a significant effect on the recorded fair value are observable, either directly or indirectly

Level 3: techinques which use inputs which have a significant effect on the recorded fair value that are not based on observable market data

Assets measured at fair value	Total	Level 1	Level 2	Level 3
Available-for-sale financial assets Dec 31, 2017	53,924	0	53,898	26
Available-for-sale financial assets Dec 31, 2016	63,671	157	63,487	27

23. FINANCIAL RISK MANAGEMENT OBJECTIVES AND POLICIES

General

The goal of risk management is to identify risks that may hinder the Group from achieving its business objectives. The responsibility for the Company's risk management lies with the CEO, the management and ultimately with the Board of Directors. The risks related to the Group's financial instruments are mainly related to credit risks and foreign currency fluctuations. The Group's available-for-sale assets are also exposed to interest rate fluctuations.

Credit risk

The Group trades only with recognized, creditworthy third parties. Receivable balances are monitored and collected on an ongoing basis. The maximum exposure to credit risk at the reporting date is the carrying value of financial assets. There are no significant concentrations of credit risk within the Group. See notes 16. Receivables and 22. Financial assets and liabilities.

Liquidity risk

Economic situation improved and the Group's liquidity remained good level. At the end of the year the market value of the available-for-sale financial assets was 53.9 million euro (63.7 million euro in 2016) and cash and bank 36.3 million euro (29.0 million euro in 2016). The Group's financial management makes cash flow forecasts regularly to ensure the financial needs of the business operations are met. The management has not identified any significant concentrations of liquidity risks in the financial assets or in sources of finance.

Foreign currency risk

The Group invoices mainly in Euros. However, there are some transactional currency exposures that arise from sales or purchasing in other currencies. The other main measurement currencies are USD, JPY, SEK, GBP and BRL. In order to minimize the impact of the fluctuation of the exchange rates, the goal is to use forward currency contracts to eliminate the currency exposure of the estimated cash flow of these currencies for a period of three months.

Derivatives Currency instruments – Currency forward contracts

EUR 1,000	Consolidated 2017	Consolidated 2016
Nominal value	448	2,970
Fair value	5	14

F-Secure Corporation has hedged receivables denominated in GBP with forward rate contracts. The forward rate contracts expire on January 15, 2018. The company does not have other derivatives.

F-Secure Corporation does not hedge investements made in its subsidiaries because the impact of changes of exchange rates would not be relevant in the Group's balance sheet.

34

FINANCIAL STATEMENTS F-SECURE CONSOLIDATED F-SECURE 2017

	Consolidated 2017	Consolidated 2016
Sales in different currencies	%	%
EUR	69	69
SEK, GBP	7	7
USD, JPY	17	16
Other currencies	7	7
	100	100

The risk involved in the sales in foreign currency is notabaly diminished by the operational expenses in subsidiaries that use the same currency.

Financial assets and liablilities in

different currencies	%	%
EUR	70	75
SEK, GBP	5	5
USD, JPY	14	12
Other currencies	10	8
	100	100

The table below demonstrates how sensitive the Group's profit before taxes is to reasonably possible changes in the USD, JPY, SEK, GBP and BRL exchange rate, assuming that all other variables are held constant. The analysis is based +/– 10% exchange rate change on trade receivables and does not include forward currency contracts.

USD, JPY	+672/–672	+550/–550
GBP, SEK	+316/–316	+293/–293
BRL	+8/–8	+237/–237

Interest rate risk

The Group does not have any interest bearing liabilities. Based on the Group's conservative investment policy, it invests its cash mainly in short term and low risk funds. Investments are made in creditworthy funds. These available-for-sale investments are exposed to market risk for changes in interest risks.

The Group's objective is to maintain a balance between continuity of funding and flexibility through the use of cash and available-for-sale financial assets. See note 17 and 18.

Capital management

The Group's shareholders' equity is managed as capital. There are no external capital requirements related to the equity. The objective of the Group's capital management is to maintain an efficient capital structure that ensures the functioning of business operations and promotes shareholder value. The Group's capital structure is reviewed as a part of financial performance monitoring.

The capital structure can be adjusted among other things by distribution of dividends, share repurchase or capital repayment. The dividend policy of F-secure Corporation is to pay approximately half of its annual profit as dividend. Subject to circumstances, the Company may deviate from its policy.

24. OPERATING LEASE COMMITMENTS

The Group has entered into commercial leases on office space and on motor vehicles. Motor vehicle leases have an average life of three years and office space between two and six years with renewal terms included in the contracts.

Future minimum rentals payable under non-cancellable operating leases as at 31 December 2017 are as follows

As lessee

EUR 1,000	Consolidated 2017	Consolidated 2016
Within one year	5,924	5,989
After one year but not more than five years	7,777	11,482
Total	13,702	17,470
Rents during the period	5,180	5,569

25. CONTINGENT LIABILITIES

EUR 1,000	Consolidated 2017	Consolidated 2016
Other liabilities
Others	173	222

F-Secure is a party in some disputes and is defending itself accordingly. Currently the Company is not able to give an exact estimate of the likelihood or the amount of possible damages. Taking into account all available information to date the outcome is not expected to have a material impact on the financial position of the Group.

FINANCIAL STATEMENTS F-SECURE CONSOLIDATED F-SECURE 2017

26. RELATED PARTY DISCLOSURES

The Group's related parties include Parent Company and subsidiaries, as well as members of the Board, Managing Director and members of the Leadership Team.

Compensation of key management personnel of the Group

EUR 1,000	Consolidated 2017	Consolidated 2016
Wages and other short-term employee benefits	2,319	2,423
Share-based payments	1,014	768
Total	3,333	3,191

Wages and other short-term employee benefits

EUR 1,000	Consolidated 2017	Consolidated 2016
Managing Director	407	631
Leadership Team	1,687	1,513
Members of the Boards of Directors	225	279
	2,319	2,423

Board of Directors 2017 and Managing Director

EUR 1,000	Wages	Fees	Incentive reward
Samu Konttinen, Managing Director	407		312
Risto Siilasmaa, Chairman of the Board		55
Pertti Ervi		40
Matti Heikkonen		30
Sofie Nystrøm		30
Päivi Rekonen		30
Bruce Oreck		30
Ari Inki		10
Total	407	225	312

Incentive reward granted to Managing Director is measured as following; the equity-settled part to the fair value of the F-Secure Corporation share at the date which it was granted and cashsettled part to the fair value of the share on the date of balance sheet. The cost is recognized over the period in which the performance conditions are fullfilled 5 October 2017–31 December 2019.

The Managing Director's retirement age and the determination of his pension conform to the standard rules specified by Finland's Employee Pension Act (TYEL). The pension cost of the Managing Director over the period was 73 thousand euro (117 thousand euro in year 2016). The period of notice for the Managing Director is six (6) months both ways and Managing Director is entitled to severance payment equivalent of six (6) months' salary.

27. SUBSIDIARIES

Company	Country of incorporation	Group (%)
Parent F-Secure Corporation, Helsinki	Finland
DF-Data Oy, Helsinki	Finland	100
F-Secure Inc., San Jose	United States	100
F-Secure (UK) Ltd, London	United Kingdom	100
F-Secure KK, Tokyo	Japan	100
F-Secure GmbH, Munich	Germany	100
F-Secure eStore GmbH, Munich	Germany	100
F-Secure SARL, Maisons-Laffitte	France	100
F-Secure SDC SAS, Bordeaux	France	100
F-Secure BVBA, Heverlee-Leuven	Belgium	100
F-Secure AB, Stockholm	Sweden	100
F-Secure Srl, Milano	Italy	100
F-Secure SP z.o.o.,Warsaw	Poland	100
F-Secure Corporation (M) Sdn Bhd, Kuala Lumpur	Malaysia	100
F-Secure Pvt Ltd, New Delhi	India	100
F-Secure Pte Ltd, Singapore	Singapore	100
F-Secure B.V., Utrecht	The Netherlands	100
F-Secure Limited, Hong Kong	Hong Kong	100
F-Secure Pty Limited, Sydney	Australia	100
F-Secure Iberia SL, Barcelona	Spain	100
F-Secure do Brasil Tecnol. da Informãcao Ltda, Saõ Paulo	Brazil	100
F-Secure Chile Limitada, Santiago	Chile	100
F-Secure Informatica S de RL de CV, Mexico City	Mexico	100
F-Secure Software (Shanghai) Co Ltd, Shanghai	China	100
F-Secure Danmark A/S, Copenhagen	Denmark	100
F-Secure Cyber Security Services Oy, Helsinki	Finland	100
nSense Polska Sa, Poznan	Poland	100
nSense Estonia OÛ, Tartu	Estonia	100
F-Secure Norge AS, Baerum	Norway	100
F-Secure Argentina S.R.L., Buenos Aires	Argentina	100
Inverse Path S.r.l., Trieste	Italy	100
Digital Assurance Consulting Limited, London	United Kingdom	100

35

FINANCIAL STATEMENTS F-SECURE CONSOLIDATED F-SECURE 2017

28. SHARES AND SHAREHOLDERS

Shares and share ownership distribution, December 31, 2017

Shares	Number of shareholders	% of share- holders	Total shares	% of shares
1–100	4,359	19.81%	246,560	0.16%
101–1,000	13,631	61.95%	5,008,317	3.15%
1,001–50,000	3,946	17.93%	15,666,899	9.87%
50,001–100,000	28	0.13%	1,927,551	1.21%
100,001–	41	0.19%	135,949,412	85.61%
Total	22,005	100.00%	158,798,739	100.00%

Shareholders by category, December 31, 2017	Total shares	% of shares
Corporations	6,779,286	4.27%
Financial and insurance institutions	51,792,681	32.62%
General government	16,427,310	10.34%
Non-profit organizations	409,342	0.26%
Households	82,374,471	51.87%
Other countries and international organizations	1,015,649	0.64%
Total	158,798,739	100.00%

Largest shareholders and administrative register

Owner	Shares	% of shares	% of votes
Risto Siilasmaa	59,969,896	37.76%	38.27%
Nordea Nordic Small Cap Fund	8,074,856	5.08%	5.15%
Mandatum Life Insurance Company	6,791,936	4.28%	4.33%
Elo Mutual Pension Insurance Company	6,726,000	4.24%	4.29%
The State Pension Fund	3,500,000	2.20%	2.23%
Varma Mutual Pension Insurance Company	3,470,660	2.19%	2.21%
Kaleva Mutual Insurance Company	1,836,073	1.16%	1.17%
Nordea Pro Suomi Fund	1,602,616	1.01%	1.02%
Ilmarinen Mutual Pension Insurance Company	1,502,835	0.95%	0.96%
Taaleritehdas Mikro Markka Fund	1,325,557	0.83%	0.85%

Administrative register

Skandinaviska Enskilda Banken	15,905,641	10.02%	10.15%
Nordea Bank Ab Finnish Branch	12,280,695	7.73%	7.84%
Other registers	2,645,860	1.67%	1.69%
Other shareholders	31,081,085	19.57%	19.83%
Total	156,713,710	98.69%	100.00%
Own shares F-Secure Corporation	2,085,029	1.31%
Total	158,798,739	100.00%

Ownership of management

Board of Directors	Shares	% of shares
Risto Siilasmaa	59,969,896	37.76%
Pertti Ervi	51,036	0.03%
Matti Heikkonen	23,565	0.01%
Bruce Oreck	8,123	0.01%
Ari Inki	6,856	0.00%
Sofie Nystrøm	2,830	0.00%
Päivi Rekonen	2,830	0.00%
Total	60,065,136	37.82%

Executive team	Shares	% of shares
Samu Konttinen	82,103	0.05%
Mari Heusala	1,800	0.00%
Jari Still	100,657	0.06%
Mika Ståhlberg	29,263	0.02%
Eriikka Söderström	40,000	0.03%
Jens Thonke	166,359	0.10%
Total	420,182	0.26%

Ownership of management

The Board of Directors owned a total of 60,065,136 shares on December 31, 2017. This represents 37.8 percent of the Company's shares and 38.3 percent of votes.

