0001558370-21-001842.txt : 20210225 0001558370-21-001842.hdr.sgml : 20210225 20210225163151 ACCESSION NUMBER: 0001558370-21-001842 CONFORMED SUBMISSION TYPE: 10-K PUBLIC DOCUMENT COUNT: 133 CONFORMED PERIOD OF REPORT: 20201231 FILED AS OF DATE: 20210225 DATE AS OF CHANGE: 20210225 FILER: COMPANY DATA: COMPANY CONFORMED NAME: OneSpan Inc. CENTRAL INDEX KEY: 0001044777 STANDARD INDUSTRIAL CLASSIFICATION: SERVICES-COMPUTER INTEGRATED SYSTEMS DESIGN [7373] IRS NUMBER: 364169320 STATE OF INCORPORATION: DE FISCAL YEAR END: 1231 FILING VALUES: FORM TYPE: 10-K SEC ACT: 1934 Act SEC FILE NUMBER: 000-24389 FILM NUMBER: 21680862 BUSINESS ADDRESS: STREET 1: 121 W WACKER DR. STREET 2: STE 2050 CITY: CHICAGO STATE: IL ZIP: 60601 BUSINESS PHONE: 3127664001 MAIL ADDRESS: STREET 1: 121 W WACKER DR. STREET 2: STE 2050 CITY: CHICAGO STATE: IL ZIP: 60601 FORMER COMPANY: FORMER CONFORMED NAME: One Span Inc. DATE OF NAME CHANGE: 20180706 FORMER COMPANY: FORMER CONFORMED NAME: VASCO DATA SECURITY INTERNATIONAL INC DATE OF NAME CHANGE: 19970821 10-K 1 ospn-20201231x10k.htm 10-K
000us-gaap:OperatingLeaseRightOfUseAssetus-gaap:OtherAccruedLiabilitiesCurrent00000000001044777--12-312020FYDELarge Accelerated FilerP3Y0P3YP5YP1YP2Y300000P12MP12MP12MP12MP1Yus-gaap:OperatingLeaseRightOfUseAssetus-gaap:OtherAccruedLiabilitiesCurrent0.250.250.02false0001044777us-gaap:AllowanceForCreditLossMember2019-01-012019-12-310001044777us-gaap:AllowanceForCreditLossMember2018-01-012018-12-310001044777us-gaap:AllowanceForCreditLossMember2020-12-310001044777us-gaap:AccountingStandardsUpdate201613Memberus-gaap:AllowanceForCreditLossMember2019-12-310001044777us-gaap:AllowanceForCreditLossMember2019-12-310001044777us-gaap:AccountingStandardsUpdate201613Member2019-12-310001044777us-gaap:AllowanceForCreditLossMember2018-12-310001044777us-gaap:AllowanceForCreditLossMember2017-12-310001044777us-gaap:AllowanceForCreditLossMember2020-01-012020-12-310001044777us-gaap:CanadaRevenueAgencyMemberospn:TaxCreditCarryforwardMember2020-12-310001044777ospn:ForeignProvincialTaxAuthorityMemberospn:TaxCreditCarryforwardMember2020-12-310001044777ospn:CanadaCreditTaxAuthorityMemberospn:TaxCreditCarryforwardMember2020-12-310001044777us-gaap:CapitalLossCarryforwardMember2020-12-310001044777ospn:TaxCreditCarryforwardMember2020-12-3100010447772020-06-100001044777us-gaap:CommonStockMember2018-01-012018-12-310001044777ospn:RestrictedStockSubjectToPerformanceCriteriaMemberospn:TwoThousandAndNineEquityIncentivePlanMember2020-01-012020-12-310001044777ospn:PerformanceSharesEarnedMember2020-01-012020-12-310001044777ospn:RestrictedStockSubjectToPerformanceCriteriaMemberospn:TwoThousandAndNineEquityIncentivePlanMember2019-01-012019-12-310001044777ospn:RestrictedStockSubjectToPerformanceCriteriaMemberospn:TwoThousandAndNineEquityIncentivePlanMember2018-01-012018-12-310001044777us-gaap:RetainedEarningsMember2020-12-310001044777us-gaap:AdditionalPaidInCapitalMember2020-12-310001044777us-gaap:AccumulatedOtherComprehensiveIncomeMember2020-12-310001044777us-gaap:RetainedEarningsMember2019-12-310001044777us-gaap:AdditionalPaidInCapitalMember2019-12-310001044777us-gaap:AccumulatedOtherComprehensiveIncomeMember2019-12-310001044777us-gaap:RetainedEarningsMember2018-12-310001044777us-gaap:AdditionalPaidInCapitalMember2018-12-310001044777us-gaap:AccumulatedOtherComprehensiveIncomeMember2018-12-310001044777us-gaap:RetainedEarningsMember2017-12-310001044777us-gaap:AdditionalPaidInCapitalMember2017-12-310001044777us-gaap:AccumulatedOtherComprehensiveIncomeMember2017-12-310001044777us-gaap:TreasuryStockCommonMember2020-12-310001044777us-gaap:CommonStockMember2020-12-310001044777us-gaap:CommonStockMember2019-12-310001044777us-gaap:CommonStockMember2018-12-310001044777us-gaap:CommonStockMember2017-12-310001044777ospn:TwoThousandAndNineteenOmnibusIncentivePlanMember2020-12-310001044777ospn:TimeBasedRestrictedStockUnitsSettledInStockMember2020-01-012020-01-010001044777ospn:TimeBasedRestrictedStockUnitsSettledInStockMember2020-01-010001044777ospn:RestrictedStockSubjectToTimeBasedCriteriaMember2019-12