OneSpan (OSPN) Risk Analysis

Technological changes occur rapidly in our industry and development of new products and features is critical to maintain and grow our revenue. Our ability to attract and retain customers will depend in part upon our ability to enhance our current products and develop innovative new solutions to distinguish us from the competition and to meet customers' changing needs. Product developments and technology innovations by others may adversely affect our competitive position and we may not successfully anticipate or adapt to changing technology, industry standards or customer requirements on a timely basis. The introduction by our competitors of products embodying new technologies or the emergence of new industry standards could render our existing products obsolete and unmarketable. For example, if our competitors are better able to effectively integrate new technologies such as generative artificial intelligence ("AI") into their products, our competitive position may suffer. We spend substantial amounts of time and money to research and develop new offerings and enhanced versions of our existing offerings in order to meet our customers' rapidly evolving needs. When we develop a new offering or an enhanced version of an existing offering, we typically incur expenses and expend resources upfront to market, promote and sell the new offering. Therefore, when we develop or acquire new or enhanced offerings, their introduction must achieve high levels of market acceptance in order to justify the amount of our investment in developing and bringing them to market. In some cases, we determine that product initiatives we initially believed were promising do not warrant further investment. For example, in 2023, we decided to discontinue investments in our Digipass CX product in order to rationalize and focus our product portfolio, and incurred non-cash charges as a result. If other recent or future new product offerings do not garner widespread customer adoption and implementation, we may incur future non-cash charges and our business may be adversely affected.

Our corporate infrastructure stores and processes our sensitive, proprietary and other confidential information (including information related to financial, technology, employees, marketing, sales, etc.) which is used daily in our operations. In addition, our solutions involve transmission and processing of our customers' confidential, proprietary and sensitive information. We have legal and contractual obligations to protect the confidentiality and appropriate use of customer data. Because we are a digital agreements and cybersecurity company, and because the majority of our customers are banks and other financial institutions, which are frequent targets of cyberattacks, we may be an attractive target for cyber attackers or other data thieves. High-profile cyberattacks and security breaches have increased in recent years, with the potential for such acts heightened because of the number of employees working remotely due to the COVID-19 pandemic. Security industry experts and government officials have warned about the risks of hackers and cyberattacks targeting information technology, or IT, products and enterprise infrastructure. Because techniques used to obtain unauthorized access or to sabotage systems are constantly evolving, change frequently and often are not recognized until launched against a specific target, we may be unable to anticipate these techniques or to implement adequate preventative measures. As we seek to increase our client base and expand awareness of our brand, we may become more of a target for third parties seeking to compromise our security systems and we anticipate that hacking attempts and cyberattacks will increase in the future. We have experienced several security incidents in the past. None have been material to date, but it is possible that we will experience a material event in the future. Even though we have established teams, processes and strategies to protect our assets, we may not always be successful in preventing or repelling unauthorized access to our systems. We also may face delays in our ability to identify or otherwise respond to a cybersecurity incident or other breach. Additionally, we use third-party service providers to provide some services to us that involve the storage or transmission of data, such as software as a service (SaaS), cloud computing, and internet infrastructure and bandwidth, and they face various cybersecurity threats and may suffer cybersecurity incidents or other security breaches. Despite our security measures, our IT and infrastructure may be vulnerable to attacks. Threats to IT security can take a variety of forms. Individual and groups of hackers and sophisticated organizations, including state-sponsored organizations or nation-states, continuously undertake attacks that pose threats to our customers and our own IT. These actors may use a wide variety of methods, which may include developing and deploying malicious software or exploiting vulnerabilities in hardware, software, or other infrastructure in order to attack our products and services or gain access to our networks, using social engineering techniques to induce our employees, users, partners, or customers to disclose passwords or other sensitive information or take other actions to gain access to our data or our users' or customers' data, or acting in a coordinated manner to launch distributed denial of service or other coordinated attacks. Inadequate account security practices may also result in unauthorized access to confidential and/or sensitive data. Security incidents may have a number of negative consequences to us, including the following: requiring us to expend significant capital and other resources to alleviate the incidents and to improve our security technologies; impairing our ability to provide services to our customers and protect the privacy of their data delaying product development efforts; compromising confidential or technical business information; harming our reputation or competitive position; resulting in theft or misuse of our intellectual property or other assets; and exposing us to substantial litigation expenses and damages, indemnity and other contractual obligations, government fines and penalties, mitigation expenses, costs for remediation and incentives offered to affected parties, including customers, other business partners and employees, in an effort to maintain business relationships after an incident. We are continuously working to improve our IT systems, together with creating security boundaries around our critical and sensitive assets. We provide security awareness training to our employees and contractors that focuses on various aspects of cybersecurity. All these steps are taken to mitigate the risk of attack and to ensure our readiness to responsibly manage a security violation or attack. However, we may nevertheless be unable to anticipate attacks or to implement adequate preventative measures. If an actual or perceived breach of our security occurs, the market perception of the effectiveness of our security measures and our products could be harmed, we could lose potential sales and existing customers, our ability to operate our business could be impaired, we may incur significant liabilities, we could suffer harm to our reputation and competitive position, and our business and financial condition could be negatively impacted.

