OneSpan (OSPN) Risk Analysis

Technological changes occur rapidly in our industry and development of new products and features is critical to maintain and grow our revenue. Our ability to attract and retain customers will depend in part upon our ability to enhance our current products and develop innovative new solutions to distinguish us from the competition and to meet customers' changing needs. For instance, we believe that our bank and financial institution customers, who account for a majority of our revenue, may increasingly move away from multi-factor authentication methods and toward passkeys that use the FIDO2 passwordless authentication standard. If we are unable to provide our customers with high quality and innovative passkey solutions, or if we otherwise do not anticipate or adapt to changing technology, industry standards or customer requirements on a timely basis, competitive position and financial results will be negatively impacted. Product developments and technology innovations by others may adversely affect our competitive position. The introduction by our competitors of products embodying new technologies or the emergence of new industry standards could render our existing products obsolete and unmarketable. For example, if our competitors are able to more quickly and effectively integrate new technologies such as generative artificial intelligence into their products, our competitive position may suffer. We spend substantial amounts of time and money to research and develop new offerings and enhanced versions of our existing offerings in order to meet our customers' rapidly evolving needs. When we develop a new offering or an enhanced version of an existing offering, we typically incur expenses and expend resources upfront to market, promote and sell the new offering. Therefore, when we develop or acquire new or enhanced offerings, their introduction must achieve high levels of market acceptance in order to justify the amount of our investment in developing and bringing them to market. In some cases, we determine that product initiatives we initially believed were promising do not warrant further investment. For example, in 2023, we decided to discontinue investments in our Digipass CX product in order to rationalize and focus our product portfolio, and incurred non-cash charges as a result. If other recent or future new product offerings do not garner widespread customer adoption and implementation, we may incur future non-cash charges and our business may be adversely affected.

Our corporate infrastructure stores and processes our sensitive, proprietary and other confidential information (including information related to finance, technology, employees, marketing, sales, etc.) which is used daily in our operations. In addition, our solutions involve transmission and processing of our customers' confidential, proprietary, personal and sensitive information. We have legal and contractual obligations to protect the confidentiality and appropriate use of customer data. Because we are a digital agreements and cybersecurity company, and because the majority of our customers are banks and other financial institutions, which are frequent targets of cyberattacks, we may be an attractive target for cyber attackers or other data thieves. High-profile cyberattacks and security breaches have increased in recent years, with the potential for such acts heightened because of the number of employees working remotely since the COVID-19 pandemic and the increase in sophisticated cyberattack methods, such as the use of artificial intelligence to launch automated, accelerated and enhanced cyberattacks. Because techniques used to obtain unauthorized access or to sabotage systems are constantly evolving, change frequently and often are not recognized until launched against a specific target, we may be unable to anticipate these techniques or to implement adequate preventative measures. As we seek to increase our client base and expand awareness of our brand, we may become a greater target for third parties seeking to compromise our security systems and we anticipate that hacking attempts and cyberattacks will increase in the future. We have experienced several security incidents in the past. None have been material to date, but it is possible that we will experience a material event in the future. Even though we have established teams, processes and strategies to protect our assets, we may not always be successful in preventing or repelling unauthorized access to our systems. We also may face delays in our ability to identify or otherwise respond to a cybersecurity incident or other breach. Additionally, we use third-party service providers to provide some services to us that involve the storage or transmission of data, such as SaaS, cloud computing, and internet infrastructure and bandwidth, and they face various cybersecurity threats and may suffer cybersecurity incidents or other security breaches. Despite our security measures, our IT and infrastructure may be vulnerable to attacks. Threats to IT security can take a variety of forms. Individuals and groups of hackers and sophisticated organizations, including state-sponsored organizations or nation-states, continuously undertake attacks that pose threats to our customers and our own IT. These actors may use a wide variety of methods, which may include utilizing our products to launch phishing attacks, developing and deploying malicious software or exploiting vulnerabilities in hardware, software, or other infrastructure in order to attack our products and services or gain access to our networks, using social engineering techniques to induce our employees, users, partners, or customers to disclose passwords or other sensitive information or take other actions to gain access to our data or our users' or customers' data, or acting in a coordinated manner to launch distributed denial of service or other coordinated attacks. Inadequate account security practices may also result in unauthorized access to confidential and/or sensitive data. Security incidents may have a number of negative consequences to us, including the following: requiring us to expend significant capital and other resources to alleviate the incidents and to improve our security technologies; impairing our ability to provide services to our customers and protect the privacy of their data delaying product development efforts; compromising confidential or technical business information or personal data; harming our reputation or competitive position; resulting in theft or misuse of our intellectual property or other assets; and exposing us to substantial litigation expenses and damages, indemnity and other contractual obligations, government fines and penalties, mitigation expenses, costs for remediation and incentives offered to affected parties, including customers, other business partners and employees, in an effort to maintain business relationships after an incident. We are continuously working to improve our IT systems, together with creating security boundaries around our critical and sensitive assets. We provide security awareness training to our employees and our key contractors that focuses on various aspects of cybersecurity. All these steps are taken to mitigate the risk of attack and to ensure our readiness to responsibly manage a security violation or attack. However, we may nevertheless be unable to anticipate attacks or to implement adequate preventative measures. If an actual or perceived breach of our security occurs, the market perception of the effectiveness of our security measures and our products could be harmed, we could lose potential sales and existing customers, our ability to operate our business could be impaired, we may incur significant liabilities, we could suffer harm to our reputation and competitive position, and our business and financial condition could be negatively impacted.

