10-K 1 ospn-20231231.htm 10-K ospn-20231231
00010447772023FYfalseP3YP3YP5Y121212P1Yhttp://fasb.org/us-gaap/2023#OtherAccruedLiabilitiesCurrenthttp://fasb.org/us-gaap/2023#OtherAccruedLiabilitiesCurrentP1YP1YP1Y25.0000010447772023-01-012023-12-3100010447772023-06-30iso4217:USD00010447772024-03-01xbrli:shares00010447772023-10-012023-12-3100010447772023-12-3100010447772022-12-31iso4217:USDxbrli:shares0001044777ospn:ProductAndLicenseMember2023-01-012023-12-310001044777ospn:ProductAndLicenseMember2022-01-012022-12-310001044777ospn:ProductAndLicenseMember2021-01-012021-12-310001044777ospn:ServiceAndOtherMember2023-01-012023-12-310001044777ospn:ServiceAndOtherMember2022-01-012022-12-310001044777ospn:ServiceAndOtherMember2021-01-012021-12-3100010447772022-01-012022-12-3100010447772021-01-012021-12-310001044777us-gaap:CommonStockMember2020-12-310001044777us-gaap:TreasuryStockCommonMember2020-12-310001044777us-gaap:AdditionalPaidInCapitalMember2020-12-310001044777us-gaap:RetainedEarningsMember2020-12-310001044777us-gaap:AccumulatedOtherComprehensiveIncomeMember2020-12-3100010447772020-12-310001044777us-gaap:RetainedEarningsMember2021-01-012021-12-310001044777us-gaap:AccumulatedOtherComprehensiveIncomeMember2021-01-012021-12-310001044777us-gaap:AdditionalPaidInCapitalMember2021-01-012021-12-310001044777us-gaap:CommonStockMember2021-01-012021-12-310001044777us-gaap:TreasuryStockCommonMember2021-01-012021-12-310001044777us-gaap:CommonStockMember2021-12-310001044777us-gaap:TreasuryStockCommonMember2021-12-310001044777us-gaap:AdditionalPaidInCapitalMember2021-12-310001044777us-gaap:RetainedEarningsMember2021-12-310001044777us-gaap:AccumulatedOtherComprehensiveIncomeMember2021-12-3100010447772021-12-310001044777us-gaap:RetainedEarningsMember2022-01-012022-12-310001044777us-gaap:AccumulatedOtherComprehensiveIncomeMember2022-01-012022-12-310001044777us-gaap:AdditionalPaidInCapitalMember2022-01-012022-12-310001044777us-gaap:CommonStockMember2022-01-012022-12-310001044777us-gaap:TreasuryStockCommonMember2022-01-012022-12-310001044777us-gaap:CommonStockMember2022-12-310001044777us-gaap:TreasuryStockCommonMember2022-12-310001044777us-gaap:AdditionalPaidInCapitalMember2022-12-310001044777us-gaap:RetainedEarningsMember2022-12-310001044777us-gaap:AccumulatedOtherComprehensiveIncomeMember2022-12-310001044777us-gaap:RetainedEarningsMember2023-01-012023-12-310001044777us-gaap:AccumulatedOtherComprehensiveIncomeMember2023-01-012023-12-310001044777us-gaap:AdditionalPaidInCapitalMember2023-01-012023-12-310001044777us-gaap:CommonStockMember2023-01-012023-12-310001044777us-gaap:TreasuryStockCommonMember2023-01-012023-12-310001044777us-gaap:CommonStockMember2023-12-310001044777us-gaap:TreasuryStockCommonMember2023-12-310001044777us-gaap:AdditionalPaidInCapitalMember2023-12-310001044777us-gaap:RetainedEarningsMember2023-12-310001044777us-gaap:AccumulatedOtherComprehensiveIncomeMember2023-12-31ospn:segment0001044777ospn:LetterOfCreditAndGuaranteesMember2023-12-310001044777ospn:LetterOfCreditAndGuaranteesMember2022-12-310001044777us-gaap:GuaranteesMember2023-12-310001044777us-gaap:GuaranteesMember2022-12-310001044777srt:MinimumMember2023-12-310001044777srt:MaximumMember2023-12-310001044777us-gaap:LeaseholdImprovementsMember2023-12-31ospn:reporting_unit0001044777srt:MinimumMemberospn:ProprietaryTechnologyMember2023-12-310001044777ospn:ProprietaryTechnologyMembersrt:MaximumMember2023-12-310001044777us-gaap:CustomerRelationshipsMembersrt:MinimumMember2023-12-310001044777us-gaap:CustomerRelationshipsMembersrt:MaximumMember2023-12-310001044777us-gaap:PatentsMember2023-12-310001044777ospn:InvestmentInPromonMember2022-01-312022-01-310001044777ospn:InvestmentInPromonMember2022-01-012022-12-310001044777ospn:InvestmentInPromonMember2022-01-30xbrli:pure00010447772022-05-1200010447772023-12-012023-12-310001044777ospn:ProfessionalServicesAndOtherMember2023-01-012023-12-310001044777ospn:ProfessionalServicesAndOtherMember2022-01-012022-12-310001044777ospn:ProfessionalServicesAndOtherMember2021-01-012021-12-310001044777ospn:CapitalizedSoftwareMember2023-12-310001044777ospn:DigitalAgreementsMember2023-01-012023-12-310001044777ospn:DigitalAgreementsMember2022-01-012022-12-310001044777ospn:DigitalAgreementsMember2021-01-012021-12-310001044777ospn:SecuritySolutionsMember2023-01-012023-12-310001044777ospn:SecuritySolutionsMember2022-01-012022-12-310001044777ospn:SecuritySolutionsMember2021-01-012021-12-310001044777us-gaap:OperatingSegmentsMember2023-01-012023-12-310001044777us-gaap:OperatingSegmentsMember2022-01-012022-12-310001044777us-gaap:OperatingSegmentsMember2021-01-012021-12-310001044777ospn:DigitalAgreementsMemberospn:SubscriptionMember2023-01-012023-12-310001044777ospn:SubscriptionMemberospn:SecuritySolutionsMember2023-01-012023-12-310001044777ospn:DigitalAgreementsMemberospn:SubscriptionMember2022-01-012022-12-310001044777ospn:SubscriptionMemberospn:SecuritySolutionsMember2022-01-012022-12-310001044777ospn:DigitalAgreementsMemberospn:SubscriptionMember2021-01-012021-12-310001044777ospn:SubscriptionMemberospn:SecuritySolutionsMember2021-01-012021-12-310001044777ospn:MaintenanceAndSupportMemberospn:DigitalAgreementsMember2023-01-012023-12-310001044777ospn:MaintenanceAndSupportMemberospn:SecuritySolutionsMember2023-01-012023-12-310001044777ospn:MaintenanceAndSupportMemberospn:DigitalAgreementsMember2022-01-012022-12-310001044777ospn:MaintenanceAndSupportMemberospn:SecuritySolutionsMember2022-01-012022-12-310001044777ospn:MaintenanceAndSupportMemberospn:DigitalAgreementsMember2021-01-012021-12-310001044777ospn:MaintenanceAndSupportMemberospn:SecuritySolutionsMember2021-01-012021-12-310001044777ospn:DigitalAgreementsMemberospn:ProfessionalServicesAndOtherMember2023-01-012023-12-310001044777ospn:SecuritySolutionsMemberospn:ProfessionalServicesAndOtherMember2023-01-012023-12-310001044777ospn:DigitalAgreementsMemberospn:ProfessionalServicesAndOtherMember2022-01-012022-12-310001044777ospn:SecuritySolutionsMemberospn:ProfessionalServicesAndOtherMember2022-01-012022-12-310001044777ospn:DigitalAgreementsMemberospn:ProfessionalServicesAndOtherMember2021-01-012021-12-310001044777ospn:SecuritySolutionsMemberospn:ProfessionalServicesAndOtherMember2021-01-012021-12-310001044777ospn:DigitalAgreementsMemberospn:HardwareProductsMember2023-01-012023-12-310001044777ospn:HardwareProductsMemberospn:SecuritySolutionsMember2023-01-012023-12-310001044777ospn:DigitalAgreementsMemberospn:HardwareProductsMember2022-01-012022-12-310001044777ospn:HardwareProductsMemberospn:SecuritySolutionsMember2022-01-012022-12-310001044777ospn:DigitalAgreementsMemberospn:HardwareProductsMember2021-01-012021-12-310001044777ospn:HardwareProductsMemberospn:SecuritySolutionsMember2021-01-012021-12-310001044777ospn:SubscriptionMember2023-01-012023-12-310001044777ospn:SubscriptionMember2022-01-012022-12-310001044777ospn:SubscriptionMember2021-01-012021-12-310001044777ospn:MaintenanceSupportAndOtherMember2023-01-012023-12-310001044777ospn:MaintenanceSupportAndOtherMember2022-01-012022-12-310001044777ospn:MaintenanceSupportAndOtherMember2021-01-012021-12-310001044777ospn:ProfessionalServicesMember2023-01-012023-12-310001044777ospn:ProfessionalServicesMember2022-01-012022-12-310001044777ospn:ProfessionalServicesMember2021-01-012021-12-310001044777ospn:ProductsMember2023-01-012023-12-310001044777ospn:ProductsMember2022-01-012022-12-310001044777ospn:ProductsMember2021-01-012021-12-310001044777us-gaap:EMEAMember2023-01-012023-12-310001044777us-gaap:EMEAMember2022-01-012022-12-310001044777us-gaap:EMEAMember2021-01-012021-12-310001044777srt:AmericasMember2023-01-012023-12-310001044777srt:AmericasMember2022-01-012022-12-310001044777srt:AmericasMember2021-01-012021-12-310001044777srt:AsiaPacificMember2023-01-012023-12-310001044777srt:AsiaPacificMember2022-01-012022-12-310001044777srt:AsiaPacificMember2021-01-012021-12-310001044777us-gaap:TransferredAtPointInTimeMember2023-01-012023-12-310001044777us-gaap:TransferredAtPointInTimeMember2022-01-012022-12-310001044777us-gaap:TransferredAtPointInTimeMember2021-01-012021-12-310001044777us-gaap:TransferredOverTimeMember2023-01-012023-12-310001044777us-gaap:TransferredOverTimeMember2022-01-012022-12-310001044777us-gaap:TransferredOverTimeMember2021-01-012021-12-310001044777srt:MinimumMember2023-01-012023-12-310001044777srt:MaximumMember2023-01-012023-12-3100010447772024-01-012023-12-3100010447772025-01-012023-12-3100010447772026-01-012023-12-3100010447772027-01-012023-12-310001044777ospn:ProductAndLicenseMember2023-06-012023-06-300001044777ospn:ProvenDBMember2023-02-222023-02-220001044777ospn:ProvenDBMemberus-gaap:SubsequentEventMember2024-02-012024-02-290001044777ospn:ProvenDBMemberospn:DigitalAgreementsMember2023-02-220001044777ospn:ProvenDBMemberospn:DigitalAgreementsMember2023-02-222023-02-220001044777ospn:DigitalAgreementsMember2021-12-310001044777ospn:SecuritySolutionsMember2021-12-310001044777ospn:DigitalAgreementsMember2022-12-310001044777ospn:SecuritySolutionsMember2022-12-310001044777ospn:DigitalAgreementsMember2023-12-310001044777ospn:SecuritySolutionsMember2023-12-310001044777us-gaap:DevelopedTechnologyRightsMembersrt:MinimumMember2023-12-310001044777us-gaap:DevelopedTechnologyRightsMembersrt:MinimumMember2022-12-310001044777us-gaap:DevelopedTechnologyRightsMembersrt:MaximumMember2023-12-310001044777us-gaap:DevelopedTechnologyRightsMembersrt:MaximumMember2022-12-310001044777us-gaap:DevelopedTechnologyRightsMember2023-12-310001044777us-gaap:DevelopedTechnologyRightsMember2022-12-310001044777us-gaap:CustomerRelationshipsMembersrt:MinimumMember2022-12-310001044777us-gaap:CustomerRelationshipsMembersrt:MaximumMember2022-12-310001044777us-gaap:CustomerRelationshipsMember2023-12-310001044777us-gaap:CustomerRelationshipsMember2022-12-310001044777us-gaap:LicenseMembersrt:MinimumMember2023-12-310001044777us-gaap:LicenseMembersrt:MinimumMember2022-12-310001044777us-gaap:LicenseMembersrt:MaximumMember2023-12-310001044777us-gaap:LicenseMembersrt:MaximumMember2022-12-310001044777us-gaap:LicenseMember2023-12-310001044777us-gaap:LicenseMember2022-12-310001044777ospn:CloudSubscriptionAgreementsMember2023-01-012023-12-310001044777ospn:CloudSubscriptionAgreementsMember2022-01-012022-12-310001044777ospn:CloudSubscriptionAgreementsMember2021-01-012021-12-310001044777us-gaap:CustomerRelationshipsMemberospn:DealfloLimitedMember2022-01-012022-12-310001044777ospn:OfficeEquipmentAndSoftwareMembersrt:MinimumMember2023-12-310001044777ospn:OfficeEquipmentAndSoftwareMembersrt:MinimumMember2022-12-310001044777ospn:OfficeEquipmentAndSoftwareMembersrt:MaximumMember2023-12-310001044777ospn:OfficeEquipmentAndSoftwareMembersrt:MaximumMember2022-12-310001044777ospn:OfficeEquipmentAndSoftwareMember2023-12-310001044777ospn:OfficeEquipmentAndSoftwareMember2022-12-310001044777us-gaap:LeaseholdImprovementsMember2022-12-310001044777us-gaap:FurnitureAndFixturesMember2022-12-310001044777us-gaap:FurnitureAndFixturesMember2023-12-310001044777us-gaap:SoftwareAndSoftwareDevelopmentCostsMember2023-12-310001044777us-gaap:SoftwareAndSoftwareDevelopmentCostsMember2022-12-310001044777ospn:CloudSubscriptionAgreementsMember2023-01-012023-12-310001044777ospn:CloudSubscriptionAgreementsMember2022-01-012022-12-310001044777ospn:CloudSubscriptionAgreementsMember2021-01-012021-12-310001044777us-gaap:LeaseholdImprovementsMember2023-04-012023-06-300001044777ospn:OfficeEquipmentAndSoftwareMember2023-04-012023-06-300001044777ospn:RealEstateRationalizationMemberospn:BrusselsOfficeMember2023-07-012023-09-300001044777us-gaap:MoneyMarketFundsMemberus-gaap:FairValueMeasurementsRecurringMember2023-12-310001044777us-gaap:FairValueInputsLevel1Memberus-gaap:MoneyMarketFundsMemberus-gaap:FairValueMeasurementsRecurringMember2023-12-310001044777us-gaap:FairValueInputsLevel2Memberus-gaap:MoneyMarketFundsMemberus-gaap:FairValueMeasurementsRecurringMember2023-12-310001044777us-gaap:FairValueInputsLevel3Memberus-gaap:MoneyMarketFundsMemberus-gaap:FairValueMeasurementsRecurringMember2023-12-310001044777us-gaap:CorporateBondSecuritiesMemberus-gaap:FairValueMeasurementsRecurringMember2022-12-310001044777us-gaap:CorporateBondSecuritiesMemberus-gaap:FairValueInputsLevel1Memberus-gaap:FairValueMeasurementsRecurringMember2022-12-310001044777us-gaap:FairValueInputsLevel2Memberus-gaap:CorporateBondSecuritiesMemberus-gaap:FairValueMeasurementsRecurringMember2022-12-310001044777us-gaap:CorporateBondSecuritiesMemberus-gaap:FairValueInputsLevel3Memberus-gaap:FairValueMeasurementsRecurringMember2022-12-310001044777us-gaap:CommercialPaperMemberus-gaap:FairValueMeasurementsRecurringMember2022-12-310001044777us-gaap:CommercialPaperMemberus-gaap:FairValueInputsLevel1Memberus-gaap:FairValueMeasurementsRecurringMember2022-12-310001044777us-gaap:FairValueInputsLevel2Memberus-gaap:CommercialPaperMemberus-gaap:FairValueMeasurementsRecurringMember2022-12-310001044777us-gaap:CommercialPaperMemberus-gaap:FairValueInputsLevel3Memberus-gaap:FairValueMeasurementsRecurringMember2022-12-310001044777us-gaap:MoneyMarketFundsMemberus-gaap:FairValueMeasurementsRecurringMember2022-12-310001044777us-gaap:FairValueInputsLevel1Memberus-gaap:MoneyMarketFundsMemberus-gaap:FairValueMeasurementsRecurringMember2022-12-310001044777us-gaap:FairValueInputsLevel2Memberus-gaap:MoneyMarketFundsMemberus-gaap:FairValueMeasurementsRecurringMember2022-12-310001044777us-gaap:FairValueInputsLevel3Memberus-gaap:MoneyMarketFundsMemberus-gaap:FairValueMeasurementsRecurringMember2022-12-310001044777us-gaap:BuildingMember2023-01-012023-12-310001044777us-gaap:BuildingMember2022-01-012022-12-310001044777us-gaap:BuildingMember2021-01-012021-12-310001044777ospn:AutomobileMember2023-01-012023-12-310001044777ospn:AutomobileMember2022-01-012022-12-310001044777ospn:AutomobileMember2021-01-012021-12-310001044777ospn:RealEstateRationalizationMemberospn:ChicagoOfficeMember2023-12-310001044777ospn:RealEstateRationalizationMemberospn:ChicagoOfficeMember2023-01-012023-12-310001044777ospn:RealEstateRationalizationMemberospn:BrusselsOfficeMember2023-12-310001044777ospn:RealEstateRationalizationMemberospn:BrusselsOfficeMember2023-01-012023-12-3100010447772023-10-3100010447772023-01-012023-03-3100010447772023-04-012023-06-3000010447772023-07-012023-09-3000010447772022-01-012022-03-3100010447772022-04-012022-06-3000010447772022-07-012022-09-3000010447772022-10-012022-12-310001044777country:CA2023-12-310001044777us-gaap:EarliestTaxYearMembercountry:CA2023-01-012023-12-310001044777us-gaap:LatestTaxYearMembercountry:CA2023-01-012023-12-310001044777us-gaap:StateAndLocalJurisdictionMember2023-12-310001044777us-gaap:HerMajestysRevenueAndCustomsHMRCMember2023-12-310001044777us-gaap:SwissFederalTaxAdministrationFTAMember2023-12-310001044777us-gaap:SwissFederalTaxAdministrationFTAMemberus-gaap:EarliestTaxYearMember2023-01-012023-12-310001044777us-gaap:SwissFederalTaxAdministrationFTAMemberus-gaap:LatestTaxYearMember2023-01-012023-12-310001044777us-gaap:ForeignCountryMember2023-12-310001044777ospn:ForeignProvincialTaxAuthorityMember2023-12-310001044777us-gaap:EarliestTaxYearMemberospn:ForeignProvincialTaxAuthorityMember2023-01-012023-12-310001044777us-gaap:LatestTaxYearMemberospn:ForeignProvincialTaxAuthorityMember2023-01-012023-12-310001044777us-gaap:DomesticCountryMember2023-12-310001044777us-gaap:EarliestTaxYearMemberus-gaap:StateAndLocalJurisdictionMember2023-01-012023-12-310001044777us-gaap:StateAndLocalJurisdictionMemberus-gaap:LatestTaxYearMember2023-01-012023-12-310001044777ospn:TaxCreditCarryforwardMemberospn:UnitedStatesCreditMember2023-12-310001044777ospn:TaxCreditCarryforwardMembercountry:CA2023-12-310001044777ospn:TaxCreditCarryforwardMemberospn:ForeignProvincialTaxAuthorityMember2023-12-310001044777us-gaap:CapitalLossCarryforwardMember2023-12-310001044777ospn:TaxCreditCarryforwardMemberospn:CanadaCreditTaxAuthorityMember2023-12-310001044777us-gaap:EarliestTaxYearMemberospn:TaxCreditCarryforwardMemberospn:CanadaCreditTaxAuthorityMember2023-01-012023-12-310001044777ospn:TaxCreditCarryforwardMemberospn:CanadaCreditTaxAuthorityMemberus-gaap:LatestTaxYearMember2023-01-012023-12-310001044777ospn:TaxCreditCarryforwardMemberospn:CanadaProvinceCreditsMember2023-12-310001044777us-gaap:EarliestTaxYearMemberospn:TaxCreditCarryforwardMemberospn:CanadaProvinceCreditsMember2023-01-012023-12-310001044777ospn:TaxCreditCarryforwardMemberus-gaap:LatestTaxYearMemberospn:CanadaProvinceCreditsMember2023-01-012023-12-310001044777ospn:TaxCreditCarryforwardMember2023-12-310001044777us-gaap:EarliestTaxYearMemberus-gaap:AustralianTaxationOfficeMember2023-01-012023-12-310001044777us-gaap:EarliestTaxYearMemberospn:AustriaFederalMinistryOfFinanceMember2023-01-012023-12-310001044777us-gaap:EarliestTaxYearMemberus-gaap:AdministrationOfTheTreasuryBelgiumMember2023-01-012023-12-310001044777us-gaap:EarliestTaxYearMemberus-gaap:CanadaRevenueAgencyMember2023-01-012023-12-310001044777us-gaap:EarliestTaxYearMemberus-gaap:TaxAndCustomsAdministrationNetherlandsMember2023-01-012023-12-310001044777us-gaap:EarliestTaxYearMemberus-gaap:InlandRevenueSingaporeIRASMember2023-01-012023-12-310001044777us-gaap:EarliestTaxYearMemberus-gaap:SwissFederalTaxAdministrationFTAMember2023-01-012023-12-310001044777us-gaap:EarliestTaxYearMemberus-gaap:HerMajestysRevenueAndCustomsHMRCMember2023-01-012023-12-310001044777us-gaap:EarliestTaxYearMemberus-gaap:InternalRevenueServiceIRSMember2023-01-012023-12-310001044777ospn:TwoThousandAndNineteenOmnibusIncentivePlanMember2023-01-012023-12-310001044777ospn:RestrictedStockSubjectToTimeBasedCriteriaMember2022-12-310001044777ospn:RestrictedStockSubjectToTimeBasedCriteriaMember2023-01-012023-12-310001044777ospn:RestrictedStockSubjectToTimeBasedCriteriaMember2022-01-012022-12-310001044777ospn:RestrictedStockSubjectToTimeBasedCriteriaMember2021-01-012021-12-310001044777ospn:RestrictedStockSubjectToTimeBasedCriteriaMember2023-12-310001044777us-gaap:ShareBasedPaymentArrangementEmployeeMembersrt:OfficerMemberospn:TimeBasedRestrictedStockUnitsSettledInStockMembersrt:MinimumMember2023-01-012023-12-310001044777us-gaap:ShareBasedPaymentArrangementEmployeeMembersrt:OfficerMemberospn:TimeBasedRestrictedStockUnitsSettledInStockMembersrt:MaximumMember2023-01-012023-12-310001044777ospn:TimeBasedRestrictedStockUnitsSettledInStockMember2023-01-012023-12-310001044777ospn:TimeBasedRestrictedStockUnitsSettledInStockMember2022-01-012022-12-310001044777ospn:TimeBasedRestrictedStockUnitsSettledInStockMember2021-01-012021-12-310001044777ospn:TimeBasedRestrictedStockUnitsSettledInStockMember2022-12-310001044777ospn:TimeBasedRestrictedStockUnitsSettledInStockMember2023-12-310001044777srt:MinimumMemberospn:RestrictedStockSubjectToPerformanceCriteriaMemberus-gaap:ShareBasedCompensationAwardTrancheTwoMember2023-01-012023-12-310001044777srt:MaximumMemberospn:RestrictedStockSubjectToPerformanceCriteriaMemberus-gaap:ShareBasedCompensationAwardTrancheTwoMember2023-01-012023-12-310001044777ospn:PerformanceSharesEarnedMembersrt:MinimumMemberus-gaap:ShareBasedCompensationAwardTrancheTwoMember2023-01-012023-12-310001044777ospn:PerformanceSharesEarnedMembersrt:MaximumMemberus-gaap:ShareBasedCompensationAwardTrancheTwoMember2023-01-012023-12-310001044777ospn:PerformanceSharesEarnedMembersrt:MinimumMember2023-01-012023-12-310001044777ospn:PerformanceSharesEarnedMember2023-01-012023-12-310001044777ospn:PerformanceSharesEarnedMember2022-01-012022-12-310001044777ospn:PerformanceSharesEarnedMember2021-01-012021-12-310001044777ospn:RestrictedStockSubjectToPerformanceCriteriaMember2022-12-310001044777ospn:RestrictedStockSubjectToPerformanceCriteriaMember2022-01-012022-12-310001044777ospn:RestrictedStockSubjectToPerformanceCriteriaMember2023-01-012023-12-310001044777ospn:RestrictedStockSubjectToPerformanceCriteriaMember2023-12-310001044777srt:MinimumMemberospn:MarketBasedRestrictedStockUnitsMemberus-gaap:ShareBasedCompensationAwardTrancheTwoMember2023-01-012023-12-310001044777ospn:MarketBasedRestrictedStockUnitsMembersrt:MaximumMemberus-gaap:ShareBasedCompensationAwardTrancheTwoMember2023-01-012023-12-310001044777ospn:MarketBasedRestrictedStockUnitsMember2023-01-012023-12-310001044777ospn:MarketBasedRestrictedStockUnitsMember2022-01-012022-12-310001044777ospn:MarketBasedRestrictedStockUnitsMember2021-01-012021-12-310001044777ospn:MarketBasedRestrictedStockUnitsMember2022-12-310001044777ospn:MarketBasedRestrictedStockUnitsMember2023-12-310001044777us-gaap:ShareBasedCompensationAwardTrancheOneMemberospn:RestrictedStockSubjectToTimeBasedCriteriaMember2023-01-012023-12-310001044777country:US2023-01-012023-12-310001044777country:US2022-01-012022-12-310001044777country:US2021-01-012021-12-310001044777us-gaap:ForeignPlanMember2023-01-012023-12-31ospn:age0001044777us-gaap:ForeignPlanMember2022-01-012022-12-310001044777us-gaap:ForeignPlanMember2021-01-012021-12-310001044777us-gaap:ForeignPlanMember2023-12-310001044777us-gaap:ForeignPlanMember2022-12-310001044777us-gaap:ForeignPlanMember2021-12-310001044777us-gaap:ForeignPlanMembersrt:MinimumMember2023-01-012023-12-310001044777us-gaap:ForeignPlanMembersrt:MaximumMember2023-01-012023-12-310001044777us-gaap:ForeignPlanMembersrt:MinimumMember2022-01-012022-12-310001044777us-gaap:ForeignPlanMembersrt:MaximumMember2022-01-012022-12-31ospn:region0001044777us-gaap:OperatingSegmentsMemberus-gaap:EMEAMember2023-01-012023-12-310001044777us-gaap:OperatingSegmentsMembersrt:AmericasMember2023-01-012023-12-310001044777us-gaap:OperatingSegmentsMembersrt:AsiaPacificMember2023-01-012023-12-310001044777us-gaap:OperatingSegmentsMemberus-gaap:EMEAMember2023-12-310001044777us-gaap:OperatingSegmentsMembersrt:AmericasMember2023-12-310001044777us-gaap:OperatingSegmentsMembersrt:AsiaPacificMember2023-12-310001044777us-gaap:OperatingSegmentsMemberus-gaap:EMEAMember2022-01-012022-12-310001044777us-gaap:OperatingSegmentsMembersrt:AmericasMember2022-01-012022-12-310001044777us-gaap:OperatingSegmentsMembersrt:AsiaPacificMember2022-01-012022-12-310001044777us-gaap:OperatingSegmentsMemberus-gaap:EMEAMember2022-12-310001044777us-gaap:OperatingSegmentsMembersrt:AmericasMember2022-12-310001044777us-gaap:OperatingSegmentsMembersrt:AsiaPacificMember2022-12-310001044777us-gaap:OperatingSegmentsMemberus-gaap:EMEAMember2021-01-012021-12-310001044777us-gaap:OperatingSegmentsMembersrt:AmericasMember2021-01-012021-12-310001044777us-gaap:OperatingSegmentsMembersrt:AsiaPacificMember2021-01-012021-12-310001044777us-gaap:OperatingSegmentsMemberus-gaap:EMEAMember2021-12-310001044777us-gaap:OperatingSegmentsMembersrt:AmericasMember2021-12-310001044777us-gaap:OperatingSegmentsMembersrt:AsiaPacificMember2021-12-310001044777us-gaap:RevenueFromContractWithCustomerMemberus-gaap:CustomerConcentrationRiskMember2022-01-012022-12-31ospn:customer0001044777us-gaap:RevenueFromContractWithCustomerMemberus-gaap:CustomerConcentrationRiskMember2021-01-012021-12-310001044777us-gaap:RevenueFromContractWithCustomerMemberus-gaap:CustomerConcentrationRiskMember2023-01-012023-12-310001044777us-gaap:CustomerConcentrationRiskMemberus-gaap:RevenueFromContractWithCustomerMemberospn:TopTenCustomersMember2023-01-012023-12-310001044777us-gaap:CustomerConcentrationRiskMemberus-gaap:RevenueFromContractWithCustomerMemberospn:TopTenCustomersMember2022-01-012022-12-310001044777us-gaap:CustomerConcentrationRiskMemberus-gaap:RevenueFromContractWithCustomerMemberospn:TopTenCustomersMember2021-01-012021-12-310001044777country:CN2023-01-012023-12-31ospn:factory0001044777country:RO2023-01-012023-12-310001044777ospn:OtherSoftwareAgreementsMember2023-12-310001044777ospn:OtherSoftwareAgreementsMembersrt:MinimumMember2023-01-012023-12-310001044777ospn:OtherSoftwareAgreementsMembersrt:MaximumMember2023-01-012023-12-310001044777ospn:PlanMember2023-01-012023-12-310001044777ospn:PlanMember2022-01-012022-12-310001044777ospn:EmployeeCostsMember2023-01-012023-12-310001044777ospn:EmployeeCostsMember2022-01-012022-12-31ospn:employee0001044777ospn:EmployeeCostsMember2023-12-310001044777ospn:SettlementCostsMemberospn:BrusselsOfficeMember2023-12-310001044777ospn:RealEstateRationalizationMember2023-12-310001044777ospn:RealEstateRationalizationMemberospn:ChicagoOfficeMember2023-07-012023-09-300001044777us-gaap:SoftwareAndSoftwareDevelopmentCostsMember2023-06-012023-06-300001044777ospn:VendorRationalizationMember2023-01-012023-12-310001044777ospn:EmployeeCostsMember2021-12-310001044777ospn:RealEstateRationalizationMember2021-12-310001044777ospn:RealEstateRationalizationMember2022-01-012022-12-310001044777ospn:EmployeeCostsMember2022-12-310001044777ospn:RealEstateRationalizationMember2022-12-310001044777ospn:RealEstateRationalizationMember2023-01-012023-12-310001044777ospn:BoardOfDirectorsMember2023-01-012023-12-310001044777ospn:BoardOfDirectorsMember2022-01-012022-12-310001044777ospn:BoardOfDirectorsMember2021-01-012021-12-310001044777ospn:BoardOfDirectorsMember2023-12-310001044777ospn:BoardOfDirectorsMember2022-12-310001044777us-gaap:EmployeeSeveranceMemberospn:PresidentAndChiefExecutiveOfficerMember2023-12-310001044777us-gaap:AllowanceForCreditLossMember2022-12-310001044777us-gaap:AllowanceForCreditLossMember2023-01-012023-12-310001044777us-gaap:AllowanceForCreditLossMember2023-12-310001044777us-gaap:AllowanceForCreditLossMember2021-12-310001044777us-gaap:AllowanceForCreditLossMember2022-01-012022-12-310001044777us-gaap:AllowanceForCreditLossMember2020-12-310001044777us-gaap:AllowanceForCreditLossMember2021-01-012021-12-31