-310001044777ospn:RestrictedStockSubjectToPerformanceCriteriaMember2019-12-310001044777srt:OfficerMemberospn:TimeBasedRestrictedStockUnitsSettledInStockMemberus-gaap:ShareBasedPaymentArrangementEmployeeMember2020-01-012020-12-310001044777srt:OfficerMemberospn:RestrictedStockSubjectToTimeBasedCriteriaMemberus-gaap:ShareBasedPaymentArrangementEmployeeMember2020-01-012020-12-310001044777ospn:TimeBasedRestrictedStockUnitsSettledInStockMemberus-gaap:ShareBasedPaymentArrangementEmployeeMember2020-01-012020-12-310001044777ospn:TimeBasedRestrictedStockUnitsSettledInStockMemberus-gaap:ShareBasedCompensationAwardTrancheOneMember2020-01-012020-12-310001044777ospn:RestrictedStockSubjectToTimeBasedCriteriaMemberus-gaap:ShareBasedPaymentArrangementEmployeeMember2020-01-012020-12-310001044777ospn:RestrictedStockSubjectToTimeBasedCriteriaMemberus-gaap:ShareBasedCompensationAwardTrancheOneMember2020-01-012020-12-310001044777ospn:DealfloLimitedMemberus-gaap:IntersegmentEliminationMember2018-01-012018-12-3100010447772024-01-012020-12-3100010447772023-01-012020-12-3100010447772022-01-012020-12-3100010447772021-01-012020-12-310001044777us-gaap:SalesMemberospn:CoxAutomotiveMembersrt:ExecutiveVicePresidentMember2020-01-012020-12-310001044777us-gaap:TransferredOverTimeMember2020-01-012020-12-310001044777us-gaap:TransferredAtPointInTimeMember2020-01-012020-12-310001044777ospn:SubscriptionMember2020-01-012020-12-310001044777ospn:ServicesMember2020-01-012020-12-310001044777ospn:ProductsMember2020-01-012020-12-310001044777ospn:MaintenanceSupportMember2020-01-012020-12-310001044777ospn:LicensesMember2020-01-012020-12-310001044777ospn:ServiceAndOtherMemberus-gaap:ScenarioAdjustmentMember2019-01-012019-12-310001044777ospn:ServiceAndOtherMembersrt:ScenarioPreviouslyReportedMember2019-01-012019-12-310001044777ospn:ProductAndLicenseMemberus-gaap:ScenarioAdjustmentMember2019-01-012019-12-310001044777ospn:ProductAndLicenseMembersrt:ScenarioPreviouslyReportedMember2019-01-012019-12-310001044777us-gaap:TransferredOverTimeMember2019-01-012019-12-310001044777us-gaap:TransferredAtPointInTimeMember2019-01-012019-12-310001044777ospn:SubscriptionMember2019-01-012019-12-310001044777ospn:ServicesMember2019-01-012019-12-310001044777ospn:ProductsMember2019-01-012019-12-310001044777ospn:MaintenanceSupportMember2019-01-012019-12-310001044777ospn:LicensesMember2019-01-012019-12-310001044777ospn:ServiceAndOtherMemberus-gaap:ScenarioAdjustmentMember2018-01-012018-12-310001044777ospn:ServiceAndOtherMembersrt:ScenarioPreviouslyReportedMember2018-01-012018-12-310001044777ospn:ProductAndLicenseMemberus-gaap:ScenarioAdjustmentMember2018-01-012018-12-310001044777ospn:ProductAndLicenseMembersrt:ScenarioPreviouslyReportedMember2018-01-012018-12-310001044777us-gaap:TransferredOverTimeMember2018-01-012018-12-310001044777us-gaap:TransferredAtPointInTimeMember2018-01-012018-12-310001044777ospn:SubscriptionMember2018-01-012018-12-310001044777ospn:ServicesMember2018-01-012018-12-310001044777ospn:ProductsMember2018-01-012018-12-310001044777ospn:MaintenanceSupportMember2018-01-012018-12-310001044777ospn:LicensesMember2018-01-012018-12-310001044777us-gaap:AccountingStandardsUpdate201409Member2018-01-010001044777us-gaap:LetterOfCreditMember2020-12-310001044777us-gaap:LetterOfCreditMember2019-12-310001044777us-gaap:CostOfSalesMemberospn:TwilioInc.Membersrt:OfficerMember2020-12-310001044777ospn:TwilioInc.Membersrt:OfficerMember2020-12-310001044777ospn:CoxAutomotiveMembersrt:ExecutiveVicePresidentMember2020-12-310001044777us-gaap:InventoriesMember2020-12-310001044777ospn:HostingArrangementsMember2020-12-310001044777ospn:OtherSoftwareAgreementsMember2020-12-310001044777us-gaap:AccountingStandardsUpdate201613Member2020-01-012020-01-010001044777us-gaap:LeaseholdImprovementsMember2020-01-012020-12-310001044777us-gaap:LeaseholdImprovementsMember2020-12-310001044777us-gaap:FurnitureAndFixturesMember2020-12-310001044777ospn:OfficeEquipmentAndSoftwareMember2020-12-310001044777us-gaap:LeaseholdImprovementsMember2019-12-310001044777us-gaap:FurnitureAndFixturesMember2019-12-310001