The market for digital solutions for security, authentication, identity, electronic signature, and digital workflow solutions is very competitive and, like most technology-driven markets, is subject to rapid change and constantly evolving solutions and services. Our identity verification and authentication products are designed to allow authorized users access to digital business processes and properties, in some cases using patented technology, as a replacement for or supplement to a static password. Our main competitors in our identity verification and authentication markets are Gemalto, a subsidiary of Thales Group, Yubico and RSA Security. There are also many other companies in adjacent areas, such as mobile device management ("MDM"), threat protection, and identity and access management ("IAM"), that offer competing services In addition to these companies, we face competition from many small authentication solution providers, many of whom offer new technologies and niche solutions such as biometric or risk and behavioral analysis. We believe that competition in this market is likely to intensify as a result of increasing demand for security products. Our primary competitors for electronic signature solutions are DocuSign and Adobe Systems. Both companies are significantly larger than us. In addition to these companies, there are numerous smaller and regional or niche providers of electronic signing solutions. Some of our present and potential competitors have significantly greater brand awareness and financial, technical, marketing, purchasing, and other resources than we do. As a result, they may be able to respond more quickly to new or emerging technologies and changes in customer requirements, devote greater resources to the development, promotion and sale of products, or deliver competitive products at a lower end-user price than we do. These factors have made it more difficult for us to compete successfully and may continue to do so, which would negatively affect our business.

We derive a substantial portion of our revenue from a limited number of customers. The loss of substantial sales to any one of them could adversely affect our operations and results. In 2024, 2023, and 2022, our top 10 largest customers contributed 20%, 22%, and 23%, respectively, of our total worldwide revenue.

We believe that enhancing our brand recognition is important to our efforts to attract new customers and channel partners, and that our relative lack of brand awareness has made it more challenging to acquire new customers. Our brand recognition and reputation are dependent upon numerous factors, including: - our marketing efforts;- our ability to continue to offer high quality, innovative and reliable products;- our ability to maintain customer satisfaction with our products;- our ability to be responsive to customer concerns and provide high quality customer support, training and professional services;- any misuse or perceived misuse of our products;- positive or negative publicity, including through reviews by industry analysts;- our ability to prevent or quickly react to any cyberattack on our information technology systems or security breach of or related to our software; and - litigation or regulatory-related developments. Improving our brand recognition is likely to require significant additional expenditures and may not be successful or yield increased revenues. If we do not successfully enhance our brand and maintain our reputation, we may continue to have difficulties attracting new customers, including due to reduced pricing power relative to competitors with stronger brands, and we could lose customers or renewals, which would adversely affect our business.