FINANCIAL STATEMENTS F-SECURE CORPORATION FINANCIAL STATEMENTS F-SECURE CORPORATION F-SECURE 2017

37

INCOME STATEMENT JAN 1–DEC 31, 2017

EUR 1,000		FAS 2017	FAS 2016
NET SALES	(1)	135,732	134,108
Material and service		–6,676	–6,550
GROSS MARGIN		129,056	127,558
Other operating income	(2)	3,907	5,947
Sales and marketing	(3, 4)	–79,944	–75,781
Research and development	(3, 4)	–31,517	–26,233
Administration	(3, 4)	–12,330	–10,237
OPERATING RESULT		9,173	21,254
Financial income and expenses	(6)	1,039	1,403
PROFIT (LOSS) BEFORE APPROPRIATIONS AND TAXES		10,212	22,657
Change in depreciation reserve		542	–145
Income taxes	(7)	–558	–5,828
RESULT FOR THE FINANCIAL YEAR		10,196	16,684

BALANCE SHEET DEC 31, 2017

EUR 1,000		FAS 2017	FAS 2016
ASSETS
NON-CURRENT ASSETS
Intangible assets	(8)	14,735	13,456
Tangible assets	(8)	1,610	1,947
Investments in group companies	(9)	23,353	18,581
Total non-current assets		39,698	33,984
CURRENT ASSETS
Inventories	(10)	588	109
Long-term receivables	(11)	69	740
Short-term receivables	(11)	52,901	45,768
Short-term investments	(12)	53,924	63,670
Cash and bank accounts	(13)	16,071	15,141
Total current assets		123,553	125,429
TOTAL ASSETS		163,251	159,413

EUR 1,000		FAS 2017	FAS 2016
SHAREHOLDERS' EQUITY AND LIABILITIES
SHAREHOLDERS' EQUITY	(14, 15)
Share capital		1,551	1,551
Share premium		165	165
Treasury shares		–4,575	–5,741
Fair value reserve		983	1,077
Reserve for invested unrestricted equity		5,378	5,211
Retained earnings		45,377	47,443
Profit for the financial year		10,196	16,684
Total shareholders' equity		59,075	66,390
APPROPRIATIONS
Depreciation reserve		514	1,056
LIABILITIES
Deferred tax liabilities	(17)	246	269
Long-term liabilities	(17)	14,467	12,629
Short-term liabilities	(17)	88,949	79,069
Total liabilities		103,662	91,967
TOTAL SHAREHOLDERS' EQUITY AND LIABILITIES		163,251	159,413

39

CASH FLOW STATEMENT JAN 1–DEC 31, 2017

EUR 1,000	FAS 2017	FAS 2016	EUR 1,000	FAS 2017	FAS 2016
Cash flow from operations			Cash flow from investments
Result for the financial year	10,196	16,684	Investments in intangible and tangible assets	–6,536	–8,073
Adjustments			Investments in subsidiary shares	–4,939
Depreciation and amortization	5,597	4,257	Other investments	–7,742	–9,527
Profit / loss on sale of fixed assets	–49	31	Proceeds from sale of intangible and
Other adjustments	–260	2,373	tangible assets	46	22
Financial income and expenses	–1,039	–1,403	Proceeds from sale of other investments	18,397	11,731
Income taxes	568	5,828	Intercompany loans granted	–80
Adjustments*	4,817	11,086	Dividends received	7	11
Cash flow from operations before change in working capital	15,013	27,770	Cash flow from investments	–847	–5,837
Change in net working capital			Cash flow from financing activities
Current receivables, increase (–), decrease (+)	–5,560	482	Dividends paid	–18,751	–18,696
Inventories, increase (–), decrease (+)	–479	26
Non-interest bearing debt, increase (+), decrease (–) *	13,291	7,011	Cash flow from financing activities	–18,751	–18,696
			Change in cash	949	–3,531
Cash flow from operations before financial items and taxes	22,265	35,289
			Cash and bank at the beginning of the period	15,141	18,672
Interest expenses paid	–13	–1,003
Interest income received	996	83	Cash and bank at period end	16,090	15,141
Other financial income and expenses	–59	–613
Income taxes paid	–2,642	–12,753
Cash flow from operations	20,547	21,002

* Presentation of deferred revenue has been changed and the comparative year has been adjusted accordingly.

Basic information

F-Secure produces online security and privacy services for consumers and businesses against malware and other threats.

F-Secure Corporation is the parent company of F-Secure Group, incorporated in Finland and domiciled in Helsinki. Company's registered address is Tammasaarenkatu 7, 00180 Helsinki. Copy of consolidated financial statements can be downloaded from www.f-secure.com or can be received from the Company's registered address.

ACCOUNTING PRINCIPLES

The financial statement of F-Secure Corporation has been prepared in accordance with Finnish Accounting Standards (FAS).

Foreign currency translation

Foreign currency transactions are translated into the local currency using fixed monthly exchange rates. At the balance sheet date, assets and liabilities denominated in foreign currencies are translated at the European Central Bank rates of exchange prevailing at that date. Exchange rate gains and losses of financial transactions are recognized in the income statement under financial items. Forward rate contracts for hedging purposes are recognized using the exchange rate prevailing at the balance sheet date.

Tangible and intangible assets

Intangible assets include intangible rights and software licenses. Intangible assets recognized on merger consist of technology-based intangible assets. Tangible and intangible assets are recorded at historical cost less accumulated depreciation, amortization, and possible impairment. Depreciation and amortization is recorded on a straight-line basis over the estimated useful life of an asset. The estimated useful lives of tangible and intangible assets are as follows:

Machinery and equipment	3–8 years
Capitalized development costs	3–8 years
Intangible rights	3–8 years
Intangible assets	5–10 years

Ordinary repairs and maintenance costs are charged to the income statement during the financial period in which they are incurred. The cost of major renovations is included in the assets' carrying amount when it is probable that the Company will derive future economic benefits in excess of the originally assessed standard or performance of the existing asset. Any gain or loss arising on derecognition of the asset (calculated as the difference between the net disposal proceeds and the carrying amount of the asset) is included in the income statement in the year the asset is derecognized.

Research and development costs

Research expenditure is recognized as an expense at the time it is incurred. Development expenditures incurred on individual projects of totally new products or product versions with significant new features are capitalized.

Inventories

Inventories are valued either by cost or net realizable value, whichever is lower. Cost is determined by first-in first-out method. Net realizable value is the estimated selling price that is obtainable, less estimated costs of completion and the estimated costs necessary to make the sale.

Leases

Leases where the lessor retains substantially all the risks and benefits of ownership of the asset are classified as operating leases. Operating lease payments are recognized as an expense in the income statement on a straight-line basis over the lease term. The Company has only operating leases.

Pensions

Pension arrangement is a local statutory arrangement, which is a defined contribution plan. Contributions to defined contribution plans are recognized in income statement in the period to which the contributions relate. The Company recognizes the disability commitment of TyEL pension plan when disability appears.

Share-based payment transactions

In F-Secure's industry it is common practice that incentives are provided to employees in the form of equity-settled share-based instruments. The Company has two kinds of incentive programs; a synthetic warrant-based program and a share-based program.

F-Secure's synthetic warrant-based programs cover the Group's key personnel. The synthetic warrant-based program is settled as cash-settled payments. The liability is valued at fair value at grant date and the expense is recognized evenly in the income statement over the vesting period. The Group revalues the liability to fair value at each reporting date. The fair value is determined by using the binomial model. The cumulative expense recognized at grant date is based on the Group's estimate of the number of warrants that will ultimately vest at the end of the vesting period. If a person leaves the company before vesting, the warrant is forfeited. The Group updates its estimate of the ultimate number of warrants at each reporting date. Changes in the estimate are recorded in the income statement.

The share-based incentive program is targeted to the Company's key personnel. The program is divided into an equity-settled and a cash-settled part. The cash-settled part is valued at fair value at grant date, and the expense is recognized evenly in the income statement over the vesting period with the counter-entry in liabilities. The cash-settled part is revalued to fair value at each reporting date. The cumulative expense recognized at grant date is based on the Group's estimate of the number of shares that will ultimately vest at the end of the vesting period. If a person leaves the company before vesting, the reward is forfeited. The Group updates its estimate of the ultimate number of shares at each reporting date. These changes in the estimate are recorded in the income statement. The share-settled part is valued at fair value and recorded as an expense in the income statement at the end of the vesting period. Fair value is defined using the market value of the share of F-Secure Corporation.

40

Income taxes

Current income taxes are calculated in accordance with the local tax and accounting rules. Deferred taxes, resulting from temporary differences between the financial statement and the income tax basis of assets and liabilities, use the enacted tax rates in effect in the years in which the differences are expected to reverse.

Revenue recognition

Revenue is derived from corporate and consumer businesses. Corporate security business revenue includes cyber security products, managed services, and cyber security consulting. Cyber security products comprise endpoint protection solutions (Protection Service for Business, Business Suite), as well as solutions targeted at detecting and responding to advanced attacks (Rapid Detection Service, RDS) and vulnerability management (F-Secure Radar), which may be sold either as cyber security products or as managed services. Consumer security business revenue comes through operator and direct consumer channels, and the main products include F-Secure SAFE, F-Secure Freedome, F-Secure KEY, and F-Secure SENSE.

Cyber security product sales include license sales. In the corporate and direct consumer businesses, license agreements consist of initial license agreements and periodic maintenance agreements covering product updates and customer support. License fee revenue included in those agreements is recognized when the product is initially delivered, whereas the license agreements' maintenance revenue is recognized over the maintenance period. In the operator business, most of the license sales are usage-based and booked based on usage reports, but there are also fixed price operator agreements. The terms of these agreements vary significantly and their revenue recognition is therefore defined case-by-case.

Revenue and costs of fixed-price consulting projects are recognized as revenue and expenditure on the basis of the percentage of completion when the outcome of the project can be reliably estimated. The percentage of completion of the project is specified as the proportion of cost occurred

compared to total estimated contract costs. When it is likely that the total costs required for completing the project exceed the total revenue from the transaction, the expected loss is recognized as an expense immediately.

Service revenue, including cyber security consulting and managed services, is recognized at the time of delivery of the service.

Other operating income

Other operating income includes e.g. profits from the sales of fixed assets, rental revenue, and government grants received for research and development projects.

Presentation of expenses

Classification of the functionally presented expenses has been made by presenting direct expenses in their respective functions and by allocating other expenses to operations on the basis of average headcount in each function.

Treasury shares

The company has acquired treasury shares in 2008–2011. The purchase price of the shares has been deducted from equity.

Financial assets

Short-term investments are measured at fair value. Short-term investments consist of interest-bearing debt securities and shares in mutual funds invested in similar instruments. For assets that are actively traded in organized financial markets, fair value is determined by reference to Stock Exchange quoted market bid prices at the close of business on the balance sheet date. Assets, for which the fair value of which cannot be measured reliably, are recognized at cost less impairment. The fair value changes of short-term investments are recognized in shareholders' equity under fair value reserve. When financial assets recognized as available-for-sale are sold, the accumulated fair value changes are released from equity and recognized in the income statement.

Cash and cash equivalents in the balance sheet comprise cash at bank and in hand and other highly liquid short-term investments.

FINANCIAL STATEMENTS F-SECURE CORPORATION F-SECURE 2017

1. NET SALES

EUR 1,000	FAS 2017	FAS 2016
Geographical information
Nordic countries	44,098	43,380
Rest of Europe	68,400	68,294
North America	9,358	8,354
Rest of the world	13,876	14,080
Total	135,732	134,108

2. OTHER OPERATING INCOME

EUR 1,000	FAS 2017	FAS 2016
Rental revenue	65	67
Government grants	1,423	3,759
Other	2,419	2,121
Total	3,907	5,947

3. DEPRECIATION, AMORTIZATION, AND IMPAIRMENT

EUR 1,000	FAS 2017	FAS 2016
Depreciation and amortization of non-current assets
Other intangible assets	–1,582	–993
Capitalized development	–3,021	–2,001
Intangible assets	–4,603	–2,995
Machinery and equipment	–994	–1,262
Tangible assets	–994	–1,262
Total depreciation and amortization	–5,597	–4,257
Depreciation and amortization by function
Sales and marketing	–3,437	–1,613
Research and development	–1,502	–2,509
Administration	–658	–135
Total depreciation and amortization	–5,597	–4,257

4. PERSONNEL EXPENSES

EUR 1,000	FAS 2017	FAS 2016
Personnel expenses
Wages and salaries	–37,873	–34,408
Pension expenses	–6,272	–6,019
Other social expenses	–1,558	–2,130
Total	–45,703	–42,557
Compensation of key management personnel
Wages and other short-term employee benefits	–2,129	–2,240
Wages and other short-term employee benefits
Managing Directors	–407	–631
Members of the Board of Directors	–225	–279

Wages and other short-term employee benefits of the Board of Directors and Managing Director: see group disclosure 26. Related party disclosure.