UNITED STATES
SECURITIES AND EXCHANGE COMMISSION
Washington, D.C. 20549
_____________________________________
FORM 10-K
FOR ANNUAL AND TRANSITION REPORTS PURSUANT TO
SECTIONS 13 OR 15(d) OF THE SECURITIES EXCHANGE ACT OF 1934
(Mark One)
x    ANNUAL REPORT PURSUANT TO SECTION 13 OR 15(D) OF THE SECURITIES EXCHANGE ACT OF 1934 FOR THE FISCAL YEAR ENDED DECEMBER 31, 2023
or
o    TRANSITION REPORT PURSUANT TO SECTION 13 OR 15(d) OF THE SECURITIES EXCHANGE ACT OF 1934 FOR THE TRANSITION PERIOD FROM TO
Commission file number 000-24389
OneSpan Inc.
(Exact Name of Registrant as Specified in Its Charter)
Delaware36-4169320
(State or Other Jurisdiction of
Incorporation or Organization)
(IRS Employer
Identification No.)
1 Marina Park Drive, Unit 1410
Boston, Massachusetts 02210
(Address of Principal Executive Offices)(Zip Code)
Registrant’s telephone number, including area code:
312-766-4001
Securities registered pursuant to Section 12(b) of the Act:
Title of each classTrading SymbolName of exchange on which registered
Common Stock, par value $.001 per shareOSPN
NASDAQ Capital Market
Securities registered pursuant to Section 12(g) of the Act:
None
Indicate by check mark if the registrant is a well-known seasoned issuer, as defined by Rule 405 of the Securities Act.    Yes o    No x
Indicate by check mark if the registrant is not required to file reports pursuant to Section 13 or 15(d) of the act.    Yes o    No x
Indicate by check mark whether the registrant: (1) has filed all reports required to be filed by Section 13 or 15(d) of the Securities Exchange Act of 1934 during the preceding 12 months (or for such shorter period that the registrant was required to file such reports), and (2) has been subject to such filing requirements for the past 90 days.    Yes x    No o
Indicate by check mark whether the registrant has submitted electronically every Interactive Data File required to be submitted pursuant to Rule 405 of Regulation S-T (§232.405 of this chapter) during the preceding 12 months (or for such shorter period that the registrant was required to submit such files).    Yes x    No o
Indicate by check mark whether the registrant is a large accelerated filer, an accelerated filer, a non-accelerated filer, a smaller reporting company, or an emerging growth company. See definition of “large accelerated filer,” “accelerated filer”, “smaller reporting company”, and “emerging growth company” in Rule 12b-2 of the Exchange Act.
Large accelerated filer oAccelerated filerNon-accelerated fileroSmaller reporting companyoEmerging growth companyo
If an emerging growth company, indicate by check mark if the registrant has elected not to use the extended transition period for complying with any new or revised financial accounting standards pursuant to Section 13(a) of the Exchange Act. o
Indicate by check mark whether the registrant has filed a report on and attestation to its management’s assessment of the effectiveness of its internal control over financial reporting under Section 404(b) of the Sarbanes-Oxley Act (15 U.S.C. 7262(b)) by the registered public accounting firm that prepared or issued its audit report. x

If securities are registered pursuant to Section 12(b) of the Act, indicate by check mark whether the financial statements of the registrant included in the filing reflect the correction of an error to previously issued financial statements. 
o 

Indicate by check mark whether any of those error corrections are restatements that required a recovery analysis of incentive-based compensation received by any of the registrant’s executive officers during the relevant recovery period pursuant to §240.10D-1(b). 
o  

Indicate by check mark whether the registrant is a shell company (as defined in Rule 12b-2 of the Exchange Act).    Yes 
o    No x

As of June 30, 2023, the aggregate market value of voting and non-voting common equity (based upon the last sale price of the common stock as reported on the NASDAQ Capital Market on June 30, 2023) held by non-affiliates of the registrant was $588,629,980 at $14.84 per share.

As of March 1, 2024, there were 37,789,737 shares of common stock outstanding.
DOCUMENTS INCORPORATED BY REFERENCE
Certain sections of the registrant’s Notice of Annual Meeting of Stockholders and Proxy Statement for its 2024 Annual Meeting of Stockholders are incorporated by reference into Part III of this report.
Auditor Name: KPMG LLP
Auditor Location: Chicago, IL
Auditor Firm ID: 185



OneSpan Inc.
Annual Report on Form 10-K
For the Year Ended December 31, 2023
TABLE OF CONTENTS
PAGE
F-1




References to OneSpan
Throughout this Annual Report on Form 10-K, the “Company,” “OneSpan,” “we,” “us,” and “our,” except where the context requires otherwise, refer to OneSpan Inc. and its consolidated subsidiaries, and “our board of directors” refers to the board of directors of OneSpan Inc.

Cautionary Note Regarding Forward-Looking Statements

This Annual Report on Form 10-K contains forward-looking statements within the meaning of applicable U.S. securities laws, including statements regarding the outcomes we expect from our updated strategic transformation plan and cost reduction and restructuring actions approved in August 2023 and in prior periods, including the ability of those actions to allow us to accelerate Adjusted EBITDA (earnings before interest, taxes, depreciation, and amortization) growth and drive value creation by growing revenue efficiently and profitably; estimates concerning the timing and amount of savings, Adjusted EBITDA improvements, and/or restructuring charges that may result from our cost reduction and restructuring actions; our plans for managing our Digital Agreements and Security Solutions segments; expectations about trends in our cost of goods sold, gross margin, and sales and marketing, research and development, and general and administrative expenses; the impact of foreign currency rate fluctuations; expectations regarding sources and uses of cash; and our general expectations regarding our operational or financial performance in the future. Forward-looking statements may be identified by words such as "seek", "believe", "plan", "estimate", "anticipate", “expect", "intend", "continue", "outlook", "may", "will", "should", "could", or "might", and other similar expressions. These forward-looking statements involve risks and uncertainties, as well as assumptions that, if they do not fully materialize or prove incorrect, could cause our results to differ materially from those expressed or implied by such forward-looking statements. Factors that could materially affect our business and financial results include, but are not limited to: our ability to execute our updated strategic transformation plan and cost reduction and restructuring actions in the expected timeframe and to achieve the outcomes we expect from them; unintended costs and consequences of our cost reduction and restructuring actions, including higher than anticipated restructuring charges, disruption to our operations, litigation or regulatory actions, reduced employee morale, attrition of valued employees, adverse effects on our reputation as an employer, loss of institutional know-how, slower customer service response times, and reduced ability to complete or undertake new product development projects and other business, product, technical, compliance or risk mitigation initiatives; our ability to attract new customers and retain and expand sales to existing customers; our ability to successfully develop and market new product offerings and product enhancements; changes in customer requirements; the potential effects of technological changes; the loss of one or more large customers; difficulties enhancing and maintaining our brand recognition; competition; lengthy sales cycles; challenges retaining key employees and successfully hiring and training qualified new employees; security breaches or cyber-attacks; real or perceived malfunctions or errors in our products; interruptions or delays in the performance of our products and solutions; reliance on third parties for certain products and data center services; our ability to effectively manage third party partnerships, acquisitions, divestitures, alliances, or joint ventures; economic recession, inflation, and political instability; claims that we have infringed the intellectual property rights of others; price competitive bidding; changing laws, government regulations or policies; pressures on price levels; component shortages; delays and disruption in global transportation and supply chains; impairment of goodwill or amortizable intangible assets causing a significant charge to earnings; actions of activist stockholders; and exposure to increased economic and operational uncertainties from operating a global business, as well as other factors described in the “Risk Factors” section of this Annual Report on Form 10-K. Our filings with the Securities and Exchange Commission (the “SEC”) and other important information can be found in the Investor Relations section of our website at investors.onespan.com. We do not have any intent, and disclaim any obligation, to update the forward-looking information to reflect events that occur, circumstances that exist or changes in our expectations after the date of this Form 10-K, except as required by law.

Our website address is included in this Annual Report on Form 10-K as an inactive textual reference only.



PART I
Item 1 – Business

Overview
OneSpan provides security, identity, electronic signature (“e-signature”) and digital workflow solutions that protect and facilitate digital transactions and agreements. Through our two business units, Security Solutions and Digital Agreements, we deliver products and services that automate and secure customer-facing and revenue-generating business processes for use cases ranging from simple transactions to workflows that are complex or require higher levels of security.

Our solutions help our customers ensure the integrity of the people and records associated with digital agreements, transactions, and interactions in industries including banking, financial services, healthcare, and professional services. We are trusted by global blue-chip enterprises, including more than 60% of the world’s largest 100 banks, and we process millions of digital agreements and billions of transactions in more than 100 countries annually.

We offer our products primarily through a subscription licensing model and provide multiple deployment options, including cloud-based and on-premises solutions. Our solutions are sold worldwide through our direct sales force, as well as through distributors, resellers, systems integrators, and original equipment manufacturers.

Business Transformation
We are currently in the midst of a business transformation. In December 2021, our board of directors (“Board” or “Board of Directors”) approved a restructuring plan (the “restructuring plan”) designed to advance our operating model, streamline our business, improve efficiency, and enhance our capital resources. The first phase of this restructuring plan began and was substantially completed during the three months ended March 31, 2022. In May 2022, our Board approved additional actions related to the restructuring plan and we announced a three-year strategic transformation plan that began on January 1, 2023 (the "2022 strategic plan"). In conjunction with the 2022 strategic plan and to enable a more efficient capital deployment model, effective with the quarter ended June 30, 2022, we began reporting under the following two lines of business, which are our reportable operating segments: Digital Agreements and Security Solutions.
Digital Agreements. Digital Agreements consists of solutions that enable our clients to secure and automate business processes associated with their digital agreement and customer transaction lifecycles that require consent, non-repudiation and compliance. These solutions, which are largely cloud-based, include OneSpan Sign e-signature, OneSpan Notary, and OneSpan Trust Vault. This segment also includes costs attributable to our transaction cloud platform.

Security Solutions. Security Solutions consists of our broad portfolio of software products, software development kits (SDKs), and Digipass authenticator devices that are used to build applications designed to defend against attacks on digital transactions across online environments, devices, and applications. The software products and SDKs included in the Security Solutions segment are largely on-premises software products and include identity verification, multi-factor authentication and transaction signing solutions, such as mobile application security, and mobile software tokens.

When we began the 2022 strategic plan, we expected that we would manage Digital Agreements for accelerated growth and market share gains and Security Solutions for cash flow given its more modest growth profile. During the three months ended March 31, 2023, we changed our methodology for allocating expenses between the segments to better reflect the shift in employee time, effort, and costs toward supporting the growth of our Digital Agreements segment instead of our Security Solutions segment.

During the quarter ended June 30, 2023, we determined that we were unlikely to achieve the revenue growth levels set forth in our 2022 strategic plan within the contemplated three-year timeframe. A number of factors contributed to the challenges achieving the originally planned growth levels, particularly in Digital Agreements, on the timeframes set forth in the 2022 strategic plan, including: macroeconomic uncertainties in the banking and financial services segments, which have resulted in longer sales cycles and greater price sensitivity on the part of customers; increasing maturity and competitiveness in the market for e-signature solutions; limited awareness of our brand among buyers of e-signature tools; and higher pricing aggressiveness from competitors. These and other factors made it more difficult than we originally anticipated to build our Digital Agreements sales pipeline, generate demand for our Digital Agreements solutions through marketing efforts, and improve our sales force productivity levels.

1


In response to these challenges in growing our Digital Agreements revenue, we modified our strategy to focus more heavily on improving Adjusted EBITDA margin across the business. To this end, in August 2023, our Board approved cost reduction actions (the “2023 Actions”) to seek to drive higher levels of Adjusted EBITDA while maintaining our long-term growth potential. We intend to continue to pursue the overall strategy set forth in the 2022 strategic plan, including driving efficient growth in Digital Agreements and managing Security Solutions for modest growth and cash flow, while implementing adjustments to our operating model that are intended to achieve greater operational efficiency and strengthen our ability to create value for our shareholders.

Our updated strategy, the 2023 Actions and other cost reduction actions implemented under our restructuring plan originally adopted in December 2021 involve numerous risks and uncertainties. For additional details please see Item IA, Risk Factors.

Industry Background

While digital transformation and the shift to cloud-delivered experiences across all industries has helped increase the pace of innovation and business execution, it has also increased security risks for organizations, their customers, and their employees. People and records associated with business interactions, transactions, and agreements have become the biggest attack surface, or point of vulnerability, to cyber-attacks.
Today’s cybersecurity bad actors are sophisticated and well-resourced, which means that enterprises everywhere are confronted with security threats on all fronts, from identity fraud and firewall breaches to nation-state espionage. Without secure and enforceable business processes and outcomes, economies everywhere are vulnerable. However, current security measures are typically at odds with the pressure for organizations to drive growth and support increasing customer expectations for frictionless user experiences.
For high-value transactions and agreements that have shifted to digital workflows, these challenges are amplified due to the fragmented legal requirements, regulatory rules, and complexity associated with doing business across state and national borders. In addition to automating and securing these digital workflows, cross-border identity verification, data privacy, and sovereignty regulations vary from one jurisdiction to the next, complicating compliance for organizations operating globally.
We expect that these trends will continue to accelerate and evolve, creating an opportunity for OneSpan to leverage our global security roots to deliver technology that enables frictionless customer experiences, with security seamlessly interwoven throughout every action and interaction. We believe that OneSpan is well positioned to help organizations deliver the simple and intuitive experiences their customers demand today, while preparing them for the security challenges of tomorrow.
Our Products and Services Portfolio
We offer a portfolio of products and solutions to enable secure, compliant and refreshingly easy customer interactions and transactions. Whereas other companies provide point solutions for either security or digital agreements, we support the entire lifecycle of digital agreements for global enterprises that need to meet the highest levels of assurance, security, and compliance, all while using a human-centric approach that minimizes friction for customers. Our portfolio spans across the key stages of digital transactions and agreements:
Verify – Identity Proofing and Verification: Establish a relationship with your customer, starting with knowing who they are.
Authenticate – User Authentication: Protect yourself and your customer’s identity and financial transactions with strong customer authentication.
Interact – Virtual Room and OneSpan Notary: Connect and collaborate with your customers and notarize documents in a secure, virtual environment.
Transact – E-Sign: Sign transactions and agreements remotely and securely.
Store – Secure Digital Storage: Complete the digital agreement process by securely storing transaction records and documentation.

Since June 30, 2022, we have reported our financial results under two operating segments: Digital Agreements and Security Solutions. The products and services that fall under each segment are shown below.

Digital Agreements
2



OneSpan Sign supports a broad range of e-signature requirements from simple to complex, and from the occasional agreement to processing tens of thousands of transactions. OneSpan Sign provides multiple public cloud deployment options to meet global data residency needs. The solution is also available in a Federal Risk and Authorization Management Program (FedRAMP) software as a service ("SaaS")-level compliant cloud, allowing U.S. government agencies to implement e- signatures in the cloud and meet General Services Administration ("GSA") security requirements.

Customers can configure OneSpan Sign to reinforce their brand for a seamless signing experience. Each step of the digital agreement workflow can be customized, from authentication to e-signing and secure digital storage. OneSpan Sign also provides comprehensive and secure electronic evidence for strong legal protection by capturing all actions that took place during the agreement process. This reduces the time and cost of gathering evidence and demonstrating legal and regulatory compliance. Electronic signature capabilities can be a critical component of the account opening and onboarding processes, providing a secure and user-friendly way to execute legally binding agreements.

Virtual Room is a purpose-built, high-assurance solution that blends the simplicity of a consumer video collaboration app with high-assurance identity and authentication security. OneSpan’s secure Virtual Room cloud service enables organizations to deliver live, high-touch assistance to their customers in a secure virtual environment. This next-generation customer engagement solution gives organizations the ability to combine identity verification, authentication, and e-signature solutions from the broader OneSpan portfolio with a high-assurance virtual experience that removes the friction of entering a branch or meeting in person. In addition, robust audit and compliance controls help manage risk and meet regulatory requirements.

OneSpan Notary is an online notary solution developed for organizations with in-house notaries. It includes live electronic signature, two-way secured videoconferencing, and strong identity proofing options, like ID Verification and Knowledge-based Authentication (KBA). It also simplifies the notarization process with guided workflows, the ability to upload eNotary Seal, recording, eJournaling, and audit trail capabilities in a single solution. OneSpan Notary is currently available for use in 30 states, and we are targeting availability for approximately 34 U.S. states by the end of the first quarter of 2024.

OneSpan Trust Vault is a blockchain-based decentralized digital storage solution that helps organizations meet compliance, regulatory, and chain of custody requirements for critical documents. Using blockchain technology, Trust Vault records the exact date of origin or creation of a document and tracks every user action with respect to the document, which enables the prompt detection of tampering and provides a comprehensive audit trail. Trust Vault is designed for high-value, high-risk use-cases by providing tamper resistant document storage supported by immutable compliance data.

Security Solutions

OneSpan Identity Verification gives banks and other financial institutions access to a wide range of identity verification services – all through a single API integration. This includes identity document (e.g., driver’s license, passport, etc.) capture and real-time authenticity verification, as well as facial comparison (“selfie”) and liveness detection (the ability to detect whether a digital interaction is with a live human being) to establish that the individual presenting the identity document is the same person whose picture appears on the authenticated identity document. We plan to present OneSpan Identity Verification in the Digital Agreements segment effective January 1, 2024 in order to reflect the greater alignment of this solution with our Digital Agreements product portfolio.

OneSpan Cloud Authentication is a quick-to-deploy, cloud-based multifactor authentication solution that supports a full range of authentication options including biometrics, push notification, visual cryptograms for transaction data security, SMS, and hardware authenticators. This allows customers to solve strong authentication problems across different endpoints to best meet their unique requirements through a single provider rather than integrating multiple modalities together. It eliminates cost associated with managing legacy on-premises authentication technology and provides a seamless upgrade path to more comprehensive capabilities such as Intelligent Adaptive Authentication, which applies a precise level of security for each unique customer interaction using advanced real-time risk analysis and scoring.

Mobile Security Suite is a comprehensive software development kit that helps protect mobile transactions from bad actors by allowing organizations to natively integrate security features including geolocation, device identification, jailbreak and root detection, fingerprint and face recognition, one-time password delivery via push notification, and transaction data security, among others. Through a comprehensive library of APIs, application developers can extend and strengthen application security, deliver enhanced convenience to their application users, and streamline application
3


deployment and lifecycle management processes. Mobile Security Suite also includes a Runtime Application Self-Protection module, which can detect and mitigate malicious app activity and potential loss to hacking activities.

Authentication Server resides on-premises and incorporates a range of strong authentication utilities and solutions designed to allow organizations to securely authenticate users and transactions. The solution, once integrated, becomes largely transparent to users, minimizing rollout and support issues. Authentication Server encompasses multiple authentication technologies (e.g., passwords, dynamic password technologies, certificates, and biometrics) and allows the use of any combination of those technologies simultaneously.

Digipass Authenticators are our family of hardware authenticators, consisting of a wide variety of authentication devices, each of which has its own distinct characteristics to meet the needs of our customers. All models of the Digipass family of authenticators are designed to work together so customers can switch devices without changes to their existing infrastructure. Our models range from one-button devices and smart card readers to devices that include more advanced technologies, such as public key infrastructure ("PKI") and visual cryptography.

Digipass FX1 BIO, the latest addition to our Digipass Authenticators product line, is a physical passkey with fingerprint scan built for the workforce authentication market. Digipass FX BIO is built on FIDO passwordless authentication technology and works with a wide range of platforms, services, devices and connectivity options. It allows organizations to cost-effectively adopt passwordless authentication across dispersed workforces while safeguarding corporate data and applications against social engineering, adversary-in-the-middle attacks and replay attacks.
Intellectual Property and Proprietary Rights and Licenses
We rely on a combination of patent, copyright, trademark, design, and trade secret laws, as well as employee and third-party non-disclosure agreements to protect our intellectual property ("IP") and other proprietary rights. We hold patents in the U.S. and in other countries, which cover multiple aspects of our technology. These patents expire between 2024 and 2040. In addition to the issued patents, we also have several patent applications pending in the U.S., Europe, and other countries. Many of our issued and pending patents are related to our Digipass product line. In addition to our owned IP, we license software from third parties for integration into our solutions, including open-source software and other software available on commercially reasonable terms.
We furthermore have registrations for most of our trademarks in most of the markets where we sell the corresponding products and services, as well as registrations of the designs of many of our Digipass devices, primarily in the European Union ("EU") and China.
Protecting IP rights can be difficult, particularly in countries that provide less protection to IP rights and in the absence of harmonized international IP standards. Competitors and others may already have IP rights covering similar products. We may not be able to secure IP rights covering our own products or may have difficulties obtaining IP licenses from other companies on commercially favorable terms. For a discussion of IP-related risks, see Item IA, Risk Factors.
Research and Development
Our research and development efforts are focused primarily on enhancing our solutions by building new features, functionality, and applications; developing technology to support new products; enhancing our transaction-cloud platform; and conducting product and quality assurance testing. We employ a team of full-time engineers and, from time to time, also engage independent engineering firms to conduct certain product development efforts on our behalf. For fiscal years ended December 31, 2023, 2022, and 2021, we incurred expenses, net of software capitalization, of $38.4 million, $41.7 million, and $47.4 million, respectively, for research and development.
Production
Our Digipass authentication devices are manufactured by third-party manufacturers pursuant to purchase orders that we issue. Our Digipass products are manufactured by several independent factories in Southern China and one in Romania. We maintain local personnel in China to conduct quality control and quality assurance procedures. Periodic visits to the factories are conducted by our personnel for quality management, assembly process review, and supplier relations.

Digipass devices are made primarily from commercially available electronic components, including microprocessors purchased from several suppliers. We purchase microprocessors and arrange for shipment to our third-
4


party manufacturers for assembly and testing in accordance with our design specifications. The microprocessors are the most important components of the devices which are not commodity items readily available on the open market.

During 2022, the supply chain for our Digipass devices was impacted by global issues related to the effects of the COVID-19 pandemic, the Russia-Ukraine conflict and the inflationary cost environment, particularly with respect to materials in the semiconductor market, including part shortages, increased freight costs, diminished transportation capacity and labor constraints. This resulted in disruptions in our supply chain during 2022, as well as difficulties and delays in procuring certain microprocessors. In addition, since late 2021, our costs have increased due to elevated lead times and increased material costs, in particular the need to purchase microprocessors from alternative sources. Although the supply chain issues we saw in 2022 stabilized during 2023, global supply chains for semiconductors and electronic components remain vulnerable to disruption from range of risks, including natural disasters and extreme weather, regional or global conflicts, and scarcity of certain minerals and components.

In response to these supply chain conditions, beginning in 2022, we focused on improving our supplier network, engineering alternative designs, and working to reduce supply shortages and mitigate their impact. We actively manage our inventory in an effort to minimize supply chain disruptions and enable continuity of supply and services to our customers, and we may maintain elevated levels of inventory for certain of our products to prepare for potential supply constraints. We also regularly evaluate alternative manufacturing and supply arrangements, including moving more of our manufacturing from China to Romania or other locations, to mitigate supply chain risks. Despite these efforts, we may experience additional supply chain disruptions or cost increases affecting our Digipass business in the future. Please see Item IA, Risk Factors.

Our software solutions are produced in-house or developed by third parties and sold under license.
Competition
The market for digital solutions for identity, authentication, and secure digital agreements is very competitive and, like most technology-driven markets, is subject to rapid change and constantly evolving solutions and services. Our identity verification and authentication products are designed to allow authorized users access to digital business processes and properties, in some cases using patented technology, as a replacement for or supplement to a static password. Our main competitors in our identity verification and authentication markets are Gemalto (a subsidiary of Thales Group), RSA Security and Yubico. There are also many other companies, such as Transmit Security, Symantec and Duo Security, that offer competing services.

In addition to these companies, we face competition from many small authentication solution providers, many of whom offer new technologies and niche solutions such as biometric or risk and behavioral analysis. We believe that competition in this market is likely to intensify as a result of increasing demand for security products.

Our primary competitors for electronic signature solutions are DocuSign and Adobe Systems. Both companies are significantly larger than us. In addition to these companies, there are numerous smaller and regional or niche providers of electronic signing solutions.