The market for digital solutions for identity, authentication, and secure digital agreements is very competitive and, like most technology-driven markets, is subject to rapid change and constantly evolving solutions and services. Our identity verification and authentication products are designed to allow authorized users access to digital business processes and properties, in some cases using patented technology, as a replacement for or supplement to a static password. Our main competitors in our identity verification and authentication markets are Gemalto, a subsidiary of Thales Group, Yubico and RSA Security. There are also many other companies, such as Transmit Security, Symantec, and Duo Security, that offer competing services. In addition to these companies, we face competition from many small authentication solution providers, many of whom offer new technologies and niche solutions such as biometric or risk and behavioral analysis. We believe that competition in this market is likely to intensify as a result of increasing demand for security products. Our primary competitors for electronic signature solutions are DocuSign and Adobe Systems. Both companies are significantly larger than us. In addition to these companies, there are numerous smaller and regional or niche providers of electronic signing solutions. Some of our present and potential competitors have significantly greater brand awareness and financial, technical, marketing, purchasing, and other resources than we do. As a result, they may be able to respond more quickly to new or emerging technologies and changes in customer requirements, devote greater resources to the development, promotion and sale of products, or deliver competitive products at a lower end-user price than we do. These factors have made it more difficult for us to compete successfully and may continue to do so, which would negatively affect our business.

We derive a substantial portion of our revenue from a limited number of customers. The loss of substantial sales to any one of them could adversely affect our operations and results. In 2023, 2022, and 2021, our top 10 largest customers contributed 22%, 23%, and 22%, respectively, of our total worldwide revenue.

We believe that enhancing our brand recognition is important to our efforts to attract new customers and channel partners, and that our relative lack of brand awareness, particularly in the Digital Agreements segment, has made it more challenging to acquire new customers. Our brand recognition and reputation are dependent upon numerous factors including: - our marketing efforts;- our ability to continue to offer high quality, innovative and reliable products;- our ability to maintain customer satisfaction with our products;- our ability to be responsive to customer concerns and provide high quality customer support, training and professional services;- any misuse or perceived misuse of our products;- positive or negative publicity, including through reviews by industry analysts;- our ability to prevent or quickly react to any cyberattack on our information technology systems or security breach of or related to our software; and - litigation or regulatory-related developments. Improving our brand recognition is likely to require significant additional expenditures and may not be successful or yield increased revenues. If we do not successfully enhance our brand and maintain our reputation, we may continue to have difficulties attracting new customers, including due to reduced pricing power relative to competitors with stronger brands, and we could lose customers or renewals, which would adversely affect our business.