044777ospn:OfficeEquipmentAndSoftwareMember2019-12-310001044777us-gaap:AccumulatedOtherComprehensiveIncomeMember2020-01-012020-12-310001044777us-gaap:AccumulatedOtherComprehensiveIncomeMember2019-01-012019-12-310001044777us-gaap:AccumulatedOtherComprehensiveIncomeMember2018-01-012018-12-310001044777us-gaap:StateAndLocalJurisdictionMember2020-12-310001044777us-gaap:HerMajestysRevenueAndCustomsHMRCMember2020-12-310001044777us-gaap:ForeignCountryMember2020-12-310001044777us-gaap:CanadaRevenueAgencyMember2020-12-310001044777ospn:ForeignProvincialTaxAuthorityMember2020-12-310001044777srt:RestatementAdjustmentMemberus-gaap:AccountingStandardsUpdate201602Member2019-01-010001044777srt:RestatementAdjustmentMemberus-gaap:AccountingStandardsUpdate201602Memberospn:OtherAccruedExpensesMember2019-01-010001044777srt:RestatementAdjustmentMemberus-gaap:AccountingStandardsUpdate201602Memberospn:LongTermLeaseLiabilitiesMember2019-01-010001044777srt:RestatementAdjustmentMemberus-gaap:AccountingStandardsUpdate201602Member2019-01-010001044777us-gaap:BuildingMember2020-01-012020-12-310001044777ospn:AutomobileMember2020-01-012020-12-310001044777us-gaap:BuildingMember2019-01-012019-12-310001044777ospn:AutomobileMember2019-01-012019-12-310001044777us-gaap:TaxAndCustomsAdministrationNetherlandsMemberus-gaap:EarliestTaxYearMember2020-01-012020-12-310001044777us-gaap:SwissFederalTaxAdministrationFTAMemberus-gaap:EarliestTaxYearMember2020-01-012020-12-310001044777us-gaap:InternalRevenueServiceIRSMemberus-gaap:EarliestTaxYearMember2020-01-012020-12-310001044777us-gaap:InlandRevenueSingaporeIRASMemberus-gaap:EarliestTaxYearMember2020-01-012020-12-310001044777us-gaap:HerMajestysRevenueAndCustomsHMRCMemberus-gaap:EarliestTaxYearMember2020-01-012020-12-310001044777us-gaap:AustralianTaxationOfficeMemberus-gaap:EarliestTaxYearMember2020-01-012020-12-310001044777us-gaap:AdministrationOfTheTreasuryBelgiumMemberus-gaap:EarliestTaxYearMember2020-01-012020-12-310001044777ospn:AustriaFederalMinistryOfFinanceMemberus-gaap:EarliestTaxYearMember2020-01-012020-12-310001044777us-gaap:OperatingSegmentsMemberospn:UnitedStatesAndCanadaSegmentMember2020-12-310001044777us-gaap:OperatingSegmentsMemberospn:EuropeMiddleEastAfricaSegmentMember2020-12-310001044777us-gaap:OperatingSegmentsMemberospn:AsiaPacificSegmentMember2020-12-310001044777us-gaap:OperatingSegmentsMemberospn:UnitedStatesAndCanadaSegmentMember2019-12-310001044777us-gaap:OperatingSegmentsMemberospn:EuropeMiddleEastAfricaSegmentMember2019-12-310001044777us-gaap:OperatingSegmentsMemberospn:AsiaPacificSegmentMember2019-12-310001044777us-gaap:OperatingSegmentsMemberospn:UnitedStatesAndCanadaSegmentMember2018-12-310001044777us-gaap:OperatingSegmentsMemberospn:EuropeMiddleEastAfricaSegmentMember2018-12-310001044777us-gaap:OperatingSegmentsMemberospn:AsiaPacificSegmentMember2018-12-310001044777us-gaap:RetainedEarningsMember2020-01-012020-12-310001044777us-gaap:RetainedEarningsMember2019-01-012019-12-310001044777us-gaap:RetainedEarningsMember2018-01-012018-12-310001044777us-gaap:IndemnificationGuaranteeMember2020-12-310001044777srt:MinimumMember2020-12-310001044777srt:MaximumMember2020-12-310001044777us-gaap:OtherIntangibleAssetsMember2019-12-310001044777us-gaap:DevelopedTechnologyRightsMember2019-12-310001044777us-gaap:CustomerRelationshipsMember2019-12-310001044777us-gaap:OtherIntangibleAssetsMember2018-12-310001044777us-gaap:DevelopedTechnologyRightsMember2018-12-310001044777us-gaap:CustomerRelationshipsMember2018-12-310001044777us-gaap:AdministrationOfTheTreasuryBelgiumMember2018-12-310001044777us-gaap:AdministrationOfTheTreasuryBelgiumMember2017-12-3100010447772018-10-012018-12-310001044777ospn:InvestmentInPromonMember2020-01-012020-12-310001044777ospn:InvestmentInPromonMember2019-01-012019-12-310001044777ospn:InvestmentInPromonMember2018-01-012018-12-310001044777us-gaap:OperatingSegmentsMemberospn:UnitedStatesAndCanadaSegmentMember2020-01-012020-12-310001044777us-gaap:OperatingSegmentsMemberospn:EuropeMiddleEastAfricaSegmentMember2020-01-012020-12-310001044777us-gaap:OperatingSegmentsMemberospn:AsiaPacificSegmentMember2020-01-012020-12-310001044777us-gaap:OperatingSegmentsMemberospn:UnitedStatesAndCanadaSegmentMember2019-01-012019-12-310001044777us-gaap:OperatingSegmentsMemberospn:EuropeMiddleEastAfricaSegmentMember2019-01-012019-12-310001044777us-gaap:OperatingSegmentsMemberospn:AsiaPacificSegmentMember2019-01-012019-12-310001044777us-gaap:OperatingSegmentsMemberospn:UnitedStatesAndCanadaSegmentMember2018-01-012018-12-310001044777us-gaap:OperatingSegmentsMemberospn:EuropeMiddleEastAfricaSegmentMember2018-01-012018-12-310001044777us-gaap:OperatingSegmentsMemberospn:AsiaPacificSegmentMember2018-01-012018-12-310001044777srt:MinimumMemberus-gaap:SoftwareDevelopmentMember2020-01-012020-12-310001044777srt:MinimumMemberus-gaap:CustomerRelationshipsMember2020-01-012020-12-310001044777srt:MinimumMemberospn:ProprietaryTechnologyMember2020-01-012020-12-310001044777srt:MaximumMemberus-gaap:SoftwareDevelopmentMember2020-01-012020-12-310001044777srt:MaximumMemberus-gaap:CustomerRelationshipsMember2020-01-012020-12-310001044777srt:MaximumMemberospn:ProprietaryTechnologyMember2020-01-012020-12-310001044777us-gaap:PatentsMember2020-01-012020-12-310001044777us-gaap:OtherIntangibleAssetsMember2020-12-310001044777us-gaap:DevelopedTechnologyRightsMember2020-12-310001044777us-gaap:CustomerRelationshipsMember2020-12-310001044777us-gaap:AccountingStandardsUpdate201613Member2020-01-012020-12-310001044777us-gaap:AccountingStandardsUpdate201613Member2020-12-310001044777us-gaap:AccountingStandardsUpdate201613Member2020-01-010001044777ospn:DealfloLimitedMember2018-01-010001044777ospn:InvestmentInPromonMember2020-12-310001044777ospn:TimeBasedRestrictedStockUnitsSettledInStockMember2020-12-310001044777ospn:RestrictedStockSubjectToTimeBasedCriteriaMember2020-12-310001044777ospn:RestrictedStockSubjectToPerformanceCriteriaMember2020-12-310001044777ospn:MarketBasedRestrictedStockUnitsMember2020-12-3100010447772020-10-012020-12-3100010447772020-07-012020-09-3000010447772020-04-012020-06-3000010447772020-01-012020-03-310001044777us-gaap:ScenarioAdjustmentMember2019-10-012019-12-3100010447772019-10-012019-12-3100010447772019-07-012019-09-3000010447772019-04-012019-06-3000010447772019-01-012019-03-310001044777srt:ConsolidationEliminationsMember2020-01-012020-12-310001044777srt:ConsolidationEliminationsMember2019-01-012019-12-310001044777srt:ConsolidationEliminationsMember2018-01-012018-12-310001044777country:US2020-01-012020-12-310001044777country:US2019-01-012019-12-310001044777country:US2018-01-012018-12-310001044777us-gaap:ForeignPlanMember2018-12-310001044777us-gaap:ForeignPlanMember2018-01-012018-12-310001044777us-gaap:ForeignPlanMember2020-12-310001044777us-gaap:ForeignPlanMember2019-12-310001044777us-gaap:AccountingStandardsUpdate201616Memberus-gaap:RetainedEarningsMember2020-01-012020-12-310001044777us-gaap:AccountingStandardsUpdate201616Member2020-01-012020-12-310001044777us-gaap:AccountingStandardsUpdate201616Memberus-gaap:RetainedEarningsMember2018-01-012018-12-310001044777us-gaap:AccountingStandardsUpdate201409Memberus-gaap:RetainedEarningsMember2018-01-012018-12-310001044777us-gaap:AccountingStandardsUpdate201616Member2018-01-012018-12-310001044777us-gaap:AccountingStandardsUpdate201409Member2018-01-012018-12-310001044777ospn:InvestmentInPromonMemberus-gaap:CostOfSalesMember2020-01-012020-12-310001044777ospn:InvestmentInPromonMemberus-gaap:AccountsPayableAndAccruedLiabilitiesMember2020-01-012020-12-310001044777ospn:InvestmentInPromonMemberus-gaap:CostOfSalesMember2019-01-012019-12-310001044777ospn:InvestmentInPromonMemberus-gaap:AccountsPayableAndAccruedLiabilitiesMember2019-01-012019-12-310001044777ospn:ServiceAndOtherMember2020-01-012020-12-310001044777ospn:ProductAndLicenseMember2020-01-012020-12-310001044777ospn:ServiceAndOtherMember2019-01-012019-12-310001044777ospn:ProductAndLicenseMember2019-01-012019-12-310001044777ospn:ServiceAndOtherMember2018-01-012018-12-310001044777ospn:ProductAndLicenseMember2018-01-012018-12-310001044777us-gaap:ScenarioAdjustmentMember2019-01-012019-12-310001044777srt:ScenarioPreviouslyReportedMember2019-01-012019-12-310001044777us-gaap:ScenarioAdjustmentMember2018-01-012018-12-310001044777srt:ScenarioPreviouslyReportedMember2018-01-012018-12-3100010447772017-12-310001044777us-gaap:GeneralAndAdministrativeExpenseMember2018-01-012018-12-310001044777ospn:DealfloLimitedMember2018-05-290001044777ospn:DealfloLimitedMember2020-01-012020-12-310001044777ospn:DealfloLimitedMember2019-05-290001044777us-gaap:TrademarksMember2018-05-300001044777us-gaap:TechnologyBasedIntangibleAssetsMember2018-05-300001044777us-gaap:CustomerRelationshipsMember2018-05-3000010447772018-05-300001044777ospn:DealfloLimitedMember2018-05-302018-05-300001044777ospn:DealfloLimitedMember2018-05-292018-05-290001044777ospn:DealfloLimitedMemberus-gaap:AcquisitionRelatedCostsMember2018-01-012018-12-310001044777ospn:DealfloLimitedMember2018-05-300001044777us-gaap:FairValueInputsLevel2Memberus-gaap:FairValueMeasurementsRecurringMemberus-gaap:USTreasurySecuritiesMember2020-12-310001044777us-gaap:FairValueInputsLevel2Memberus-gaap:FairValueMeasurementsRecurringMemberus-gaap:USTreasuryBillSecuritiesMember2020-12-310001044777us-gaap:FairValueInputsLevel2Memberus-gaap:FairValueMeasurementsRecurringMemberus-gaap:USGovernmentAgenciesDebtSecuritiesMember2020-12-310001044777us-gaap:FairValueInputsLevel2Memberus-gaap:FairValueMeasurementsRecurringMemberus-gaap:CorporateBondSecuritiesMember2020-12-310001044777us-gaap:FairValueInputsLevel2Memberus-gaap:FairValueMeasurementsRecurringMemberus-gaap:CommercialPaperMember2020-12-310001044777us-gaap:FairValueMeasurementsRecurringMemberus-gaap:USTreasurySecuritiesMember2020-12-310001044777us-gaap:FairValueMeasurementsRecurringMemberus-gaap:USTreasuryBillSecuritiesMember2020-12-310001044777us-gaap:FairValueMeasurementsRecurringMemberus-gaap:USGovernmentAgenciesDebtSecuritiesMember2020-12-310001044777us-gaap:FairValueMeasurementsRecurringMemberus-gaap:CorporateBondSecuritiesMember2020-12-310001044777us-gaap:FairValueMeasurementsRecurringMemberus-gaap:CommercialPaperMember2020-12-310001044777us-gaap:FairValueInputsLevel2Memberus-gaap:FairValueMeasurementsRecurringMemberus-gaap:USTreasurySecuritiesMember2019-12-310001044777us-gaap:FairValueInputsLevel2Memberus-gaap:FairValueMeasurementsRecurringMemberus-gaap:USTreasuryBillSecuritiesMember2019-12-310001044777us-gaap:FairValueInputsLevel2Memberus-gaap:FairValueMeasurementsRecurringMemberus-gaap:USGovernmentAgenciesDebtSecuritiesMember2019-12-310001044777us-gaap:FairValueInputsLevel2Memberus-gaap:FairValueMeasurementsRecurringMemberus-gaap:CorporateBondSecuritiesMember2019-12-310001044777us-gaap:FairValueInputsLevel2Memberus-gaap:FairValueMeasurementsRecurringMemberus-gaap:CommercialPaperMember2019-12-310001044777us-gaap:FairValueMeasurementsRecurringMemberus-gaap:USTreasurySecuritiesMember2019-12-310001044777us-gaap:FairValueMeasurementsRecurringMemberus-gaap:USTreasuryBillSecuritiesMember2019-12-310001044777us-gaap:FairValueMeasurementsRecurringMemberus-gaap:USGovernmentAgenciesDebtSecuritiesMember2019-12-310001044777us-gaap:FairValueMeasurementsRecurringMemberus-gaap:CorporateBondSecuritiesMember2019-12-310001044777us-gaap:FairValueMeasurementsRecurringMemberus-gaap:CommercialPaperMember2019-12-310001044777us-gaap:DevelopedTechnologyRightsMember2020-01-012020-12-310001044777us-gaap:CustomerRelationshipsMember2020-01-012020-12-310001044777us-gaap:OtherIntangibleAssetsMember2019-01-012019-12-310001044777us-gaap:DevelopedTechnologyRightsMember2019-01-012019-12-310001044777us-gaap:CustomerRelationshipsMember2019-01-012019-12-310001044777ospn:TimeBasedRestrictedStockUnitsSettledInStockMember2020-01-012020-12-310001044777ospn:RestrictedStockSubjectToTimeBasedCriteriaMember2020-01-012020-12-310001044777ospn:RestrictedStockSubjectToPerformanceCriteriaMember2020-01-012020-12-310001044777ospn:MarketBasedRestrictedStockUnitsMember2020-01-012020-12-310001044777ospn:TimeBasedRestrictedStockUnitsSettledInStockMember2019-01-012019-12-310001044777ospn:RestrictedStockSubjectToTimeBasedCriteriaMember2019-01-012019-12-310001044777ospn:RestrictedStockSubjectToPerformanceCriteriaMember2019-01-012019-12-310001044777ospn:RestrictedStockSubjectToTimeBasedCriteriaMember2018-01-012018-12-310001044777ospn:RestrictedStockSubjectToPerformanceCriteriaMember2018-01-012018-12-310001044777us-gaap:TrademarksMember2018-05-302018-05-300001044777us-gaap:TechnologyBasedIntangibleAssetsMember2018-05-302018-05-300001044777us-gaap:CustomerRelationshipsMember2018-05-302018-05-300001044777us-gaap:ScenarioAdjustmentMemberus-gaap:AccountingStandardsUpdate201616Member2020-01-010001044777ospn:CanadaCreditTaxAuthorityMemberospn:TaxCreditCarryforwardMemberus-gaap:LatestTaxYearMember2020-01-012020-12-310001044777ospn:CanadaCreditTaxAuthorityMemberospn:TaxCreditCarryforwardMemberus-gaap:EarliestTaxYearMember2020-01-012020-12-310001044777us-gaap:CommonStockMember2020-01-012020-12-310001044777us-gaap:CommonStockMember2019-01-012019-12-310001044777us-gaap:ScenarioAdjustmentMember2019-12-310001044777srt:ScenarioPreviouslyReportedMember2019-12-310001044777us-gaap:ScenarioAdjustmentMember2018-12-310001044777srt:ScenarioPreviouslyReportedMember2018-12-3100010447772018-12-310001044777srt:ScenarioPreviouslyReportedMember2017-12-310001044777ospn:RestrictedStockSubjectToPerformanceCriteriaMemberus-gaap:ShareBasedCompensationAwardTrancheTwoMember2020-01-012020-12-310001044777ospn:PerformanceSharesEarnedMemberus-gaap:ShareBasedCompensationAwardTrancheTwoMember2020-01-012020-12-310001044777ospn:MarketBasedRestrictedStockUnitsMemberus-gaap:ShareBasedCompensationAwardTrancheTwoMember2020-01-012020-12-310001044777ospn:TwoThousandAndNineteenOmnibusIncentivePlanMember2020-01-012020-12-310001044777us-gaap:EMEAMember2020-01-012020-12-310001044777srt:AsiaPacificMember2020-01-012020-12-310001044777srt:AmericasMember2020-01-012020-12-310001044777us-gaap:EMEAMember2019-01-012019-12-310001044777srt:AsiaPacificMember2019-01-012019-12-310001044777srt:AmericasMember2019-01-012019-12-310001044777us-gaap:EMEAMember2018-01-012018-12-310001044777srt:AsiaPacificMember2018-01-012018-12-310001044777srt:AmericasMember2018-01-012018-12-310001044777us-gaap:StateAndLocalJurisdictionMemberus-gaap:LatestTaxYearMember2020-01-012020-12-310001044777us-gaap:StateAndLocalJurisdictionMemberus-gaap:EarliestTaxYearMember2020-01-012020-12-310001044777us-gaap:CanadaRevenueAgencyMemberus-gaap:LatestTaxYearMember2020-01-012020-12-310001044777us-gaap:CanadaRevenueAgencyMemberus-gaap:EarliestTaxYearMember2020-01-012020-12-310001044777ospn:ForeignProvincialTaxAuthorityMemberus-gaap:LatestTaxYearMember2020-01-012020-12-310001044777ospn:ForeignProvincialTaxAuthorityMemberus-gaap:EarliestTaxYearMember2020-01-012020-12-310001044777us-gaap:SalesRevenueNetMemberus-gaap:CustomerConcentrationRiskMember2020-01-012020-12-310001044777us-gaap:SalesRevenueNetMemberus-gaap:CustomerConcentrationRiskMember2019-01-012019-12-310001044777us-gaap:SalesRevenueNetMemberus-gaap:CustomerConcentrationRiskMember2018-01-012018-12-310001044777ospn:DealfloLimitedMember2019-01-012019-12-310001044777us-gaap:OtherIntangibleAssetsMember2020-01-012020-12-310001044777us-gaap:ForeignPlanMember2019-01-012019-12-310001044777srt:MinimumMemberus-gaap:ForeignPlanMember2020-01-012020-12-310001044777srt:MaximumMemberus-gaap:ForeignPlanMember2020-01-012020-12-310001044777srt:MinimumMemberus-gaap:ForeignPlanMember2019-01-012019-12-310001044777srt:MaximumMemberus-gaap:ForeignPlanMember2019-01-012019-12-3100010447772020-12-3100010447772019-12-310001044777srt:MinimumMember2020-01-012020-12-310001044777srt:MaximumMember2020-01-012020-12-310001044777ospn:DealfloLimitedMember2018-01-012018-12-310001044777us-gaap:ForeignPlanMember2020-01-012020-12-310001044777us-gaap:AdditionalPaidInCapitalMember2020-01-012020-12-310001044777us-gaap:AdditionalPaidInCapitalMember2019-01-012019-12-3100010447772019-01-012019-12-310001044777us-gaap:AdditionalPaidInCapitalMember2018-01-012018-12-3100010447772018-01-012018-12-3100010447772020-06-3000010447772021-02-2200010447772020-01-012020-12-31xbrli:sharesiso4217:USDospn:agexbrli:pureospn:Optionospn:customeriso4217:USDxbrli:sharesospn:segment