We believe that the principal competitive factors affecting the market for digital solutions for identity, security, and electronic signatures include the strength and effectiveness of the solution, technical features, ease of use, quality and reliability, customer service and support, brand recognition, customer base, distribution channels, and the total cost of ownership of the solution. With the exception of brand recognition, we believe that our products are currently competitive with respect to these factors; nevertheless, we may not be able to maintain our competitive position against current and potential competitors. Some of our present and potential competitors have significantly greater financial, technical, marketing, purchasing, and other resources. As a result, they may be able to respond more quickly to new or emerging technologies and changes in customer requirements, to devote greater resources to the development, promotion and sale of products, to establish and maintain greater brand recognition, or to deliver competitive products at a lower end-user price. Please see Item IA, Risk Factors.
Sales and Marketing
Our solutions are sold worldwide through our direct sales force as well as through distributors, resellers, systems integrators, and original equipment manufacturers. Our sales staff coordinates sales activity through both our sales channels and those of our partners, making direct sales calls either alone or with the sales personnel of our partners. Our sales staff
5


also provides product education seminars to sales and technical personnel of resellers and distributors and to potential end users of our products.

In December 2023, we launched a new partner network program that we believe will allow our partners to reach more customers and grow their revenue with our high-assurance identity proofing, authentication, and secure electronic signature solutions. This new program features a streamlined onboarding process, access to sales enablement resources (including training materials, certifications, sales tools, marketing collateral, and technical support) and financial incentives. Partners can choose from various engagement models to meet their business needs, including distributors, resellers, system integrators, independent software vendors, and managed service providers.

Customers and Markets

The majority of our revenue is derived from financial institutions, which include traditional banks, credit unions, and online-only banks. We also sell to the enterprise market segment, government, healthcare, and insurance industries in select regions around the globe.

Our top 10 customers contributed 22%, 23%, and 22% in 2023, 2022, and 2021, respectively, of our total worldwide revenue.

Because a significant portion of our sales is denominated in foreign currencies, changes in exchange rates impact results of operations. To mitigate exposure to risks associated with fluctuations in currency exchange rates, we attempt to denominate an amount of billings in a currency such that it would provide a natural hedge against operating expenses being incurred in that currency. For additional information regarding how currency fluctuations can affect our business, please refer to Item 7, Management’s Discussion and Analysis of Financial Condition and Results of Operations.

Financial Information Relating to Foreign and Domestic Operations

For financial information regarding OneSpan, see our consolidated financial statements and the related notes, which are included in Part IV of this Annual Report on Form 10-K. See Note 18, Geographic, Customer and Supplier Information included in the notes to consolidated financial statements in Part IV of this Annual Report on Form 10-K for a breakdown of revenue, gross profit and long-lived assets between the U.S. and other regions.

Government Regulation
As a global cybersecurity and e-signature company, we are subject to complex and evolving global regulations in the various jurisdictions in which our products and services are used. Also, because banking and financial services is our largest industry target market, the government regulations affecting our customers in this area have a significant indirect effect on our business. Similar regulatory dynamics occur in the other primary markets where we have customers, such as healthcare and government. Additional proposed or new legislation and regulations could also significantly affect our business.

See Item IA, Risk Factors, for additional information about the laws and regulations we are subject to and the risks to our business associated with those laws and regulations.
Human Capital
OneSpan is powered by a team of approximately 676 employees that spans the globe, consisting of approximately 381 employees in the Americas (includes North, Central, and South America and Canada), 256 employees in EMEA (includes Europe, the Middle East, and Africa), and 39 employees in the Asia Pacific region. As of December 31, 2023, approximately 277 of our employees were in research and development, 279 in sales and marketing, and 120 in general and administrative.

We understand that achieving our business objectives will depend primarily on the skills, creativity, and determination of our people. We believe that people do their best work in an environment built on a compelling shared purpose, openness, trust, mutual accountability, and the opportunity to make a meaningful impact. To that end, our human capital objectives are built on the following five pillars, which we refer to as our “People Promise”:

6


Now is the time. With a bold vision and an ambitious market opportunity, we are ready to seize the moment. There’s never been a better time to join the team and play a part in the OneSpan story.

Start from openness. We lead with transparency, engage with open minds, and promote diversity in our thinking and in our culture. That’s why we encourage each of our people to bring their whole self to work and be open to different ideas, new challenges, and new possibilities.

Build it on trust. Real connections and true collaboration are built on trust. We trust each other and have no time for internal politics. We trust our people to always bring their best. We trust ourselves to take chances and to build something bigger – together.

Own it. We believe in empowerment through freedom: giving our people flexibility and enabling them to carve their path, their way. We don’t just ask our team to embrace change; we ask them to own it.

Make a global impact. We challenge the now by thinking ahead, speaking up, and working together to constantly improve. Everyone is an integral part of the work we do with an equal opportunity to participate and make a global impact.

The goal of our People Promise is to create an environment that will attract, retain and develop talented people who are motivated to find opportunities and create new possibilities for our customers, for themselves and their teams, and for OneSpan. To achieve this goal, we focus on the areas described below.

Competitive Compensation and Benefits. We seek to provide our employees with competitive and fair compensation and benefit offerings, and use market benchmarks to ensure external competitiveness while maintaining equity within the organization. We tie incentive compensation to both business and individual performance and provide a range of health, wellness, family leave, savings, retirement, and time-off benefits for our employees, which vary based on local regulations and norms.

Engagement. We regularly request input from employees, including through a broad employee engagement survey which is typically conducted annually and through occasional “pulse” surveys. These surveys are intended to measure our progress in promoting an environment where employees are engaged, productive, and have a strong sense of belonging. As part of our commitment to acting on employee input, we also use survey results to identify areas where we can do better and expect our managers to actively work to improve those areas.

Hybrid Workplace Policy. For our employees who live near one of our offices, we have adopted a hybrid work model whereby employees generally come to the office in person once or twice per week, on a day designated by local office leadership. For the rest of the week, employees may work either remotely or from their local office. We believe this approach maintains the flexibility of remote work while also providing a regular opportunity for in-person interactions to collaborate, innovate, and build relationships with colleagues.

Diversity and Inclusion. With approximately 676 employees around the world and customers in more than 100 countries, we understand the importance of diversity in perspectives, experience, backgrounds and cultures. As part of our efforts to encourage diversity and inclusion, all employees take a diversity and inclusion training annually and an unconscious bias training upon hire. We also work with diversity focused job sites and candidate application platforms to increase access to diverse talent. In addition, we have an active employee resource group, Women at OneSpan, focused on providing support, mentoring and other resources for our female employees.

We monitor the gender diversity of our workforce regularly. We measure gender diversity overall, by job level, and by job family. As of December 31, 2023, approximately 31% of our employees identified as female, unchanged from the end of 2022 but up from 27% at the end of 2021. The percentage of women by job level (executive, vice president, director, manager, supervisor and individual) improved for the vice president, manager, and supervisor job levels, remained unchanged for the individual job level, and decreased slightly in the director and executive job levels. For job families (consisting of general and administrative, research and development, sales and marketing, and Digipass), the percentage of women by job family improved slightly for sales and marketing, remained unchanged for research and development, and declined slightly in general and administrative and Digipass. Although our gender diversity metrics may fluctuate from period to period, over the longer term, we hope and expect to see continued improvement in the representation of women across the company.

7


We are also proud of the strides we have made in the past two years in the diversity of our executive leadership team. More than half of our current 10-person executive team identifies as female, LGBTQ, and/or a person of color, which represents significant progress as compared to the beginning of 2022.

Training and Talent Development. We promote and support employee development, compliance and organizational effectiveness by providing professional development and compliance training. All of our employees take a required annual training on the following topics: our code of conduct and ethics; cybersecurity; diversity and inclusion; and preventing sexual harassment. We also require training on unconscious bias and psychological safety at work, which covers ways managers and employees can promote an open, trusting and non-judgmental environment that encourages creativity and the free exchange of ideas.

Feedback and Coaching. We believe regular feedback is an integral component of employee development, and that creating a culture of ongoing performance coaching is critical to our success. To that end, we conduct coaching sessions where each employee is evaluated by their personal manager at least annually. Employee performance is assessed in significant part based on the achievement of goals set collaboratively by the employee and their manager. We also encourage managers to provide ongoing feedback and performance coaching to their direct reports, and to solicit their teams’ feedback on their own performance.

Employee Recognition. We regularly recognize our employees for driving business results and exemplifying our company values. We believe that these recognition programs help drive strong employee performance. Employees also have access to an internal communications channel to recognize their peers for their contributions to the company.

Community Outreach and Support. We believe it is important to promote community outreach through corporate giving and employee volunteerism in the communities where we live and work. We provide each employee with one paid day off each year to participate in volunteer activities of their choice. In 2023, we launched a global social impact platform that helps our employees find volunteer opportunities, participate in employee-directed corporate giving initiatives, and collaborate with colleagues on social impact efforts.

Monitoring our Progress

We monitor our progress toward the goal of our People Promise by tracking the following metrics:

Employee Survey Results. As discussed above under “Engagement”, we typically conduct a comprehensive employee engagement survey annually, and compare results for each survey question from year to year.

Employee Turnover. We monitor voluntary turnover and total attrition, as a whole and by tenure, region, and by job family. Total attrition captures all reasons employees leave, including voluntary turnover and involuntary turnover due to job eliminations or performance reasons, whereas voluntary turnover is limited to elective departures by employees. Our voluntary turnover across our global employee base in 2023 was 9.5%, which we believe compares favorably with global voluntary turnover rates in the technology industry. Our total attrition in 2023 was 35.6%, primarily due to our cost reduction and restructuring efforts discussed elsewhere in this Annual Report on Form 10-K.

Diversity. As discussed above under “Diversity and Inclusion”, we measure gender diversity at least annually overall, by geography, by job role, and by job level. We also monitor the racial and ethnic diversity of our U.S.-based employees, to the extent that our employees disclose their race and ethnicity to us.

Corporate Information
Our predecessor company, VASCO Corp., entered the data security business in 1991 through the acquisition of a controlling interest in ThumbScan, Inc., which we renamed VASCO Data Security, Inc. In 1997, VASCO Data Security International, Inc. was incorporated and in 1998, we completed a registered exchange offer with the holders of the outstanding securities of VASCO Corp., thereby becoming a publicly traded company. In May 2018, VASCO Data Security International, Inc., our publicly traded parent company, changed its name to OneSpan Inc.

Including our predecessor companies, we have completed 17 acquisitions and two dispositions since our inception, including the 2013 acquisition of Cronto Limited, a provider of secure visual transaction authentication solutions
8


for online banking, and the 2015 acquisition of Silanis Technology Inc., a provider of e-signature and digital transaction solutions which we now market and sell under the OneSpan Sign name.

Our principal executive offices are located at 1 Marina Park Drive, Unit 1410, Boston, MA 02210.

“OneSpan” and other trademarks, trade names or service marks of OneSpan Inc. or its subsidiaries appearing in this Annual Report on Form 10-K are the property of OneSpan Inc. or its applicable subsidiary. This Annual Report on Form 10-K may contain additional trade names, trademarks and service marks of others, which are the property of their respective owners. Solely for convenience, trademarks and trade names referred to in this Annual Report on Form 10-K may appear without the ® or ™ symbols.

Available Information

We maintain an Internet website at www.onespan.com. The information on, or that can be accessed through, our website is not incorporated by reference into this Annual Report on Form 10-K and should not be considered to be a part of this Annual Report on Form 10-K. Our website address is included in this Annual Report on Form 10-K as inactive textual reference only. Our reports filed or furnished pursuant to Section 13(a) or 15(d) of the Securities Exchange Act of 1934, as amended (the "Exchange Act"), including our Annual Reports on Form 10-K, our Quarterly Reports on Form 10-Q and our Current Reports on Form 8-K, and amendments to those reports, are accessible through our website, free of charge, as soon as reasonably practicable after these reports are filed electronically with, or otherwise furnished to, the Securities and Exchange Commission, or the SEC. We also make available on our website the charters of our audit committee, compensation committee and nominating and corporate governance committee, as well as our corporate governance guidelines and our code of business conduct and ethics.

Information about our Executive Officers

The following sets forth certain information with regard to each of our executive officers. There are no family relationships between any of the executive officers, and there is no arrangement or understanding between any executive officer and any other person pursuant to which the executive officer was selected.
VICTOR LIMONGELLI Mr. Limongelli has served as OneSpan’s Interim Chief Executive Officer since January 2024. Mr. Limongelli is a seasoned software executive who most recently served as Chief Executive Officer at BQE Software, a private SaaS company providing billing, accounting, and similar functionality to professional services firms, from September 2021 to April 2023. From April 2018 to August 2021, he served as Chief Executive Officer of MobileCause, Inc., a private equity-backed SaaS company focused on fundraising and donor engagement for nonprofits, and from November 2015 to April 2018, he was initially Chairman of the Board and then Chief Executive Officer of AccessData Group, a privately held security software company. From May 2003 through November 2014, Mr. Limongelli held a number of executive positions with Guidance Software, Inc., a publicly traded security software company, including over 9 years as President and 7 years as its Chief Executive Officer. Mr. Limongelli received an A.B. from Dartmouth College and a J.D. from Columbia University. Mr. Limongelli is 57 years old.

JORGE MARTELL — Mr. Martell has served as OneSpan’s Chief Financial Officer since September 2022 and as its principal accounting officer since December 2023. From July 2016 to September 2022, he served as Chief Financial Officer and Treasurer and from April 2015 to July 2016 as Vice President of Finance, Corporate Controller, at Extreme Reach Inc., a private-equity owned omnichannel creative logistics company for brand advertising, where he played an integral role in optimizing the company’s balance sheet and in executing the company’s growth strategy through global M&A, prior to its acquisition by another private equity firm. From September 2012 to March 2015, Mr. Martell was Treasurer and Assistant Corporate Controller at Sapient Corporation, a technology company, where he led its global revenue organization, execution of its M&A financial strategy, and global treasury organization prior to its acquisition by Publicis Groupe. Earlier in his career, Mr. Martell held leadership roles at ABM Industries, Inc., a provider of facilities management solutions, and at KPMG LLP, a public accounting firm. Mr. Martell is 45 years old.
LARA MATAAC — Ms. Mataac has served as OneSpan’s General Counsel, Chief Compliance Officer and Secretary since June 2022. From April 2021 to June 2022, Ms. Mataac was General Counsel at Constant Contact, Inc., a provider of cloud-based online marketing solutions, where she led the legal and compliance team during a period of transition after the company’s spinout from Endurance International Group (EIG) in February 2021. Before Constant Contact, Ms. Mataac was at EIG, a provider of cloud-based web presence and online marketing solutions, from February 2013 through March 2021, most recently as Deputy General Counsel. Before EIG, Ms. Mataac was corporate legal director
9


at Bottomline Technologies, a software company. Earlier in her career, Ms. Mataac practiced corporate law at the firms Wilmer Cutler Pickering Hale & Dorr LLP and Fenwick & West LLP. Ms. Mataac is 47 years old.
Item 1A - Risk Factors

Risk Factors Summary
Our business is subject to numerous risks and uncertainties, including those highlighted in the section titled “Risk Factors” immediately following this Risk Factors Summary. These summary risks provide an overview of many of the risks we are exposed to in the normal course of our business, some of which have manifested and any of which may occur in the future. As a result, the following summary risks do not contain all of the information that may be important to you, and you should read them together with the more detailed discussion of risks set forth following this section under the heading “Risk Factors,” and with the other information in this Annual Report on Form 10-K. Additional risks beyond those summary risks discussed below, in “Risk Factors” or elsewhere in this Annual Report on Form 10-K, could have an adverse effect on our business, results of operations, financial condition or prospects, and could cause the trading price of our common stock to decline. Our business, results of operations, financial condition or prospects could also be harmed by risks and uncertainties not currently known to us or that we currently do not believe are material. Consistent with the foregoing, we are exposed to a variety of risks, including the following significant risks:
The change in our strategic plan and cost reduction and restructuring actions we implemented during 2023 involve numerous risks and may not achieve the results we expect.
If we are unable to attract new customers and retain and expand sales to existing customers, we will be unable to grow our business.
If our new product offerings and product enhancements do not keep pace with the needs of our customers or do not achieve sufficient customer acceptance, our competitive position and financial results will be negatively impacted.
A significant portion of our sales are to a limited number of customers. The loss of substantial sales to any one of them could have an adverse effect on revenues and profits.
If we are not able to enhance our brand recognition and maintain our brand reputation, our business may be adversely affected.
The market we serve is highly competitive, which may negatively affect our ability to add new customers, retain existing customers and grow our business.
Our Digipass authenticator business has a complex supply chain and is dependent on a limited number of suppliers for certain components, such that supply chain disruptions could materially impact our operations. Our Digipass business may also experience inventory-related losses.
The sales cycle for our products is often long, and we may incur substantial expenses for sales that do not occur when anticipated or at all.
If we are unable to retain key employees and successfully hire and train qualified new employees, we may be unable to achieve our business objectives.
Security breaches or cyberattacks could expose us to significant liability, cause our business and reputation to suffer and harm our competitive position.
Real or perceived malfunctions and errors in our products could result in warranty and product liability risks and economic and reputational damages.
We depend on third party hosting providers and other technology vendors, as well as our own infrastructure, to provide our products and solutions to our customers in a timely manner. Interruptions or delays in performance of our products and solutions could result in customer dissatisfaction, damage to our reputation, loss of customers, and a reduction in revenue.
Our success depends in part on establishing and maintaining relationships with other companies to distribute our technology and products or to incorporate their technology into our products and services, or vice versa.
We have operated at a loss for each of the past three years, and we may not be profitable in the future.
Our financial results may fluctuate from period to period, making it difficult to project future results. If we fail to meet the expectations of securities analysts or investors, the price of our common stock could decline.
Consolidations, failures and other developments in the banking and financial services industry may adversely impact our revenue.
We face a number of risks associated with our international operations, any or all of which could result in a disruption in our business and a decrease in our revenue.
Acquisitions or other strategic transactions may not achieve the intended benefits or may disrupt our current plans and operations.
10


We may be subject to legal proceedings for a variety of claims, including intellectual property disputes, labor and employment issues, commercial disagreements, securities law violations and other matters. These proceedings may be costly, subject us to significant liability, limit our ability to use certain technologies, increase our costs of doing business or otherwise adversely affect our business and operating results.
We are subject to numerous laws and regulations and customer requirements governing the production, distribution, sale and use of our products. Any failure to comply with these laws, regulations and requirements could result in unanticipated costs and other negative impacts, and could have a materially adverse effect on our business, results of operations and financial condition.

Risk Factors
Our business involves significant risks, some of which are described below. You should carefully consider the following risks, some of which have manifested and any of which may occur in the future, together with all of the other information in this Annual Report on Form 10-K, including in the preceding Risk Factors Summary, and our consolidated financial statements and the related notes included elsewhere in this Annual Report on Form 10-K before making an investment decision with respect to any of our securities.
Risks Related to our Business and Industry

The change in our strategic plan and cost reduction and restructuring actions we implemented during 2023 involve numerous risks and may not achieve the results we expect.

In December 2021, our Board approved a restructuring plan designed to advance our operating model, streamline our business, improve efficiency, and enhance our capital resources. The first phase of this restructuring plan began and was substantially completed during the three months ended March 31, 2022. In May 2022, our Board approved additional actions in connection with the restructuring plan and we announced our 2022 strategic plan, a three-year plan which began on January 1, 2023. During the quarter ended June 30, 2023, we determined that we were unlikely to achieve the revenue growth levels set forth in the 2022 strategic plan within the contemplated three-year timeframe. A number of factors contributed to the challenges achieving the originally planned growth levels, particularly in Digital Agreements, on the timeframes set forth in the 2022 strategic plan, including: macroeconomic uncertainties in the banking and financial services segments, which have resulted in longer sales cycles and greater price sensitivity on the part of customers; increasing maturity and competitiveness in the market for e-signature solutions; limited awareness of our brand among buyers of e-signature tools; and higher pricing aggressiveness from competitors. These and other factors made it more difficult than we originally anticipated to build our Digital Agreements sales pipeline, generate demand for our Digital Agreements solutions through marketing efforts, and improve our sales force productivity levels.

In response to these challenges in growing our Digital Agreements revenue, we modified our strategy to focus more heavily on improving Adjusted EBITDA margin across the business. To this end, in August 2023, our Board approved the 2023 Actions described in Item 1, Business to seek to drive higher levels of Adjusted EBITDA while maintaining our long-term growth potential. The 2023 Actions consisted primarily of workforce related reductions, with a significantly smaller contribution from vendor contract termination and rationalization actions. Further information about the 2023 Actions, including associated expected restructuring charges, can be found in Item 7, Management’s Discussion and Analysis. The 2023 Actions and other cost reduction actions implemented under our restructuring plan originally adopted in December 2021 may yield unintended consequences and costs, such as: higher than anticipated restructuring charges; disruption to our operations; litigation and regulatory actions; reduced employee morale, attrition of valued employees, and adverse effects on our reputation as an employer; loss of institutional know-how; slower customer service response times; and reduced ability to complete or undertake new product development projects and other business, product, technical, compliance or risk mitigation initiatives. In addition, our ability to complete the 2023 Actions and achieve the anticipated benefits from the 2023 Actions within the expected time frame or at all is subject to estimates and assumptions and may vary materially from our expectations, including as a result of factors that are beyond our control, such that we may not succeed in achieving all or part of the intended benefits of the 2023 Actions.

If we are unable to attract new customers and retain and expand sales to existing customers, we will be unable to grow our business.

Our success will depend significantly on our ability to attract new customers and retain and expand sales to existing customers. We have experienced, and expect to continue to experience, challenges in adding new customers. Factors that we believe have contributed to these challenges in the Digital Agreements segment include: our limited brand awareness; reluctance on the part of many customers to switch from well-known e-signature providers such as DocuSign or Adobe Systems, which may be highly integrated into their internal processes, to a comparatively lesser-known provider;
11


the fact that we do not yet offer some third-party integrations and features that certain customers, particularly large enterprise customers, may expect; and increased price aggressiveness from competitors, which has generally reduced price-based incentives for potential new customers to switch to us.

The achievement of our business objectives also depends on our ability to retain and expand sales to existing customers. While this factor is important in both of our reporting segments, it is especially significant for our Security Solutions segment, which has been focused in recent years mostly on expanding sales to existing customers rather than seeking new customers. Our renewal and expansion rates in either segment may be below our expectations, decline or fluctuate as a result of a number of factors, including customer budgets, decreases in the number of users at our customers, changes in the type and size of our customers, pricing, competitive conditions, the competitiveness of our solutions, customer attrition and general economic and global market conditions. If our efforts to expand sales to our existing customers are not successful or if our customers do not renew their subscriptions at the rates we expect, our business will be negatively impacted.

If our new product offerings and product enhancements do not keep pace with the needs of our customers or do not achieve sufficient customer acceptance, our competitive position and financial results will be negatively impacted.

Technological changes occur rapidly in our industry and development of new products and features is critical to maintain and grow our revenue. Our ability to attract and retain customers will depend in part upon our ability to enhance our current products and develop innovative new solutions to distinguish us from the competition and to meet customers’ changing needs. Product developments and technology innovations by others may adversely affect our competitive position and we may not successfully anticipate or adapt to changing technology, industry standards or customer requirements on a timely basis. The introduction by our competitors of products embodying new technologies or the emergence of new industry standards could render our existing products obsolete and unmarketable. For example, if our competitors are better able to effectively integrate new technologies such as generative artificial intelligence ("AI") into their products, our competitive position may suffer.

We spend substantial amounts of time and money to research and develop new offerings and enhanced versions of our existing offerings in order to meet our customers’ rapidly evolving needs. When we develop a new offering or an enhanced version of an existing offering, we typically incur expenses and expend resources upfront to market, promote and sell the new offering. Therefore, when we develop or acquire new or enhanced offerings, their introduction must achieve high levels of market acceptance in order to justify the amount of our investment in developing and bringing them to market. In some cases, we determine that product initiatives we initially believed were promising do not warrant further investment. For example, in 2023, we decided to discontinue investments in our Digipass CX product in order to rationalize and focus our product portfolio, and incurred non-cash charges as a result. If other recent or future new product offerings do not garner widespread customer adoption and implementation, we may incur future non-cash charges and our business may be adversely affected.

A significant portion of our sales are to a limited number of customers. The loss of substantial sales to any one of them could have an adverse effect on revenues and profits.

We derive a substantial portion of our revenue from a limited number of customers. The loss of substantial sales to any one of them could adversely affect our operations and results. In 2023, 2022, and 2021, our top 10 largest customers contributed 22%, 23%, and 22%, respectively, of our total worldwide revenue.

If we are not able to enhance our brand recognition and maintain our brand reputation, our business may be adversely affected.

We believe that enhancing our brand recognition is important to our efforts to attract new customers and channel partners, and that our relative lack of brand awareness, particularly in the Digital Agreements segment, has made it more challenging to acquire new customers. Our brand recognition and reputation are dependent upon numerous factors including:

our marketing efforts;
our ability to continue to offer high quality, innovative and reliable products;
our ability to maintain customer satisfaction with our products;
our ability to be responsive to customer concerns and provide high quality customer support, training and professional services;
any misuse or perceived misuse of our products;
12


positive or negative publicity, including through reviews by industry analysts;
our ability to prevent or quickly react to any cyberattack on our information technology systems or security breach of or related to our software; and
litigation or regulatory-related developments.

Improving our brand recognition is likely to require significant additional expenditures and may not be successful or yield increased revenues. If we do not successfully enhance our brand and maintain our reputation, we may continue to have difficulties attracting new customers, including due to reduced pricing power relative to competitors with stronger brands, and we could lose customers or renewals, which would adversely affect our business.

The market we serve is highly competitive, which may negatively affect our ability to add new customers, retain existing customers and grow our business.

The market for digital solutions for identity, authentication, and secure digital agreements is very competitive and, like most technology-driven markets, is subject to rapid change and constantly evolving solutions and services.

Our identity verification and authentication products are designed to allow authorized users access to digital business processes and properties, in some cases using patented technology, as a replacement for or supplement to a static password. Our main competitors in our identity verification and authentication markets are Gemalto, a subsidiary of Thales Group, Yubico and RSA Security. There are also many other companies, such as Transmit Security, Symantec, and Duo Security, that offer competing services. In addition to these companies, we face competition from many small authentication solution providers, many of whom offer new technologies and niche solutions such as biometric or risk and behavioral analysis. We believe that competition in this market is likely to intensify as a result of increasing demand for security products.

Our primary competitors for electronic signature solutions are DocuSign and Adobe Systems. Both companies are significantly larger than us. In addition to these companies, there are numerous smaller and regional or niche providers of electronic signing solutions.

Some of our present and potential competitors have significantly greater brand awareness and financial, technical, marketing, purchasing, and other resources than we do. As a result, they may be able to respond more quickly to new or emerging technologies and changes in customer requirements, devote greater resources to the development, promotion and sale of products, or deliver competitive products at a lower end-user price than we do. These factors have made it more difficult for us to compete successfully and may continue to do so, which would negatively affect our business.

Our Digipass authenticator business has a complex supply chain and is dependent on a limited number of suppliers for certain components, such that supply chain disruptions could materially impact our operations. Our Digipass business may also experience inventory-related losses.

In the event that the supply of components or finished products for our Digipass authenticator business is interrupted or relations with any of our principal component vendors or contract manufacturers is terminated, there could be increased costs and considerable delay in finding suitable replacement sources for components or alternative manufacturers for our hardware products. Our Digipass authentication devices are assembled at facilities located in mainland China and Romania. The importation of these products from China and Romania exposes us to the possibility of product supply disruption and increased costs in the event of changes in the policies of the Chinese, Romanian or EU governments, political unrests, natural disasters, extreme weather or unstable economic conditions in China, Romania or the EU, or developments in China, Romania, the U.S. or the EU that are adverse to trade, including enactment of protectionist legislation. We experienced supply chain disruption in 2022 as a result of the China’s implementation and subsequent reversal of its “Zero COVID” policy and extreme heatwaves and drought affecting southern China, both of which affected our China-based contract manufacturers. We may experience similar disruptions again due to numerous factors, including trade disputes, geopolitical tensions, armed conflict, impacts as a result of the COVID-19 pandemic, future pandemics or other public health threats, and natural disasters and extreme weather, which are likely to occur more frequently due to climate change. These factors have in the past, and may in the future, cause delays in our fulfillment of customer orders, which may in turn delay our recognition of revenue from such orders or cause customers not to place orders or to seek alternative suppliers.