The Managing Director's retirement age and the determination of his pension conform to the standard rules specified by Finland's Employee Pension Act (TYEL). The pension cost of the Managing Director over the period was 73 thousand euro (117 thousand euro in year 2016). The period of notice for the Managing Director is six (6) months both ways and Managing Director is entitled to severance payment equivalent of six (6) months' salary.

	FAS 2017	FAS 2016
Average number of personnel	541	555
Personnel by function Dec 31
Sales and marketing	244	230
Research and development	258	253
Administration	50	47
Total	552	530

5. AUDIT FEES

FAS 2017	FAS 2016
–173	–139
–9
	–78
0	–65
–97	–77
	–43
–279	–403

FINANCIAL STATEMENTS F-SECURE CORPORATION F-SECURE 2017

43

6. FINANCIAL INCOME AND EXPENSES

7. INCOME TAXES

EUR 1,000	FAS 2017	FAS 2016
Interest income	996	83
Interest expense	–13	–11
Other financial income	1,025	581
Dividends	7	11
Exchange gains and losses	–1,050	724
Other financial expenses	74	15
Total	1,039	1,403

FAS 2017	FAS 2016
–487	–5,740
–71	–87
–558	–5,828

8. NON-CURRENT ASSETS
------------------------------	--

8. NON-CURRENT ASSETS	INTANGIBLE ASSETS						TANGIBLE ASSETS
	Other intangible	Capitalized development	Advance payments	Total	Machinery & equipment	Other tangible	Total
Acquisition cost Jan 1, 2016	18,536	9,633	3,044	31,214	21,288	5	21,293
Additions	2,312	211	4,586	7,109	1,001		1,001
Transfers		3,526	–3,526	0
Disposals	–1,125	–731		–1,856	–238		–238
Acquisition cost Dec 31, 2016	19,723	12,639	4,104	36,466	22,051	5	22,056
Additions	800	68	5,011	5,879	657		657
Transfers	2,966	4,047	–7,013	0
Disposals	–10,045	–1,453		–11,498	–13,339		–13,338
Acquisition cost Dec 31, 2017	13,444	15,301	2,102	30,847	9,368	5	9,374
Acc. depreciation Jan 1, 2016	–16,142	–5,731	0	–21,871	–19,085	0	–19,085
Depreciation for the period	–993	–2,001		–2,995	–1,262		–1,262
Acc. depreciation of disposals	1,125	731		1,856	238		238
Acc. depreciation Dec 31, 2016	–16,010	–7,001	0	–23,010	–20,108	0	–20,108
Depreciation for the period	–1,582	–3,021		–4,603	–994		–994
Acc. depreciation of disposals	10,048	1,453		11,501	13,339		13,339
Acc. depreciation Dec 31, 2017	–7,544	–8,569	0	–16,112	–7,763	0	–7,763
Book value as at Dec 31, 2016	3,713	5,638	4,104	13,456	1,942	5	1,947
Book value as at Dec 31, 2017	5,900	6,734	2,102	14,735	1,605	5	1,610

FINANCIAL STATEMENTS F-SECURE CORPORATION F-SECURE 2017

9. INVESTMENTS IN GROUP COMPANIES

EUR 1,000	Shares in group companies	Total
Book value as at Jan 1	18,581	18,581
Additions	5,072	5,072
Impairment	–300	–300
Book value as at Dec 31	23,353	23,353

Name	Country of incorporation	Share of ownership (%)
Parent F-Secure Corporation, Helsinki	Finland
DF-Data Oy, Helsinki	Finland	100
F-Secure Inc., San Jose	United States	100
F-Secure (UK) Ltd, London	United Kingdom	100
F-Secure KK, Tokyo	Japan	100
F-Secure GmbH, München	Germany	100
F-Secure eStore GmbH, München	Germany	100
F-Secure SARL, Maisons-Laffitte	France	98
F-Secure SDC SAS, Bordeaux	France	100
F-Secure BVBA, Heverlee-Leuven	Belgium	100
F-Secure AB, Stockholm	Sweden	100
F-Secure Srl, Milano	Italy	100
F-Secure SP z.o.o.,Warsaw	Poland	100
F-Secure Corporation (M) Sdn Bhd, Kuala Lumpur	Malaysia	100
F-Secure Pvt Ltd, New Delhi	India	100
F-Secure Pte Ltd, Singapore	Singapore	100
F-Secure B.V., Utrecht	Netherlands	100
F-Secure Limited, Hong Kong	Hong Kong	100
F-Secure Pty Limited, Sydney	Australia	100
F-Secure Iberia SL, Barcelona	Spain	100
F-Secure Chile Limitada, Santiago	Chile	99
F-Secure Informática S. de R.L. de C.V, Mexico City	Mexico	99
F-Secure Danmark A/S, Copenhagen	Denmark	100
Inverse Path Srl, Trieste	Italy	100
Digital Assurance Consulting Ltd, London	United Kingdom	100

10. INVENTORIES

EUR 1,000	FAS 2017	FAS 2016
Other inventories	588	109

45

11. RECEIVABLES

EUR 1,000	FAS 2017	FAS 2016
Non-current
Trade receivables
Other receivables	69	69
Total	69	69
Receivables from group companies
Other receivables		671
Total	0	671
Non-current receivables total	69	740
Current receivables
Trade receivables	27,678	24,270
Loan receivables	6	15
Other receivables	89	532
Prepaid expenses and accrued income	7,742	6,947
Total	35,515	31,764
Receivables from group companies
Trade receivables	16,851	14,004
Loan receivables	79	0
Other receivables	456
Prepaid expenses and accrued income	0	0
Total	17,386	14,004
Current receivables total	52,901	45,768
Material items included in prepaid expenses and accrued income
Prepaid royalty	2,507	2,982
Grant receivables	1,637	2,657
Other prepaid expenses	3,598	1,308
Total	7,742	6,947

12. SHORT-TERM INVESTMENTS

Short-term investments consist of interest-bearing debt securities and shares in funds invested in similar instruments. For assets that are actively traded in organized financial markets, fair value is determined by reference to Stock Exchange quoted market bid prices at the close of business on the balance sheet date. Net asset value (NAV) is used as a practical expedient to measure fair value for the investments in non-listed funds. Assets, for which fair value cannot be measured reliably, are recognized at cost less impairment. The fair value changes of short-term investments are recognized in shareholders' equity under fair value reserve.

EUR 1,000	FAS 2017	FAS 2016
Fair value as at Jan 1	63,670	64,437
Additions	7,742	9,527
Decreases	–17,372	–11,152
Change in fair value	–117	901
Impairment		–43
Fair value as at Dec 31	53,924	63,670
Shares – unlisted	26	26
Shares – listed		157
Funds	53,898	63,487
Fair value as at Dec 31	53,924	63,670
Original purchase price as at Dec 31	52,695	62,325

13. CASH AND SHORT-TERM DEPOSITS

EUR 1,000	FAS 2017	FAS 2016
Cash at bank and in hand	16,071	15,141

46

14. STATEMENT OF CHANGES IN SHAREHOLDERS' EQUITY

Parent Company FAS					Unrestricted
EUR 1,000	Share capital	Share premium fund	Treasury shares	Fair value reserve	equity reserve	Retained earnings	Total equity
Equity Dec 31, 2015	1,551	165	–6,965	355	5,102	66,140	66,348
Available-for-sale financial assets, net				721			721
Result of the financial year						16,684	16,684
Dividend						–18,696	–18,696
Other change			1,224		109		1,333
Equity Dec 31, 2016	1,551	165	–5,741	1,077	5,211	64,128	66,390
Available-for-sale financial assets, net				–93			–93
Result of the financial year						10,196	10,196
Dividend						–18,751	–18,751
Other change			1,166		167		1,333
Equity Dec 31, 2017	1,551	165	–4,575	983	5,378	55,573	59,075

FINANCIAL STATEMENTS F-SECURE CORPORATION F-SECURE 2017

15. SHAREHOLDERS' EQUITY

The Company's share capital amounted to 1,551,311 euro and the number of shares was 158,798,739 at the end of the year 2017. See group disclosure 19. Shareholders' Equity.

Treasury shares

See group disclosure 19. Shareholders' Equity.

Distributable shareholders' equity on December 31, 2017

EUR 1,000
Unrestricted equity reserve	5,379
Retained earnings	40,803
Result of the financial year	10,196
Less capitalized development expense	–6,734
Distributable shareholders' equity on December 31, 2017	49,644

16. SHARE-BASED PAYMENT TRANSACTIONS

See group disclosure 20. Share-based payment transactions.

17. LIABILITIES

EUR 1,000	FAS 2017	FAS 2016
Non-current liabilities
Deferred revenues	9,567	10,224
Deferred tax liabilites
Tax charged to shareholders' equity
– Change in fair value, available-for-sale	246	269
Other liabilities	3,217
Total	13,030	10,493
Liabilities to the group companies
Other liabilities	1,683	2,405
Total	1,683	2,405
Total non-current liabilities	14,713	12,898

EUR 1,000	FAS 2017	FAS 2016
Current liabilities
Deferred revenues	36,427	30,647
Trade payables	5,236	4,275
Other liabilities	3,548	6,402
Accrued expenses	19,418	17,112
Total	64,628	58,437

Other liabilites includes the purchase price of nSense as a deferred payment of EUR 1.3 million in shares.

Liabilities to the group companies
Advance payments	7,984	6,563
Trade payables	16,236	14,069
Other liabilities	101
Total	24,320	20,632
Total current liabilities	88,949	79,069
Material amounts shown under accruals and deferred income
Accrued personnel expenses	11,845	10,639
Deferred royalty	1,695	980
Accrued expenses	4,923	3,637
Accrued tax	956	1,856
Total	19,418	17,112

18. FINANCIAL RISK MANAGEMENT OBJECTIVES AND POLICIES

See Group disclosure 23. Financial risk management objectives and policies.

47

19. OPERATING LEASE COMMITMENTS

The Group has entered into commercial leases on office space and on motor vehicles. Motor vehicle leases have an average life of three years and office space between two and five years with renewal terms included in the contracts.

Future minimum rentals payable under non-cancellable operating leases as at 31 December are as follows:

As lessee

EUR 1,000	FAS 2017	FAS 2016
Within one year	3,106	3,262
After one year but not more than five years	5,406	8,078
Total	8,512	11,340

20. CONTINGENT LIABILITIES

EUR 1,000	FAS 2017	FAS 2016
Guarantees for other group companies	149	101
Other liabilities
Others	24	121

Derivatives see Group disclosure 23. Financial risk management objectives and policies.

21. SHARES AND SHAREHOLDERS

See Group disclosure 28. Shares and shareholders.

AUDITOR'S REPORT

(Translation from the Finnish Original)

To the Annual General Meeting of F-Secure Oyj

Report on the Audit of the Financial Statements

Opinion

In our opinion

• the consolidated financial statements give a true and fair view of the group's financial position and financial performance and cash flows in accordance with International Financial Reporting Standards (IFRS) as adopted by the EU
• the financial statements give a true and fair view of the parent company's financial performance and financial position in accordance with the laws and regulations governing the preparation of the financial statements in Finland and comply with statutory requirements.

Our opinion is consistent with the additional report to the Audit Committee.

What we have audited

We have audited the financial statements of F-Secure Oyj (business identity code 0705579–2) for the year ended 31 December 2017. The financial statements comprise:

• the consolidated balance sheet, statement of comprehensive income, statement of changes in equity, statement of cash flows and notes, including a summary of significant accounting policies
• the parent company's balance sheet, income statement, statement of cash flows and notes.