From time to time, we are involved as a party or an indemnitor in disputes or regulatory inquiries. These may include alleged claims, lawsuits and proceedings regarding intellectual property disputes, labor and employment issues, commercial disagreements, securities law violations and other matters. In particular, companies in the software industry are often required to defend against litigation or claims based on allegations of infringement or other violations of intellectual property rights. In certain instances, we have received claims that we have infringed the intellectual property rights of others, including claims regarding patents, copyrights, and trademarks. Because of constant technological change in the markets in which we compete, the extensive patent coverage of existing technologies, and the rapid rate of issuance of new patents, it is possible that the number of these claims may grow. Such claims sometimes involve patent holding companies or other adverse patent owners that have no relevant product revenue and against which our own patents may therefore provide little or no deterrence. In addition, former employers of our former, current, or future employees may assert claims that such employees have improperly disclosed to us the confidential or proprietary information of these former employers. If we are not successful in defending such claims, we could be required to stop selling our products, delay shipments, redesign our products, pay monetary amounts as damages, enter into royalty or licensing arrangements (which may not be available to us on commercially reasonable terms), or satisfy indemnification obligations to our customers, any of which could have a material adverse effect on our business. Regardless of the merits or ultimate outcome of any claims that have been or may be brought against us or that we may bring against others, lawsuits are time-consuming and expensive to resolve, divert management's time and attention, and could harm our reputation. Although we carry general liability and other forms of insurance, our insurance may not cover potential claims that arise or may not be adequate to indemnify us for all liability that may be imposed. We may also determine that the most cost-effective way to resolve a dispute is to enter into a settlement agreement. Litigation is inherently unpredictable and we cannot predict the timing, nature, controversy or outcome of lawsuits, and it is possible that litigation could have an adverse effect on our business, operating results or financial condition.

We are subject to U.S. federal, state, local and sales taxes in the United States and foreign income taxes, withholding taxes and transaction taxes in numerous foreign jurisdictions. Significant judgment is required in evaluating our tax positions and our worldwide provision for taxes. During the ordinary course of business, there are many activities and transactions for which the ultimate tax determination is uncertain and the relevant taxing authorities may disagree with our determinations as to the income and expenses attributable to specific jurisdictions. In addition, our tax obligations and effective tax rates could be adversely affected by changes in the relevant tax, accounting and other laws, regulations, principles and interpretations by recognizing tax losses or lower than anticipated earnings in jurisdictions where we have lower statutory rates and higher than anticipated earnings in jurisdictions where we have higher statutory rates, by changes to our operating structure (including a currently in-process revenue of our intellectual property structure), by changes in foreign currency exchange rates, or by changes in the valuation of our deferred tax assets and liabilities. We may be audited in various jurisdictions, and such jurisdictions may assess additional taxes, sales taxes and value-added taxes against us. Although we believe our tax estimates are reasonable, the final determination of any tax audits or litigation could be materially different from our historical tax provisions and accruals, which could have a material adverse effect on our operating results or cash flows in the period for which a determination is made. At December 31, 2024 we had U.S. federal, state, and foreign net operating losses ("NOLs"), of $22.7 million, $44.1 million, and $117.0 million, respectively, available to offset future taxable income, some of which begin to expire in 2025. Federal NOLs incurred in taxable years beginning after December 31, 2017 can be carried forward indefinitely, but the deductibility of federal NOLs in taxable years beginning after December 31, 2021 is subject to certain limitations. A lack of future taxable income would adversely affect our ability to utilize these NOLs before they expire. In addition, under the provisions of the Internal Revenue Code of 1986, as amended (the "Internal Revenue Code"), substantial changes in our ownership may limit the amount of pre-change NOLs that can be utilized annually in the future to offset taxable income. Section 382 of the Internal Revenue Code imposes limitations on a company's ability to use its NOLs if one or more stockholders or groups of stockholders that own at least 5% of the company's stock increase their ownership by more than 50 percentage points over their lowest ownership percentage within a rolling three-year period. Similar rules may apply under state tax laws. Based upon an analysis as of December 31, 2024, we determined that we do not expect these limitations to materially impair our ability to use our NOLs prior to expiration. However, if changes in our ownership occurred after such date, or occur in the future, our ability to use our NOLs may be further limited. Subsequent statutory or regulatory changes in respect of the utilization of NOLs for federal or state purposes, such as suspensions on the use of NOLs or limitations on the deductibility of NOLs carried forward, or other unforeseen reasons,may result in our existing NOLs expiring or otherwise being unavailable to offset future income tax liabilities. For these reasons, we may not be able to utilize a material portion of the NOLs, even if we achieve profitability.