To mitigate the risks associated with our China-based contract manufacturing facilities, we regularly evaluate alternative manufacturing and supply arrangements, such as moving some of the Digipass manufacturing currently done in
13


China to Romania or to other locations. It is possible that such a transition, if it occurred, would cause a disruption in our Digipass manufacturing operations. Regardless of whether we undertake such a transition, supply chain disruptions or related cost increases affecting our Digipass devices could have a material adverse impact on our business.

Under some circumstances, we purchase multiple years’ supply of parts for our Digipass authenticator devices based on internal forecasts of demand, anticipated supply chain constraints, or other reasons. To meet customers’ demands for accelerated delivery of product, we sometimes produce finished product for existing customers before we receive the executed order from the customer. Should our forecasts of future demand be inaccurate or if we produce product that is never ordered, we could incur substantial losses related to the realization of our inventory.

The sales cycle for our products is often long, and we may incur substantial expenses for sales that do not occur when anticipated or at all.

The sales cycle for our products, which is the period of time between the identification of a potential customer and completion of the sale, is typically lengthy and subject to a number of significant risks over which we have little control.
A typical sales cycle in the financial services market is often nine to 18 months long. We often need to spend significant time and resources to better educate and familiarize these potential customers with the value proposition of our products and solutions. Purchasing decisions for our products and services may be subject to delays due to a number of factors, many of which are outside of our control, such as:
Time required for a prospective customer to recognize the need for our products;
Effectiveness of our salesforce;
Changes to regulatory requirements;
The complexity of contracts with certain large business customers;
The significant expense of some of our products and systems;
Customer budgeting and procurement processes;
Economic and other factors impacting customer budgets; and
Customer evaluation, testing and approval process.
The timing of sales with our enterprise customers and related revenue recognition is difficult to predict because of the length and unpredictability of the sales cycle for these customers. As our operating expenses are based on anticipated revenue levels, a small fluctuation in the timing of sales can cause our operating results to vary significantly between periods. In addition, during the sales cycle, we expend significant time and money on sales and marketing and contract negotiation activities, which may not result in a sale.

If we are unable to retain key employees and successfully hire and train qualified new employees, we may be unable to achieve our business objectives.

Our ability to successfully attain our business objectives will depend significantly on our ability to retain and motivate key employees and attract qualified new hires. In 2022 and 2023, we terminated the employment of approximately 270 employees as part of our cost reduction and restructuring efforts, and in early January 2024, we terminated the employment of our previous CEO and hired an interim CEO. These layoffs and the changes in our leadership have created uncertainty among our employees, and we expect it may make it more difficult, more time-consuming and more expensive for us to retain key employees and attract new hires. We face intense competition for these employees from numerous technology, software and other companies, many of whom have greater resources than we do, and our employees are generally employed on an at-will basis, which means that they could terminate their employment with us at any time. The temporary or permanent loss of the services of senior management or other key employees for any reason could significantly delay or prevent the achievement of our objectives and harm our business, financial condition and results of operations. Further, the loss of key employees, particularly those in senior management roles, could be negatively perceived in the capital markets, which could reduce the market value of our securities.

Difficulties retaining, motivating and attracting qualified employees could have an adverse effect on our ability to achieve our business objectives and, as a result, our ability to compete could decrease and our financial results could be adversely affected. In addition, even if we are able to identify and recruit a sufficient number of new hires, these new hires will require significant training before they achieve full productivity, particularly in the case of sales employees.

Security breaches or cyberattacks could expose us to significant liability, cause our business and reputation to suffer and harm our competitive position.
14



Our corporate infrastructure stores and processes our sensitive, proprietary and other confidential information (including information related to financial, technology, employees, marketing, sales, etc.) which is used daily in our operations. In addition, our solutions involve transmission and processing of our customers' confidential, proprietary and sensitive information. We have legal and contractual obligations to protect the confidentiality and appropriate use of customer data. Because we are a digital agreements and cybersecurity company, and because the majority of our customers are banks and other financial institutions, which are frequent targets of cyberattacks, we may be an attractive target for cyber attackers or other data thieves.

High-profile cyberattacks and security breaches have increased in recent years, with the potential for such acts heightened because of the number of employees working remotely due to the COVID-19 pandemic. Security industry experts and government officials have warned about the risks of hackers and cyberattacks targeting information technology, or IT, products and enterprise infrastructure. Because techniques used to obtain unauthorized access or to sabotage systems are constantly evolving, change frequently and often are not recognized until launched against a specific target, we may be unable to anticipate these techniques or to implement adequate preventative measures. As we seek to increase our client base and expand awareness of our brand, we may become more of a target for third parties seeking to compromise our security systems and we anticipate that hacking attempts and cyberattacks will increase in the future.

We have experienced several security incidents in the past. None have been material to date, but it is possible that we will experience a material event in the future. Even though we have established teams, processes and strategies to protect our assets, we may not always be successful in preventing or repelling unauthorized access to our systems. We also may face delays in our ability to identify or otherwise respond to a cybersecurity incident or other breach. Additionally, we use third-party service providers to provide some services to us that involve the storage or transmission of data, such as software as a service (SaaS), cloud computing, and internet infrastructure and bandwidth, and they face various cybersecurity threats and may suffer cybersecurity incidents or other security breaches. Despite our security measures, our IT and infrastructure may be vulnerable to attacks. Threats to IT security can take a variety of forms. Individual and groups of hackers and sophisticated organizations, including state-sponsored organizations or nation-states, continuously undertake attacks that pose threats to our customers and our own IT. These actors may use a wide variety of methods, which may include developing and deploying malicious software or exploiting vulnerabilities in hardware, software, or other infrastructure in order to attack our products and services or gain access to our networks, using social engineering techniques to induce our employees, users, partners, or customers to disclose passwords or other sensitive information or take other actions to gain access to our data or our users’ or customers’ data, or acting in a coordinated manner to launch distributed denial of service or other coordinated attacks. Inadequate account security practices may also result in unauthorized access to confidential and/or sensitive data.

Security incidents may have a number of negative consequences to us, including the following: requiring us to expend significant capital and other resources to alleviate the incidents and to improve our security technologies; impairing our ability to provide services to our customers and protect the privacy of their data delaying product development efforts; compromising confidential or technical business information; harming our reputation or competitive position; resulting in theft or misuse of our intellectual property or other assets; and exposing us to substantial litigation expenses and damages, indemnity and other contractual obligations, government fines and penalties, mitigation expenses, costs for remediation and incentives offered to affected parties, including customers, other business partners and employees, in an effort to maintain business relationships after an incident. We are continuously working to improve our IT systems, together with creating security boundaries around our critical and sensitive assets. We provide security awareness training to our employees and contractors that focuses on various aspects of cybersecurity. All these steps are taken to mitigate the risk of attack and to ensure our readiness to responsibly manage a security violation or attack. However, we may nevertheless be unable to anticipate attacks or to implement adequate preventative measures. If an actual or perceived breach of our security occurs, the market perception of the effectiveness of our security measures and our products could be harmed, we could lose potential sales and existing customers, our ability to operate our business could be impaired, we may incur significant liabilities, we could suffer harm to our reputation and competitive position, and our business and financial condition could be negatively impacted.

Real or perceived malfunctions and errors in our products could result in warranty and product liability risks and economic and reputational damages.

Our products are inherently complex and may malfunction or contain undetected errors or defects when first introduced or as new versions are released. We have experienced these malfunctions and errors or defects in connection with new products and product upgrades, and we expect that these malfunctions, errors and defects will continue to be
15


found from time to time in new or enhanced products. Malfunctions and defects may make our products vulnerable to attacks, prevent vulnerability detection, result in system instability or latency-related delays, or temporarily impact our customers' environments. These problems may result in a breach of a legal obligation or may cause physical harm or damage which could result in tort or warranty claims against us. We seek to reduce the risk of these losses by using qualified engineers in the design, manufacturing and testing of our hardware products, proper development, testing, and scanning of our software solutions (including SaaS), attempting to negotiate warranty disclaimers and liability limitation clauses in our sales agreements, and maintaining customary insurance coverage. However, these measures may ultimately prove ineffective in limiting our liability for damages.

In addition to any monetary liability for the failure of our products, a publicly known defect or perceived defect in our products could lead to customers delaying or withholding payments, divert the attention of our key personnel, adversely affect the market’s perception of us and our products, and have an adverse effect on our reputation and the demand for our products.

Our financial results may fluctuate from period to period, making it difficult to project future results. If we fail to meet the expectations of securities analysts or investors, the price of our common stock could decline.

Our revenue and results of operations have historically varied from period to period, and we expect that they will continue to do so as a result of a number of factors, many of which are outside of our control, including:

The size, timing, and payment terms of significant orders, and any unexpected delay or cancellation of such orders;
The variability of revenue realized from individual customers, as their buying patterns can vary significantly from period to period and are affected by the individual solutions purchased and the structure of the contract;
Larger customers delaying renewal of their subscriptions or failing to renew at all;
Changes in customer budgets;
The effectiveness of our sales and marketing programs, including our ability to hire, train and retain our sales personnel;
Changes in pricing by competitors;
New product announcements or introductions by competitors;
Technological changes in the market for our products, including the adoption of new technologies and standards;
Our ability to develop, introduce and market new products and product enhancements on a timely basis;
Market and customer acceptance of any new products and product enhancements that we introduce;
With respect to our Digipass business, component costs and availability;
Network outages, security breaches, technical difficulties or interruptions affecting our products;
Seasonality in our business;
Changes in foreign currency exchange rates;
General economic and political conditions, as well as economic conditions specifically affecting industries in which our customers operate; and
Other events or factors, including those resulting from pandemics, war, natural disasters, incidents of terrorism or responses to these events.

Any one of these or other factors discussed elsewhere in this Annual Report on Form 10-K, or the cumulative effect of a combination of these factors, may result in fluctuations in our financial results, which may cause us to miss our guidance and analyst expectations and cause the price of our common stock to decline.

We have operated at a loss for each of the past three fiscal years, and we may not be profitable in the future.

Over our approximately 30-year operating history, we have operated at a loss for many of those years, including for the years ended December 31, 2023, 2022 and 2021, for which we reported a net loss of $29.8 million, $14.4 million, and $30.6 million, respectively. We will need to generate and sustain increased revenue levels and manage our expenses in future periods to become profitable and, even if we do, we may not be able to maintain or increase our level of profitability. We intend to continue to incur significant expenses to maintain, develop and enhance our products and solutions, improve our infrastructure and technology, and grow our customer base. These efforts may be costlier than we expect, and we may not be able to increase our revenue enough to offset our increased operating expenses. We may incur significant losses in the future for a number of reasons, including the other risks described herein, and experience unforeseen expenses, difficulties, complications and delays and other unknown events. If we are unable to achieve and sustain profitability, the value of our business and common stock may significantly decrease.
16



We depend on third-party hosting providers and other technology vendors, as well as our own infrastructure, to provide our products and solutions to our customers in a timely manner. Interruptions or delays in performance of our products and solutions could result in customer dissatisfaction, damage to our reputation, loss of customers, and reduction in revenue.

We outsource portions of our cloud infrastructure to third-party hosting providers, principally Amazon Web Services, or AWS. We also outsource components of our services to third-party technology vendors who host their products in the cloud. Customers of our products need to be able to access our platform at any time, without interruption or degradation of performance. AWS and other third-party hosting providers run their own platforms that we access, and we are therefore vulnerable to service interruptions on these third-party platforms, as well as to service interruptions affecting our own infrastructure and our third-party technology vendors. We have experienced interruptions, delays and outages in service and availability from time to time due to a variety of factors impacting our third-party hosting providers, our own infrastructure or other vendors, and we expect to experience these types of incidents in the future.

If our products or platform are unavailable or our users are otherwise unable to use our products within a reasonable amount of time or at all, then our business, results of operations and financial condition could be adversely affected. In some instances, we may not be able to identify the cause or causes of these performance problems within a period of time acceptable to our customers. It may become increasingly difficult to maintain and improve our platform performance, especially during peak usage times, as our products become more complex and the usage of our products increases. We have in the past and may in the future experience capacity constraints that affect our product performance and cause us to miss our service level agreements with our customers. These capacity constraints can be due to a number of causes, including technical failures, natural disasters, fraud or security attacks. To the extent that we do not effectively address capacity constraints, either through our own infrastructure, our current third-party providers or alternative providers of cloud infrastructure, our business, results of operations and financial condition may be adversely affected. In addition, any changes in service levels from our third-party hosting providers or other cloud-based technology vendors may adversely affect our ability to meet our customers' requirements.

Our third-party hosting providers have no obligations to renew their agreements with us on commercially reasonable terms or at all, and the agreements governing these relationships can generally be terminated by either party with limited notice. Access to hosting services may also be restricted by the provider at any time, with no or limited notice. Although we expect that we could receive similar services from other third parties, if any of our arrangements with AWS or other third-party hosting providers are terminated, we could experience interruptions on our platform and in our ability to make our platform available to customers, as well as downtime, delays and additional expenses in arranging alternative cloud infrastructure services.

It is also possible that our customers and potential customers would hold us accountable for any breach of security affecting infrastructure of our third-party hosting providers. We may incur significant liability from those customers and from third parties with respect to any such breach, and we may not be able to recover a material portion of our liabilities to our customers and third parties from our hosting providers in the event of any breach affecting their systems.

Any of the above circumstances or events may harm our reputation, cause customers to stop using our products, impair our ability to increase revenue from existing customers, impair our ability to grow our customer base, subject us to financial penalties and liabilities under our service level agreements and otherwise harm our business, results of operations and financial condition.

Our success depends in part on establishing and maintaining relationships with other companies to distribute our technology and products or to incorporate their technology into our products and services, or vice versa.
Part of our business strategy is to enter into partnerships and other cooperative arrangements with third parties. We are regularly involved in cooperative efforts with respect to the incorporation of our products into products of others and vice versa, research and development efforts, and marketing, distributor and reseller arrangements. These relationships are generally non-exclusive, and some of our partners also have cooperative relationships with certain of our competitors or offer some products and services that are competitive with ours. If we lose third-party relationships, if these relationships are not commercially successful, or if we are unable to enter into third-party relationships on commercially reasonable terms in the future, our business could be negatively impacted.

SaaS offerings, which involve various risks, constitute an important part of our business.
17



We expect that our SaaS offerings will constitute an increasingly important part of our business. As a result, we will need to continue to evolve our processes to meet a number of regulatory, intellectual property, contractual, service, and security compliance challenges. These challenges include compliance with licenses for open-source and third-party software embedded in our SaaS offerings, maintaining compliance with export control and privacy regulations (including the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") and the General Data Protection Regulation ("GDPR")), protecting our products from external threats, maintaining continuous service levels and data security practices expected by our customers, preventing inappropriate use of our products, and incurring significant up-front costs where desired higher margins are dependent on achieving significant sales volume and adapting our go-to-market efforts. In addition to using our internal resources, we also utilize third-party resources to deliver SaaS offerings, such as third-party data hosting vendors. The failure of a third-party provider to prevent service disruptions, data losses or security breaches may require us to issue credits or refunds or to indemnify or otherwise be liable to customers or third parties for damages that may occur. Additionally, if these third-party providers fail to deliver on their obligations, our reputation could be damaged, and our customers could lose confidence in us and our ability to maintain and expand our SaaS offerings. Finally, our SaaS offerings need to be designed to operate at significant transaction volumes. When combined with third-party software and hosting infrastructure, our SaaS offerings may not perform as designed, which could lead to service disruptions and associated damages.

Failure to maintain high-quality customer support could have a material adverse effect on our business.

Our business relies on our customers’ satisfaction with the technical and customer support and professional services we provide to support our products. If we fail to provide customer and technical support services that are high-quality, responsive, and able to promptly resolve issues that our customers encounter with our products and services, then they may elect not to purchase or renew subscription licenses or may otherwise reduce or discontinue their business relationship with us. This would likely result in loss of revenue and damage to our reputation, which could have an adverse effect on our business.

Failure to effectively manage our product and service lifecycles could harm our business.

As part of the natural lifecycle of our products and services, we periodically inform customers that products or services have reached their end of life or end of availability and will no longer be supported or receive updates and security patches. Failure to effectively manage our product and service lifecycles could lead to customer dissatisfaction and contractual liabilities, which could adversely affect our business and operating results. In addition, the failure to generate new revenue to replace and/or expand the revenue realized from discontinued products or services could adversely affect our business and operating results.

We are subject to foreign currency exchange rate fluctuations, which could adversely affect our financial condition and results of operations.

Because a significant number of our principal customers are located outside the United States, we expect that international sales will continue to generate a significant portion of our total revenue. We are subject to foreign exchange fluctuations and risks because the majority of our product costs are denominated in U.S. dollars, whereas a significant portion of the sales and expenses of our foreign operating subsidiaries are denominated in various foreign currencies. A decrease in the value of any of these foreign currencies relative to the U.S. dollar could adversely affect our revenue and profitability in U.S. dollars of our products sold in these markets. Furthermore, a strengthening of the U.S. dollar could increase the cost in local currency of our products and services to customers outside the United States, which could adversely affect our business, results of operations, financial condition and cash flows.

The exchange rate between the U.S. dollar and foreign currencies has fluctuated in recent years and may fluctuate substantially in the future. For example, the U.S. dollar’s strength against foreign currencies, particularly the Euro, during 2022 had a significant impact on our 2022 financial results. Although foreign exchange impact was not significant to our 2023 results, it could adversely affect our results for 2024 and beyond. We do not currently use forward contracts or other hedging strategies such as options or foreign exchange swaps to mitigate our exposure to foreign currency fluctuations.

Consolidations, failures and other developments in the banking and financial services industry may adversely impact our revenue.

18


Mergers, acquisitions, and personnel changes at key banks and financial services organizations have the potential to adversely affect our business, financial condition, cash flows, and results of operations. A majority of our revenue is derived from customers in the banking and financial services industry, making us susceptible to consolidation in, or contraction of, the number of participating institutions within that industry. In addition, other factors affecting the banking and financial services industry, such as economic and credit conditions, may create uncertainty or financial pressures that cause our customers or potential customers to adopt cost reduction measures or reduce capital spending, resulting in longer sales cycles, deferrals or delays in purchases of our products, delays in paying our accounts receivable, and increased price competition, any of which could negatively impact our revenue. Furthermore, if customers respond to a negative or unpredictable economic climate by consolidating with other banks or financial institutions, it could reduce the number of our current and/or potential customers.

We face a number of risks associated with our international operations, any or all of which could result in a disruption in our business and a decrease in our revenue.

In 2023, approximately 83% of our revenue and approximately 58% of our operating expenses were generated/incurred outside of the U.S. In 2022, approximately 83% of our revenue and approximately 66% of our operating expenses were generated/incurred outside of the U.S. In 2021, approximately 86% of our revenue and approximately 68% of our operating expenses were generated/incurred outside of the U.S. A severe economic decline in any of our major foreign markets could adversely affect our results of operations and financial condition.

In addition to exposures to changes in the economic conditions of our major foreign markets, we are subject to a number of risks related to our international operations, any or all of which could result in a disruption in our business and a decrease in our revenue. These include:

increased management, infrastructure and legal costs associated with having international operations;
costs of compliance with foreign legal and regulatory requirements, including, but not limited to data privacy, data protection and data security regulations and sustainability reporting requirements and the risks and costs of non-compliance;
costs of compliance with U.S. laws and regulations for foreign operations, including the U.S. Foreign Corrupt Practices Act, import and export control laws, tariffs, trade barriers, economic sanctions and other regulatory or contractual limitations on our ability to sell or provide our solutions in certain foreign markets, and the risks and costs of non-compliance;
heightened risks of unfair or corrupt business practices in certain geographies and of improper or fraudulent sales arrangements that may impact financial results and result in restatements of, and irregularities in, financial statements;
costs of compliance with multiple and possibly overlapping tax structures, and related potential adverse tax impacts;
risks of reliance on channel partners for sales in some countries;
differing technology standards in certain international markets;
the uncertainty and limitation of protection for intellectual property rights in some countries;
greater difficulty in enforcing contracts, accounts receivable collection and longer collection periods;
difficulties and costs of staffing and managing international operations, including maintaining internal controls and challenges in closing or restructuring such operations;
difficulty in providing support and training to customers in certain international locations;
management communication and integration problems resulting from cultural and linguistic differences and geographic dispersion;
foreign currency exchange rate fluctuations;
adverse tax burdens and foreign exchange controls that could make it difficult to repatriate earnings and cash;
increased exposure to climate change, natural disasters, armed conflict, terrorism, epidemics, or pandemics and other health crises; and
economic or political instability in foreign markets, including instability related to the United Kingdom’s exit from the EU and the impact of geopolitical tensions between China and the U.S. over Taiwan, Hong Kong, tariffs and other matters.

Our business, including the sales of our products and professional services by us and our channel partners, may be subject to foreign governmental regulations, which vary substantially from country to country and change from time to time. Our failure, or the failure by our channel partners, to comply with these regulations could adversely affect our business. Further, in some foreign countries, it may be more common for others to engage in business practices that are
19


prohibited by our internal policies and procedures or U.S. regulations applicable to us. Violations of laws or internal policies by our employees, contractors, channel partners or agents could result in delays in revenue recognition, financial reporting misstatements, fines, penalties or the prohibition of the importation or exportation of our products and could have a material adverse effect on our business and results of operations. If we are unable to successfully manage the challenges of international expansion and operations, our business and operating results could be adversely affected.

If our goodwill or intangible assets become impaired, we may be required to record a significant charge to earnings.

We review our goodwill and intangible assets for impairment when events or changes in circumstances indicate the carrying value may not be recoverable. Goodwill is required to be tested for impairment at least annually. At December 31, 2023, we had goodwill and intangible assets with a net book value of $104.5 million primarily related to our acquisitions. An adverse change in market conditions, particularly if such change has the effect of changing one of our critical assumptions or estimates, could result in a change to the estimation of fair value that could result in an impairment charge to our goodwill or intangible assets.

Because we recognize revenue from subscription-based software licenses over the term of the relevant contract, downturns or upturns in sales contracts are not immediately reflected in full in our operating results. In addition, our reported revenue may fluctuate widely due to the interpretation or application of accounting rules.

Approximately 45% of our total revenue for the year ended December 31, 2023 was attributable to subscription license contracts. We recognize subscription revenue over the term of each of our subscription contracts, which are typically one year in length but may be up to three years or longer. As a result, much of our revenue is generated from the recognition of contract liabilities from contracts entered into during previous periods. Consequently, a shortfall in demand for our products or a decline in new or renewed contracts in any one quarter may not significantly reduce our revenue for that quarter but could negatively affect our revenue in future quarters. Our revenue recognition model also makes it difficult for us to rapidly increase our revenue through additional sales contracts in any period, as revenue from new customers is recognized over the applicable term of their contracts.

In addition, our sales arrangements often include multiple elements, including hardware, services, software, maintenance and support. We have sold software related arrangements in multiple forms, including perpetual licenses, term-based licenses and SaaS subscriptions, each of which may be treated differently under accounting rules. The accounting rules for such arrangements are complex and subject to change from time to time. The nature of the arrangement can create variations in the timing of revenue recognition. If applicable accounting standards or practices change, or if the judgments or estimates we use when applying existing standards prove to be incorrect, our financial results may be adversely affected.

We could be subject to additional tax liabilities, and our ability to use our net operating losses may be limited.

We are subject to U.S. federal, state, local and sales taxes in the United States and foreign income taxes, withholding taxes and transaction taxes in numerous foreign jurisdictions. Significant judgment is required in evaluating our tax positions and our worldwide provision for taxes. During the ordinary course of business, there are many activities and transactions for which the ultimate tax determination is uncertain and the relevant taxing authorities may disagree with our determinations as to the income and expenses attributable to specific jurisdictions. In addition, our tax obligations and effective tax rates could be adversely affected by changes in the relevant tax, accounting and other laws, regulations, principles and interpretations by recognizing tax losses or lower than anticipated earnings in jurisdictions where we have lower statutory rates and higher than anticipated earnings in jurisdictions where we have higher statutory rates, by changes to our operating structure (including a currently in-process revenue of our intellectual property structure), by changes in foreign currency exchange rates, or by changes in the valuation of our deferred tax assets and liabilities. We may be audited in various jurisdictions, and such jurisdictions may assess additional taxes, sales taxes and value-added taxes against us. Although we believe our tax estimates are reasonable, the final determination of any tax audits or litigation could be materially different from our historical tax provisions and accruals, which could have a material adverse effect on our operating results or cash flows in the period for which a determination is made.

At December 31, 2023 we had U.S. federal, state, and foreign net operating losses ("NOLs"), of $27.5 million, $30.5 million, and $124.3 million, respectively, available to offset future taxable income, some of which begin to expire in 2025. Federal NOLs incurred in taxable years beginning after December 31, 2017 can be carried forward indefinitely, but the deductibility of federal NOLs in taxable years beginning after December 31, 2021, is subject to certain limitations. A lack of future taxable income would adversely affect our ability to utilize these NOLs before they expire.
20



In addition, under the provisions of the Internal Revenue Code of 1986, as amended, or the Internal Revenue Code, substantial changes in our ownership may limit the amount of pre-change NOLs that can be utilized annually in the future to offset taxable income. Section 382 of the Internal Revenue Code imposes limitations on a company’s ability to use its NOLs if one or more stockholders or groups of stockholders that own at least 5% of the company’s stock increase their ownership by more than 50 percentage points over their lowest ownership percentage within a rolling three-year period. Similar rules may apply under state tax laws. Based upon an analysis as of December 31, 2021, we determined that we do not expect these limitations to materially impair our ability to use our NOLs prior to expiration. However, if changes in our ownership occurred after such date, or occur in the future, our ability to use our NOLs may be further limited. Subsequent statutory or regulatory changes in respect of the utilization of NOLs for federal or state purposes, such as suspensions on the use of NOLs or limitations on the deductibility of NOLs carried forward, or other unforeseen reasons, may result in our existing NOLs expiring or otherwise being unavailable to offset future income tax liabilities. For these reasons, we may not be able to utilize a material portion of the NOLs, even if we achieve profitability.

Acquisitions or other strategic transactions may not achieve the intended benefits or may disrupt our current plans and operations.

In order to remain competitive, we have in the past and may in the future seek to acquire additional businesses, products or technologies or to make investments in, or enter into joint ventures or similar transactions with, third parties. These transactions involve numerous risks, including the following:

Difficulties or delays in integrating the acquired businesses, which could prevent us from realizing the anticipated benefits of acquisitions;
Delays or reductions in customer purchases for both us and the company we acquired due to customer uncertainty about continuity and effectiveness of service from either company;
Challenges in successfully cross-selling acquired products to our existing customer base, or in cross-selling our products to the acquired company’s customer base;
Difficulties in supporting and migrating acquired customers, if any, to our platforms, which could cause customer churn, unanticipated costs, and damage to our reputation;
Disruption of our ongoing business and diversion of management and other resources from existing operations;
Constraints on our liquidity in the event that we use cash or incur debt to fund an acquisition, or dilution to existing stockholders in the event we issue equity securities as part of the consideration for the acquisition;
Our use of cash to pay for acquisitions would limit other potential uses for our cash and affect our liquidity;
Assumption of debt or other actual or contingent liabilities of the acquired company, including litigation risk;
Differences in in corporate culture, compliance protocols, and risk management practices between us and acquired companies;
Potential loss of the key employees of an acquired business;
Potential loss of the customers or partners of an acquired business due to the actual or perceived impact of the acquisition;
Difficulties associated with governance, management, and control matters in majority or minority investments or joint ventures;
Unforeseen or undisclosed liabilities or challenges associated with the companies, businesses, or technologies we acquire;
Adverse tax consequences, including exposure of our entire business to taxation in additional jurisdictions; and
Accounting effects, including potential impairment charges and requirements that we record acquired deferred revenue at fair value.

Any of these risks could result in acquisitions or other strategic transactions disrupting our business and/or failing to achieve their intended objectives.

We also review our product portfolio from time to time for contributions to our objectives and alignment with our strategy, and we may pursue divestiture activities as a result of these reviews. However, we may not be successful in separating any underperforming or non-strategic assets, and gains or losses on any divestiture of, or lost operating income from, such assets may adversely affect our results of operations. Divestitures could also expose us to unanticipated liabilities or result in ongoing obligations, including transition service obligations and indemnity obligations.

Provisions in various agreements potentially expose us to substantial liability for intellectual property infringement and other losses.
21



Our agreements with customers, solution partners and channel partners generally include provisions under which we agree to indemnify them for losses suffered or incurred as a result of claims of intellectual property infringement and, in some cases, for damages caused by us to property or persons or for other damages. In the past, we worked with a customer at our expense to resolve a claim brought against the customer related to our technology, and it is likely that we will need to indemnify our customers for similar claims in the future. The expense of defending these types claims may adversely affect our financial results and may not be covered by any insurance policies we maintain. In addition, any such disputes and litigation could divert management attention and harm our reputation in the market.

We also make certain representations and warranties and incur obligations under our contracts in the ordinary course of business, including for items related to data security and potential data privacy breaches. Although we normally contractually limit our liability with respect to such representations, warranties and other contractual obligations, we may still incur substantial liability related to them. Not all of our potential losses under our contracts are covered by insurance policies, which could increase the impact of any such loss should it occur. Large indemnity payments or damages resulting from our contractual obligations could harm our business, operating results and financial condition.

Any failure to protect our proprietary technology and intellectual property rights could substantially harm our business and operating results.

Our success is dependent, in part, upon protecting our proprietary technology. We rely on a combination of patents, copyrights, trademarks, service marks, trade secret laws and contractual provisions in an effort to establish and protect our proprietary rights. However, the steps we take to protect our intellectual property may be inadequate. While we have been issued patents in the U.S. and other countries and have additional patent applications pending, we may be unable to obtain patent protection for the technology covered in our patent applications. In addition, any patents issued in the future may not provide us with competitive advantages or may be successfully challenged by third parties. Any of our patents, trademarks or other intellectual property rights may be challenged or circumvented by others or invalidated through administrative process or litigation. There can be no guarantee that others will not independently develop similar products, duplicate any of our products or design around our patents. Furthermore, legal standards relating to the validity, enforceability and scope of protection of intellectual property rights are uncertain. Despite our precautions, it may be possible for unauthorized third parties to copy our products and use information that we regard as proprietary to create products and solutions that compete with ours. Some license provisions protecting against unauthorized use, copying, transfer and disclosure of our products may be unenforceable under the laws of jurisdictions outside the U.S. To the extent we expand our international activities, our exposure to unauthorized copying and use of our products and proprietary information may increase.

We enter into confidentiality and invention assignment agreements with our employees and consultants and enter into confidentiality agreements with parties with whom we have strategic relationships and business alliances. These agreements may not be effective in controlling access to and distribution of our products and proprietary information. Further, these agreements do not prevent our competitors or partners from independently developing technologies that are substantially equivalent or superior to our products and solutions.

In order to protect our intellectual property rights, we may be required to spend significant resources to monitor and protect and enforce these rights, including through litigation. Litigation brought to protect and enforce our intellectual property rights could be costly, time consuming and distracting to management and could result in the impairment or loss of portions of our intellectual property. Furthermore, our efforts to enforce our intellectual property rights may be met with defenses, counterclaims and countersuits attacking the validity and enforceability of our intellectual property rights. Our inability to protect our proprietary technology against unauthorized copying or use, as well as any costly litigation or diversion of our management’s attention and resources, could delay further sales or the implementation of our products and solutions, impair the functionality of our products and solutions, delay introductions of new solutions, result in our substituting inferior or more costly technologies into our products and solutions or injure our reputation. We will not be able to protect our intellectual property if we are unable to enforce our rights or if we do not detect unauthorized use of our intellectual property. Moreover, policing unauthorized use of our technologies, trade secrets and intellectual property may be difficult, expensive and time-consuming, particularly in foreign countries where the laws may not be as protective of intellectual property rights as those in the U.S. and where mechanisms for enforcement of intellectual property rights may be weak. If we fail to adequately protect our intellectual property and proprietary rights, our business, operating results and financial condition could be adversely affected.

We may be subject to legal proceedings for a variety of claims, including intellectual property disputes, labor and employment issues, commercial disagreements, securities law violations and other matters. These proceedings may be
22


costly, subject us to significant liability, limit our ability to use certain technologies, increase our costs of doing business or otherwise adversely affect our business and operating results.

From time to time, we are involved as a party or an indemnitor in disputes or regulatory inquiries. These may include alleged claims, lawsuits and proceedings regarding intellectual property disputes, labor and employment issues, commercial disagreements, securities law violations and other matters. In particular, companies in the software industry are often required to defend against litigation or claims based on allegations of infringement or other violations of intellectual property rights. In certain instances, we have received claims that we have infringed the intellectual property rights of others, including claims regarding patents, copyrights, and trademarks. Because of constant technological change in the markets in which we compete, the extensive patent coverage of existing technologies, and the rapid rate of issuance of new patents, it is possible that the number of these claims may grow. Such claims sometimes involve patent holding companies or other adverse patent owners that have no relevant product revenue and against which our own patents may therefore provide little or no deterrence. In addition, former employers of our former, current, or future employees may assert claims that such employees have improperly disclosed to us the confidential or proprietary information of these former employers. If we are not successful in defending such claims, we could be required to stop selling our products, delay shipments, redesign our products, pay monetary amounts as damages, enter into royalty or licensing arrangements (which may not be available to us on commercially reasonable terms), or satisfy indemnification obligations to our customers, any of which could have a material adverse effect on our business.

Regardless of the merits or ultimate outcome of any claims that have been or may be brought against us or that we may bring against others, lawsuits are time-consuming and expensive to resolve, divert management’s time and attention, and could harm our reputation. Although we carry general liability and other forms of insurance, our insurance may not cover potential claims that arise or may not be adequate to indemnify us for all liability that may be imposed. We may also determine that the most cost-effective way to resolve a dispute is to enter into a settlement agreement. Litigation is inherently unpredictable and we cannot predict the timing, nature, controversy or outcome of lawsuits, and it is possible that litigation could have an adverse effect on our business, operating results or financial condition.

We use open-source software in our products, which could subject us to litigation or other actions.

We use open-source software in our products and solutions. Any use of open-source software may expose us to greater risks than the use of commercial software because open-source licensors generally do not provide warranties or controls on the functionality or origin of the software. Any use of open-source software may involve security risks, making it easier for hackers and other third parties to determine how to compromise our platform. From time to time, there have been claims challenging the ownership of open-source software against companies that incorporate open-source software into their products. As a result, we could be subject to lawsuits by parties claiming ownership of what we believe to be open-source software. Litigation could be costly for us to defend, have a negative effect on our operating results and financial condition or require us to devote additional research and development resources to change our products. In addition, if we were to combine our proprietary software products with open-source software in a certain manner, we could, under certain of the open-source licenses, be required to release the source code of our proprietary software products. If we inappropriately use or incorporate open-source software subject to certain types of open-source licenses that challenge the proprietary nature of our software products, we may be required to re-engineer our products, discontinue the sale of our products and solutions or take other remedial actions.

There is significant government regulation of technology imports and exports. If we cannot meet the requirements of applicable regulations, we may be prohibited from exporting some of our products, which could negatively impact our revenue.

Our international sales and operations are subject to risks such as the imposition of government controls, new or changed export license requirements, restrictions on the export of critical technology, trade restrictions and changes in tariffs. If we are unable to obtain regulatory approvals on a timely basis, our business may be impacted. Certain of our products are subject to export controls under U.S. law including the U.S. Export Administration Regulations, U.S. Customs regulations, and various economic and trade sanctions administered by the U.S. Treasury Department’s Office of Foreign Assets Control. The list of products and countries for which export approval is required, and the regulatory policies with respect thereto, may be revised from time to time and our inability to obtain required approvals under these regulations could materially and adversely affect our ability to make international sales. Additionally, we may be negatively affected if our third-party technology partners fail to obtain proper licenses and permits for the import and export of their products. We maintain trade control compliance requirements for our partners; however, we cannot guarantee that our partners will comply with these requirements. Violations of export control and international trade laws could result in penalties, fines,
23


adverse reputational consequences, and other materially adverse consequences. In the past, we voluntarily disclosed a trade control matter to the U.S. government. Although this matter was closed during 2019 with no fines, penalties, or finding of wrongdoing, similar issues could arise in the future. In addition, future changes in government regulation technology imports and exports could negatively affect our business.

We employ cryptographic technology in our authentication products. If the codes used in our cryptographic technology are eventually broken or become subject to additional government regulation, our technology and products may become less effective, which would have a material adverse effect on our business.

A portion of our products are based on cryptographic technology. With cryptographic technology, a user is given a key that is required to encrypt and decode messages. The security afforded by this technology depends on the integrity of a user’s key and in part on the application of algorithms, which are advanced mathematical factoring equations. These codes may eventually be broken or become subject to government regulation regarding their use, which would render our technology and products less effective. The occurrence of any one of the following could result in a decline in demand for our technology and products, which would have a material adverse effect on our business:

Any significant advance in techniques for attacking cryptographic systems, including the development of an easy factoring method or faster, more powerful computers, such as quantum computing;
Publicity of the successful decoding of cryptographic messages or the misappropriation of keys; and
Increased government regulation limiting the use, scope or strength of cryptography.

International and domestic privacy and data protection laws and regulations could have a material adverse impact on our results of operations.

We collect, transmit, store, and otherwise process (on our systems and on our third-party partners’ systems) our customers’ and our employees’ data that includes personal data subject to international and domestic privacy and data protection laws and regulations. For example, in Europe, we are subject to the European Union's General Data Protection Regulation, (EU) 2016/679 (“GDPR”) and laws implemented by EU member states. These laws and regulations impose restrictions on the collection and use of personal data that are generally more stringent, and impose more significant burdens on subject businesses, than current privacy standards in the United States. They establish several obligations that organizations must follow with respect to use of personal data, including consent requirements, data subject rights, and a prohibition on the transfer of personal data from the EU to other countries whose laws do not protect personal data to an adequate level of privacy or security. We continue to adapt our compliance with GDPR using standard contractual clauses and other methods; however, it is difficult to be certain that compliance has been achieved. We have expended significant resources to comply, but those methods may be subject to scrutiny by data protection authorities in EU member states. In addition, other jurisdictions such as Brazil, Canada, and the United Kingdom have enacted privacy and data protection laws and regulations that impose similar restrictions and obligations on products and services we sell.

In the United States, the federal and state governments have also enacted privacy and data protection laws and regulations that impact us, our customers, and partners. For example, in June 2018, California enacted the California Consumer Privacy Act (“CCPA”), which took effect January 1, 2020, and imposed many requirements on businesses that process the personal information of California residents. Many of the CCPA’s requirements are similar to those found in the GDPR, including requiring businesses to provide notice to data subjects regarding the information collected about them and how such information is used and shared, and providing data subjects the right to request access to such personal information and, in certain cases, request the erasure of such personal information. The CCPA also affords California residents the right to opt-out of “sales” of their personal information. The CCPA contains significant penalties for companies that violate its requirements. In January 2023, the California Privacy Rights Act of 2020 (“CPRA”) went into effect, and significantly expanded the CCPA to incorporate additional GDPR-like provisions including requiring that the use, retention, and sharing of personal information of California residents be reasonably necessary and proportionate to the purposes of collection or processing, granting additional protections for sensitive personal information, and requiring greater disclosures related to notice to residents regarding retention of information. The CPRA also created a new enforcement agency – the California Privacy Protection Agency – whose sole responsibility is to enforce the CPRA, which will further increase compliance risks. The provisions in the CPRA may apply to some of our business activities. In addition, several other states have passed state privacy and data protection laws, and the U.S. Congress has been debating passing a federal privacy law.

We use biometric data in some of our identity verification products, and several jurisdictions have imposed legal and compliance requirements on biometric data that are more stringent than requirements on other classifications of personal data. For example, under GDPR, biometric data is considered “sensitive data” which requires special attention and
24


technical and organizational measures to protect the biometric data against breaches of confidentiality, integrity, and availability. Similarly, in the U.S., the Illinois Biometric Information Privacy Act (“BIPA”) regulates the collection, use, safeguarding, and storage of biometric identifiers and information, requires informed consent before collection, imposes fines for non-compliance, and grants residents a private right of action over improper collection and mishandling of biometric data. Similarly, Québec's Act respecting the protection of personal data in the private sector (“Law 25” formerly known as “Bill 64”) introduces substantial changes to the privacy landscape in Quebec, enhancing protection for personal data and introducing new obligations for transparency and accountability in data processing activities, including those involving biometric data.

Our activities as a SaaS solution provider mainly involve the processing of personal data on behalf of our customers. Our operations as a processor of our customers’ data relate to collecting, transmitting, storing, and processing a wide array of data, including personal data and biometric information of individuals worldwide. This data is handled both on our systems and those of our third-party partners, making us subject to a complex web of regulations across various jurisdictions. Adapting to these requirements may entail significant operational changes, including revising data processing and storage practices, enhancing data security measures, ensuring transparent communication with data subjects about their rights and our data handling practices, and it may impact our business activities, including our relationships with business partners and the marketing and distribution of our products.

We work to comply with all applicable international and domestic privacy and data protection laws and regulations; however, these laws and regulations vary greatly from jurisdiction to jurisdiction, change rapidly, and are subject to interpretation, all of which leads to uncertainty in their applicability. The costs of compliance with these laws and regulations that apply to us, and other burdens imposed by them, may limit our use of personal data and could have a material adverse impact on our results of operations. Compliance may require that we implement new processes and policies or change our existing processes and policies or features of our systems, which may require substantial financial and other resources, and which otherwise may be difficult to undertake. Any failure or perceived failure by us (or our third-party partners) to comply with these privacy and data protection laws and regulations, our processes and policies, contractual provisions, or an actual, perceived or suspected data privacy or information security incident could result in serious consequences for us. These consequences may include enforcement actions, audits, investigations, prosecutions, fines, penalties, debarment, litigation, claims for damages by customers and other affected individuals, reputational loss, and financial and business losses. .

We must comply with the requirements of being a public company, including developing and maintaining proper and effective disclosure controls and procedures and internal control over financial reporting. Any failure to comply with these requirements may adversely affect investor confidence in our company and, as a result, the value of our common stock.

As a public company, we are subject to the reporting requirements of the Exchange Act, the Sarbanes-Oxley Act, the Dodd-Frank Wall Street Reform and Consumer Protection Act, the listing requirements of Nasdaq and other applicable securities rules and regulations that impose various requirements on public companies. Our management and other personnel devote a substantial amount of time to compliance with these requirements and such compliance requires significant ongoing legal, accounting and financial reporting costs.

The Sarbanes-Oxley Act requires that we maintain effective disclosure controls and procedures and internal control over financial reporting and furnish a report by management on, among other things, the effectiveness of our internal control over financial reporting on an annual basis. This assessment includes disclosure of any material weaknesses identified by our management in our internal control over financial reporting. We are also required to have our independent registered public accounting firm issue an opinion annually on the effectiveness of our internal control over financial reporting. During the evaluation and testing process, if we identify one or more material weaknesses in our internal control over financial reporting, we will be unable to assert that our internal control over financial reporting is effective.

We have identified a material weakness in the past and it is possible that other material weaknesses, or significant deficiencies, in our internal controls will be identified in the future. Failure to maintain effective controls or implement new or improved controls could result in significant deficiencies or material weaknesses, affect management evaluations and auditor attestations regarding the effectiveness of our internal controls, failure to meet periodic reporting obligations, and material misstatements in our financial statements. Any material misstatement of our financial statements may result in a restatement, loss of investor and customer confidence, a decline in the market price of our common stock, and potential sanctions or investigations by Nasdaq, the SEC or other regulatory authorities. Failure to remedy any material weakness in
25


our internal control over financial reporting, or to implement or maintain other effective control systems required of public companies, could also restrict our future access to the capital markets.

Our business in certain countries and transactions with foreign governments increase the risks associated with our international activities.

We are subject to anti-corruption laws in the jurisdictions in which we operate, including the U.S. Foreign Corrupt Practices Act ("FCPA"), the U.K. Bribery Act, and other similar laws that prohibit improper payments or offers of payments to foreign governments and their officials and political parties by U.S. and other business entities for the purpose of obtaining or retaining business. We have operations, deal with and make sales to governmental or quasi-governmental customers in countries known to experience corruption, particularly certain countries in the Middle East, Africa, East Asia and South and Central America, and further expansion of our international selling efforts may involve additional regions. Our activities in these countries create the risk of unauthorized payments or offers of payments by one of our employees, consultants, sales agents or channel partners that could be in violation of various laws, including the FCPA and the U.K. Bribery Act, even though these parties are not always subject to our control. While we have implemented policies and training that mandate compliance with these anti-corruption laws, we cannot guarantee that these policies and procedures will prevent reckless or criminal acts committed by our employees, consultants, sales agents or channel partners. Violations of these laws may result in materially significant diversion of management’s resources as well as significant investigation and outside counsel expense. Violations of these laws may also result in severe criminal or civil sanctions, including suspension or debarment from government contracting, and we may be subject to other liabilities which could disrupt our business and result in a materially adverse effect on our reputation, business, results of operations, and financial condition.

We are subject to numerous laws, regulations and customer requirements governing the production, distribution, sale and use of our products. Any failure to comply with these laws, regulations and requirements could result in unanticipated costs and other negative impacts, and could have a materially adverse effect on our business, results of operation, and financial condition.

We are subject to global legal, regulatory, and customer compliance requirements that span many different areas. For example, we are subject to the Restriction on the Use of Hazardous Substances Directive 2002/95/EC (also known as the RoHS Directive) and the Waste Electrical and Electronic Equipment Directive (also known as the WEEE Directive), which restrict the distribution of products containing certain substances within applicable geographies and require a manufacturer or importer to recycle products containing those substances. These directives affect the worldwide electronics and electronics components industries as a whole. If we or our customers fail to comply with such laws and regulations, we could incur liabilities and fines and our operations could be suspended.

In addition, like many electronic devices, our Digipass authenticator devices contain certain minerals and derivatives, referred to as Conflict Minerals, that are subject to SEC and other disclosure and reporting requirements. Compliance with these rules requires due diligence, including country of origin inquiries to determine the sources of Conflict Minerals used in our products. We expect to incur ongoing costs associated with complying with these disclosure and due diligence requirements. We may be unable to verify the origin of all Conflict Minerals in our products, and may encounter challenges with customers and stakeholders if we are unable to certify that our products are conflict free. Disclosure and due diligence requirements may also affect pricing, sourcing and availability of Conflict Minerals used to produce our devices.

Efforts to manage and mitigate climate change, pollution, biodiversity loss and other environmental impacts have produced significant regulatory and legislative efforts on a global basis, a trend we expect to continue. We expect that new laws and regulations in this area will result in added compliance requirements and increased costs for us and our suppliers, which could result in a significant negative impact on our ability to operate profitably. In particular, we expect to be subject to the EU Corporate Social Responsibility Directive and related EU laws beginning for our fiscal year ending December 31, 2025, and believe we will need to incur significant costs to comply with these requirements. In addition, many of our customers are also subject to significant new environmental and climate-related regulations or stakeholder pressure, which may affect their purchasing decisions in ways unfavorable to us. For instance, customers who purchase our Digipass authenticator devices sometimes inquire about the environmental impact of the devices, and customers who are especially focused on carbon footprint or waste minimization may choose software-based authentication methods rather than physical authentication devices. Finally, disclosures we may be required to make with respect to climate change, pollution or other environmental impacts may damage our reputation and have an adverse impact on our business.

26


We sell products and services to U.S. federal, state and local governments as well as foreign government entities. Risks associated with selling our products and services to government entities include compliance with complex procurement regulations and government-specific contractual requirements that may vary from our standard terms and conditions, longer sales cycles that are not easy to predict, and varying government funding and budgeting processes. Selling to these entities is expensive and time-consuming and often requires significant up-front resource effort and expense. We have processes in place to aid in compliance with applicable government contracting requirements; however, it is difficult to be certain that compliance has been achieved. Non-compliance with government entity requirements may result in significant material risk to the Company including debarment, reputational loss, and financial and business losses.

New laws and regulations and changes to current laws and regulations are always possible and, in some cases they may be introduced with little or no time to bring related products into compliance. Furthermore, our products are used by customers to assist with achieving compliance with laws and regulations that apply to their industry. Our failure to comply with laws and regulations and to adapt to our customers’ needs may prevent us from selling our products in a certain country or to a particular customer. In addition, these laws, regulations, and requirements may increase our cost of supplying the products by forcing us to redesign existing products, change manufacturing practices, or to use more expensive designs or components. In these cases, we may experience unexpected disruptions in our ability to supply customers with products, or we may incur unexpected costs or operational complexities to bring products into compliance, and we may experience lowered customer demand. This could have an adverse effect on our revenues, gross profit margins and results of operations and increase the volatility of our financial results.

We may require additional capital to support our business objectives, and this capital might not be available on acceptable terms, if at all.

We expect that our existing cash and cash equivalents will be sufficient to meet our anticipated cash needs for working capital and capital expenditures for at least the next 12 months. Our estimate as to how long we expect our cash and cash equivalents to be able to fund our operations is based on assumptions that may prove to be wrong, and we could use our available capital resources sooner than we currently expect. Further, changing circumstances, some of which may be beyond our control, could cause us to consume capital significantly faster than we currently anticipate, and we may need to seek additional funds sooner than planned. We intend to continue to make investments to support our business objectives and may require additional funds to achieve our objectives and respond to business challenges, including the need to develop new features or enhance our products, improve our operating infrastructure or acquire complementary businesses and technologies. Accordingly, we may need to engage in equity or debt financings to secure additional funds. If we raise additional funds through future issuances of equity or convertible debt securities, our existing stockholders could suffer significant dilution, and any new equity securities we issue could have rights, preferences and privileges superior to those of holders of our common stock.

General economic conditions both inside and outside the U.S., as well as the COVID-19 pandemic and geopolitical events, have resulted in significant volatility in global financial markets in recent years. If this volatility persists or becomes more pronounced, we could experience an inability to access additional capital, which could in the future negatively affect our capacity for certain corporate development transactions or our ability to make other important, opportunistic investments. In addition, market volatility, high levels of inflation and interest rate fluctuations may increase our cost of financing or restrict our access to potential sources of future liquidity. Adequate additional financing may not be available to us on acceptable terms, or at all. If we are unable to obtain adequate financing or financing on terms satisfactory to us when we require it, our ability to continue to support our business objectives and to respond to business challenges could be significantly impaired, and our business may be adversely affected.

Risks Related to Ownership of Our Common Stock

Our stock price has been and will likely continue to be volatile.

The market price of our common stock has been and may continue to be highly volatile and may fluctuate substantially as a result of a variety of factors, including those described in this “Risk Factors” section, many of which are beyond our control and may not be related to our operating performance. Factors that could cause fluctuations in the market price of our common stock include the following:

Actual or anticipated fluctuations in our quarterly or annual operating results;
Variance in our financial performance from our own financial guidance or from expectations of securities analysts;
The trading volume of our common stock;
27


Failure of securities analysts to maintain coverage of our company or changes in financial estimates by any securities analysts who follow our company;
Changes in market valuations of other technology companies;
Announcements by us or our competitors of significant technical innovations, contracts, acquisitions, strategic partnerships, joint ventures or capital commitments;
Our involvement in any litigation or investigations by regulators;
Our sale of our common stock or other securities in the future;
Sales of large blocks of our common stock, including sales by our executive officers, directors and significant stockholders;
Repurchases pursuant to Board-authorized share repurchase programs, or announcements of the inception or discontinuation of any such program;
Short sales, hedging and other derivative transactions involving our capital stock;
Additions or departures of any of our key personnel;
Changing legal or regulatory developments;
The inclusion or exclusion of our stock in ETFs, indices and other benchmarks, and changes made to related methodologies;
Reactions by investors to uncertainties in the world economy and financial markets.

In recent years, the stock markets have experienced price and volume fluctuations that have affected and continue to affect the market prices of equity securities of many companies due to, among other factors, the actions of market participants or other actions outside of our control, including general market volatility caused by geopolitical events, developments in the COVID-19 pandemic, and general economic developments. These fluctuations have often been unrelated or disproportionate to the operating performance of those companies. Broad market and industry fluctuations, as well as general economic, political, regulatory and market conditions, may negatively impact the market price of our common stock. In the past, companies that have experienced volatility in the market price of their securities have been subject to securities class action litigation. We have been the target of this type of litigation in the past, and may be targeted again the future, which could result in substantial costs and divert our management’s attention.

A small group of shareholders control a substantial amount of our common stock and could promote, delay or prevent a change of control.

A small number of shareholders control a significant amount of our outstanding common stock, as follows (based on the number of our shares of common stock outstanding as of December 31, 2023): Blackrock, Inc. holds approximately 9.2% of our outstanding common stock; Legion Partners Asset Management holds approximately 8.0%; Vanguard Group Holdings holds approximately 6.9%; First Trust holds approximately 6.0%; Legal & General Investment Management Limited holds approximately 5.9%; and Mr. T. Kendall Hunt, our founder and former Chairman of the Board, holds approximately 5.1%. This concentration of ownership may have the effect of a small number of investors promoting, discouraging, delaying or preventing a change in control and may also have an adverse effect on the market price of our common stock.

Certain provisions of our charter and of Delaware law make a takeover of our Company more difficult.

Our corporate charter and Delaware law contain provisions, such as a class of authorized but unissued preferred stock which may be issued by our Board without stockholder approval that might enable our management to resist a takeover of our Company. Delaware law also limits business combinations with interested stockholders. These provisions might discourage, delay or prevent a change in control or a change in our management. These provisions could also discourage proxy contests and make it more difficult for stockholders to elect directors and take other corporate actions. The existence of these provisions could limit the price that investors might be willing to pay in the future for shares of our common stock.

Future issuances of blank check preferred stock may reduce voting power of common stock and may have anti-takeover effects that could prevent a change in control.

Our corporate charter authorizes the issuance of up to 500,000 shares of preferred stock with such designations, rights, powers and preferences as may be determined from time to time by our Board of Directors, including such dividend, liquidation, conversion, voting or other rights, powers and preferences as may be determined from time to time by the Board of Directors without further stockholder approval.

28


The issuance of preferred stock could adversely affect the voting power or other rights of the holders of common stock. In addition, the authorized shares of preferred stock and common stock could be utilized, under certain circumstances, as a method of discouraging, delaying or preventing a change in control.

Our business could be adversely affected as a result of actions of activist stockholders.

Although we strive to maintain constructive, ongoing communications with all of our stockholders, and welcome their views and opinions with the goal of enhancing value for all of our stockholders, our stockholders have in the past, and may from time to time in the future, engage in proxy solicitations, advance stockholder proposals or otherwise attempt to effect changes or acquire control of the Company. Campaigns by stockholders to effect changes at publicly traded companies are sometimes led by investors seeking to increase short-term stockholder value through actions such as stock repurchases or sales of assets or the entire company. Responding to proxy contests and other actions by activist stockholders can be costly and time-consuming and could divert the attention of our Board of Directors and senior management from the management of our operations and the pursuit of our business strategy. We cannot predict whether additional proxy contests or related matters will occur in the future and the time and cost associated with such matters.

Any perceived uncertainties as to our future direction and control, our ability to execute on our strategy or changes to the composition of our Board of Directors or senior management team arising from proposals by activist stockholders or a proxy contest could lead to the perception of a change in the direction of our business or instability that may be exploited by our competitors and/or other activist stockholders, result in the loss of customers or potential business opportunities, and make it more difficult to pursue our strategic initiatives or attract and retain qualified employees and business partners, any of which could have an adverse effect on our business, financial condition and operating results.

General Risks

Economic uncertainties or downturns could materially adversely affect our business.