Our ability to successfully attain our business objectives will depend significantly on our ability to retain and motivate key employees and attract qualified new hires. In 2022 and 2023, we terminated the employment of approximately 270 employees as part of our cost reduction and restructuring efforts, and in early January 2024, we terminated the employment of our previous CEO and hired an interim CEO. These layoffs and the changes in our leadership have created uncertainty among our employees, and we expect it may make it more difficult, more time-consuming and more expensive for us to retain key employees and attract new hires. We face intense competition for these employees from numerous technology, software and other companies, many of whom have greater resources than we do, and our employees are generally employed on an at-will basis, which means that they could terminate their employment with us at any time. The temporary or permanent loss of the services of senior management or other key employees for any reason could significantly delay or prevent the achievement of our objectives and harm our business, financial condition and results of operations. Further, the loss of key employees, particularly those in senior management roles, could be negatively perceived in the capital markets, which could reduce the market value of our securities. Difficulties retaining, motivating and attracting qualified employees could have an adverse effect on our ability to achieve our business objectives and, as a result, our ability to compete could decrease and our financial results could be adversely affected. In addition, even if we are able to identify and recruit a sufficient number of new hires, these new hires will require significant training before they achieve full productivity, particularly in the case of sales employees.

Negative economic conditions, including conditions resulting from changes in foreign currency rates, changes in interest rates, gross domestic product growth, financial and credit market fluctuations, inflation, political turmoil (including potential political turmoil or conflict related to the 2024 U.S. presidential elections), geopolitical tensions, natural catastrophes, regional and global conflicts, natural disasters, and terrorist attacks, could cause a decrease in business investments, including spending on information technology, and negatively affect the performance of our business. If global or regional economic and financial market conditions remain uncertain and/or weak for an extended period of time, any of the following factors, among others, could have a material adverse effect on our financial condition and results of operations: - slower consumer or business spending may result in reduced demand for our products and services, reduced orders from customers, order cancellations, lower revenues, increased inventories, and lower gross margins;- volatility in the global markets and fluctuations in exchange rates for foreign currencies could negatively impact our reported financial results and condition;- volatility in the prices for materials and components we use in our Digipass products could have a material adverse effect on our costs, gross margins, and profitability;- restructurings, reorganizations, consolidations and other corporate events could affect our customers' budgets and buying cycles, particularly in the banking and financial services industry, where we have particular exposure due to the majority of our customers being banks and financial institutions;- if our customers experience declining revenues, or experience difficulty obtaining financing in the capital and credit markets to purchase our products and services, this could result in reduced orders, longer sales cycles, order cancellations, inability of customers to timely meet their payment obligations to us, extended payment terms, higher accounts receivable, reduced cash flows, greater expense associated with collection efforts and increased bad debt expense;- severe financial difficulty experienced by our customers (such as the mid-market bank failures that occurred in 2023) may cause them to become insolvent or cease business operations, which could reduce sales, cash collections and revenue streams; and - any difficulty or inability on the part of manufacturers of our products or other participants in our supply chain in obtaining sufficient financing to purchase raw materials or to finance general working capital needs may result in delays or non-delivery of shipments of our products. Furthermore, in an adverse economic environment there is a risk that customers may delay their orders until the economic conditions improve. If a significant number of orders are delayed for an indefinite period of time, our revenue and cash receipts may not be sufficient to meet the operating needs of the business. If this is the case, we may need to significantly reduce our workforce, sell certain of our assets, enter into strategic relationships or business combinations, discontinue some or all of our operations, or take other similar restructuring actions. While we expect that these actions would result in a reduction of recurring costs, they also may result in a reduction of recurring revenue and cash receipts. It is also likely that we would incur substantial non-recurring costs to implement one or more of these restructuring actions.

Our business operations are subject to interruption by natural disasters, including extreme weather related to the effects of climate change, and other catastrophic events such as fire, floods, power loss, telecommunications failure, cyberattack, war or terrorist attack, or epidemic or pandemic, such as the COVID-19 pandemic. To the extent such events impact our facilities or off-premises infrastructure, we may be unable to continue our operations and may endure system interruptions, reputational harm, delays in our software development, lengthy interruptions in our services, breaches of data security and loss of critical data, all of which could have an adverse effect on our future operating results.