Basis for Opinion

We conducted our audit in accordance with good auditing practice in Finland. Our responsibilities under good auditing practice are further described in the Auditor's Responsibilities for the Audit of the Financial Statements section of our report.

We believe that the audit evidence we have obtained is sufficient and appropriate to provide a basis for our opinion.

Independence

We are independent of the parent company and of the group companies in accordance with the ethical requirements that are applicable in Finland and are relevant to our audit, and we have fulfilled our other ethical responsibilities in accordance with these requirements.

To the best of our knowledge and belief, the non-audit services that we have provided to the parent company and to the group companies are in accordance with the applicable law and regulations in Finland and we have not provided non-audit services that are prohibited under

Article 5(1) of Regulation (EU) No 537/2014. The non-audit services that we have provided are disclosed in note 7 to the Financial Statements.

Our Audit Approach

Overview

– Capitalization of R&D costs

As part of designing our audit, we determined materiality and assessed the risks of material misstatement in the financial statements. In particular, we considered where management made subjective judgements; for example, in respect of significant accounting estimates that involved making assumptions and considering future events that are inherently uncertain.

Materiality

The scope of our audit was influenced by our application of materiality. An audit is designed to obtain reasonable assurance whether the financial statements are free from material misstatement. Misstatements may arise due to fraud or error. They are considered material if individually or in aggregate, they could reasonably be expected to influence the economic decisions of users taken on the basis of the financial statements.

Based on our professional judgement, we determined certain quantitative thresholds for materiality, including the overall group materiality for the consolidated financial statements as set out in the table below. These, together with qualitative considerations, helped us to determine the scope of our audit and the nature, timing and extent of our audit procedures and to evaluate the effect of misstatements on the financial statements as a whole.

Overall group materiality	€ 1 000 000 (previous year € 1 200 000)
How we determined it	5% of average adjusted profit before tax for the last 3 years. Profit before tax is adjusted for accrued costs of earn-out payments related to acquisitions as those costs are considered as non recurring in nature.
Rationale for the materiality benchmark applied	The group's profitability decreased compared to the prior year due to significant investments in both product development and go-to-market strategy in 2017 to improve long-term profitability. Therefore, we chose average adjusted profit before tax for the last 3 years as the benchmark because, in our view, it is the benchmark against which the performance of the Group is most commonly measured by users, and is a generally accepted benchmark. We chose 5% which is within the range of acceptable quantitative materiality thresholds in auditing standards.

How we tailored our group audit scope

We tailored the scope of our audit, taking into account the structure of the Group, the accounting processes and controls, and the industry in which the Group operates.

Group operates globally through several legal entities. Group's sales are mainly generated by the parent company and we have audited the parent company as part of our audit of the consolidated financial statements. In addition, we have performed audit procedures related to the most significant subsidiary. We have considered that the remaining subsidiaries don't present a reasonable risk of material misstatement for consolidated financial statements and thus our procedures have been limited to targeted audit procedures over significant balances and to analytical procedures performed at Group level.

By performing the procedures above at legal entities, combined with additional procedures at the Group level, we have obtained sufficient and appropriate evidence regarding the financial information of the Group as a whole to provide a basis for our opinion on the consolidated financial statements.

Key Audit Matters

Key audit matters are those matters that, in our professional judgment, were of most significance in our audit of the financial statements of the current period. These matters were addressed in the context of our audit of the financial statements as a whole, and in forming our opinion thereon, and we do not provide a separate opinion on these matters.

As in all of our audits, we also addressed the risk of management override of internal controls, including among other matters consideration of whether there was evidence of bias that represented a risk of material misstatement due to fraud.

Key audit matter in the audit of the group

Revenue recognition

Refer to note 1 to the consolidated financial statements for the related disclosures.

Revenue is derived from corporate and consumer businesses. Corporate security business revenue includes cyber security products, managed services, and cyber security consulting. Consumer security business revenue comes through operator and direct consumer channels.

In the corporate and direct consumer businesses, license agreements consist of initial license agreements and periodic maintenance agreements covering product updates and customer support. License fee revenue included in those agreements is recognized when the product is initially delivered, whereas the license agreements' maintenance revenue is recognized over the maintenance period. In the operator business, most of the license sales are usage-based and booked based on usage reports, but there are also fixed price operator agreements. The terms of these agreements vary significantly and their revenue recognition is therefore defined case-by-case.

Service revenue, including cyber security consulting and managed services, is recognized at the time of delivery of the service.

Judgment is applied related to timing of revenue recognition of fixed priced operator agreements as those contracts are typically negotiated separately and different contract terms could have significant impact on revenue recognition. In addition, there is judgement involved in assessing timing of revenue recognition for other contracts especially related to allocation of license agreement revenues between license revenue and maintenance revenue.

Due to materiality and judgment associated with the timing of revenue recognition we have considered timing of revenue recognition as key audit matter in the audit of the Group.

This matter is a significant risks of material misstatement referred to in Article 10(2c) of Regulation (EU) No 537/2014.

How our audit addressed the key audit matter

We evaluated the design and tested the operating effectiveness of controls over revenue recognition.

We tested sample of invoices recognized during the year.

We assessed appropriateness of the company's revenue recognition policy and tested sample of revenue agreements to ensure those have been recognized based on contractual terms and based on the company's revenue recognition policy. We have also tested deferred revenue on a sample basis to assess appropriateness of revenue recognition.

In addition, we tested sample of fixed priced agreements.

50

51

Key audit matter in the audit of the group

Capitalization of R&D costs

Refer to note 12 to the consolidated financial statements for the related disclosures.

Company's research and development activities have increased due to focus on the development of new products and product amendments both for corporate and consumer customers.

Capitalization of R&D costs requires use of judgment as capitalization requires estimating technical and economical feasibility of the product developed. In addition, there is judgement involved in assessing recoverability of capitalized R&D costs as future cash flows generated by these intangible assets needs to be estimated.

Due to materiality and judgment associated with capitalization of R&D costs, we have considered capitalization of R&D as key audit matter in the audit of the Group.

How our audit addressed the key audit matter

We assessed appropriateness of the company's R&D capitalization policy.

We evaluated the design and operating effectiveness of controls over R&D capitalization. We assessed whether capitalization criteria for R&D projects are met.

We tested a sample of invoices and personnel related costs capitalized during the year.

We evaluated the relevant assumptions used in the impairment testing of intangible assets, focusing on the reasonableness of the forecasted economic information.

We tested the accuracy of the management's earlier estimates by performing subsequent review.

We have no key audit matters to report with respect to our audit of the parent company financial statements.

There are no significant risks of material misstatement referred to in Article 10(2c) of Regulation (EU) No 537/2014 with respect to the consolidated financial statements or the parent company financial statements.

Responsibilities of the Board of Directors and the Managing Director for the Financial Statements

The Board of Directors and the Managing Director are responsible for the preparation of consolidated financial statements that give a true and fair view in accordance with International Financial Reporting Standards (IFRS) as adopted by the EU, and of financial statements that give a true and fair view in accordance with the laws and regulations governing the preparation of financial statements in Finland and comply with statutory requirements. The Board of Directors and the Managing Director are also responsible for such internal control as they determine is necessary to enable the preparation of financial statements that are free from material misstatement, whether due to fraud or error.

In preparing the financial statements, the Board of Directors and the Managing Director are responsible for assessing the parent company's and the group's ability to continue as a going

concern, disclosing, as applicable, matters relating to going concern and using the going concern basis of accounting. The financial statements are prepared using the going concern basis of accounting unless there is an intention to liquidate the parent company or the group or to cease operations, or there is no realistic alternative but to do so.

Auditor's Responsibilities for the Audit of the Financial Statements

Our objectives are to obtain reasonable assurance about whether the financial statements as a whole are free from material misstatement, whether due to fraud or error, and to issue an auditor's report that includes our opinion. Reasonable assurance is a high level of assurance, but is not a guarantee that an audit conducted in accordance with good auditing practice will always detect a material misstatement when it exists. Misstatements can arise from fraud or error and are considered material if, individually or in the aggregate, they could reasonably be expected to influence the economic decisions of users taken on the basis of these financial statements.

As part of an audit in accordance with good auditing practice, we exercise professional judgment and maintain professional skepticism throughout the audit. We also:

• Identify and assess the risks of material misstatement of the financial statements, whether due to fraud or error, design and perform audit procedures responsive to those risks, and obtain audit evidence that is sufficient and appropriate to provide a basis for our opinion. The risk of not detecting a material misstatement resulting from fraud is higher than for one resulting from error, as fraud may involve collusion, forgery, intentional omissions, misrepresentations, or the override of internal control.
• Obtain an understanding of internal control relevant to the audit in order to design audit procedures that are appropriate in the circumstances, but not for the purpose of expressing an opinion on the effectiveness of the parent company's or the group's internal control.
• Evaluate the appropriateness of accounting policies used and the reasonableness of accounting estimates and related disclosures made by management.
• Conclude on the appropriateness of the Board of Directors' and the Managing Director's use of the going concern basis of accounting and based on the audit evidence obtained, whether a material uncertainty exists related to events or conditions that may cast significant doubt on the parent company's or the group's ability to continue as a going concern. If we conclude that a material uncertainty exists, we are required to draw attention in our auditor's report to the related disclosures in the financial statements or, if such disclosures are inadequate, to modify our opinion. Our conclusions are based on the audit evidence obtained up to the date of our auditor's report. However, future events or conditions may cause the parent company or the group to cease to continue as a going concern.
• Evaluate the overall presentation, structure and content of the financial statements, including the disclosures, and whether the financial statements represent the underlying transactions and events so that the financial statements give a true and fair view.
• Obtain sufficient appropriate audit evidence regarding the financial information of the entities or business activities within the group to express an opinion on the consolidated financial

statements. We are responsible for the direction, supervision and performance of the group audit. We remain solely responsible for our audit opinion.

We communicate with those charged with governance regarding, among other matters, the planned scope and timing of the audit and significant audit findings, including any significant deficiencies in internal control that we identify during our audit.

We also provide those charged with governance with a statement that we have complied with relevant ethical requirements regarding independence, and to communicate with them all relationships and other matters that may reasonably be thought to bear on our independence, and where applicable, related safeguards.

From the matters communicated with those charged with governance, we determine those matters that were of most significance in the audit of the financial statements of the current period and are therefore the key audit matters. We describe these matters in our auditor's report unless law or regulation precludes public disclosure about the matter or when, in extremely rare circumstances, we determine that a matter should not be communicated in our report because the adverse consequences of doing so would reasonably be expected to outweigh the public interest benefits of such communication.

Other Reporting Requirements

Appointment

We were first appointed as auditors by the annual general meeting on April 7th 2016. Our appointment represents a total period of uninterrupted engagement of two years.

Other Information

The Board of Directors and the Managing Director are responsible for the other information. The other information comprises the report of the Board of Directors and the information included in the Annual Report, but does not include the financial statements and our auditor's report thereon. We have obtained the report of the Board of Directors prior to the date of this auditor's report and the Annual Report is expected to be made available to us after that date.

Our opinion on the financial statements does not cover the other information. In connection with our audit of the financial statements, our responsibility is to read the other information identified above and, in doing so, consider whether the other information is materially inconsistent with the financial statements or our knowledge obtained in the audit, or otherwise appears to be materially misstated. With respect to the report of the Board of Directors, our responsibility also includes considering whether the report of the Board of Directors has been prepared in accordance with the applicable laws and regulations.

In our opinion

• the information in the report of the Board of Directors is consistent with the information in the financial statements
• the report of the Board of Directors has been prepared in accordance with the applicable laws and regulations.

If, based on the work we have performed on the other information that we obtained prior to the date of this auditor's report, we conclude that there is a material misstatement of this other information, we are required to report that fact. We have nothing to report in this regard.

52

Helsinki February 8th 2018 PricewaterhouseCoopers Oy Authorised Public Accountants

Janne Rajalahti Authorised Public Accountant (KHT) F-SECURE IS

BUILT ON

STRONG

VALUES.