Negative economic conditions, including conditions resulting from changes in foreign currency rates, changes in interest rates, gross domestic product growth, financial and credit market fluctuations, inflation, political turmoil (including potential political turmoil or conflict related to the 2024 U.S. presidential elections), geopolitical tensions, natural catastrophes, regional and global conflicts, natural disasters, and terrorist attacks, could cause a decrease in business investments, including spending on information technology, and negatively affect the performance of our business. If global or regional economic and financial market conditions remain uncertain and/or weak for an extended period of time, any of the following factors, among others, could have a material adverse effect on our financial condition and results of operations:

slower consumer or business spending may result in reduced demand for our products and services, reduced orders from customers, order cancellations, lower revenues, increased inventories, and lower gross margins;
volatility in the global markets and fluctuations in exchange rates for foreign currencies could negatively impact our reported financial results and condition;
volatility in the prices for materials and components we use in our Digipass products could have a material adverse effect on our costs, gross margins, and profitability;
restructurings, reorganizations, consolidations and other corporate events could affect our customers’ budgets and buying cycles, particularly in the banking and financial services industry, where we have particular exposure due to the majority of our customers being banks and financial institutions;
if our customers experience declining revenues, or experience difficulty obtaining financing in the capital and credit markets to purchase our products and services, this could result in reduced orders, longer sales cycles, order cancellations, inability of customers to timely meet their payment obligations to us, extended payment terms, higher accounts receivable, reduced cash flows, greater expense associated with collection efforts and increased bad debt expense;
severe financial difficulty experienced by our customers (such as the mid-market bank failures that occurred in 2023) may cause them to become insolvent or cease business operations, which could reduce sales, cash collections and revenue streams; and
any difficulty or inability on the part of manufacturers of our products or other participants in our supply chain in obtaining sufficient financing to purchase raw materials or to finance general working capital needs may result in delays or non-delivery of shipments of our products.

Furthermore, in an adverse economic environment there is a risk that customers may delay their orders until the economic conditions improve. If a significant number of orders are delayed for an indefinite period of time, our revenue
29


and cash receipts may not be sufficient to meet the operating needs of the business. If this is the case, we may need to significantly reduce our workforce, sell certain of our assets, enter into strategic relationships or business combinations, discontinue some or all of our operations, or take other similar restructuring actions. While we expect that these actions would result in a reduction of recurring costs, they also may result in a reduction of recurring revenue and cash receipts. It is also likely that we would incur substantial non-recurring costs to implement one or more of these restructuring actions.

Catastrophic events may disrupt our business.

Our business operations are subject to interruption by natural disasters, including extreme weather related to the effects of climate change, and other catastrophic events such as fire, floods, power loss, telecommunications failure, cyberattack, war or terrorist attack, or epidemic or pandemic, such as the COVID-19 pandemic. To the extent such events impact our facilities or off-premises infrastructure, we may be unable to continue our operations and may endure system interruptions, reputational harm, delays in our software development, lengthy interruptions in our services, breaches of data security and loss of critical data, all of which could have an adverse effect on our future operating results.
Item 1B - Unresolved Staff Comments
None.
Item 1C - Cybersecurity


Risk Management and Strategy

As a cloud-based digital agreements and identity and authentication security solutions provider servicing customers in regulated industries, cybersecurity risk management is an important part of our identity. We maintain an enterprise cybersecurity risk management program designed to assess, identify, and manage material cybersecurity risks within our corporate information security environment and the systems we develop and operate for the benefit of our customers. Our cybersecurity risk management program is based upon best practices and standards for cybersecurity and information technology, including the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework (“CSF”) and the International Organization Standardization (“ISO”) 27001 Information Security Management System Requirements.

Policies and Training. We maintain security policies, standards, and processes that apply across our operations and that are approved by management, communicated to our personnel, and reviewed on an annual basis. We provide a global security awareness education program that includes mandatory security and privacy awareness training for all personnel, regular phishing identification exercises, focused training opportunities for particular roles, and incident response training for key individuals.

Risk Assessment and Safeguards. We conduct regular assessments of risks and vulnerabilities to the confidentiality, integrity, and availability of data in our systems, and we implement safeguards to reduce these risks and vulnerabilities to a reasonable and appropriate level. For internal information systems and assets, we conduct regular internal reviews, employ continuous security monitoring, and conduct periodic independent reviews of the key components of our security program. For customer-facing products and services, in addition to internal reviews and testing, we undergo external reviews and penetration testing using an independent third party provider. Our cloud platforms for SaaS solutions are audited annually by external independent auditors who review our platforms against the Service Organization Controls (“SOC”) 2 and ISO 27001, 27017 and 27018 standards, and some of our Digital Agreement products are available on a FedRAMP compliant platform. Some of our products are certified under specific technical standards or industry guidelines, such as FIPS 140-2 and FIDO. Our Digipass authentication fulfillment services are also audited annually by external independent auditors against the SOC 2 standard. We conduct self-assessment activities for those standards or regulations that are not covered by the external auditors, such as the General Data Protection Regulation in Europe. Additionally, we periodically engage third party consultants to assist with identifying, assessing, and/or managing cybersecurity threats.

Incident Management. We have a documented incident response plan for identifying and responding to cybersecurity incidents that focuses on isolating, containing, mitigating, and eradicating the threat as quickly as possible. In the event of a cybersecurity incident, we will follow a documented incident escalation procedure. For a discussion of whether any cybersecurity risks have, or are likely to materially affect us, please see 1A, Risk Factors, for a discussion of identified cybersecurity risks.

Third Party Risk Management. Our vendor security risk management program covers vendors that require connectivity to our systems or access to confidential information. We utilize a trust intelligence platform for managing data
30


privacy and data governance which includes third party risk management. Security reviews are performed periodically, based on vendor criticality, to identify potential security issues with the vendor systems or practices. New vendor contracts are reviewed by our legal and security teams, as appropriate, to confirm that security and data protection are appropriately addressed.

Material Cybersecurity Incidents. While we have experienced several security incidents in the past, we have not experienced any material cybersecurity incidents for the fiscal year ended December 31, 2023. We do not believe that there are currently any known risks from cybersecurity threats that have materially affected or are reasonably likely to materially affect the Company or our business strategy, results of operations or financial condition.

Governance

Our Board is primarily responsible for overseeing the assessment and management of our risk exposure, including the balance between risk and opportunity and the totality of risk exposure across the organization. The Audit Committee oversees the company’s cybersecurity risks and exposures. We operate our security program under a global Information Security Charter approved by the Audit Committee, and the Audit Committee receives security updates and information about cybersecurity risks from the Chief Information Officer ("CIO") and Chief Information Security Officer ("CISO") at least quarterly. Our Board generally reviews the company’s overall risk management program at least annually, including the corporate insurance program which includes our cybersecurity insurance policy. We maintain an Information Security Steering Committee which is composed of key senior leaders who oversee the corporate information security program and our cybersecurity posture. Cybersecurity threats with the possibility of heightened criticality are escalated to a management team comprised of C-level executives and legal department representatives.

The CIO leads our global information technology organization and has nearly 30 years of information technology leadership experience, including acting as CIO at two cloud-based technology providers. The Senior Vice President of Research and Development has more than 25 years of information technology experience, including at another publicly traded technology company. Our CISO reports to the CIO and is responsible for leading our information security organization and overseeing our information security program. The CISO has over 20 years experience in information technology and security, including serving as Chief Information Security Officer at another cloud-based technology provider. Team members who support our cybersecurity risk management program have relevant education and experience in the fields of cybersecurity, risk management, security architecture, data protection, application security, audit, compliance, incident response, identity governance and governance of enterprise information technology.
Item 2 - Properties
OneSpan is headquartered in Boston, Massachusetts and has operations in Austria, Australia, Belgium, Canada, China, France, Japan, The Netherlands, Singapore, Switzerland, the United Arab Emirates, the United Kingdom, and the United States of America. Our European operational headquarters is in Brussels, Belgium; our primary global research and development center is in Montreal, Canada; and our Digipass authenticator logistics facility is located in Erembodegem, Belgium. We conduct sales and marketing, customer support, and general and administrative activities from various locations around the world.

Each of our properties support the operations of our two lines of business, which are our reportable operating segments: Digital Agreements and Security Solutions.

All of our properties are leased. We believe that our facilities are adequate for our current needs and that suitable additional or substitute space will be available as needed to accommodate expansion of our operations.
Item 3 - Legal Proceedings
We are subject to certain legal proceedings and claims incidental to the operations of our business. We are also subject to certain other legal proceedings and claims that have arisen in the ordinary course of business that have not been fully adjudicated. We currently do not anticipate that these matters, if resolved against us, will have a material adverse impact on our financial results or financial condition.

For further information regarding our legal proceedings and claims, see Note 19, Commitments and Contingencies, included in the notes to consolidated financial statements in Part IV of this Annual Report on Form 10-K.
Item 4 - Mine Safety Disclosures
Not applicable.
31


PART II
Item 5 - Market for Registrant’s Common Equity, Related Stockholder Matters and Issuer Purchases of Equity Securities
Our common stock, par value $0.001 per share, trades on the NASDAQ Capital Market under the symbol OSPN.
The following table sets forth, for the periods indicated, the range of high and low daily closing prices of our common stock on the NASDAQ Capital Market.
2023HighLow
Fourth quarter$11.77 $7.71 
Third quarter$14.96 $10.67 
Second quarter$18.48 $12.94 
First quarter$18.81 $11.55 
2022HighLow
Fourth quarter$14.12 $8.36 
Third quarter$12.40 $8.58 
Second quarter$15.87 $11.01 
First quarter$17.42 $12.34 
On February 19, 2024, there were 111 registered holders of our common stock.
Dividends
We have not paid any dividends on our common stock since incorporation. The declaration and payment of dividends will be at the sole discretion of the Board of Directors and subject to certain limitations under the General Corporation Law of the State of Delaware. The timing, amount and form of dividends, if any, will depend, among other things, on our results of operations, financial condition, cash requirements, plans for expansion and other factors deemed relevant by the Board of Directors. We intend to retain any future earnings for use in our business and therefore do not anticipate paying any cash dividends in the foreseeable future.
Recent Sales of Unregistered Securities
None
Issuer Purchases of Equity Securities
The following table provides information about purchases by the Company of its shares of common stock during the fourth quarter of 2023:
Period
Total Number of Shares Purchased (1)
Average Price Paid per Share
Total Number of Shares Purchased as Part of Publicly Announced Plans or Programs (1)
Maximum Dollar Value of Shares that May Yet Be Purchased Under the Plans or Programs (1)
October 1, 2023 through October 31, 2023
$— — 40,761,555 
November 1, 2023 through November 30, 2023
$— — 40,761,555 
December 1, 2023 through December 31, 2023
2,380,834 $10.50 2,380,834 15,762,798 
(1)    On May 12, 2022, the Board of Directors adopted a stock repurchase program (the "2022 stock repurchase program") under which OneSpan is authorized to repurchase up to $50.0 million of our issued and outstanding shares of common stock. Share purchases under the program will take place in open market transactions, privately negotiated transactions or tender offers, and may be made from time to time depending on market conditions, share price, trading volume, and other factors. The timing of the repurchases and the amount of stock repurchased in each transaction is subject to our sole discretion and will depend upon market and business conditions, applicable legal and credit requirements, and
32


other corporate considerations. The authorization is effective until May 11, 2024 unless the total amount has been used or authorization has been cancelled. In December 2023, OneSpan repurchased 2,380,834 shares of our issued and outstanding common stock pursuant to a modified “Dutch auction” tender offer conducted under the 2022 stock repurchase program.
Stock Performance Graph
The Stock Performance Graph below compares the cumulative total return through December 31, 2023 assuming reinvestment of dividends, by an investor who invested $100.00 on December 31, 2018, in each of (i) our common stock, (ii) the Nasdaq Computer Index, (iii) the Russell 2000 Index, and (iv) the Standard Industrial Code Index 3577 – Computer Peripheral Equipment, NEC. The stock price performance shown on the graph below is not necessarily indicative of future price performance.

This graph shall not be deemed "soliciting material" or be deemed "filed" for purposes of Section 18 of the Exchange Act or otherwise subject to the liabilities under that Section, and shall not be deemed to be incorporated by reference into any of our filings under the Securities Act of 1933, as amended (the "Securities Act"), whether made before or after the date hereof and irrespective of any general incorporation language in any such filing.
Picture1.jpg
12/31/201812/31/201912/31/202012/31/202112/31/202212/31/2023
OneSpan Inc.$100.00 $132.20 $159.69 $130.73 $86.40 $82.76 
NASDAQ Computer Index$100.00 $150.34 $225.48 $310.84 $199.64 $332.34 
Russell 2000 Index $100.00 $125.52 $150.58 $172.90 $137.56 $160.85 
3577 - Computer Peripheral Equipment, NEC$100.00 $140.82 $202.54 $321.38 $227.51 $371.40 
Item 6.
[Reserved]
Item 7 - Management’s Discussion and Analysis of Financial Condition and Results of Operations (in thousands, except head count, ratios, time periods and percentages)
The following discussion and analysis of our financial condition and results of operations should be read in conjunction with our financial statements and related notes appearing elsewhere in this Annual Report on Form 10-K. In addition to historical financial information, the following discussion may contain predictions, estimates and other forward-
33


looking statements that involve a number of risks and uncertainties, including those discussed under Item 1A, Risk Factors and elsewhere in this Form 10-K. These risks could cause our actual results to differ materially from any future performance suggested below. Please see “Cautionary Note Regarding Forward Looking Statements” at the beginning of this Form 10-K.
For a comparison of our results of operations for the fiscal years ended December 31, 2022 and 2021, see “Part II, Item 7, Management’s Discussion and Analysis of Financial Condition and Results of Operations” of our Annual Report on Form 10-K for the year ended December 31, 2022, filed on February 28, 2023.

Overview

OneSpan provides security, identity, electronic signature (“e-signature”) and digital workflow solutions that protect and facilitate digital transactions and agreements. Through our two business units, Security Solutions and Digital Agreements, we deliver products and services that automate and secure customer-facing and revenue-generating business processes for use cases ranging from simple transactions to workflows that are complex or require higher levels of security.

Our solutions help our customers ensure the integrity of the people and records associated with digital agreements, transactions, and interactions in industries including banking, financial services, healthcare, and professional services. We are trusted by global blue-chip enterprises, including more than 60% of the world’s largest 100 banks, and we process millions of digital agreements and billions of transactions in more than 100 countries annually.

We offer our products primarily through a subscription licensing model and provide multiple deployment options, including cloud-based and on-premises solutions. Our solutions are sold worldwide through our direct sales force, as well as through distributors, resellers, systems integrators, and original equipment manufacturers.

Business Transformation

We are currently in the midst of a business transformation. In December 2021, our Board approved a restructuring plan (the “restructuring plan”) designed to advance our operating model, streamline our business, improve efficiency, and enhance our capital resources. The first phase of this restructuring plan began and was substantially completed during the three months ended March 31, 2022. In May 2022, our Board approved additional actions related to the restructuring plan and we announced a three-year strategic transformation plan that began on January 1, 2023 (the "2022 strategic plan"). In conjunction with the 2022 strategic plan and to enable a more efficient capital deployment model, effective with the quarter ended June 30, 2022, we began reporting under the following two lines of business, which are our reportable operating segments: Digital Agreements and Security Solutions.

Digital Agreements. Digital Agreements consists of solutions that enable our clients to secure and automate business processes associated with their digital agreement and customer transaction lifecycles that require consent, non-repudiation and compliance. These solutions, which are largely cloud-based, include OneSpan Sign e-signature, OneSpan Notary and OneSpan Trust Vault. This segment also includes costs attributable to our transaction cloud platform.

Security Solutions. Security Solutions consists of our broad portfolio of software products, software development kits ("SDKs"), and Digipass authenticator devices that are used to build applications designed to defend against attacks on digital transactions across online environments, devices, and applications. The software products and SDKs included in the Security Solutions segment are largely on-premises software products and include identity verification, multi-factor authentication and transaction signing solutions, such as mobile application security, and mobile software tokens.

When we began the 2022 strategic plan, we expected that we would manage Digital Agreements for accelerated growth and market share gains and Security Solutions for cash flow given its more modest growth profile. During the three months ended March 31, 2023, we changed our methodology for allocating expenses between the segments to better reflect the shift in employee time, effort, and costs toward supporting the growth of our Digital Agreements segment instead of our Security Solutions segment.

34


During the quarter ended June 30, 2023, we determined that we were unlikely to achieve the revenue growth levels set forth in our 2022 strategic plan within the contemplated three-year timeframe. A number of factors contributed to the challenges achieving the originally planned growth levels, particularly in Digital Agreements, on the timeframes set forth in the 2022 strategic plan, including: macroeconomic uncertainties in the banking and financial services segments, which have resulted in longer sales cycles and greater price sensitivity on the part of customers; increasing maturity and competitiveness in the market for e-signature solutions; limited awareness of our brand among buyers of e-signature tools; and higher pricing aggressiveness from competitors. These and other factors made it more difficult than we originally anticipated to build our Digital Agreements sales pipeline, generate demand for our Digital Agreements solutions through marketing efforts, and improve our sales force productivity levels.

In response to these challenges in growing our Digital Agreements revenue, we modified our strategy to focus more heavily on improving Adjusted EBITDA margin across the business. To this end, in August 2023, our Board approved the 2023 Actions described in Item 1, Business, to seek to drive higher levels of Adjusted EBITDA while maintaining our long-term growth potential. We intend to continue to pursue the overall strategy set forth in the 2022 strategic plan, including driving efficient growth in Digital Agreements and managing Security Solutions for modest growth and cash flow, while implementing adjustments to our operating model that are intended to achieve greater operational efficiency and strengthen our ability to create value for our shareholders.

Our updated strategy, the 2023 Actions and other cost reduction actions implemented under our restructuring plan originally adopted in December 2021 involve numerous risks and uncertainties. For additional details please see Item IA, Risk Factors.
Restructuring Plan
In December 2021, our Board approved a restructuring plan designed to advance our operating model, streamline our business, improve efficiency, and enhance our capital resources. The first phase of this restructuring plan began and was substantially completed during the three months ended March 31, 2022.

In May 2022, our Board approved additional actions related to the restructuring plan through the year ending December 31, 2025. The additional actions consisted primarily of headcount-related reductions designed to continue to advance the same objectives as the first phase of the plan.

On August 3, 2023, our Board of Directors approved the 2023 Actions. We have incurred and expect to continue to incur restructuring charges in connection with the 2023 Actions, and anticipate that these charges will consist primarily of charges related to employee transition and severance payments and employee benefits, with a significantly smaller amount of charges relating to vendor contract termination and rationalization actions. We currently expect that we will incur restructuring charges of approximately $11.0 million to $12.0 million in employee transition and severance payments related to the 2023 Actions and approximately $2.0 million to $3.0 million in vendor contract termination and rationalization charges. We incurred approximately $9.0 million of these expected restructuring charges in 2023.

We completed a substantial majority of the workforce reductions that are planned as part of the 2023 Actions by the end of 2023, and we expect that most of the remaining workforce reductions will occur over the course of 2024 as several Company projects are completed during the year. The vendor contract component of the 2023 Actions is planned for completion by the end of 2025.

As part of the restructuring plan (including the 2023 Actions), we reduced headcount by eliminating approximately 270 positions. We incurred severance and related benefits costs, recorded in “Restructuring and other related charges” in the consolidated statement of operations for the year ended December 31, 2023.

Tender Offer
In December 2023, we completed a modified "Dutch auction" tender offer (the "Tender Offer"). Pursuant to the Tender Offer, we repurchased a total of 2,380,834 shares of our common stock at a purchase price of $10.50 per share, for an aggregate cost of approximately $25.0 million, excluding fees and expenses related to the Tender Offer. The repurchase of common stock in the Tender Offer was made pursuant to the share repurchase program approved by our Board of Directors in May 2022. Please see Item 5, Market for Registrant’s Common Equity, Related Stockholder Matters and Issuer Purchases of Equity Securities, for more information on share repurchases.

35


Recent Developments
On January 4, 2024, our Board of Directors appointed Victor Limongelli as Interim Chief Executive Officer, effective immediately. Mr. Limongelli is a seasoned software executive who most recently served as Chief Executive Officer at BQE Software, a private SaaS company providing billing, accounting, and similar functionality to professional services firms. Please see Item 1, Business, for more information about Mr. Limongelli.
Mr. Limongelli replaced Matthew Moynahan, whose employment as the Company’s President and Chief Executive Officer was terminated without cause on January 4, 2024 immediately prior to Mr. Limongelli’s appointment. Under his previously disclosed Amended and Restated Employment Agreement, dated February 27, 2023 (the "Employment Agreement"), subject to Mr. Moynahan’s timely execution and non-revocation of a separation and release agreement, which includes a release of claims against the Company and its affiliates, Mr. Moynahan is entitled to receive the payments and benefits associated with a termination without cause as set forth in the Employment Agreement. Therefore, $1.2 million of severance and other benefits were accrued for as of December 31, 2023 and included within "Other accrued expenses" on the consolidated balance sheet.
Components of Operating Results
Revenue
We generate revenue from the sale of our subscriptions, maintenance and support, professional services, and Digipass hardware products. We believe comparison of revenues between periods is heavily influenced by the timing of orders and shipments reflecting the transactional nature of significant parts of our business.
Product and license revenue. Product and license revenue includes Digipass hardware products and software licenses, which are provided on a perpetual or term basis subscription model.
Service and other revenue. Service and other revenue includes solutions that are provided on a cloud-based subscription model, maintenance and support, and professional services.
Cost of Goods Sold
Our total cost of goods sold consists of cost of product and license revenue and cost of service and other revenue. We expect our cost of goods sold to increase in absolute dollars as our business grows, although it may fluctuate as a percentage of total revenue from period to period.
Cost of product and license revenue. Cost of product and license revenue primarily consists of direct product and license costs, including personnel costs, production costs, freight, and inventory write-off adjustments for discontinued products and services.
Cost of service and other revenue. Cost of service and other revenue primarily consists of costs related to cloud subscription solutions, including personnel and equipment costs, depreciation, amortization, and personnel costs of employees providing professional services and maintenance and support.
Gross Profit
Gross profit is revenue net of the cost of goods sold. Gross profit as a percentage of total revenue, or gross margin, has been and will continue to be affected by a variety of factors, including our average selling price, manufacturing costs, the mix of products sold, and the mix of revenue among products, subscriptions and services. We expect our gross margins to fluctuate over time depending on these factors.
Operating Expenses
Our operating expenses are generally based on anticipated revenue levels and fixed over short periods of time. As a result, small variations in revenue may cause significant variations in the period-to-period comparisons of operating income or operating income as a percentage of revenue.
Generally, the most significant factor driving our operating expenses is headcount. Direct compensation and benefit plan expenses generally represent between 50% and 60% of our operating expenses. In addition, a number of other expense categories are directly related to headcount. We attempt to manage our headcount within the context of the economic environments in which we operate, restructuring activities, and the investments we believe we need to make for our infrastructure to support future growth and for our products to remain competitive.
36


Historically, operating expenses have been impacted by changes in foreign exchange rates. We estimate the change in currency rates in 2023 compared to 2022 resulted in an increase in operating expenses of approximately $0.9 million in 2023.

The comparison of operating expenses can also be impacted significantly by costs related to our stock-based and long-term incentive plans. In 2023, 2022, and 2021, operating expenses included $14.6 million, $8.8 million, and $5.2 million, respectively, of expenses related to stock-based and long-term incentive plans. Stock-based compensation expense during 2023 included the impact of a significant number of new grants to executives hired in 2022 as well as an overall expansion of the equity incentive program in 2022 in order to promote the long-term retention of our employees. Long-term incentive plan compensation expense consists of stock-based incentives and an immaterial amount of cash-based incentives.
Sales and marketing. Sales and marketing expenses consist primarily of personnel costs, commissions and bonuses, trade shows, marketing programs and other marketing activities, travel, outside consulting costs, and long-term incentive compensation. We expect sales and marketing expenses to decrease in absolute dollars as as result of the 2023 Actions. However, our sales and marketing expenses may fluctuate as a percentage of total revenue.
Research and development. Research and development expenses consist primarily of personnel costs and long-term incentive compensation. We expect research and development costs to decrease in absolute dollars as a result of the 2023 Actions, and as we capitalize certain costs related to the expansion of our cloud product portfolio. However, our research and development expenses may fluctuate as a percentage of total revenue.
General and administrative. General and administrative expenses consist primarily of personnel costs, legal, consulting and other professional fees, and long-term incentive compensation. We expect general and administrative expenses to decrease in absolute dollars as a result of the 2023 Actions, although our general and administrative expenses may fluctuate as a percentage of total revenue.
Restructuring and other related charges. Restructuring and other related charges consists of employee costs which include severance and related benefits incurred from headcount reductions as part of our restructuring plan, including the 2023 Actions; real estate rationalization costs incurred to optimize our real estate footprint which include lease contract termination costs, fixed asset write-off charges, and lease right-of-use asset and lease liability write-off gains or losses; and vendor rationalization costs for contractually committed services that we are no longer utilizing. We plan to incrementally incur additional restructuring costs through December 31, 2025, when the restructuring plan terminates and the 2023 Actions are completed.
Impairment of intangible assets. Impairment of intangible assets are incurred when we determine that the carrying value of an asset exceeds its fair value. We test annually, or when triggering events arise. During the year ended December 31, 2022, we performed an impairment review of the customer relationships intangible assets obtained in our 2018 acquisition of Dealflo Limited (“Dealflo”). The impairment review was triggered by our July 2022 notification to customers regarding our intent to gradually sunset our Dealflo solution in the months leading up to December 31, 2023. The results of the impairment review indicated that the carrying value of the Dealflo customer relationships exceeded the fair value, and we recorded a $3.8 million impairment charge on the entire remaining value of the asset during the year ended December 31, 2022. This was recorded in "restructuring and other related charges" on the consolidated statements of operations.
Amortization of intangible assets. Acquired intangible assets are amortized over their respective amortization periods and are periodically evaluated for impairment.

Segment Results

Segment operating income (loss) consists of the revenue generated by a segment, less the direct costs of revenue, sales and marketing, research and development and amortization and impairment charges that are incurred directly by a segment. Unallocated corporate costs include general and administrative expense and other company-wide costs that are not attributable to a particular segment. Financial results by operating segment are included below under Results of Operations.
Interest Income (Expense), Net
Interest income (expense), net, consists of income earned on our cash equivalents and short-term investments. Our cash equivalents and short-term investments are invested in short-term instruments at current market rates.
37


Other Income (Expense), Net
Other income (expense), net, primarily includes exchange gains (losses) on transactions that are denominated in currencies other than our subsidiaries’ functional currencies, subsidies received from foreign governments in support of our research and development in those countries and other miscellaneous non-operational expenses.
Income Taxes

Our effective tax rate reflects our global structure related to the ownership of our intellectual property (“IP”). The majority of our IP in our Security Solutions business is owned by two subsidiaries, one in the U.S. and one in Switzerland. The e-signature IP in our Digital Agreements business is owned by a subsidiary in Canada. These subsidiaries have entered into agreements with most of the other OneSpan entities under which those other entities provide services to the IP owners on either a percentage of revenue or on a cost plus basis, or both. In addition, many of our OneSpan entities operate as distributors for all of our OneSpan products. Under this structure, the earnings of our service provider subsidiaries are relatively constant. These service provider companies tend to be in jurisdictions with higher effective tax rates. Fluctuations in earnings flow to the IP owners.

As the majority of our revenues are generated outside of the U.S., our consolidated effective tax rate is strongly influenced by the effective tax rate of our foreign operations. Changes in the effective rate related to foreign operations reflect changes in the geographic mix of earnings and the tax rates in each of the countries in which it is earned. The statutory tax rate for the primary foreign tax jurisdictions ranges from 11% to 35%.

We recorded changes in valuation allowance of $8.5 million and $4.4 million, as of December 31, 2023 and 2022, respectively, against deferred tax assets that, based on management’s assessment are considered not to be more likely than not to be realized. The increase in the valuation allowance in 2023 reflects Net Operating Losses (“NOLs”), other deduction carryforwards, and credits for which the realization is not more likely than not. The change in valuation allowance also reflects other factors including, but not limited to, changes in management’s assessment of the ability to use existing deferred tax assets, including NOLs and other deduction carryforwards.