UNITED STATES

SECURITIES AND EXCHANGE COMMISSION

Washington, D.C. 20549

FORM 10-K

FOR ANNUAL AND TRANSITION REPORTS PURSUANT TO

SECTIONS 13 OR 15(d) OF THE SECURITIES EXCHANGE ACT OF 1934

(Mark One)

   ANNUAL REPORT PURSUANT TO SECTION 13 OR 15(D) OF THE SECURITIES EXCHANGE ACT OF 1934 FOR THE FISCAL YEAR ENDED DECEMBER 31, 2020

or

   TRANSITION REPORT PURSUANT TO SECTION 13 OR 15(d) OF THE SECURITIES EXCHANGE ACT OF 1934 FOR THE TRANSITION PERIOD FROM            TO

Commission file number 000-24389

OneSpan Inc.

(Exact Name of Registrant as Specified in Its Charter)

DELAWARE

36-4169320

(State or Other Jurisdiction of
Incorporation or Organization)

(IRS Employer
Identification No.)

121 West Wacker Drive, Suite 2050

Chicago, Illinois 60601

(Address of Principal Executive Offices)(Zip Code)

Registrant’s telephone number, including area code:

312-766-4001

Securities registered pursuant to Section 12(b) of the Act:

Title of each class

    

Trading Symbol

    

Name of exchange on which registered 

Common Stock, par value $.001 per share

OSPN

NASDAQ Capital Market

Securities registered pursuant to Section 12(g) of the Act:

None

Indicate by check mark if the registrant is a well-known seasoned issuer, as defined by Rule 405 of the Securities Act.  Yes       No  

Indicate by check mark if the registrant is not required to file reports pursuant to Section 13 or 15(d) of the act.  Yes       No  

Indicate by check mark whether the registrant: (1) has filed all reports required to be filed by Section 13 or 15(d) of the Securities Exchange Act of 1934 during the preceding 12 months (or for such shorter period that the registrant was required to file such reports), and (2) has been subject to such filing requirements for the past 90 days.   Yes       No  

Indicate by check mark whether the registrant has submitted electronically every Interactive Data File required to be submitted pursuant to Rule 405 of Regulation S-T (§232.405 of this chapter) during the preceding 12 months (or for such shorter period that the registrant was required to submit such files).   Yes       No  

Indicate by check mark if disclosure of delinquent filers pursuant to Item 405 of Regulation S-K is not contained herein, and will not be contained, to the best of registrant’s knowledge, in definitive proxy or information statements incorporated by reference in Part III of this Form 10-K or any amendment to this Form 10-K.

Indicate by check mark whether the registrant is a large accelerated filer, an accelerated filer, a non-accelerated filer, a smaller reporting company, or an emerging growth company. See definition of “large accelerated filer,” “accelerated filer”, “smaller reporting company”, and “emerging growth company” in Rule 12b-2 of the Exchange Act.

Large accelerated filer  

Accelerated filer  

Non-accelerated filer  

Smaller reporting company  

Emerging growth company  

If an emerging growth company, indicate by check mark if the registrant has elected not to use the extended transition period for complying with any new or revised financial accounting standards pursuant to Section 13(a) of the Exchange Act.

Indicate by check mark whether the registrant has filed a report on and attestation to its management’s assessment of the effectiveness of its internal control over financial reporting under Section 404(b) of the Sarbanes-Oxley Act (15 U.S.C. 7262(b)) by the registered public accounting firm that prepared or issued its audit report.

Indicate by check mark whether the registrant is a shell company (as defined in Rule 12b-2 of the Exchange Act).   Yes       No  

As of June 30, 2020, the aggregate market value of voting and non-voting common equity (based upon the last sale price of the common stock as reported on the NASDAQ Capital Market on June 30, 2020) held by non-affiliates of the registrant was $955,147,012 at $27.93 per share.

As of February 23, 2021, there were 40,391,202 shares of common stock outstanding.

DOCUMENTS INCORPORATED BY REFERENCE

Certain sections of the registrant’s Notice of Annual Meeting of Stockholders and Proxy Statement for its 2018 Annual Meeting of Stockholders are incorporated by reference into Part III of this report.

TABLE OF CONTENTS

PAGE

PART I

Item 1.

Business

1

Item 1A.

Risk Factors

9

Item 1B.

Unresolved Staff Comments

29

Item 2.

Properties

29

Item 3.

Legal Proceedings

29

Item 4.

Mine Safety Disclosures

30

PART II

Item 5.

Market for Registrant’s Common Equity, Related Stockholder Matters and Issuer Purchases of Equity Securities

31

Item 6.

Selected Financial Data

33

Item 7.

Management’s Discussion and Analysis of Financial Condition and Results of Operations

33

Item 7A.

Quantitative and Qualitative Disclosures About Market Risk

50

Item 8.

Financial Statements and Supplementary Data

51

Item 9.

Changes in and Disagreements with Accountants on Accounting and Financial Disclosures

51

Item 9A.

Controls and Procedures

51

Item 9B.

Other Information

55

PART III

Item 10.

Directors, Executive Officers and Corporate Governance

55

Item 11.

Executive Compensation

55

Item 12.

Security Ownership of Certain Beneficial Owners and Management and Related Stockholder Matters

55

Item 13.

Certain Relationships and Related Transactions, and Director Independence

56

Item 14.

Principal Accounting Fees and Services

56

PART IV

Item 15.