F-SECURE 2017 53

STATEMENT OF NON-FINANCIAL INFORMATION

In the digital and connected world we currently live in, cyber attacks and malware have the ability to seriously damage global businesses, result in losses of hundreds of millions of euros, and even cause human suffering. For 30 years, F-Secure has been committed to helping people and businesses fight these cyber threats. Improving our customers' security, resilience and the sustainability of their digital lives or businesses, is why we exist. We believe that through our core business and everyday actions we play a vital role in ensuring the functioning of modern society, and help to maintain trust between people and organizations. Internally, we emphasize the importance of a sense of fellowship among our employees, and we have always put a strong emphasis on shared core values.

F-Secure is committed to sustainable practices in carrying out our business. Corporate responsibility is led by the CEO with the support of the Leadership Team, and with the Board of Directors approving the annual Statement of Non-financial Information. To ensure that corporate responsibility is integrated into all business operations, governance and compliance processes have been established.

This statement lists key areas of responsibility that are considered most material in accordance with the Finnish Accounting Act. Corresponding aspects have been listed in the company's Code of Conduct, the summary of which is available on the company's website. Each employee of F-Secure is expected to know and comply with this code and report any suspected violations that they become aware of according to the applicable whistleblowing processes. F-Secure's subcontractors are also requested to act in compliance with this code or a corresponding code of their own.

F-SECURE'S BUSINESS MODEL AND VALUE CREATION

Every day, experts at F-Secure Labs analyze around 350,000 unique potential malware samples, equaling hundreds of potential new threats every second. Our cyber security consultants help many of the world's leading companies to predict, prevent, detect and recover from the most advanced cyber attacks.

By combining sophisticated technology with machine learning and human expertise, F-Secure provides a comprehensive offering of security products and cyber security services for both corporate customers as well as consumers.

For businesses, we offer vulnerability scanning and management solutions, endpoint protection products, detection and response solutions as well as comprehensive security and risk assessment services for top management, along with technical consulting. For consumers, we offer security and privacy solutions for all connected devices. Our products and services offer our customers best-in-class security as has been proven by several independent research institutions. For example, AV-TEST has given F-Secure the Best Protection award for

superior technology for five times during the past six years – no other company has achieved this.

We offer our products and services to defend thousands of companies and millions of people around the world through our network of around 200 telecommunications operators and thousands of IT service and retail partners. With our partnerled business model, trust has always been a cornerstone of all our operations.

F-Secure strives to cooperate with authorities and law enforcement to investigate online crime, and to bring criminals to justice. In fact, our security experts have participated in more European cybercrime investigations than any other company in the industry. That said, our products are always developed independent of governmental direction.

In our industry, it is critical that appropriate care is taken when handling customer information. Respecting customer privacy is an integral part of our company culture, and F-Secure has published its privacy principles on the company website. When protecting our customers against cyber threats, we

strive to do so with minimum risks to their privacy. All F-Secure employees commit to protecting the confidentiality of customer data, and we are currently implementing processes to ensure General Data Protection Regulation (GDPR) is complied with when processing personal data.

Material aspects

While we view improved security of our customers as our key contribution and impact to society, this report concentrates on information of environmental matters, social and employeerelated matters, respect for human rights as well as anticorruption and anti-bribery matters. Risks, risk management, applicable policies and due diligence processes, outcomes of policies, and key performance indicators have been listed for each of these aspects.

Within each aspect, we have tried to identify topics most relevant for F-Secure. If not otherwise stated, focus areas are material for the whole company.

Focus area Key aspects			Policies	Key performance indicator
m	SOCIAL AND EMPLOYEES: We value our employees	– Securing the right competencies – Ensuring equality, equal opportunity and diversity – Ensuring the wellbeing of employees		– Recruitment Policy – Development and training guideline – Co-operation review policy – Harassment prevention policy – Equality plan	Employee NPS score
O and the Leadership Tea	ANTI-CORRUPTION AND HUMAN RIGHTS: We operate responsibly	– Fighting corruption and bribery – Being responsible in procurement	Code of Conduct	– Supplier Code of Conduct – Purchase order process – Anti-corruption policy	Number of reported violations
CE	ENVIRONMENT: We respect the planet	– Reducing energy consumption and waste in our offices – Reducing energy consumption from IT operations – Travelling sensibly		– Office Environmental Policy – Travel policy	Total electricity consumption (kWh) in offices Electricity consumption (kWh), co-location servers

EMPLOYEE AND SOCIAL MATTERS:

WE VALUE OUR EMPLOYEES

F-Secure employs over 1,100 security experts, product developers, sales people and other employees globally. F-Secure's HR practices emphasize the importance of fellowship, and the company has always put an emphasis on shared values.

As a whole, the cyber security industry is facing increasing competition and there is structural undersupply of suitable experts. Due to this, the most significant risk related to employee and social matters is the company's ability to identify, attract, retain and develop talent to support the company's growth. Additionally, in a rapidly evolving industry, the company must also be able to ensure employees constantly update their competences according to market needs. Other important employee-related issues include employee well-being, a healthy work-life balance, and ensuring equality and equal opportunities.

F-Secure strives to:

• attract and retain the right competencies and enable people to develop themselves
• ensure everyone has equal opportunity to achieve their maximum potential
• ensure the wellbeing of each employee, and that everyone is valued and treated with respect

To measure success, the company biannually conducts an Employee Net Promoter Score (eNPS) survey among staff to measure employee loyalty.

Human Resources is responsible for developing people management processes, tools, and ways of working. The company's Leadership Team is responsible for following up on the results of the eNPS survey and ensuring corrective action plans are developed.

Securing the right competencies and constant development

Successful recruitment is crucial for F-Secure's business success. Our aim is to ensure that we hire professionals with competencies that are in line with F-Secure's business objectives, culture and values. An internal Global Recruiting policy gives guidance to managers to ensure consistency and equal treatment of candidates, as well as to provide candidates a positive experience with the company.

After recruitment, the responsibility for competence development lies both with the individual employee and his or her manager, as well as with the company. An internal development and training guideline addresses the roles and responsibilities as well as practices related to learning and personal development.

At least once a year, each employee conducts a review discussion with their line manager. This review discussion includes a performance review, objective setting and a development discussion. As a result individual goals are set for personal development. The goal is that every employee completes their review annually. Going forward, F-Secure aims to implement rolling objective setting so goals can be updated during the year. An internal cooperation review policy addresses the responsibilities and practicalities of this process.

Developing the leadership skills of managers is a focus area. All F-Secure leaders participate in a leadership development program called Leadership Bridge during 2016–2018, which is strongly linked to F-Secure culture and strategy. During the same time, F-Secure leaders will also receive a 360-evaluation.

F-Secure has a number of development programs and training available for both managers and employees including:

• Leadership development programs
• Network mentoring programs
• Cyber security competence development

2017:

The number of employees continued to increase as F-Secure recruited sales persons, product developers, cyber security consultants and other experts to support the company's growth. In total the company saw a net addition of 78 employees throughout the year 2017.

To further develop the annual review discussion process, F-Secure introduced a new tool (Workday) enabling for example more dynamic objective setting and feedback possibilities.

At the end of 2017, 69% of leaders had participated in the company's Leadership Bridge program.

Ensure equality, equal opportunities and diversity

F-Secure employed people of 45 different nationalities at the end of 2017, the majority of which are also represented in the company headquarters. Our commitment to equality of opportunity is clearly explained in our Code of Conduct. F-Secure has prepared an equality plan for 2017–2018 which includes key elements for promoting equality in practice.

Employment is based solely upon individual merit and qualifications related to professional competence. We treat all of our employees, candidates, customers and business partners fairly and equally, without regard to sexual orientation, gender, race, religion and age, according to applicable laws and practices. We prohibit discrimination or harassment of any kind. An internal Harassment Prevention Policy gives instructions on how to manage potential violations.

Violations of any of the aforementioned policies are closely monitored. Violations must be reported either to the HR team, the Compliance Team or to the Board of Directors according to instructions given. The Compliance Team reviews all reported cases and decides on further actions. Third-party experts are consulted if necessary. Violations are reported as part of non-financial reporting where such third-party expert needs to be consulted. Decisions by the Compliance Team are presented to the Leadership team or the Board of Directors for corrective actions.

2017:

No violations passing the reporting threshold were reported to the Compliance Team or Board of Directors during 2017.

Ensure the wellbeing of employees

In ensuring the wellbeing of employees, F-Secure emphasizes the importance of good leadership in addition to a preventative approach to health care.

Every employee globally is entitled to basic health care services, but practices vary locally. In certain regions, employees are provided with additional sports benefits, and extended health care services according to local practices. Also, in some locations there are additional benefits such as the possibility to arrange a caretaker for a sick child. The company allows for flexible working hours and the possibility of working remotely. F-Secure offers voluntary wellbeing lectures and training for both employees and managers.

F-Secure closely monitors employee sick leaves. In case of longer sick leaves, the company supports employees, and assists them in returning back to work.

2017:

In Finland, a Digi Clinic service was introduced to personnel, enabling employees to contact doctors or nurses 24/7.

WE OPERATE RESPONSIBLY

F-Secure transacts with approximately 4,000 suppliers every year. While the majority of F-Secure's business is considered to be in low-risk regions in terms of human rights violations, we acknowledge the need to stay alert for possible violations, and evaluate all new partnerships critically. Bribery and corruption are a risk for all companies, and have a detrimental impact on business by undermining good governance and distorting free markets.

We are committed to applying the highest standards of ethical conduct and integrity in our business activities. Similarly, we strive to minimize risks associated with our suppliers.

F-Secure respects human dignity and promotes human rights, and requires respect for the same principles from every F-Secure employee, including freedom of association, freedom of thought, conscience and religion and freedom of opinion and expression. Also, we do not tolerate working conditions that are in conflict with international conventions or practices and support Conventions of the International Labor Organization (ILO). This is clearly explained in our Code of Conduct.

Preventing corruption and bribery

Every employee and individual acting on F-Secure's behalf is responsible for conducting company business honestly and professionally. We do not tolerate any form of bribery by, or of, our employees or any persons or companies acting for it or on our behalf.

The Code of Conduct explains F-Secure's general commitment to ethical conduct. We have also issued a specific Anti-Bribery Policy that applies to all employees. It defines the rules to be applied related to gifts, hospitality, travelling and accommodation and specific terms concerning governmental officials as well as the process for escalation as needed. The company expects suppliers, subcontractors and partners to comply with the policy or a policy of their own – of similar or higher standard. Ethical practices are emphasized in contracts and the company engages in continuing dialogue with relevant stakeholders.

To evaluate success, F-Secure closely follows all reports of potential violations. Any suspected breaches must be reported, and each alleged violation is investigated in an appropriate and fair manner. Any breach will be dealt with according to relevant policies and laws.

Anti-corruption processes are managed by F-Secure's legal team.

2017:

No violations of Anti-Bribery were reported in 2017.

Responsible supplier management

The majority of F-Secure's suppliers are considered to be low risk. In terms of spending, the majority of suppliers provide operating services and marketing services, which represent over 50% of the total supplier spend. Operating services include outsourced sales and product development services, as well as royalties for third-party technology providers. Marketing services include local advertising, as well as search engine and social media advertising. Other significant suppliers include providers of production services, office space rental costs, management consulting, auditing, HR services, and IT equipment and licenses.

F-Secure has a Supplier Code of Conduct, which is a part of the F-Secure agreement template and included in all new agreements. The Supplier Code of Conduct covers both anti-corruption and bribery as well as human rights issues.

When considering new suppliers, each function evaluates the need for supplier auditing together with F-Secure's procurement. F-Secure offers training to employees who select suppliers and are involved with preparing requests for proposals (RFP) or drafting agreements to enable them to assess the possible risks and take appropriate precautions.

If deemed necessary, the supplier will be issued with a detailed survey focusing on key issues, including responsible business procedures. The supplier must have a process in place to verify compliance towards the Supplier Code of Conduct and must participate in a self-assessment process organized by F-Secure if requested. F-Secure has the right to audit how suppliers and sub-contractors fulfill the Supplier Code of Conduct or corresponding requirements. For any identified non-compliances with the Code of Conduct, the supplier must provide a corrective action plan to be approved by F-Secure.