Management assesses the need for a valuation allowance on a regular basis, weighing all positive and negative evidence to determine whether a deferred tax asset will be fully or partially realized. In evaluating the realizability of deferred tax assets, significant pieces of negative evidence such as 3-year cumulative losses are considered. Management also reviewed reversal patterns of temporary differences to determine if the Company would have sufficient taxable income due to the reversal of temporary differences to support the realization of deferred tax assets. Management continues to maintain a valuation allowance against certain deferred tax assets in jurisdictions where assets are not more likely than not to be realized. For all other remaining deferred tax assets, management believes it is still more likely than not that the results of future operations will generate sufficient taxable income to realize the deferred tax assets.
Impact of Currency Fluctuations
In 2023 and 2022, we generated approximately 83% and 83% of our revenues and incurred approximately 58% and 66% of our operating expenses outside of the U.S., respectively. As a result, changes in currency exchange rates, especially the Euro exchange rate and the Canadian dollar exchange rate, can have a significant impact on our revenue and operating expenses.

While the majority of our revenue is generated outside of the U.S., a significant amount of our revenue earned during the year ended December 31, 2023 was denominated in U.S. dollars. In 2023, approximately 53% of our revenue was denominated in U.S. dollars, 43% was denominated in Euros and 4% was denominated in other currencies. In 2022, approximately 54% of our revenue was denominated in U.S. dollars, 42% was denominated in Euros and 4% was denominated in other currencies.

In general, to minimize the net impact of currency fluctuations on operating income, we attempt to denominate an amount of billings in a currency such that it would provide a natural hedge against the operating expenses being incurred in that currency. We expect that changes in currency rates may impact our future results if we are unable to match amounts of revenue with our operating expenses in the same currency. If the amount of our revenue in Europe denominated in Euros continues as it is now or declines, we may not be able to balance fully the exposures of currency exchange rates on revenue and operating expenses.

38


The financial position and the results of operations of our foreign subsidiaries, with the exception of our subsidiaries in Switzerland, Singapore and Canada, are measured using the local currency as the functional currency. The functional currency for our subsidiaries in Switzerland, Singapore and Canada is the U.S. dollar. Accordingly, assets and liabilities are translated into U.S. dollars using current exchange rates as of the balance sheet date. Revenues and expenses are translated at average exchange rates prevailing during the year. Translation adjustments arising from differences in exchange rates generated comprehensive income of $3.7 million in 2023 and a comprehensive loss of $7.2 million in 2022. These amounts are included as a separate component of stockholders’ equity.

Gains and losses resulting from foreign currency transactions are included in the consolidated statements of operations in other income (expense). Foreign exchange transaction losses aggregated $1.1 million and $1.9 million for the years ended December 31, 2023 and 2022, respectively.
Results of Operations
In conjunction with the 2022 strategic plan, effective with the quarter ended June 30, 2022, we began reporting under the following two lines of business, which are our reportable operating segments: Digital Agreements and Security Solutions.
The following table sets forth, for the periods indicated, selected segment and consolidated operating results.
Years Ended December 31,
(In thousands, except percentages)20232022
Digital Agreements
Revenue$50,925 $48,401 
Gross profit$37,742 $37,488 
Gross margin74 %77 %
Operating (loss) income$(18,525)$5,348 
Security Solutions
Revenue$184,181 $170,605 
Gross profit$119,974 $111,082 
Gross margin65 %65 %
Operating income$60,190 $32,051 
Total Company:
Revenue$235,106 $219,006 
Gross profit$157,715 $148,570 
Gross margin67 %68 %
Statements of operations reconciliation:
Segment operating income$41,665 $37,399 
Corporate operating expenses not allocated at the segment level70,536 64,514 
Operating loss$(28,871)$(27,115)
Interest income, net2,090 595 
Other income (expense), net(532)14,827 
Loss before income taxes$(27,313)$(11,693)
Revenue
Revenue by products and services allocated to the segments for the years ended December 31, 2023 and 2022 is as follows:
39


Years Ended December 31,
20232022
(In thousands)Digital AgreementsSecurity SolutionsDigital AgreementsSecurity Solutions
Subscription (1)$45,886 $60,550 $42,029 $47,124 
Maintenance and support4,143 42,240 5,451 42,894 
Professional services and other (2)896 5,425 921 7,087 
Hardware products— 75,966 — 73,500 
Total Revenue$50,925 $184,181 $48,401 $170,605 
(1) Subscription includes cloud and on-premises subscription revenue, previously referred to as "subscription" and "term-based software licenses", respectively.
(2) Professional services and other includes perpetual software licenses revenue, which was approximately 1% of total revenue for the year ended December 31, 2023 and approximately 2% of revenue for the year ended December 31, 2022.
For the year ended December 31, 2023, total revenue increased by $16.1 million, or 7%, compared to the year ended December 31, 2022. Changes in foreign exchange rates as compared to the same period in 2022 favorably impacted total revenue by approximately $2.3 million.
Additional information on our revenue by segment follows.

Digital Agreements revenue increased $2.5 million, or approximately 5%, during the year ended December 31, 2023 compared to the year ended December 31, 2022. The increase in Digital Agreements revenue was driven by higher cloud subscription revenue from existing customer expansion, including some of our clients purchasing and running our on-premise and SaaS products simultaneously during their product migrations, partially offset by contraction related to our strategy of sunsetting our on-premises e-signature product. Changes in foreign exchange rates as compared to the same period in 2022 favorably impacted Digital Agreements revenue by less than $0.1 million.

Security Solutions revenue increased $13.6 million, or approximately 8%, during the year ended December 31, 2023 compared to the year ended December 31, 2022. This increase was driven primarily by higher on-premises term subscription revenue, driven by existing customer expansion, and increased hardware revenue as a result of product mix and a higher average selling price, partially offset by a decrease in professional services and other revenue, driven by lower perpetual license revenue. Changes in foreign exchange rates compared to the same period in 2022 favorably impacted Security Solutions revenue by $2.3 million.
Revenue by Geographic Regions: We classify our sales by customer location in three geographic regions: 1) EMEA, which includes Europe, Middle East and Africa; 2) the Americas, which includes sales in North, Central, and South America; and 3) Asia Pacific (APAC), which also includes Australia, New Zealand, and India. The breakdown of revenue in each of our major geographic areas was as follows:
40


Years Ended December 31,
(In thousands, except percentages)20232022$ Change % Change
Revenue
EMEA$111,568 $100,298 $11,270 11 %
Americas80,057 77,740 2,317 %
APAC43,481 40,968 2,513 %
Total revenue$235,106 $219,006 $16,100 %
% of Total Revenue
EMEA47 %46 %
Americas34 %35 %
APAC19 %19 %
For the year ended December 31, 2023, revenue generated in EMEA was $11.3 million or 11% higher than the same period in 2022, driven largely by higher on-premises term subscription revenue and increased hardware revenue as a result of higher average selling prices.
For the year ended December 31, 2023, revenue generated in the Americas was $2.3 million or 3% higher than the same period in 2022, driven primarily by growth in Security Solutions, including hardware, mobile, and cloud authentication, as well as mobile application security products.
For the year ended December 31, 2023, revenue generated in the Asia Pacific region ("APAC") was $2.5 million or 6% higher than the same period in 2022, driven largely by higher on-premises term subscription revenue and an increase in hardware sales.
Cost of Goods Sold and Gross Margin
Years Ended December 31,
(In thousands, except percentages)20232022$ Change% Change
Cost of goods sold
Product and license$48,676 $45,106 $3,570 %
Services and other28,715 25,330 3,385 13 %
Total cost of goods sold$77,391 $70,436 $6,955 10 %
Gross profit$157,715 $148,570 $9,145 %
Gross margin
Product and license63 %63 %
Services and other72 %74 %
Total gross margin67 %68 %
The cost of product and license revenue increased $3.6 million or 8% for the year ended December 31, 2023 compared to the year ended December 31, 2022. The increase in cost of product and license was driven by product mix, including increased sales of lower margin hardware products, and higher third-party license costs, partially offset by lower freight and hardware components costs.
The cost of services and other revenue increased $3.4 million or 13% for the year ended December 31, 2023, compared to the year ended December 31, 2022. This increase was largely due to a one-time credit from a cloud service provider in the prior year period, along with higher cloud platform costs related to higher volume usage, higher depreciation of our capitalized software costs, and increased amortization associated with the ProvenDB acquisition.
41


Gross profit increased $9.1 million, or 6% for the year ended December 31, 2023 compared to the year ended December 31, 2022. Total gross margin was 67% for the year ended December 31, 2023, compared to 68% for the year ended December 31, 2022. The increase in total gross profit was driven by the increased revenue and the higher costs of revenues discussed above.
The majority of our inventory purchases are denominated in U.S. dollars. Our sales are denominated in various currencies, including the Euro, although over 90% of our sales are either in U.S. dollars or Euros. The impact of changes in currency rates are estimated to have had a unfavorable impact on overall cost of goods sold of approximately $0.2 million for the year ended December 31, 2023. Had currency rates in 2023 been equal to rates in the comparable period of 2022, the gross profit margin would have been less than 1 percentage point higher for the year ended December 31, 2023.

Additional information on our gross profit by segment follows.

Digital Agreements gross profit increased $0.3 million, or approximately 1%, for the year ended December 31, 2023 compared to the prior year. The increase in gross profit was driven by higher overall revenue, partially offset by increased costs of sales depreciation and amortization included in cost of goods sold. Digital Agreements gross margin for the years ended December 31, 2023 and 2022 was 74% and 77%, respectively. The decrease in gross margin is related to the increase in depreciation and amortization included in cost of goods sold in 2023 as compared to 2022.

Security Solutions gross profit increased $8.9 million, or approximately 8%, for the year ended December 31, 2023 compared to the prior year. The increase in gross profit was primarily driven by higher overall revenue. Security Solutions gross margin was 65% for each of the years ended December 31, 2023 and 2022, respectively.
Operating Expenses
For the year ended December 31, 2023, operating expenses increased by $10.9 million, or 6%, compared to the year ended December 31, 2022. Changes in foreign exchange rates unfavorably impacted operating expenses by approximately $0.9 million as compared to the year ended December 31, 2022.
The following table presents the breakout of operating expenses by category as of December 31, 2023 and 2022:
Years Ended December 31,
(In thousands, except percentages)20232022$ Change% Change
Operating costs
Sales and marketing$70,235 $60,949 $9,286 15 %
Research and development38,420 41,735 (3,315)(8)%
General and administrative58,267 55,552 2,715 %
Restructuring and other related charges17,311 13,310 4,001 30 %
Amortization of intangible assets2,353 4,139 (1,786)(43)%
Total operating costs$186,586 $175,685 $10,901 %
Sales and Marketing Expenses
Sales and marketing expenses increased $9.3 million, or 15%, for the year ended December 31, 2023 compared to the year ended December 31, 2022. The increase was driven by higher expenses for sales-related activities, higher hiring expenses, commission expenses and other employee compensation costs, and an increase in travel-related expenses due to increased customer activity and in-person company meetings.
Average full-time sales and marketing employee headcount for year ended December 31, 2023 was 339, compared to 344 for year ended December 31, 2022. Average headcount in 2023 was 1% lower than in 2022.
Research and Development Expenses
Research and development expenses decreased $3.3 million, or 8%, for the year ended December 31, 2023 compared to the year ended December 31, 2022. The decrease in expense was driven primarily by the capitalization of research and development costs of $6.1 million, partially offset by an increase in contractor and consultant costs.
42


Average full-time research and development employee headcount for year ended December 31, 2023 was 305, compared to 340 for year ended December 31, 2022. Average headcount in 2023 was 10% lower than in 2022.
General and Administrative Expenses
General and administrative expenses increased $2.7 million, or 5%, for the year ended December 31, 2023 compared to the year ended December 31, 2022. This increase in expense was due to higher salaries and stock-based compensation expense in 2023, partially offset by lower consulting fees related to our strategic plan as compared with the prior year period.
Average full-time general and administrative employee headcount for the years ended December 31, 2023 and December 31, 2022 was 139. There was no change in average general and administrative headcount from 2023 to 2022.

Restructuring and Other Related Charges
Restructuring and other related charges were $17.3 million for the year ended December 31, 2023, compared to $13.3 million for the year ended December 31, 2022, an increase of $4.0 million or 30%. The increase was due to severance, retention pay, and related benefit costs incurred in conjunction with our restructuring plans, real estate rationalization costs to align the real estate footprint with the Company’s needs, and vendor rationalization costs for contractually committed services the Company is no longer utilizing, offset by the impact of an impairment recognized in 2022 that did not recur in 2023.
Amortization of Intangible Assets
Amortization of intangible assets for the year ended December 31, 2023 was $2.4 million, compared to $4.1 million for the year ended December 31, 2022, a decrease of $1.8 million or 43%. The decrease was driven by certain intangible assets acquired in the prior years becoming fully amortized or impaired during 2022.
Segment Operating Income (Loss)
Information on our operating income (loss) by segment follows.
Digital Agreements Operating loss for the year ended December 31, 2023 was $18.5 million, compared to operating income of $5.3 million for the prior year. The decrease in operating income (loss) was primarily driven by a change in expense allocations between the segments primarily impacting operating expenses, higher investments made in the first half of 2023 in sales and marketing, higher depreciation of capitalized software, and a one-time credit from a cloud service provider in the prior year, partially offset by higher revenue in 2023.

Security Solutions For the year ended December 31, 2023, Security Solutions operating income was $60.2 million, which was $28.1 million, or 88%, higher than the prior year. This increase was driven by higher revenue, a change in expense allocations between the segments primarily impacting operating expenses, lower research and development costs, and lower amortization as a result of the Dealflo intangible asset impairment of $3.8 million in 2022.
Interest Income (expense), net
Years Ended December 31,
(In thousands, except percentages)20232022$ Change % Change
Interest income (expense), net$2,090 $595 $1,495 NM
Interest income (expense), net, was $2.1 million for the year ended December 31, 2023, compared to $0.6 million for the year ended December 31, 2022. The increase in interest income is related to higher interest rates favorably impacting our invested excess cash.
43


Other Income (Expense), Net
Years Ended December 31,
(In thousands, except percentages)20232022$ Change % Change
Other income (expense), net$(532)$14,827 $(15,359)NM
Other income (expense), net, includes subsidies received from foreign governments in support of our research and development in those countries, exchange gains (losses) on transactions that are denominated in currencies other than our subsidiaries’ functional currencies, and other miscellaneous non-operational, non-recurring income and expenses.
For the year ended December 31, 2023, other income (expense), net was $(0.5) million, compared to $14.8 million for the year ended December 31, 2022. The fluctuation was primarily driven by the $14.8 million gain in 2022 on the sale of our equity-method investment in Promon AS ("Promon") in January 2022.
Provision for income taxes
Years Ended December 31,
(In thousands, except percentages)20232022$ Change% Change
Provision for income taxes$2,486 $2,741 $(255)(9)%
We recorded income taxes expense of $2.5 million and $2.7 million for the years ended December 31, 2023 and 2022, respectively. The decrease in expense recorded for the year ended December 31, 2023 was primarily attributable to the jurisdictional mix of profits, and a higher loss before taxes in 2023 compared to 2022.
Loss Carryforwards Available
At December 31, 2023, we have gross deferred tax assets of $53.3 million resulting from U.S. federal, foreign and state NOL carryforwards of $182.3 million and other foreign deductible carryforwards of $117.0 million. At December 31, 2023, we have a valuation allowance of $45.9 million against deferred tax assets related to certain carryforwards.
Key Business Metrics and Non-GAAP Financial Measures
In our quarterly earnings press releases and conference calls, we discuss the below key metrics and financial measures that are not calculated according to generally accepted accounting principles (“GAAP”). These metrics and non-GAAP financial measures help us monitor and evaluate the effectiveness of our operations and evaluate period-to-period comparisons. Management believes that these metrics and non-GAAP financial measures help illustrate underlying trends in our business. We use these metrics and non-GAAP financial measures to establish budgets and operational goals (communicated internally and externally), manage our business and evaluate our performance. We also believe that both management and investors benefit from referring to these metrics and non-GAAP financial measures as supplemental information in assessing our performance and when planning, forecasting, and analyzing future periods. We believe these metrics and non-GAAP financial measures are useful to investors both because they allow for greater transparency with respect to financial measures used by management in their financial and operational decision-making and also because they are used by investors and the analyst community to help evaluate the health of our business.

Annual Recurring Revenue

We use annual recurring revenue, or ARR, as an approximate measure to monitor the revenue growth of our recurring business. ARR represents the annualized value of the active portion of SaaS, term-based license, and maintenance and support contracts at the end of the reporting period. For term-based license arrangements, the amount included in ARR is consistent with the amount that we invoice the customer annually for the term-based license transaction. A customer with a one-year term-based license contract will be invoiced for the total value of the contract at the beginning of the contractual term, while a customer with a multi-year term-based license contract will be invoiced for each annual period at the beginning of each year of the contract. For contracts that include annual values that increase over time because there are additional deliverables in subsequent periods, we include in ARR only the annualized value of components of the contract that are considered active as of the date of the ARR calculation. We do not include the future committed increases in the contract value as of the date of the ARR calculation.

44


We consider a contract to be active from when the product or service contractual term commences (the “start date”) until the right to use the product or service ends (the “expiration date”). Even if the contract with the customer is executed before the start date, the contract will not count toward ARR until the customer's right to receive the benefit of the products or services has commenced.

To the extent that we are negotiating a renewal with a customer within 90 days after the expiration of a recurring contract, we continue to include that revenue in ARR if we are actively in discussions with the customer for a new recurring contract or renewal and the customer has not notified us of an intention not to renew. We exclude from the calculation of ARR renewal contracts that are more than 90 days after their expiration date, even if we are continuing to negotiate a renewal at that time.

ARR is not calculated based on recognized or unearned revenue and there is no direct relationship between revenue recognized in accordance with ASC 606 and the Company’s ARR business metric. We believe ARR is a valuable operating measure to assess the health of our SaaS, term-based license, and maintenance and support contracts because it illustrates our customer recurring contracts as of the measurement date. ARR is not a forecast of future revenue, which can be impacted by contract start and end dates and renewal rates, and does not include revenue from perpetual licenses, purchases of Digipass authenticators, training, professional services or other sources of revenue that are not deemed to be recurring in nature.

ARR does not have any standardized meaning and is therefore unlikely to be comparable to similarly titled measures presented by other companies. ARR should be viewed independently of revenue and deferred revenue as ARR is an operating metric and is not intended to be combined with or replace these items. Investors should consider our ARR operating measure only in conjunction with our GAAP financial results.

At December 31, 2023, we reported ARR of $154.6 million, which was 11% higher than 2022 ARR of $138.7 million. Changes in foreign exchange rates during the year ended December 31, 2023 as compared to the prior year did not materially impact ARR. ARR growth was primarily driven by an increase in subscription contracts.

Net Retention Rate

Net Retention Rate, or NRR, is defined as the approximate year-over-year percentage growth in ARR from the same set of customers at the end of the prior year period. It measures the Company’s ability to increase revenue across our existing customer base through expanded use of our platform, offset by customers whose subscription contracts with us are not renewed or renew at a lower amount. The Company’s ability to drive growth and generate incremental revenue depends, in part, on our ability to maintain and grow our relationships with customers. NRR is an important way in which we track our performance in this area.

We previously referred to NRR as Dollar-Based Net Expansion ("DBNE"). There is no change in how we define or calculate NRR as compared to DBNE.

We reported NRR of 110% and 107% at December 31, 2023 and 2022, respectively. The year-over-year increase in NRR was primarily driven by an expansion in the use of our solutions at existing customers.

Adjusted EBITDA
We define Adjusted EBITDA as net income (loss) before interest, taxes, depreciation, amortization, long-term incentive compensation, restructuring and other related charges, and certain non-recurring items, including acquisition related costs, rebranding costs, and non-routine shareholder matters. We use Adjusted EBITDA as a simplified measure of performance for use in communicating our performance to investors and analysts and for comparisons to other companies within our industry.
As a performance measure, we believe that Adjusted EBITDA presents a view of our operating results that is most closely related to serving our customers. By excluding interest, taxes, depreciation, amortization, long-term incentive compensation, restructuring costs, and certain other non-recurring items, we are able to evaluate performance without considering decisions that, in most cases, are not directly related to meeting our customers’ requirements and were either made in prior periods (e.g., depreciation, amortization, long-term incentive compensation, non-routine shareholder matters), deal with the structure or financing of the business (e.g., interest, one-time strategic action costs, restructuring costs, impairment charges) or reflect the application of regulations that are outside of the control of our management team
45


(e.g., taxes). In addition, removing the impact of these items helps us compare our core business performance with that of our competitors.
Non-GAAP financial metrics such as Adjusted EBITDA are not measures of performance under GAAP and should not be considered in isolation or as alternatives or substitutes for the most directly comparable financial measures calculated in accordance with GAAP, but, rather, should be considered together with our consolidated financial statements, which are prepared in accordance with GAAP and included in Part IV, Item 15, Exhibits and Financial Statement Schedules.
The following table reconciles net income as reported on our consolidated statements of operations to non-GAAP Adjusted EBITDA:
Years Ended
December 31,
(In thousands)20232022
Net loss$(29,799)$(14,434)
Interest income, net(2,090)(595)
Provision for income taxes2,486 2,741 
Depreciation and amortization of intangible assets (1)6,479 7,066 
Long-term incentive compensation (2)14,562 8,813 
Restructuring and other related charges17,311 13,310 
Other non-recurring items (3)3,048 (10,505)
Adjusted EBITDA$11,997 $6,396 

(1) Includes cost of sales depreciation and amortization expense directly related to delivering cloud subscription revenue of $1.5 million and $0 for the years ended December 31, 2023 and 2022, respectively. Costs are recorded in “Cost of goods sold - Services and other” on the consolidated statements of operations.
(2) Long-term incentive compensation includes immaterial expense for cash incentive grants awarded to employees located in jurisdictions where we do not issue stock-based compensation due to tax, regulatory or similar reasons. The expense associated with these cash incentive grants was $0.3 million and $0.2 million for the years ended December 31, 2023 and 2022, respectively.
(3) For the year ended December 31, 2023, other non-recurring items consist of $1.6 million of fees related to non-recurring projects and our acquisition of ProvenDB, and $1.4 million of fees related to non-recurring items, primarily severance payable to our former chief executive officer. For the year ended December 31, 2022, other non-recurring items consist of $4.3 million of outside services related to our strategic action plan, and a $(14.8) million non-operating gain on the sale of our investment in Promon AS.

Adjusted EBITDA increased during the year ended December 31, 2023 compared to 2022, primarily due to higher revenue and gross profit dollars, partially offset by an increase in operating expenses net of depreciation of software capitalization costs, restructuring, and other non-recurring items.

Please see further discussion in Item 7, Management's Discussion and Analysis of Financial Condition and Results of Operations for an analysis of what comprises Net loss in the consolidated statements of operations for the years ended December 31, 2023 and 2022, and additional detail around items excluded from Adjusted EBITDA.
Liquidity and Capital Resources
As of December 31, 2023, we had net cash balances (total cash and cash equivalents) of $42.5 million and short-term investments of $0. At December 31, 2022, we had net cash balances of $96.2 million and short-term investments of $2.3 million. Short-term investments at December 31, 2022 consisted of U.S. treasury bills and notes, government agency notes, corporate notes and bonds, and high-quality commercial paper with maturities at acquisition of more than three months and less than twelve months. The decrease in net cash balances from December 31, 2022 to December 31, 2023 resulted primarily from $3.5 million in repurchases of our common stock on the open market pursuant to our share repurchase program, $25.0 million in repurchases of our common stock pursuant to the Tender Offer, and $12.2 million in
46


severance payments associated with the 2023 Actions. Please see Item 5 - Market for Registrant’s Common Equity, Related Stockholder Matters and Issuer Purchases of Equity Securities for more information on share repurchases.
We are party to lease agreements that require letters of credit and guarantees to secure the obligations which totaled $0.9 million and $1.1 million at December 31, 2023 and 2022, respectively. Additionally, the Company maintained a cash guarantee with a payroll vendor in the amount of $0.1 million at both December 31, 2023 and 2022. The restricted cash related to the letters of credit and guarantees is recorded in "Restricted cash" on the consolidated balance sheets.
As of December 31, 2023, we held $37.1 million of cash and cash equivalents in subsidiaries outside of the United States. Of that amount, $36.5 million is not subject to repatriation restrictions, but may be subject to taxes upon repatriation.
We expect that our existing cash and cash equivalents will be sufficient to meet our anticipated cash needs for working capital and capital expenditures for at least the next 12 months.
Our cash flows are as follows:
Years Ended December 31,
(In thousands)20232022
Cash provided by (used in):  
Operating activities$(10,735)$(5,759)
Investing activities$(12,013)$46,587 
Financing activities$(32,094)$(7,308)
Effect of foreign exchange rate changes on cash and cash equivalents$997 $(372)
Operating Activities
Cash used in operating activities is primarily comprised of net income (loss), as adjusted for non-cash items, and changes in operating assets and liabilities. Non-cash adjustments consist primarily of amortization of intangible assets, deferred taxes, depreciation of property and equipment, and stock-based compensation. We expect cash inflows from operating activities to be affected by increases or decreases in sales and timing of collections. Our primary uses of cash from operating activities have been for personnel and vendor costs. We expect cash outflows from operating activities to be affected by changes in personnel costs and the payments of expenditures.
For the year ended December 31, 2023, $10.7 million of cash was used in operating activities. This was primarily driven by investments made in sales and marketing during the first half of the year, severance payments made associated with the 2023 Actions, and increases in inventories and income taxes payable. For the year ended December 31, 2022, $5.8 million of cash was used in operating activities.
Our working capital at December 31, 2023 was $31.5 million, a decrease of $56.1 million, or 64%, from $87.6 million at December 31, 2022. The decrease was due to a lower operating income driven by restructuring and other related charges as well as lower capital needs as we better manage the timing of cash collections and vendor payments.
Investing Activities
The changes in cash flows from investing activities primarily relate to timing of purchases, maturities and sales of investments, purchases of property and equipment, capitalized software activities, and activity in connection with acquisitions. We expect to continue to purchase property and equipment to support the continued growth of our business as well as to continue to invest in our infrastructure and activity in connection with acquisitions.
For the year ended December 31, 2023 cash of $12.0 million was used in investing activities, compared to cash of $46.6 million provided by investing activities during the year ended December 31, 2022. The cash used for the year ended December 31, 2023 was primarily attributable to additions to property and equipment, net (primarily capital software activities) and purchase of ProvenDB, offset by the maturities of short-term investments.
47


Financing Activities
The changes in cash flows from financing activities primarily relate to the purchases of common stock under our share repurchase program and tax payments for restricted stock issuances.
For the year ended December 31, 2023, net cash used in financing activities was $32.1 million, which consisted of $29.2 million of common stock repurchases, both in open market repurchases and pursuant to the Tender Offer, and $2.9 million of tax payments for restricted stock issuances.
For the year ended December 31, 2022, net cash used in financing activities was $7.3 million, which consisted of $5.7 million of common stock repurchases and $1.6 million of tax payments for restricted stock issuances.
Off-Balance Sheet Arrangements
The Company has no off-balance sheet arrangements.
Contractual Obligations and Commitments
We have unrecognized purchase obligations of $6.3 million for other software agreements related to the administration of our business which range from 1 to 3 years.
We have operating lease obligations of $8.9 million which will expire in the next 1 to 9 years. The operating lease obligations do not include common area maintenance charges or real estate taxes under our operating leases, for which we are also obligated. These charges are generally not fixed and can fluctuate from year to year.
We have taxes payable of $2.6 million due within 1 year, which primarily represent deemed repatriation tax from 2017. We had $0 of unrecognized tax benefits as of both December 31, 2023 and 2022.
Critical Accounting Policies and Estimates
Management’s Discussion and Analysis of Financial Condition and Results of Operations discusses our consolidated financial statements, which have been prepared in accordance with accounting principles generally accepted in the U.S. The preparation of these financial statements requires management to make estimates and assumptions that affect the reported amounts of assets and liabilities and the disclosure of contingent assets and liabilities at the date of the consolidated financial statements and the reported amounts of revenue and expenses during the reporting period.
On an on-going basis, management evaluates its estimates and judgments, including those related to bad debts, net realizable value of inventory and intangible assets. Management bases its estimates and judgments on historical experience and on various other factors that are believed to be reasonable under the circumstances, the results of which form the basis for making judgments about the carrying values of assets and liabilities that are not readily apparent from other sources. Actual results may differ from these estimates under different assumptions or conditions. Management believes the following critical accounting policies affect significant judgments and estimates used in the preparation of its consolidated financial statements.
Revenue Recognition
We record revenue in accordance with ASC Topic 606 "Revenue from Contracts with Customers". We determine revenue recognition through the following steps:
Identification of the contract, or contracts, with a customer;
Identification of the performance obligations in the contract;
Determination of the transaction price;
Allocation of the transaction price to the performance obligations in the contract; and
Recognition of revenue when, or as, we satisfy a performance obligation.