The regulatory framework for the collection, use, access, sharing, transfer and other processing of information worldwide is rapidly evolving and is likely to remain uncertain for the foreseeable future. Globally, virtually every jurisdiction in which we operate has established its own data security and privacy frameworks with which we must comply. We collect, transmit, store, and otherwise process (on our systems and on our third-party partners' systems) our customers' and our employees' data that includes personal data subject to these international and domestic privacy and data protection laws and regulations. For example, in the European Union, we are required to comply with the General Data Protection Regulation, (EU) 2016/679 as well as supplementary laws implemented by EU member states of the European Economic Area ("EEA") (collectively, "GDPR"). The GDPR is wide-ranging in scope and imposes numerous requirements on companies that process personal data, including requirements relating to processing biometric and other sensitive data, obtaining consent of the individuals to whom the personal data relates, providing information to individuals regarding data processing activities, implementing safeguards to protect the security and confidentiality of personal data, providing notification of data breaches, and taking certain measures when engaging third-party processors. The GDPR also imposes strict rules on the transfer of personal data from the EEA to other countries that are not viewed as providing an adequate level of data protection. In addition, the GDPR permits data protection authorities to require destruction of improperly gathered or used personal information and/or impose substantial fines for violations of the GDPR, which can be up to four percent of global revenues or 20 million Euros, whichever is greater, and it also confers a private right of action on data subjects and consumer associations to lodge complaints with supervisory authorities, seek judicial remedies, and obtain compensation for damages resulting from violations of the GDPR. We continue to adapt our compliance with GDPR using standard contractual clauses and other methods; however, it is difficult to be certain that compliance has been achieved. We have expended significant resources to comply, but those methods may be subject to scrutiny by data protection authorities in EEA member states. There are ongoing concerns about the ability of companies to transfer personal data from the EEA to other countries. In October 2022, President Biden signed an executive order to implement the EU-U.S. Data Privacy Framework ("DPF"). The European Commission adopted an adequacy decision to permit data transfers from the EEA to the United States going forward. This development permits data transfers at this point under this framework and more broadly has made international data transfers more straightforward, but these provisions are being challenged in court. The new U.S. presidential administration may also impact whether the DPF remains an adequate data transfer framework. The continuing uncertainty around this issue may further impact our business operations in the EEA. Beyond the GDPR, there are privacy and data security laws in a growing number of countries around the world. For example, other jurisdictions such as Brazil, Canada, and the United Kingdom have enacted privacy and data protection laws and regulations that impose similar restrictions and obligations on products and services we sell and that otherwise may impact our ability to conduct our business activities. In the United States, the federal and state governments have also enacted privacy and data protection laws and regulations that impact us, our customers, and partners. At the federal level, we could potentially be subject to privacy enforcement from the Federal Trade Commission (the "FTC"), which has been particularly focused on the processing of biometric and other sensitive data through its recent enforcement actions. The FTC's enforcement priorities (as well as those of other federal regulators) may be impacted by the change in administration and new leadership. These shifts in enforcement priorities may also impact our business. At the state level, the California Consumer Privacy Act ("CCPA")-which went into effect on January 1, 2020-is creating similar risks and obligations as those created by GDPR. The CCPA also has been amended through a recent referendum in California that creates additional obligations beginning in 2023. The California Privacy Rights Act of 2020 ("CPRA") also created a new enforcement agency – the California Privacy Protection Agency – whose sole responsibility is to enforce the CPRA, which will further increase compliance risks. In addition, more than 18 other states already have passed comprehensive privacy laws. States are also passing laws regulating specific categories of information that may impact our business. For example, the State of Washington passed the My Health My Data Act in 2023, which specifically regulates health information, including biometric data, that is not otherwise regulated by the HIPAA rules and includes a private right action. A broad range of legislative measures also have been introduced at the federal level. Accordingly, failure to comply with federal and state laws (both those currently in effect and future legislation) regarding privacy and security of personal information could expose us to fines and penalties under such laws. There also is the threat of consumer class actions related to these laws and the overall protection of personal data. Even if we are not determined to have violated these laws, government investigations into these issues typically require the expenditure of significant resources and generate negative publicity, which could harm our reputation and our business. In addition, several jurisdictions have imposed legal and compliance requirements on biometric data that are more stringent than requirements on other classifications of personal data. For example, in the U.S., the Illinois Biometric Information Privacy Act ("BIPA") regulates the collection, use, safeguarding, and storage of biometric identifiers and information, requires informed consent before collection, imposes fines for non-compliance, and grants residents a private right of action over improper collection and mishandling of biometric data. The U.S. state comprehensive privacy laws generally treat biometric data as sensitive personal data, subject to heightened requirements around its processing. Similarly, Québec's Act respecting the protection of personal data in the private sector ("Law 25", formerly known as "Bill 64") introduces substantial changes to the privacy landscape in Quebec, enhancing protection for personal data and introducing new obligations for transparency and accountability in data processing activities, including those involving biometric data. Our activities as a SaaS solution provider mainly involve the processing of personal data on behalf of our customers. Our operations as a processor of our customers' data relate to collecting, transmitting, storing, and processing a wide array of data, including personal data and biometric information of individuals worldwide. This data is handled both on our systems and those of our third-party partners, making us subject to a complex web of regulations across various jurisdictions. Adapting to these requirements may entail significant operational changes, including revising data processing and storage practices, enhancing data security measures, ensuring transparent communication with data subjects about their rights and our data handling practices, and it may impact our business activities, including our relationships with business partners and the marketing and distribution of our products. We work to comply with all applicable international and domestic privacy and data protection laws and regulations; however, these laws and regulations vary greatly from jurisdiction to jurisdiction, change rapidly, and are subject to interpretation, all of which leads to uncertainty in their applicability. The costs of compliance with these laws and regulations that apply to us, and other burdens imposed by them, may limit our use of personal data and could have a material adverse impact on our results of operations. Compliance may require that we implement new processes and policies or change our existing processes and policies or features of our systems, which may require substantial financial and other resources, and which otherwise may be difficult to undertake. Any failure or perceived failure by us (or our third-party partners) to comply with these privacy and data protection laws and regulations, our processes and policies, contractual provisions, or an actual, perceived or suspected data privacy or information security incident could result in serious consequences for us. These consequences may include enforcement actions, audits, investigations, prosecutions, fines, penalties, debarment, litigation, claims for damages by customers and other affected individuals, reputational loss, and financial and business losses.