2017:

No violations of the Supplier Code of Conduct were reported in 2017.

F-Secure implemented a new Purchase Order Process to have better visibility of spending and vendors and to mitigate risks. The Request For Proposal (RFP) template was updated to better take into account risks.

ENVIRONMENTAL MATTERS: RESPECT FOR THE PLANET

The majority of F-Secure's business activities involve the development, production and delivery of software and professional services. Due to this, the company's direct environmental impact is limited, and associated risks to the environment are not considered significant. The company's environmental footprint derives primarily from the use of electricity for office activities – including heating and cooling – as well as the use of electricity from IT operations. Additionally CO2-emissions are created by business travel, and a limited amount of waste is generated by office activities.

F-Secure acknowledges climate change and other environmental impacts are both global as well as local concerns, and the company strives to minimize its impact. F-Secure has a precautionary approach to environmental challenges, as stated in our Code of Conduct. We seek to ensure compliance with local legislation, and aim to continuously increase the energy efficiency of our operations and reduce the amount of waste. Where possible and practical, we give preference to ecologically sound suppliers' products and services. Only a very limited amount F-Secure's sales involve physical products, and when they do, packages are made from recycled materials.

To evaluate our success in limiting our environmental impact, F-Secure conducts an annual energy review to estimate our total direct consumption of electricity at the company level.

2017:

F-Secure started to systematically calculate direct electricity use at the company level including office energy consumption, travelling and internal server activity. Outsourced third-party servers are excluded due to the unavailability of data.

Reducing energy consumption and waste in our offices

F-Secure has offices in 23 locations globally. The majority of operations are concentrated in Helsinki and Oulu in Finland, Kuala Lumpur in Malaysia, Poznan in Poland and a number of smaller offices throughout Europe, Asia and the Americas.

The company rents office facilities from local real estate providers. Typically a lease agreement includes service charges for electricity and heating, as well as handling of a limited amount of waste generated by office activities. Paper, bio and energy waste are primarily recycled according to local practices. Hazardous waste consists solely of batteries, which are disposed of at suitable recycling points. Electronic waste is recycled carefully and, as appropriate, with careful attention to ensuring confidential waste is specifically managed. Confidential paper waste is also managed with special care.

The company has a new Office Environmental Policy, which sets out the principles of the company's approach to protecting the environment. The policy also sets out in detail the steps the company and all employees should take to comply with the rule, and improve the environmental efficiency of our operations.

Office processes are managed by F-Secure's HR & Office Services team.

2017:

The company created a new Office Environmental Policy which will be implemented in 2018.

Office services also initiated a discussion at each company office about environmental best practices, with the aim of developing improvement plans. We have also challenged our premises' owners to provide electricity from renewable sources. During 2018 F-Secure will roll out an environmental impact improvement program at each location to monitor and measure concrete steps taken.

Reducing the energy consumption of IT operations

F-Secure uses both private servers and third-party cloud platforms to develop and run its services.

Currently, approximately 70% of the computing capacity is in co-location facilities, where F-Secure also operates the infrastructure. With third-party cloud platforms, F-Secure mainly partners with Amazon Web Services (AWS).

In co-location facilities, F-Secure is able to directly measure electricity consumption on a monthly basis. F-Secure utilizes server hardware with good energy efficiency (Energy Star), and in Finland the company's main data center vendor is 100% powered by wind energy.

For third-party providers, electricity consumption data is not available, as electricity costs are part of the overall service contract. That said, Amazon, the main service partner, has publicly announced a goal of being 100% powered by renewable energy (50% in 2017).

Going forward, F-Secure plans to increase the use of third-party and decrease the amount of privately operated co-location servers. The transition is expected to increase the company's overall energy efficiency and lower total consumption, as third-party providers are running the more energy efficient servers.

All computing capacity is centrally managed by the Production & IT unit.

2017:

F-Secure continued to increasingly outsource the company's server activity. The transition is expected to increase the company's overall energy efficiency.

Travelling sensibly

As F-Secure's business grows and expands geographically, more travelling to customer premises is often required.

F-Secure has a Travel policy, which aims to reduce the environmental impact of travelling, minimizing energy consumption and emissions by choosing environmentally friendly means of travelling. The policy requires a pre-approval of employee travels, and the policy also encourages employees to use online conferencing tools when collaborating with our internal and external stakeholders. When travelling, the company recommends using public transport when feasible and train instead of flights.

In order to have better management of the overall travel and travel management, F-Secure is consolidating the company's travel agency agreements from country-specific solutions to a centralized solution.

Table section

EMPLOYEE AND SOCIAL

Key perforce indicator	Decription	2017
Employee Net Promoter Score 1)	Key performance indicator of	H1: 9
	overall employee wellbeing.	H2: 13

1) The Net Promoter Score measures employee satisfaction by asking people how likely it is that they would recommend F-Secure as an employer. The score is derived by deducting the share of employees giving low scores (0 to 6, "detractors") from the share of employees giving high scores (9 to 10, "promoters"). Scores from 7 to 8 are considered neutral.

2017:

During the year, F-Secure's overall Employee Net Promoter Score developed positively from the first half-year (eNPS: 9) to the second (eNPS:13). Key driver behind the improvement was that the share of detractors decreased while the share of promoters was at previous year's level.

Other metrics	2017
Number of employees	1,104
Share of women, of total employees	22.7%
Share of women, of managers 2)	15.9%
Sick leaves, % 3)	3.11%

2) Includes line managers

3) Sick leave percentage is the average amount of sick days per employee. The figure includes only personnel in Finland, which represents approximately half of the company's total employees.

2017:

During the year, F-Secure continued efforts to recruit more female employees and managers. That said, the industry is facing a common challenge in the low availability of female experts in cyber security which originates from the skewed gender distribution among students in technology .

ENVIRONMENTAL

Key performance indicator	Decription	2017
Electricity consumption, co-location servers, MWh 1)	Key performance indicator for the transition to more efficient computing.	1,564 MWh
Electricity consumption, offices, MWh 2)	Key performance indicator for increasing energy efficiency in offices.	1,322 MWh

Other metrics

Travelling emission, CO2, 1,000 kg 3) 559,5 tons CO2

2017:

F-Secure has a very limited environmental impact due to the nature of our business. As F-Secure did not collect data on electricity consumption or emissions prior to 2017, there are no comparison figures available to judge progress during the year.

1) The electricity consumption of co-location servers includes two server facilities in undisclosed locations.

2) The electricity consumption of offices includes approximately 85% of F-Secure's offices, as a percentage of total employees. Excluded offices are Oulu (Finland), Paris (France), St. Petersburg (Russia), London (UK), New Jersey (US), San Jose (US), Trieste (Italy), Berlin (Germany) and Utrecht (Netherlands).

3) The CO2 emissions from travelling include only air travel and are based on calculations provided by the company's travel agency.

F-SECURE 2017 60

F-SECURE'S CORPORATE GOVERNANCE STATEMENT 2017

GENERAL GOVERNING PRINCIPLES

F-Secure's corporate governance practices comply with applicable Finnish laws as well as the rules, regulations and guidelines of Nasdaq Helsinki Oy and the Finnish Financial Supervisory Authority. This statement has been prepared in accordance with the Finnish Corporate Governance Code (publicly available at http://cgfinland.fi/en/) issued by the Securities Market Association of Finland in 2015.

Up-to-date information about F-Secure's governance is available on the Company's website at www.f-secure.com/investors.

GOVERNING BODIES

F-Secure's highest decision-making body is the General Meeting of Shareholders. The Board of Directors is responsible for F-Secure's strategy and overseeing and monitoring the Company's business. The CEO, assisted by the Leadership Team, is responsible for managing the Company's business and implementing its strategic and operational targets.

General Meeting of Shareholders

Under the Limited Liability Companies Act, shareholders exercise their decision-making power at the General Meetings.

The General Meeting is normally held once a year as an Annual General Meeting (AGM). A shareholder may propose items to be included on the agenda provided they are within the authority of the meeting and the Board of Directors has been informed of the requests in due time. The invitation to the AGM is published on the Company's website.

The AGM decides on matters stipulated by the Company's Articles of Association and the Limited Liability Companies Act, including:

• the adoption of the Financial Statements
• the distribution of profit for the year
• discharging the members of the Board of Directors and CEO from liability
• the selection of members of the Board and the decision on their remuneration
• the election of the auditor and the decision on auditor's remuneration, and
• other proposals made by the Board or shareholders

Each share carries one vote in the General Meeting.

2017:

The AGM was held on 5 April 2017 at F-Secure premises in Helsinki.

Further details on the resolutions by the AGM are available on the Company website (release published on 5 April 2017) and in the Board of Directors report in the Annual Report.

Board of Directors

The objective of the Board of Directors is to direct the Company with the aim of achieving the best possible return on invested capital for shareholders in the long term.

The Board's responsibilities and duties are defined in detail in the Board's Charter (available on the Company website) and cover the following main areas:

• approving the strategy of F-Secure, overseeing its operations and annual budgets
• approving any major investments, acquisitions, changes in corporate structure or other significant decisions
• ensuring that the supervision of the Company's accounting and financial management is duly organized
• ensuring that internal control and risk management systems are in place
• approving personnel policies and rewards systems
• preparing matters to be handled by the General Meeting

The Board of Directors meets as frequently as necessary, at least five times during its term. The Board of Directors has quorum when more than half of the members are present. An annual self-assessment is carried out by the Board to evaluate its operations.

In accordance with F-Secure's Articles of Association, the Board of Directors comprises three to seven members, which are elected at the Annual General Meeting for a period of office that extends to the following AGM. The majority of Board members shall be independent from the Company and from its major shareholders.

One member of the Board of Directors is elected from F-Secure Corporation's personnel in the following manner: an election is arranged for F-Secure personnel. Each permanent employee of F-Secure Corporation is eligible as a candidate. The Personnel Committee interviews three persons who have obtained the highest number of votes in the elections, and chooses a candidate from amongst them to be proposed for

Members	Independence of the Company	Independence of major shareholders	Board (Meeting attendance)	Audit Committee (Meeting attendance)	Personnel Committee (Meeting attendance)
Risto Siilasmaa	Yes	No1)	Chairman (13/13)		Chairman (4/4)
Pertti Ervi	Yes	Yes	Vice Chairman (13/13)	Chairman (5/5)
Ari Inki (as of 5 Apr 2017)	No2)	Yes	Member (6/7)	Member (4/4)
Jussi Arovaara (until 5 Apr 2017)	Yes	Yes	Member (6/6)	Member (1/1)
Matti Heikkonen	Yes	Yes	Member (11/13)		Member (3/4)
Anu Nissinen (until 5 Apr 2017)	Yes	Yes	Member (6/6)	Member (1/1)	Member (2/2)
Sofie Nystøm (as of 5 Apr 2017)	Yes	Yes	Member (6/7)	Member (4/4)
Bruce Oreck	Yes	Yes	Member (11/13)	Member (1/2)	Member (3/4)
Janne Pirttilahti (until 5 Apr 2017)	No2)	Yes	Member (6/6)	Member (1/1)
Päivi Rekonen (as of 5 Apr 2017)	Yes	Yes	Member (7/7)	Member (4/4)

Members of the Board of Directors

1) Risto Siilasmaa is the founder of F-Secure and on 31 December 2017 owned 37.76% of F-Secure shares.

2) Janne Pirttilahti was elected from F-Secure Corporation's personnel, according to the process described below in 2016. Ari Inki was elected according to the same process in 2017.

election as a new member of the Board by the Annual General Meeting.

The Board's Personnel Committee prepares the proposals for board candidates to be approved by the shareholders at the General Meeting. Proposals are based on candidates' skills and qualifications and on maintaining diversity on the Board of Directors. Currently both genders are represented in the Board of Directors.

For a detailed description of the members of the Board of Directors and their shareholdings see pages 66–68.

Board Committees

The Board has two permanent Committees: Audit Committee and Personnel Committee (nomination and remuneration issues). The duties of both Committees are defined in their charters, available on the Company's website.