48


Revenues are recognized when control of the promised goods or services is transferred to our customers, in an amount that reflects the consideration we expect to be entitled to in exchange for those products or services, which excludes any sales incentives and amounts collected on behalf of third parties. Taxes assessed by a governmental authority that are both imposed on and concurrent with a specific revenue-producing transaction, that are collected by us from a customer, are excluded from revenue. Shipping and handling costs associated with outbound freight before control over a product has transferred to a customer are accounted for as a fulfillment cost and are included in "Cost of goods sold".
Nature of Goods and Services
We derive our revenues primarily from product and license revenue, which includes hardware products and on-premises subscription revenue, and services and other, which is inclusive of cloud subscription revenue, maintenance and support, and professional services.
Subscription: Subscription includes cloud and on-premises subscription revenue, previously referred to as “subscription” and “term-based software licenses”, respectively.
We generate cloud subscription revenues from our Digital Agreements and Security Solutions cloud service offerings. Our standard customer arrangements do not provide the customer with the right to take possession of the software supporting the cloud-based application service at any time. As such, these arrangements are considered service contracts and revenue is recognized ratably over the service period of the contract. Customer payments are normally in advance for annual service.
Revenue from the sale of on-premises subscription revenue is recorded upon delivery which is the latter of when the customer receives the ability to access the software or when they are legally allowed to use the software. No significant obligations or contingencies exist with regard to delivery, customer acceptance or rights of return at the time revenue is recognized. We offer term licenses for on-premises subscription revenue ranging from one to five years in length. For term licenses, payments are either on installment or in advance. In limited circumstances, we integrate third-party software solutions into our software products. We have determined that, consistent with our conclusion under prior revenue recognition rules, generally we act as the principal with respect to the satisfaction of the related performance obligation and record the corresponding revenue on a gross basis from these transactions. For transactions in which we do not act as the principal, we recognize revenue on a net basis. The fees owed to the third parties are recognized as a component of cost of goods sold when the revenue is recognized.
Maintenance and support: Maintenance and support agreements generally call for us to provide software updates and technical support, respectively, to customers. The annual fee for maintenance and technical support is recognized ratably over the term of the maintenance and support agreement as this is the period the services are delivered. Customer payments are normally in advance for annual service.

Professional Services and other revenue: Professional services revenues are primarily comprised of implementing, automating and extending business processes, technology infrastructure, and software applications. Professional services revenues are recognized over time as services are rendered, usually over a period of time that is generally less than a few months. Most projects are performed on a time and materials basis while a portion of revenues is derived from projects performed on a fixed fee. For time and material contracts, revenues are generally recognized and invoiced by multiplying the number of hours expended in the performance of the contract by the contractual hourly rates. For fixed fee contracts, revenues are generally recognized using an input method based on the ratio of hours expended to total estimated hours to complete the services. Customer payments normally correspond with delivery. Professional services and other revenue includes perpetual licenses revenue, which was approximately 1% of total revenue for the year ended December 31, 2023 and approximately 2% of total revenue for the year ended December 31, 2022. Perpetual licenses grant the customer unlimited access to the software.
Hardware products: Revenue from the sale of security hardware is recorded upon shipment, which is the point at which control of the goods are transferred and the completion of the performance obligations, unless there are specific terms that would suggest control is transferred at a later date (e.g. delivery). No significant obligations or contingencies typically exist with regard to delivery, customer acceptance or rights of return at the time revenue is recognized. Customer invoices and subsequent payments normally correspond with delivery.
The Company also enters into separate service agreements with certain hardware customers to perform distribution services. In these situations, revenue is recognized prior to physical delivery of a good (i.e. “bill-and-hold
49


arrangements). The Company evaluates bill-and-hold arrangements, and records revenue accordingly when the following criteria are met:

The reason for the bill-and-hold arrangement is substantive;
The product is identified separately as belonging to the customer;
The product currently is ready for physical transfer to the customer; and
OneSpan does not have the ability to use the product or to direct it to another customer.
Multiple-Element Arrangements
In our typical multiple-element arrangement, the primary deliverables include:

1.A client component (i.e. an item that is used by the person being authenticated in the form of either a new standalone hardware device or software that is downloaded onto a device that the customer already owns);

2.Server system software that is installed on the customer’s systems (i.e., software on the server system that verifies the identity of the person being authenticated) or licenses for additional users on the server system software if the server system software had been installed previously; and

3.Post contract support ("PCS") in the form of maintenance on the server system software or support.

Our multiple-element arrangements may also include other items that are usually delivered prior to the recognition of any revenue and are incidental to the overall transaction such as initialization of the hardware device, customization of the hardware device itself or the packaging in which it is delivered, deployment services where we deliver the device to our customer’s end-use customer or employee and, in some limited cases, professional services to assist with the initial implementation of a new customer.

Significant Judgments
We enter into contracts to deliver a combination of hardware devices, software licenses, subscriptions, maintenance and support and, in some situations, professional services. The Company evaluates the nature of the goods or services promised in these arrangements to identify the distinct performance obligations. Determining whether products and services are considered distinct performance obligations that should be accounted for separately versus together may require significant judgment depending on the terms and conditions of the respective customer arrangement. When a hardware client device and licenses to server software are sold in a contract, they are treated as a single performance obligation because the software license is deemed to be a component of the hardware that is integral to the functionality of the hardware that is used by our customers for identity authentication. When a software client device is sold in a contract server software, the licenses are considered a single performance obligation to deliver the authentication solution to the customer. In either of these types of arrangements, maintenance and support and professional services are typically distinct separate performance obligations from the hardware or software solutions. Our contracts to deliver subscription services typically do not include multiple performance obligations; however, in certain limited cases customers may purchase professional services that are distinct performance obligations.

For contracts that contain multiple performance obligations, the transaction price is allocated to the separate performance obligations based on their estimated relative standalone selling price. Judgment is required to determine the stand-alone selling price (“SSP”) of each distinct performance obligation. We determine SSP for maintenance and support and professional services based on observable inputs; specifically, the range of prices charged to customers to renew annual maintenance and support contracts and the range of hourly rates we charge our customers in standalone professional services contracts. In instances where SSP is not directly observable, and when we sell at a highly variable price range, such as for transactions involving software licenses or subscriptions, we determine the SSP for those performance obligations using the residual approach.
50


Credit Losses
In accordance with Accounting Standards Update ("ASU") No. 2016-13, the Company evaluates its allowance based on expected losses rather than incurred losses, which is known as the current expected credit loss ("CECL") model. The allowance is determined using the loss rate approach and is measured on a collective (pool) basis when similar risk characteristics exist. Where financial instruments do not share risk characteristics, they are evaluated on an individual basis. The allowance is based on relevant available information, from internal and external sources, relating to past events, current conditions, and reasonable and supportable forecasts.
Income Taxes
As a global company, we calculate and provide for income taxes in each tax jurisdiction in which we operate. The provision for income taxes includes the amounts payable or refundable for the current year, the effect of deferred taxes and impacts from uncertain tax positions. Our provision for income taxes is significantly affected by shifts in the geographic mix of our pre-tax earnings across tax jurisdictions, changes in tax laws and regulations, and tax planning opportunities available in each tax jurisdiction.
Deferred tax assets and liabilities are recognized for the expected future tax consequences of temporary differences between the financial statement and tax bases of our assets and liabilities and for operating losses and tax credit carryforwards. Deferred tax assets and liabilities are measured using enacted tax rates that will apply to taxable income in the years in which those differences are expected to be recovered or settled. Valuation allowances are established for deferred tax assets when it is more likely than not that a tax benefit will not be realized. We recognize the effect of a change in tax rates on deferred tax assets and liabilities and in income in the period that includes the enactment date.

We recognize tax benefits for tax positions that are more likely than not to be sustained upon examination by tax authorities. The amount recognized is measured as the largest amount of benefit that is greater than 50 percent likely to be realized upon ultimate settlement. Unrecognized tax benefits are tax benefits claimed in our income tax returns that do not meet these recognition and measurement standards. Assumptions, judgments, and the use of estimates are required in determining whether the “more-likely-than-not” standard has been met when developing the provision for income taxes.

We recognize the tax impact of including certain foreign earnings in U.S. taxable income as a period cost. We have recognized deferred income taxes for local country income and withholding taxes that could be incurred on distributions of non-U.S. earnings because we do not plan to indefinitely reinvest such earnings.

We monitor for changes in tax laws and reflect the impacts of tax law changes in the period of enactment.
Recently Issued Accounting Pronouncements
For information regarding our new accounting pronouncements, see Note 2, Summary of Significant Accounting Policies, in the notes to consolidated financial statements included in Part IV, Item 15, Exhibits and Financial Statements Schedules.
Item 7A - Quantitative and Qualitative Disclosures about Market Risk (In thousands)
Foreign Currency Exchange Risk – In 2023, approximately 83% of our business was conducted outside the United States, primarily in Europe, Latin America and Asia Pacific. A significant portion of our business operations is transacted in foreign currencies. As a result, we have exposure to foreign exchange fluctuations. We are affected by both foreign currency translation and transaction adjustments. Translation adjustments result from the conversion of the foreign subsidiaries’ balance sheets and income statements to U.S. dollars at year-end exchange rates and weighted average exchange rates, respectively. Translation adjustments resulting from this process are recorded directly into stockholders’ equity. Transaction adjustments result from currency exchange movements when one of our companies transacts business in a currency that differs from its local currency. These adjustments are recorded as gains or losses in our consolidated statements of operations. Our business transactions are spread across numerous countries and currencies. As noted in Item 7, Management’s Discussion and Analysis of Financial Condition and Results of Operations above, we attempt to minimize the net impact of currency on operating earnings by denominating an amount of billings in a currency such that it would provide a natural hedge against the operating expenses being incurred in that currency. We do not believe that an immediate 10% increase or decrease in the relative value of the U.S. dollar to other currencies would have a material effect on our operating results.
51



Interest Rate Risk – We have minimal interest rate risk. We had no debt outstanding at December 31, 2023. Our cash and cash equivalents are invested in short-term instruments at current market rates. The effect of a hypothetical one percentage point increase or decrease would not have a material impact on our consolidated financial statements.
Item 8 - Financial Statements and Supplementary Data
The information in response to this item is included in our consolidated financial statements, together with the report thereon of KPMG LLP, in Item 15, Exhibits and Financial Statement Schedules.
Item 9 - Changes in and Disagreements with Accountants on Accounting and Financial Disclosure
None.
Item 9A - Controls and Procedures
Evaluation of Disclosure Controls and Procedures

Our management, with the participation of our Interim Chief Executive Officer (our principal executive officer) and Chief Financial Officer (our principal financial officer), has evaluated the effectiveness of our disclosure controls and procedures (as defined in Rules 13a-15(e) and 15d-15(e) under the Securities Exchange Act of 1934 as amended (the "Exchange Act")) as of December 31, 2023.
Based upon that evaluation, our Interim Chief Executive Officer and Chief Financial Officer have concluded that our disclosure controls and procedures were effective as of December 31, 2023, to provide reasonable assurance that the information required to be disclosed by us in reports filed under the Exchange Act, is recorded, processed, summarized and reported within the time period specified in the rules and forms of the SEC, and is accumulated and communicated to management, including our principal executive officer and principal financial officer, as appropriate, to allow timely decisions regarding required disclosure.
Management’s Annual Report on Internal Control over Financial Reporting
The management of OneSpan Inc. is responsible for establishing and maintaining adequate internal control over financial reporting (as defined in Rule 13a-15(f) and 15d-15(f) promulgated under the Exchange Act ). Management, led by our Interim Chief Executive Officer and Chief Financial Officer, assessed the effectiveness of our internal control over financial reporting based upon the criteria set forth in the Internal Control Integrated Framework issued by the Committee of Sponsoring Organizations of the Treadway Commission ("COSO") in Internal Control—Integrated Framework (2013).

Management has concluded that its internal control over financial reporting was effective as of December 31, 2023 to provide reasonable assurance regarding the reliability of our financial reporting and the preparation of financial statements in accordance with U.S. GAAP.

KPMG LLP, an independent registered public accounting firm, has audited the effectiveness of our internal control over financial reporting as of December 31, 2023, included on F-2 of this Annual Report on Form 10-K.
Changes in Internal Control over Financial Reporting
There were no changes in our internal control over financial reporting (as that term is defined in Rule 13a-15(f) and 15d-15(f) under the Exchange Act) during the quarter ended December 31, 2023, that have materially affected, or are reasonably likely to materially affect, our internal control over financial reporting.
Limitations on the Effectiveness of Controls
Management believes that our disclosure controls and procedures and internal control over financial reporting are designed to provide reasonable assurance of achieving their objectives and are effective at the reasonable assurance level. However, our management does not expect that our disclosure controls and procedures or our internal control over financial reporting will prevent all errors and all fraud. A control system, no matter how well designed and operated, can provide only reasonable, not absolute, assurance that the objectives of the control system are met. Because of the inherent limitations in all control systems, no evaluation of controls can provide absolute assurance that all control issues and
52


instances of fraud, if any, have been detected. Additionally, controls can be circumvented by the individual acts of some persons, by collusion of two or more people or by management override of the controls. Also, projections of any evaluation of effectiveness to future periods are subject to the risk that controls may become inadequate because of changes in conditions, or that the degree of compliance with the policies and procedures may deteriorate.

Item 9B -
Other Information
Director and Officer Trading Arrangements

None of our directors or executive officers adopted or terminated a Rule 10b5-1 trading arrangement or a non-Rule 10b5-1 trading arrangement (as defined in Item 408(c) of Regulation S-K) during the fourth quarter of 2023.
Item 9C - Disclosure Regarding Foreign Jurisdictions that Prevent Inspection

Not applicable.

PART III
Item 10 - Directors, Executive Officers and Corporate Governance
All information in response to this Item, other than the required information on executive officers and the required information under Regulation S-K Item 406, is incorporated by reference to the “Information regarding our Board of Directors” and “Delinquent Section 16(a) Reports” sections of OneSpan’s Proxy Statement to be filed with the SEC for the 2024 Annual Meeting of Stockholders. The required information on executive officers is set forth in Part I of this Form 10-K under the heading "Information about our Executive Officers."
We have adopted a written code of business conduct and ethics that applies to our directors, officers, and employees, including our principal executive officer, principal financial officer, principal accounting officer or controller, or persons performing similar functions. A copy of the code is posted on the Corporate Governance section of our website,which is located at www.onespan.com. If we make any substantive amendments to, or grant any waivers from, the code of business conduct and ethics for any officer or director, we will disclose the nature of such amendment or waiver on our website. We will provide any person, without charge, a copy of our code of conduct and ethics upon written request, which may be mailed to Corporate Secretary, OneSpan Inc.,1 Marina Park Drive, Unit 1410, Boston, Massachusetts, 02210.
Item 11 - Executive Compensation
The information in response to this Item is incorporated by reference to the “Executive Compensation” and "Director Compensation" sections of OneSpan’s Proxy Statement (except for the section titled "Executive Compensation - Pay versus Performance") to be filed with the SEC for the 2024 Annual Meeting of Stockholders.
Item 12 - Security Ownership of Certain Beneficial Owners and Management and Related Stockholder Matters
The information in response to this Item is incorporated by reference to the “Security Ownership of Certain Beneficial Owners, Directors and Management” and “Equity Compensation Plan Information”sections of OneSpan’s Proxy Statement to be filed with the SEC for the 2024 Annual Meeting of Stockholders.
Item 13 - Certain Relationships and Related Transactions, and Director Independence
The information in response to this Item is incorporated by reference to the “Information regarding our Board of Directors” and “Transactions with Related Persons” sections of OneSpan’s Proxy Statement to be filed with the SEC for the 2024 Annual Meeting of Stockholders.
53


Item 14 - Principal Accounting Fees and Services
The information in response to this Item is incorporated by reference to the “Fees Paid to Independent Registered Public Accounting Firm for 2023 and 2022” section of OneSpan’s Proxy Statement to be filed with the SEC for the 2024 Annual Meeting of Stockholders.

PART IV
Item 15 - Exhibits and Financial Statement Schedules
(a)The following documents are filed as part of this Annual Report on Form 10-K.
(1)The following consolidated financial statements and notes thereto, and the related independent auditors’ report, are included on pages F-1 through F-39 of this Annual Report on Form 10-K:
Report of Independent Registered Public Accounting Firm
Consolidated Balance Sheets as of December 31, 2023 and 2022
Consolidated Statements of Operations for the Years Ended December 31, 2023, 2022 and 2021
Consolidated Statements of Comprehensive Income (Loss) for the Years Ended December 31, 2023, 2022 and 2021
Consolidated Statements of Stockholders’ Equity for the Years Ended December 31, 2023, 2022 and 2021
Consolidated Statements of Cash Flows for the Years Ended December 31, 2023, 2022 and 2021
Notes to Consolidated Financial Statements
(2)The following consolidated financial statement schedule of the Company is included on page F-41 of this Form 10-K:
Schedule II – Valuation and Qualifying Accounts
All other financial statement schedules are omitted because such schedules are not required or the information required has been presented in the aforementioned consolidated financial statements.
(3)The following exhibits are filed with this Annual Report on Form 10-K or incorporated by reference as set forth at the end of the list of exhibits:

54


Exhibit
Number
Description
4.1
4.2
10.1*
10.2*
10.3*
10.4*
10.5*
10.6*
10.7*
10.8*
10.9*
10.10*
10.11*
10.12*
10.13*
10.14
55


Exhibit
Number
Description
10.15*
10.16*
10.17*
10.18*
10.19*
10.20*
10.21*
10.22*
21
23
31.1
31.2
32.1
32.2
97
101.INSXBRL Instance Document – the instance document does not appear in the Interactive Data File because its XBRL tags are embedded within the Inline XBRL document
101.SCHXBRL Taxonomy Extension Schema Document
101.CALXBRL Taxonomy Extension Calculation Linkbase Document
56


Exhibit
Number
Description
101.LABXBRL Taxonomy Extension Label Linkbase Document
101.PREXBRL Taxonomy Extension Presentation Linkbase Document
101.DEFXBRL Taxonomy Extension Definition Linkbase Document
104
Cover page Interactive Data File (formatted as inline XBRL with applicable taxonomy extension information contained in Exhibit 101)
___________________________
*Compensatory plan or management contract.
OneSpan Inc. will furnish any of the above exhibits to stockholders upon written request addressed to the Secretary at the address given on the cover page of this Form 10-K.
57


OneSpan Inc.
INDEX TO FINANCIAL STATEMENTS AND SCHEDULE
All other financial statement schedules are omitted because they are not applicable or the required information is shown in the consolidated financial statements or notes thereto.
F-1


Report of Independent Registered Public Accounting Firm
To the Stockholders and Board of Directors
OneSpan Inc.:
Opinions on the Consolidated Financial Statements and Internal Control Over Financial Reporting

We have audited the accompanying consolidated balance sheets of OneSpan Inc. and subsidiaries (the Company) as of December 31, 2023 and 2022, the related consolidated statements of operations, comprehensive income (loss), stockholders’ equity, and cash flows for each of the years in the three-year period ended December 31, 2023, and the related notes and financial statement schedule II (collectively, the consolidated financial statements). We also have audited the Company’s internal control over financial reporting as of December 31, 2023, based on criteria established in
Internal Control – Integrated Framework (2013) issued by the Committee of Sponsoring Organizations of the Treadway Commission.
In our opinion, the consolidated financial statements referred to above present fairly, in all material respects, the financial position of the Company as of December 31, 2023 and 2022, and the results of its operations and its cash flows for each of the years in the three-year period ended December 31, 2023, in conformity with U.S. generally accepted accounting principles. Also in our opinion, the Company maintained, in all material respects, effective internal control over financial reporting as of December 31, 2023 based on criteria established in Internal Control – Integrated Framework (2013) issued by the Committee of Sponsoring Organizations of the Treadway Commission.
Basis for Opinions

The Company’s management is responsible for these consolidated financial statements, for maintaining effective internal control over financial reporting, and for its assessment of the effectiveness of internal control over financial reporting, included in the accompanying Management's Annual Report on Internal Control over Financial Reporting. Our responsibility is to express an opinion on the Company’s consolidated financial statements and an opinion on the Company’s internal control over financial reporting based on our audits. We are a public accounting firm registered with the Public Company Accounting Oversight Board (United States) (PCAOB) and are required to be independent with respect to the Company in accordance with the U.S. federal securities laws and the applicable rules and regulations of the Securities and Exchange Commission and the PCAOB.
We conducted our audits in accordance with the standards of the PCAOB. Those standards require that we plan and perform the audits to obtain reasonable assurance about whether the consolidated financial statements are free of material misstatement, whether due to error or fraud, and whether effective internal control over financial reporting was maintained in all material respects.
Our audits of the consolidated financial statements included performing procedures to assess the risks of material misstatement of the consolidated financial statements, whether due to error or fraud, and performing procedures that respond to those risks. Such procedures included examining, on a test basis, evidence regarding the amounts and disclosures in the consolidated financial statements. Our audits also included evaluating the accounting principles used and significant estimates made by management, as well as evaluating the overall presentation of the consolidated financial statements. Our audits of internal control over financial reporting included obtaining an understanding of internal control over financial reporting, assessing the risk that a material weakness exists, and testing and evaluating the design and operating effectiveness of internal control based on the assessed risk. Our audits also included performing such other procedures as we considered necessary in the circumstances. We believe that our audits provide a reasonable basis for our opinions.

Definition and Limitations of Internal Control Over Financial Reporting
A company’s internal control over financial reporting is a process designed to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles. A company’s internal control over financial reporting includes those policies and procedures that (1) pertain to the maintenance of records that, in reasonable detail, accurately and fairly reflect the transactions and dispositions of the assets of the company; (2) provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with generally accepted accounting principles, and that receipts and expenditures of the company are being made only in accordance with authorizations of management and
F-2


directors of the company; and (3) provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use, or disposition of the company’s assets that could have a material effect on the financial statements.

Because of its inherent limitations, internal control over financial reporting may not prevent or detect misstatements. Also, projections of any evaluation of effectiveness to future periods are subject to the risk that controls may become inadequate because of changes in conditions, or that the degree of compliance with the policies or procedures may deteriorate.
Critical Audit Matter
The critical audit matter communicated below is a matter arising from the current period audit of the consolidated financial statements that was communicated or required to be communicated to the audit committee and that: (1) relates to accounts or disclosures that are material to the consolidated financial statements and (2) involved our especially challenging, subjective, or complex judgments. The communication of a critical audit matter does not alter in any way our opinion on the consolidated financial statements, taken as a whole, and we are not, by communicating the critical audit matter below, providing a separate opinion on the critical audit matter or on the accounts or disclosures to which it relates.

Identification of performance obligations in contracts containing software licenses with unique terms and conditions
As discussed in Notes 2 and 4 to the consolidated financial statements, the Company enters into contracts to deliver a combination of hardware devices, software licenses, subscriptions, maintenance and support and, in some situations, professional services. The Company evaluates the nature of the goods and services promised in these arrangements to identify the distinct performance obligations. The Company recognized total revenue of $235 million, a portion of which related to contracts containing software licenses, for the year ended December 31, 2023. We identified the evaluation of the Company’s identification of performance obligations in contracts containing software licenses with unique terms and conditions as a critical audit matter. Specifically, complex auditor judgment was required to evaluate the Company's identification of performance obligations in such contracts, including for contracts with new customers or contracts that were amended with existing customers.

The following are the primary procedures we performed to address this critical audit matter. We evaluated the design and tested the operating effectiveness of certain internal controls related to the Company’s revenue recognition process. This included controls related to the identification of performance obligations and evaluation of unique terms and conditions present in individual contracts. We tested a selection of contracts, including contracts with new customers and contracts that were amended with existing customers, by obtaining and reading the underlying contract and accounting analysis to evaluate the Company’s identification of performance obligations. Specifically, we evaluated the completeness and accuracy of the Company’s identification of terms and conditions that were unique to the selected contracts and the Company’s determination of the impact of those terms and conditions on revenue recognition.
/s/ KPMG LLP
We have served as the Company’s auditor since 1996.
Chicago, Illinois
March 6, 2024
F-3


OneSpan Inc.
CONSOLIDATED BALANCE SHEETS
(In thousands, except per share data)
December 31,
20232022
ASSETS
Current assets
Cash and cash equivalents$42,493 $96,167 
Restricted cash1,037 1,208 
Short-term investments 2,328 
Accounts receivable, net of allowances of $1,536 in 2023 and $1,600 in 2022
64,387 65,132 
Inventories, net15,553 12,054 
Prepaid expenses6,575 6,222 
Contract assets5,139 4,520 
Other current assets11,159 10,757 
Total current assets146,343 198,387 
Property and equipment, net18,722 12,681 
Operating lease right-of-use assets6,171 8,022 
Goodwill93,684 90,514 
Intangible assets, net of accumulated amortization10,832 12,482 
Deferred income taxes1,721 1,901 
Other assets11,718 11,095 
Total assets$289,191 $335,082 
LIABILITIES AND STOCKHOLDERS' EQUITY
Current liabilities
Accounts payable$17,452 $17,357 
Deferred revenue69,331 64,637 
Accrued wages and payroll taxes14,335 18,345 
Short-term income taxes payable2,646 2,438 
Other accrued expenses10,684 7,664 
Deferred compensation382 373 
Total current liabilities114,830 110,814 
Long-term deferred revenue4,152 6,269 
Long-term lease liabilities6,824 8,442 
Long-term income taxes payable 2,565 
Deferred income taxes1,067 1,197 
Other long-term liabilities3,177 2,484 
Total liabilities130,050 131,771 
Stockholders' equity
Preferred stock: 500 shares authorized, none issued and outstanding at December 31, 2023 and 2022
  
Common stock: $0.001 par value per share, 75,000 shares authorized; 41,243 and 40,764 shares issued; 37,519 and 39,726 shares outstanding at December 31, 2023 and 2022
38 40 
Additional paid-in capital118,620 107,305 
Treasury stock, at cost, 3,724 and 1,038 shares outstanding at December 31, 2023 and 2022, respectively
(47,377)(18,222)
Retained earnings98,939 128,738 
Accumulated other comprehensive loss(11,079)(14,550)
Total stockholders' equity159,141 203,311 
Total liabilities and stockholders' equity$289,191 $335,082 
See accompanying notes to consolidated financial statements.
F-4


OneSpan Inc.
CONSOLIDATED STATEMENTS OF OPERATIONS
(in thousands, except per share data)
Years Ended December 31,
202320222021
Revenue
Product and license$130,848 $121,426 $120,358 
Services and other104,258 97,580 94,123 
Total revenue235,106 219,006 214,481 
Cost of goods sold   
Product and license48,676 45,106 46,196 
Services and other28,715 25,330 25,350 
Total cost of goods sold77,391 70,436 71,546 
Gross profit157,715 148,570 142,935 
Operating costs   
Sales and marketing70,235 60,949 62,730 
Research and development38,420 41,735 47,414 
General and administrative58,267 55,552 53,031 
Restructuring and other related charges17,311 13,310  
Amortization of intangible assets2,353 4,139 5,888