Because a significant number of our principal customers are located outside the United States, we expect that international sales will continue to generate a significant portion of our total revenue. We are subject to foreign exchange fluctuations and risks because the majority of our product costs are denominated in U.S. dollars, whereas a significant portion of the sales and expenses of our foreign operating subsidiaries are denominated in various foreign currencies. A decrease in the value of any of these foreign currencies relative to the U.S. dollar could adversely affect our revenue and profitability in U.S. dollars of our products sold in these markets. Furthermore, a strengthening of the U.S. dollar could increase the cost in local currency of our products and services to customers outside the United States, which could adversely affect our business, results of operations, financial condition and cash flows. The exchange rate between the U.S. dollar and foreign currencies has fluctuated in recent years and may fluctuate substantially in the future. For example, the U.S. dollar's strength against foreign currencies, particularly the Euro, during 2022 had a significant impact on our 2022 financial results. Although foreign exchange impact was not significant to our 2023 results, it could adversely affect our results for 2024 and beyond. We do not currently use forward contracts or other hedging strategies such as options or foreign exchange swaps to mitigate our exposure to foreign currency fluctuations.

We are subject to U.S. federal, state, local and sales taxes in the United States and foreign income taxes, withholding taxes and transaction taxes in numerous foreign jurisdictions. Significant judgment is required in evaluating our tax positions and our worldwide provision for taxes. During the ordinary course of business, there are many activities and transactions for which the ultimate tax determination is uncertain and the relevant taxing authorities may disagree with our determinations as to the income and expenses attributable to specific jurisdictions. In addition, our tax obligations and effective tax rates could be adversely affected by changes in the relevant tax, accounting and other laws, regulations, principles and interpretations by recognizing tax losses or lower than anticipated earnings in jurisdictions where we have lower statutory rates and higher than anticipated earnings in jurisdictions where we have higher statutory rates, by changes to our operating structure (including a currently in-process revenue of our intellectual property structure), by changes in foreign currency exchange rates, or by changes in the valuation of our deferred tax assets and liabilities. We may be audited in various jurisdictions, and such jurisdictions may assess additional taxes, sales taxes and value-added taxes against us. Although we believe our tax estimates are reasonable, the final determination of any tax audits or litigation could be materially different from our historical tax provisions and accruals, which could have a material adverse effect on our operating results or cash flows in the period for which a determination is made. At December 31, 2023 we had U.S. federal, state, and foreign net operating losses ("NOLs"), of $27.5 million, $30.5 million, and $124.3 million, respectively, available to offset future taxable income, some of which begin to expire in 2025. Federal NOLs incurred in taxable years beginning after December 31, 2017 can be carried forward indefinitely, but the deductibility of federal NOLs in taxable years beginning after December 31, 2021, is subject to certain limitations. A lack of future taxable income would adversely affect our ability to utilize these NOLs before they expire. In addition, under the provisions of the Internal Revenue Code of 1986, as amended, or the Internal Revenue Code, substantial changes in our ownership may limit the amount of pre-change NOLs that can be utilized annually in the future to offset taxable income. Section 382 of the Internal Revenue Code imposes limitations on a company's ability to use its NOLs if one or more stockholders or groups of stockholders that own at least 5% of the company's stock increase their ownership by more than 50 percentage points over their lowest ownership percentage within a rolling three-year period. Similar rules may apply under state tax laws. Based upon an analysis as of December 31, 2021, we determined that we do not expect these limitations to materially impair our ability to use our NOLs prior to expiration. However, if changes in our ownership occurred after such date, or occur in the future, our ability to use our NOLs may be further limited. Subsequent statutory or regulatory changes in respect of the utilization of NOLs for federal or state purposes, such as suspensions on the use of NOLs or limitations on the deductibility of NOLs carried forward, or other unforeseen reasons, may result in our existing NOLs expiring or otherwise being unavailable to offset future income tax liabilities. For these reasons, we may not be able to utilize a material portion of the NOLs, even if we achieve profitability.