Audit Committee

The Audit Committee reviews, instructs and evaluates risk management, internal controls, IT strategy and practices, financial reporting as well as auditing of the accounts. The Audit Committee also prepares proposal for the election of auditor to the Board of Directors and regularly considers the need for a separate internal audit function. Members of the

Audit Committee must have broad business knowledge, as well as an adequate knowledge of and experience in financial and supervisory matters.

Members of the Audit Committee are listed in the table in the previous section. According to the Finnish Corporate Governance Code, majority of the members of an audit committee must be independent of the company.

Personnel Committee

The Personnel Committee prepares material and instructs with issues related to the composition and compensation of the Board of Directors and the remuneration and incentives of key managerial personnel. The Committee also prepares the proposals for the Board composition and remuneration for the Annual General Meeting of Shareholders.

Members of the Personnel Committee are listed in the table in the previous section.

2017:

The Executive Committee was renamed Personnel Committee at the Annual General Meeting.

President and CEO

The Board of Directors appoints the CEO and decides upon his/ her remuneration and other benefits. The CEO is responsible for the day-to-day management of the Company. His/her duties include:

• managing the business according to the instructions issued by the Board of Directors
• presenting the matters to be handled in the Board of Directors' meetings
• implementing the decisions made by the Board of Directors
• other duties determined in the Limited Liability Companies Act

For a description of the CEO and his shareholdings see page 69 and for his remuneration see Annual Report, Notes to financial statements, 26. Related party disclosures.

F-SECURE 2017 63

Leadership Team

The Leadership Team supports the CEO in the daily operative management and development of the Company. The CEO appoints the Leadership Team members and decides upon the terms and conditions of their employment.

2017:

Members of the Company's Leadership Team on 31 December 2017 were:

• Samu Konttinen, CEO
• Mari Heusala, Executive Vice President, Human Resources and Office Services
• Kristian Järnefelt, Executive Vice President, Consumer Business Unit
• Eriikka Söderström, Chief Financial Officer
• Jyrki Rosenberg, Executive Vice President, Corporate Security Business Unit
• Jari Still, Vice President, Chief Information Officer
• Mika Ståhlberg, Chief Technology Officer
• Jens Thonke, Executive Vice President, Cyber Security Services
• Jyrki Tulokas, Executive Vice President, Strategy & Corporate Development

Current information on the F-Secure Leadership Team can be found on our website: www.f-secure.com/investors.

For descriptions of all members of the Leadership Team during 2017 their roles, respective membership periods and shareholdings see pages 69–71 this document.

Management remuneration

Compensation of key management personnel of the Group:

	2017	2016
Wages and other short-term employee benefits	2,319	2,423
CEO	407	6311)
Other Leadership Team members	1,687	1,513
Members of the Boards of Directors	225	279
Share-based payments	1,014	768
Total	3,333	3,191

1) Includes the remuneration of two CEOs. In August 2016 Samu Konttinen became the Company CEO, replacing Christian Fredrikson.

Compensation for the CEO in 2017

	Wages	Fees	Incentive reward
Samu Konttinen, CEO	407		312

Compensation for the Board of Directors in 2017

	Wages	Fees	Incentive reward
Risto Siilasmaa, Chairman of the Board		55
Pertti Ervi		40
Matti Heikkonen		30
Sofie Nystrøm (as of 5 Apr 2017)		30
Päivi Rekonen (as of 5 Apr 2017)		30
Bruce Oreck		30
Ari Inki (as of 5 Apr 2017)		10
Total		225

CONTROLS AND OTHER GOVERNANCE ISSUES

MAIN FEATURES OF INTERNAL CONTROL AND RISK MANAGEMENT SYSTEMS PERTAINING TO THE FINANCIAL REPORTING PROCESS

Risk management

The objective of F-Secure's risk management is to ensure a current, correct and holistic understanding and prioritized management of key uncertainties related to strategy implementation and business operations. The process and risk management methods in use are constantly developed to respond to the changing needs of the company. During 2017 the development was concentrated on the risk management framework and a new model considering the following three risk categories was taken in use.

• Strategic risks: Risks related to strategic objectives and competitive environment, managed by the leadership team and board of directors
• Business risks: Risks that threaten the achievement of the business objectives, identified and managed by the organizational units as part of the operational planning and management
• Operational risks: Risks relating to the company's daily operations and processes as well as to potential disruptions, managed within the organizational units

The objective in organizing the risk management process has been to empower the organization to identify and manage risks. This approach enables understanding of risk management objectives and distribution of responsibility for risk management decisions making in adequate level of the organization.

Different risk modelling and quantification methods developed by the F-Secure risk management consulting services are used to identify and analyze the risks when appropriate. During 2017, a new method for risk quantification was taken in use to analyze selected risks. Financial quantification is useful to analyze cases where the risk consequence has high variation. In these cases, it is adequate to create good understanding of the different outcome

options of the realization of risk prior to deciding on the risk treatment strategy.

The most significant risks and their treatment strategies are reported annually to the Audit Committee of the Board of Directors.

The most significant risks

Risks are defined as uncertainties which can impact the achievement of the Company's short and long term objectives. Risks are assessed as a combination of probability and impact.

Endpoint protection market disruption

Endpoint security market is highly competitive. Operating system manufacturers have increased their focus to built-in security features and at the same time new vendors and technologies have emerged. Successful security vendors must have in-depth understanding of cyber security threat landscape, hacker techniques and technologies used as well as continue to innovate in defense technologies.

Market Consolidation

The cyber security market is consolidating due to economies of scale. Companies have to succeed in choosing the right acquisition targets, as well as successfully integrate target companies.

Failure to innovate and develop new technologies

In a rapidly evolving industry it is vital to keep the products and services relevant to the customers while introducing new technologies to the market. The Company is driving technology simplification and R&D effectivization initiatives as well as investments to artificial intelligence to ensure a competitive product portfolio.

Failure to attract and retain talent

Competition for capable personnel is increasing and there is structural undersupply of talent in the security industry. The Company is thus further developing and adopting new ways of recruitment, building its own talent and knowledge pools and investing to training and development of personnel.

Other notable risks

Other risks that affect the F-Secure business include but are not limited to:

• Intellectual property (IPR) claims against F-Secure
• Risk exposure from contractual liability requirements
• Failure of new product launches
• Potential security threats related to F-Secure's products and services
• Credit risk due to regional political or financial climate and regulation
• Tax risk relating to changing laws and regulations and interpretations of said regulations by the relevant authorities

2017:

F-Secure has continued the development of the risk management process. The objective has been to empower the organization to identify and manage risks more effectively through the adoption of new risk modelling and quantification methods .

Internal control

The purpose of Internal Control is to ensure that operations are effective and aligned with the strategy, and that financial reporting and management information is reliable and in compliance with applicable regulations and operating principles.

Internal control consists of all the guidelines, policies, processes, practices and relevant information about organizational structure that help ensure that the business conduct is in compliance with all applicable regulations. The purpose of internal control is also to ensure that accounting and financial information provides a true and accurate reflection of the activities and financial situation of the company. Actual performance is monitored against sales and cost targets by operative reporting systems on a daily, weekly, or monthly basis.

The Company constantly monitors its key financial processes linked to sales, revenue, costs and profitability as well as incoming and outgoing payment transactions. If any inconsistencies appear, the issues are handled without delay. The Company's finance department is responsible for the consistency and reliability of internal control methods. The

finance team works in close cooperation with the CFO and businesses, providing relevant data for business planning purposes and sales estimates. The team also regularly assesses and monitors the reliability of estimates and revenue recognition.

2017:

F-Secure implemented a new integrated Finance and Human Resources ERP system that has further improved internal processes and controls.

Internal audit

F-Secure's Audit Committee considers regularly the need for and appropriateness of a separate Internal Audit function. To date, the Audit Committee has concluded that, due to the size, organizational structure and largely centrally controlled financial management of the Company, a separate Internal Audit function is not necessary.

In the absence of an Internal Audit function, attention is paid to periodical review of the written guidelines and policies concerning accounting, reporting, documentation, authorization, risk management, internal control and other relevant matters in all departments. Related controls are also tested from time to time. The guidelines and policies are coordinated by the Company's finance department with active involvement by the legal team.

The absence of a separate Internal Audit function is considered when defining the scope of the Company's external audit. Where necessary, the Board may also purchase Internal Audit services from an external provider.

To facilitate transparency and exchange of information on Internal Audit related matters, the financial management team has frequent meetings with the auditors. The Audit Committee also meets regularly with the auditors and head of the Company's legal team to discuss related matters of their areas of responsibility.

The Company has taken into use two direct lines for all employees to notify the Board and Leadership Team of any unethical activity or abuse.

Insider issues

F-Secure's IR-function is in charge of the company's insider issues, with the exception of project based insider issues, which are managed by the Legal department. The Company follows the insider regulations of Nasdaq Helsinki Oy and has adopted the new Market Abuse Regulations (EU, N:o 596/2014, "MAR"), which came into force on 3 July 2016. F-Secure has published an internal guideline on insider issues and regularly trains employees and management on insider issues.

Insider registries

F-Secure maintains three separate lists of insiders and other persons relevant for insider issues:

• project based insiders (maintained by the Legal team)
• list of persons discharging managerial responsibilities, as well as persons closely associated with them, as specified by MAR
• other insiders, including people participating in the preparation of financial reporting or otherwise having access to significant non-published financial information.

Managers' transactions

Persons discharging managerial responsibilities ("Managers") comprise the Board of Directors, the CEO, the CFO and other members of the Leadership Team. These persons have a duty to notify within three business days F-Secure and the Finnish Financial Supervisory Authority of every transaction in their own account relating to Financial Instruments of F-Secure. The Company publishes these notifications as a stock exchange release, as specified by MAR. All releases published on managers' transactions are available on the Company's website.

Closed window

All insiders or their interest parties are not entitled to trade shares, options, or other securities 30 days prior to the publication of financial reports. Additionally, project-based insiders are never entitled to trade shares, options, or other securities during the duration of an insider project, including the day the insider information is made public.

Silent period

F-Secure observes a silent period of 21 days before each quarterly report announcement. During the silent period, the Company will arrange neither meetings nor conference calls with the investor community.

Auditors

The auditor is elected by the Annual General Meeting for a term of service ending at the close of the next Annual General Meeting. The auditor is responsible for auditing the consolidated and parent company financial statements and accounting. The auditor reports to the Board of Directors or the Audit Committee at least once a year.

2017:

F-Secure has been audited by PricewaterhouseCoopers with Janne Rajalahti, Authorized Public Accountant, as the responsible auditor.

F-Secure paid to the auditor EUR 173,000 in audit fees (2016: EUR 144,500), and EUR 106,000 (2016: EUR 77,280) for non-audit services.

DETAILED DESCRIPTIONS

BOARD OF DIRECTORS

In this section are the biographies of the Members of the Board of Directors during 2017. Shareholdings are listed as of 31 December 2017 unless otherwise stated.

RISTO SIILASMAA

Chairman of the Board of Directors since 2006 Board member since 1988 Born 1966, M.Sc. (Engineering) Main employment history: Currently Chairman of the Board, F-Secure Corporation, 2006– President and CEO, F-Secure Corporation, 1988–2006

Founder, F-Secure Corporation

Interim CEO, Nokia Corporation, 2013–2014

Current board memberships and public duties:

Chairman of the Board, Nokia Corporation, 2012–

Chairman of the Board, The Federation of Finnish Technology Industries, 2016– Vice Chairman, Confederation of Finnish

Industries, EK, 2017–

Member of ERT European Round Table of Industrialists, 2013–

Holdings: number of shares 59,969,896, holding 37.76%

PERTTI ERVI

Board member since 2003, Chairman of the Audit Committee Born 1957, B.Sc. (Electronics)

Main employment history: Currently an independent management consultant

Co-CEO, Member of the Executive Board, Computer 2000 AG, 1995–2000 Co-founder, Managing Director, Computer 2000 Finland Oy, 1983–1995 Has worked at international management levels with major IT vendors such as Cisco, IBM, Intel, HP, and Microsoft.

Current board memberships and public duties:

Chairman of the Board 2011–, Member of the Board 2008–, Efecte Corporation, Chairman of the Board 2017–, Member of the Board 2009–, Teleste Corporation Chairman of the Board, Mintly, 2017– Holdings: number of shares 51,036

MATTI HEIKKONEN

Board member since 2013 Born 1976, M.Sc. (Eng.)