Our ability to successfully attain our business objectives will depend significantly on our ability to retain and motivate key employees and attract qualified new hires. In 2022, 2023 and 2024, we terminated the employment of approximately 330 employees as part of our cost reduction and restructuring efforts. These reductions may make it more difficult, more time-consuming and more expensive for us to retain key employees and attract new hires, both because our reputation in the hiring market may have been negatively affected by the reductions and because the remaining employees have had to assume additional work. We face intense competition for these employees from numerous technology, software and other companies, many of whom have greater resources than we do, and our employees are generally employed on an at-will basis, which means that they could terminate their employment with us at any time. The temporary or permanent loss of the services of our CEO, other members of senior management or other key employees for any reason could significantly delay or prevent the achievement of our objectives and harm our business, financial condition and results of operations. Further, the loss of key employees, particularly those in senior management roles, could be negatively perceived in the capital markets, which could reduce the market value of our securities. Difficulties retaining, motivating and attracting qualified employees could have an adverse effect on our ability to achieve our business objectives and, as a result, our ability to compete could decrease and our financial results could be adversely affected. In addition, even if we are able to identify and recruit a sufficient number of new hires, these new hires will require significant training before they achieve full productivity, particularly in the case of sales employees. In addition, while we believe the significant workforce reductions we completed in the past three years were necessary in order to position the company for profitable growth, it is possible that we could experience various negative effects from these reductions, including slower customer service response times and reduced ability to complete or undertake new product development projects and other business, product, technical, compliance or risk mitigation initiatives.