We collect, transmit, store, and otherwise process (on our systems and on our third-party partners' systems) our customers' and our employees' data that includes personal data subject to international and domestic privacy and data protection laws and regulations. For example, in Europe, we are subject to the European Union's General Data Protection Regulation, (EU) 2016/679 ("GDPR") and laws implemented by EU member states. These laws and regulations impose restrictions on the collection and use of personal data that are generally more stringent, and impose more significant burdens on subject businesses, than current privacy standards in the United States. They establish several obligations that organizations must follow with respect to use of personal data, including consent requirements, data subject rights, and a prohibition on the transfer of personal data from the EU to other countries whose laws do not protect personal data to an adequate level of privacy or security. We continue to adapt our compliance with GDPR using standard contractual clauses and other methods; however, it is difficult to be certain that compliance has been achieved. We have expended significant resources to comply, but those methods may be subject to scrutiny by data protection authorities in EU member states. In addition, other jurisdictions such as Brazil, Canada, and the United Kingdom have enacted privacy and data protection laws and regulations that impose similar restrictions and obligations on products and services we sell. In the United States, the federal and state governments have also enacted privacy and data protection laws and regulations that impact us, our customers, and partners. For example, in June 2018, California enacted the California Consumer Privacy Act ("CCPA"), which took effect January 1, 2020, and imposed many requirements on businesses that process the personal information of California residents. Many of the CCPA's requirements are similar to those found in the GDPR, including requiring businesses to provide notice to data subjects regarding the information collected about them and how such information is used and shared, and providing data subjects the right to request access to such personal information and, in certain cases, request the erasure of such personal information. The CCPA also affords California residents the right to opt-out of "sales" of their personal information. The CCPA contains significant penalties for companies that violate its requirements. In January 2023, the California Privacy Rights Act of 2020 ("CPRA") went into effect, and significantly expanded the CCPA to incorporate additional GDPR-like provisions including requiring that the use, retention, and sharing of personal information of California residents be reasonably necessary and proportionate to the purposes of collection or processing, granting additional protections for sensitive personal information, and requiring greater disclosures related to notice to residents regarding retention of information. The CPRA also created a new enforcement agency – the California Privacy Protection Agency – whose sole responsibility is to enforce the CPRA, which will further increase compliance risks. The provisions in the CPRA may apply to some of our business activities. In addition, several other states have passed state privacy and data protection laws, and the U.S. Congress has been debating passing a federal privacy law. We use biometric data in some of our identity verification products, and several jurisdictions have imposed legal and compliance requirements on biometric data that are more stringent than requirements on other classifications of personal data. For example, under GDPR, biometric data is considered "sensitive data" which requires special attention and technical and organizational measures to protect the biometric data against breaches of confidentiality, integrity, and availability. Similarly, in the U.S., the Illinois Biometric Information Privacy Act ("BIPA") regulates the collection, use, safeguarding, and storage of biometric identifiers and information, requires informed consent before collection, imposes fines for non-compliance, and grants residents a private right of action over improper collection and mishandling of biometric data. Similarly, Québec's Act respecting the protection of personal data in the private sector ("Law 25" formerly known as "Bill 64") introduces substantial changes to the privacy landscape in Quebec, enhancing protection for personal data and introducing new obligations for transparency and accountability in data processing activities, including those involving biometric data. Our activities as a SaaS solution provider mainly involve the processing of personal data on behalf of our customers. Our operations as a processor of our customers' data relate to collecting, transmitting, storing, and processing a wide array of data, including personal data and biometric information of individuals worldwide. This data is handled both on our systems and those of our third-party partners, making us subject to a complex web of regulations across various jurisdictions. Adapting to these requirements may entail significant operational changes, including revising data processing and storage practices, enhancing data security measures, ensuring transparent communication with data subjects about their rights and our data handling practices, and it may impact our business activities, including our relationships with business partners and the marketing and distribution of our products. We work to comply with all applicable international and domestic privacy and data protection laws and regulations; however, these laws and regulations vary greatly from jurisdiction to jurisdiction, change rapidly, and are subject to interpretation, all of which leads to uncertainty in their applicability. The costs of compliance with these laws and regulations that apply to us, and other burdens imposed by them, may limit our use of personal data and could have a material adverse impact on our results of operations. Compliance may require that we implement new processes and policies or change our existing processes and policies or features of our systems, which may require substantial financial and other resources, and which otherwise may be difficult to undertake. Any failure or perceived failure by us (or our third-party partners) to comply with these privacy and data protection laws and regulations, our processes and policies, contractual provisions, or an actual, perceived or suspected data privacy or information security incident could result in serious consequences for us. These consequences may include enforcement actions, audits, investigations, prosecutions, fines, penalties, debarment, litigation, claims for damages by customers and other affected individuals, reputational loss, and financial and business losses. .