Main employment history:

Senior Executive Vice President, Global Operations and Partner, QuestBack AS, 2010– Entrepreneur and CEO, Digium Ltd, 2007–2010 Head of Nokia-Cisco Systems Global Alliance, Nokia Corporation, 2004–2007 Entrepreneur and CEO, Triple Check Ltd, 2002–2004 Researcher, Aalto University, Finland, 2002–2004 Group Marketing Director, Business Unit Manager and Partner, Done Solutions Corp, 2000–2002 Entrepreneur and CEO, Identia Ltd, 1998–2000 Current board memberships and public duties:

Chairman of the Board, Benemen Oy, 2018– Board member of Mobile Wellness MWS Oy, 2017–

Holdings: number of shares 23,565

66

ARI INKI

Board member since April 2017 Born 1974, B. Sc. (Computer Engineering), MBA

Main employment history:

Chief Architect and Vice President of Architecture & Platforms, F-Secure, 2017– Chief Architect and Head of Technology Office, F-Secure, 2011–2017 Various research and development roles, F-Secure, 2008–2017 Information Security Specialist, TietoEnator, 2007–2008 Architect, Technical Product Manager and Software Developer, F-Secure, 1999–2007 Holdings: number of shares, 6,856

SOFIE NYSTRØM

Board member since April 2017 Born 1978, Ms. Sc. (Computer Science)

Main employment history:

Director, NTNU Center for Cyber and Information Security, 2015– Vice President, Head of Group Security, Telenor Group, 2014–2015 Executive Vice President, Chief Information Security Officer, DNB Bank, 2008–2013 Director, Symantec Norway, Consulting services, 2006–2008 Manager, National Security Authority, Norway, 2004–2006

Holdings: number of shares 2,830

BRUCE ORECK

Board member since 2016 Born 1953, LL.M. (Taxation)

Main employment history: Executive in Residence, Aalto University, 2016– Ambassador to Finland, United States,

2009–2015

Founding and managing partner, Oreck, Bradley, Crighton, Adams & Chase, 2005–2009 Executive Vice-President and General Counsel, Oreck Corporation, 1993–2003

Current board memberships and public duties:

Member of the Board, U.S. Green Building Council (USGBC), 2016– Member of the Board, Earth Day Network, 2016

PÄIVI REKONEN

Board member since April 2017 Born 1969, M. Sc. (Economics), M.Sc. (Social Sciences)

Main employment history:

Currently an independent strategy advisor, 2018–

Managing Director, Group Technology, USB, 2014–2018

Senior Vice President, Global Head of Digital Strategy, Adecco Group, 2011–2012 Head of IT, Credit Suisse, 2007–2009 Various leadership roles, Cisco Systems, 1998–2007

Various leadership roles, Nokia, 1990–1998 Holdings: number of shares 2,830

68

F-SECURE 2017

NON-CURRENT MEMBERS

JUSSI AROVAARA

Board member since 2010 (until April 2017) Born 1966

Main employment history:

Vice President, Global Sales, Corel Corporation (UK) 2012– Vice President, Global Operations, Corel Corporation (UK), 2010–2012 Senior Director, International Sales and Marketing Operations, Corel Corporation (UK), 2005–2009 Director, International Product Marketing, Corel Corporation (UK), 2004–2005 Vice President, EMEA Sales, Corel Corporation (UK), 2002–2004 Vice President, Sales Operations, Corel Corporation (Canada), 1999–2001 Earlier has worked in several sales and marketing positions in computer wholesaling. Holdings: number of shares 38,833 (April 2017)

JANNE PIRTTILAHTI

Board member since April 2016 (until April 2017) Born 1976, Undergraduate Student of Science Main employment history: Vice President, R & D, Corporate Security, F-Secure, 2016– Various roles, F-Secure, 2005– Sales manager, Rommon Oy, 2003–2005 Product Manager, Bonware Oy, 2001–2003 Current board memberships and public duties: Member of the Board of Directors, Loopback Oy, 2005– Holdings: number of shares 8,603 (April 2017)

ANU NISSINEN

Board member since 2010 (until April 2017) Born 1963, M.Sc. (Economics)

Main employment history:

Founder, Digma Design Oy 2016– Founding partner, Era Content Oy, 2016 Founding partner and CEO, Era Content Oy, 2014–2015 CEO, Sanoma Media Finland Ltd, and a Member of the Executive Management Group of Sanoma, 2011–2013 President, Sanoma Entertainment Ltd, 2008–2011 Member of the Executive Management Group, Sanoma, 2008–2010 President, SW Television Ltd/Welho, 2004–2008 Marketing Director, Helsinki Televisio Ltd, 2001–2004 Marketing Manager, Oy Sinebrychoff Ab, 1998–2000 Current board memberships and public duties: Member of the Board, DNA Oy, (2010–2012) 2014–

Member of the Board, Siili Solutions Oyj, 2014– Member of the Board, Kesko Oyj, 2015– Member of the Board, Viestilehdet Oy, 2015– Holdings: number of shares 38,833 (April 2017)

LEADERSHIP TEAM

In this section are the biographies of all the members of the Leadership Team during 2017. Shareholdings are listed as of 31 December 2017 unless otherwise stated.

SAMU KONTTINEN

President and CEO Born 1973 Member of the Leadership Team since 2009 Main employment history: President and CEO, F-Secure, 2016– Executive Vice President, Corporate Security, F-Secure, 2016 Executive Vice President, Consumer Security, F-Secure 2014–2016 Executive Vice President, Customer and Market Operations, F-Secure, 2012–2014 Vice President, Sales and Marketing, F-Secure, 2011–2012 Vice President, Sales and Geographical Operations, F-Secure, 2009–2011 Holdings: number of shares 1,800 Vice President, Mobile Business Unit, F-Secure, 2007–2009 Various leadership roles in sales and channel management, F-Secure, 2005–2007 Vice President, Sales, Valimo Wireless, 2001–2005. Current Board Memberships: Member of the Board, Digitalist Plc, 2011– Member of the Board, Information Technology branch group, Technology Industries of Finland, 2016– Chairman of the Board, Finnish Information Security Cluster (FISC), 2017– Holdings: number of shares 82,103

MARI HEUSALA

Executive Vice President, Human Resources and Office services Born 1966, M.Sc. (Economics) Member of the Leadership Team since 2015 Main employment history: Executiye Vice Precident, Human Resources and Office Services, 2015– Senior Vice President, Human Resources & Development, Basware Corporation, 2009–2015 Various global HR director positions, Nokia, 1997–2009 Project Coordinator, Northrop Grumman International Aircraft Inc, 1993–1996

KRISTIAN JÄRNEFELT

Executive Vice President, Consumer security Born 1965, M.Sc (Economics) Member of the Leadership Team since 2016 Main employment history: Executive Vice President, Consumer security, F-Secure, 2016– Director, Sales, Fujitsu Finland Oy , 2014–2015 CEO and partner, Miradore Oy, 2010–2014 CEO and partner, Concilio Networks Oy, 2006–2009 Various senior leadership roles, Hewlett-Packard, 1994–2006 Holdings: –

JYRKI ROSENBERG

Executive Vice President, Corporate Security Born 1971, M.Sc. (Communication), MBA Member of the Leadership Team since 2016 Main employment history:

Executive Vice President, Corporate Security, F-Secure, 2016–

CEO and a member of the Board, MixRadio Ltd 2015–2016

Vice President, Entertainment Businesses, Microsoft Devices Group , Nokia Corporation, 2012–2015

Various of senior roles in marketing, sales, product development and general management, Nokia, 1996–2012

Holdings: –

JARI STILL

Vice President, Information and Business Services (as of February 2016) Born 1965, B.Sc Member of the Leadership Team since 2012 Main employment history: Chief Information Officer, F-Secure, 2016– Vice President, Information and Business Services, F-Secure, 2012–2016 Head of Research and Development, Mobile Business Unit, F-Secure, 2000–2012 Co-founder and CEO, Modera Point Oy, 1991–2000 Various product development and manage-

ment roles in Finnish telecommunication and software companies, 1987–1991 Holdings: number of shares 100,657

MIKA STÅHLBERG

Chief Technology Officer (as of February 2016) Born 1973, M.Sc. (Engineering), Officer's degree

Member of the Leadership Team since 2016

Main employment history:

Chief Technology Officer, F-Secure, 2016– Director, Strategic Threat Research, F-Secure, 2014–2016

CTO, Security, F-Secure, 2012–2014 Vice President, Labs, F-Secure, 2009–2012 Director of Security Research, F-Secure, 2008–2009

Various position, F-Secure, 2004–2008 Various positions, Finnish Defense Forces, 1998–2004

Holdings: number of shares 29,263

ERIIKKA SÖDERSTRÖM

Chief Financial Officer (as of February 2017) Born 1968, M.Sc. (Econ.) Member of the Leadership Team since 2017 Main employment history:

CFO, KONE Corporation, 2013–2016 CFO, Vacon Corporation, 2009–2012 CFO, Oy Nautor Ab, 2008 Various senior finance leader roles, Nokia Networks and Nokia Siemens Networks, 1994–2007

Current board memberships:

Member of the Board, Valmet, 2017– Holdings: number of shares 40,000

JENS THONKE

Executive Vice President, Cyber Security Services Born 1966 Member of the Leadership Team since 2015 Main employment history: Executive Vice President, Cyber Security Services, F-Secure, 2015– CEO, nSense, 2009–2015 CEO, Ezenta, 2000–2009 Holdings: number of shares 166,359

JYRKI TULOKAS

Executive Vice President, Strategy and Corporate Development Born 1975, M.Sc. (Economics) Member of the Leadership Team since 2016 Main employment history: Executive Vice President, Strategy and Corporate Development, F-Secure, 2016– Various leadership roles in product

management, marketing, strategy and business development operations, F-Secure, 2007–2016 Head of Business Development, Suunto, 2005–2007

Holdings: –

NON-CURRENT MEMBERS

SAILA MIETTINEN-LÄHDE

Chief Financial Officer (until February 2017) Born 1962 M.Sc. (Engineering) Member of the Leadership Team between 2015–2017

INFORMATION FOR SHAREHOLDERS

The main goal of F-Secure's investor communications is to make available correct, up-to-date information about F-Secure and its operations – impartially and simultaneously to all interest groups.

All published investor information including annual reports, interim reports, as well as stock exchange and press releases are available on the Group's website www.f-secure.com/ investors. All investor information is published in English and in Finnish.

Subscriptions for the emailing list for stock exchange releases can be made by sending your contact details to investor-relations@f-secure.com.

F-Secure publishes a financial statement release, a half year report and two interim reports during 2018 and arranges news conferences for media and analysts at the time of publishing of the quarterly reports. F-Secure observes a three-week silent period before the publishing of each quarterly report. During this time, F-Secure neither arranges meetings nor phone conferences with investors or analysts.

Annual General Meeting

The Annual General Meeting of F-Secure Corporation is scheduled to be held on Wednesday, 4 April 2018. More information on how to attend as well as the documents for the meeting are available on the Group's webpage www.f-secure.com/agm.

Financial calendar for 2018

Q1 Interim Report 4 May Q2 Half year report 8 August Q3 Interim Report 2 November

F-Secure share facts

Listing since (1999) NASDAQ OMX Helsinki Ltd. Trading symbol FSC1V Number of shares 158,798,739

IR Contacts

For any inquiries on F-Secure as an investment target, please contact:

Tapio Pesola, Investor Relations Manager investor-relations@f-secure.com +358 44 3734693

F-Secure Corporation Corporate Headquarters Tammasaarenkatu 7 P.O. Box 24 00181 Helsinki, Finland Tel. +358 9 2520 0700 www.f-secure.com

content F-Secure design and layout Kreab photographs F-Secure

AT YOUR SIDE, WATCHING YOUR BACK.

F-Secure Corporation Tammasaarenkatu 7 P.O. Box 24, 00181 Helsinki Tel. +358 9 2520 0700 helsinki@f-secure.com www.f-secure.com