Negative economic conditions, including conditions resulting from changes in foreign currency rates, changes in interest rates, gross domestic product growth, financial and credit market fluctuations, inflation, political turmoil, geopolitical tensions, tariffs, international trade disputes, natural catastrophes, regional and global conflicts, natural disasters, and terrorist attacks, could cause a decrease in business investments, including spending on information technology, and negatively affect the performance of our business. If global or regional economic and financial market conditions remain uncertain and/or weak for an extended period of time, any of the following factors, among others, could have a material adverse effect on our financial condition and results of operations: - slower consumer or business spending may result in reduced demand for our products and services, reduced orders from customers, order cancellations, lower revenues, increased inventories, and lower gross margins;- volatility in global markets, tariffs or international trade disputes, and fluctuations in exchange rates for foreign currencies could negatively impact our reported financial results and condition;- volatility in the prices for materials and components we use in our Digipass products could have a material adverse effect on our costs, gross margins, and profitability;- restructurings, reorganizations, consolidations and other corporate events could affect our customers' budgets and buying cycles, particularly in the banking and financial services industry, where we have particular exposure due to the majority of our customers being banks and financial institutions;- if our customers experience declining revenues, or experience difficulty obtaining financing in the capital and credit markets to purchase our products and services, this could result in reduced orders, longer sales cycles, order cancellations, inability of customers to timely meet their payment obligations to us, extended payment terms, higher accounts receivable, reduced cash flows, greater expense associated with collection efforts and increased bad debt expense;- severe financial difficulty experienced by our customers (such as the mid-market bank failures that occurred in 2023) may cause them to become insolvent or cease business operations, which could reduce sales, cash collections and revenue streams; and - any difficulty or inability on the part of manufacturers of our products or other participants in our supply chain in obtaining sufficient financing to purchase raw materials or to finance general working capital needs may result in delays or non-delivery of shipments of our products. Furthermore, in an adverse economic environment there is a risk that customers may delay their orders until the economic conditions improve. If a significant number of orders are delayed for an indefinite period of time, our revenue and cash receipts may not be sufficient to meet the operating needs of the business. If this is the case, we may need to significantly reduce our workforce, sell certain of our assets, enter into strategic relationships or business combinations, discontinue some or all of our operations, or take other similar restructuring actions. While we expect that these actions would result in a reduction of recurring costs, they also may result in a reduction of recurring revenue and cash receipts. It is also likely that we would incur substantial non-recurring costs to implement one or more of these restructuring actions.

Our business operations are subject to interruption by natural disasters, including extreme weather related to the effects of climate change, and other catastrophic events such as fire, floods, power loss, telecommunications failure, cyberattack, war or terrorist attack, or epidemic or pandemic. To the extent such events impact our facilities or off-premises or third-party infrastructure, we may be unable to continue our operations and may endure system interruptions, reputational harm, delays in our software development, lengthy interruptions in our services, breaches of data security and loss of critical data, all of which could have an adverse effect on our future operating results.

Because a significant number of our principal customers are located outside the United States, we expect that international sales will continue to generate a significant portion of our total revenue. We are subject to foreign exchange fluctuations and risks because the majority of our product costs are denominated in U.S. dollars, whereas a significant portion of the sales and expenses of our foreign operating subsidiaries are denominated in various foreign currencies. A decrease in the value of any of these foreign currencies relative to the U.S. dollar could adversely affect our revenue and profitability in U.S. dollars of our products sold in these markets. Furthermore, a strengthening of the U.S. dollar could increase the cost in local currency of our products and services to customers outside the United States, which could adversely affect our business, results of operations, financial condition and cash flows. The exchange rate between the U.S. dollar and foreign currencies has fluctuated in recent years and may fluctuate substantially in the future. For example, the U.S. dollar's strength against foreign currencies, particularly the Euro, during 2022 had a significant impact on our 2022 financial results. Although foreign exchange impact was not significant to our 2023 and 2024 results, it could adversely affect our results for 2025 and beyond. We do not currently use forward contracts or other hedging strategies such as options or foreign exchange swaps to mitigate our exposure to foreign currency fluctuations.