Exhibits, Financial Statement Schedules

56

CONSOLIDATED FINANCIAL STATEMENTS AND SCHEDULE

F-1

Forward Looking Statement

This Annual Report on Form 10-K contains forward-looking statements within the meaning of applicable U.S. securities laws, including statements regarding the potential benefits, performance and functionality of our products and solutions, including future offerings; our expectations, beliefs, plans, operations and strategies relating to our business and the future of our business; our strategic plans regarding our portfolio, including acquisitions and dispositions; and our expectations regarding our financial performance in the future. Forward-looking statements may be identified by words such as "seek", "believe", "plan", "estimate", "anticipate", “expect", "intend", "continue", "outlook", "may", "will", "should", "could", or "might", and other similar expressions. These forward-looking statements involve risks and uncertainties, as well as assumptions that, if they do not fully materialize or prove incorrect, could cause our results to differ materially from those expressed or implied by such forward-looking statements. Factors that could materially affect our business and financial results include, but are not limited to: market acceptance of our products and solutions and competitors’ offerings; the potential effects of technological changes; the impact of the COVID-19 pandemic and actions taken to contain it; our ability to effectively manage acquisitions, divestitures, alliances, joint ventures and other portfolio actions; the execution of our transformative strategy on a global scale; the increasing frequency and sophistication of hacking attacks; claims that we have infringed the intellectual property rights of others; changes in customer requirements; price competitive bidding; changing laws, government regulations or policies; pressures on price levels; investments in new products or businesses that may not achieve expected returns; impairment of goodwill or amortizable intangible assets causing a significant charge to earnings; actions of activist stockholders; and exposure to increased economic and operational uncertainties from operating a global business, as well as those factors described in the “Risk Factors” section of this Form 10-K. Our filings with the Securities and Exchange Commission (the “SEC”) and other important information can be found in the Investor Relations section of our website at investors.onespan.com. We do not have any intent, and disclaim any obligation, to update the forward-looking information to reflect events that occur, circumstances that exist or changes in our expectations after the date of this Form 10-K, except as required by law.

Unless otherwise noted, references in this Annual Report on Form 10-K to “OneSpan”, “Company”, “we”, “our”, and “us” refer to OneSpan Inc. and its subsidiaries.

PART I

Item 1 – Business

Overview

OneSpan Inc. and its wholly owned subsidiaries design, develop and market digital solutions for identity, security, and business productivity that protect and facilitate electronic transactions via mobile and connected devices. We are a global leader in digital identity and anti-fraud solutions to financial institutions and other businesses. We do this by delivering trust in people’s identities, their devices, and the transactions they conduct online. We make digital banking accessible, secure, easy, and valuable. Our solutions secure access to online accounts, data, assets, and applications for global enterprises; provide tools for application developers to easily integrate security functions into their web-based and mobile applications; and facilitate end-to-end financial agreement automation including digital identity verification, electronic signature and electronic notarization. Our trusted identity platform technologies including Identity Verification, Cloud Authentication, Intelligent Adaptive Authentication and Risk Analytics, along with mobile app security, transaction signing and various other multi-factor authentication technologies, enhance the ability of companies to onboard new customers and prevent hacking attacks against online and mobile transactions while providing an exceptional experience for remote customers.

We offer cloud based and on-premises solutions using both open standards and proprietary technologies. Some of our proprietary technologies are patented. Our products and services are used for authentication, fraud mitigation, e-signing transactions and documents, and identity management in Business-to-Business (“B2B”), Business-to-Employee (“B2E”) and Business-to-Consumer (“B2C”) environments. Our target market is business processes using an electronic interface, particularly the internet, where there is risk of account takeover or new account fraud. Our products can increase security associated with accessing business processes, reduce losses from unauthorized access, help customers comply with regulations, enhance the end-user experience, and reduce the cost of business processes by automating activities previously performed manually.

Online and mobile application owners and publishers benefit from our expertise in multi-factor authentication, document signing, transaction signing, application security, remote customer onboarding, and in mitigating hacking attacks. Our convenient and proven security solutions enable low friction and trusted interactions between businesses, employees, and consumers across a variety of online and mobile platforms.

Our primary growth strategy is to make digital banking more accessible, secure, easy and valuable. Our key growth objectives include:

Expanding our portfolio of solutions that enable institutions to mitigate fraud, reduce operational costs, comply with regulations, easily on-board customers, adaptively authenticate transactions and reduce time to deploy;
Automating and securing digital customer journeys to remotely verify identities, mitigate application fraud, and secure account openings and transactions;
Increasing sales to existing customers and acquiring new customers;
Driving increased demand for our products in new applications, new markets, and new territories;
Expanding our channel partner ecosystem; and
Strategically acquiring companies that expand our technology portfolio or customer base and increase our recurring revenue.

1

Impact of COVID-19 pandemic

In March 2020, the World Health Organization recognized a novel strain of coronavirus (COVID-19) as a pandemic. In response to the pandemic, the United States and various foreign, state and local governments have, among other actions, imposed travel and business restrictions and required or advised communities in which we do business to adopt stay-at-home orders and social distancing guidelines, causing many businesses, including retail banking branches, to reduce or suspend operating activities. The pandemic and various governments’ responses have caused significant and widespread uncertainty, volatility and disruptions in the U.S. and global economies, including in the regions in which we operate.

Beginning in the Summer of 2020 and continuing through the year ended December 31, 2020, we experienced lengthened sales cycles and reduced demand for some of our security solutions due to economic uncertainty connected with the COVID-19 pandemic. The most significant impact of the pandemic on our business has been a sharp drop in demand for our hardware authentication products and delays in the implementation of certain software security solutions.

As we cannot predict the duration or scope of the pandemic or its impact on the economy, financial markets and our customers, any negative impact to our results cannot be reasonably estimated, but it could be material. We continue to closely monitor the Company’s financial health and liquidity and the impact of the pandemic on the Company. We are able to serve the needs of our customers while taking steps to protect the health and safety of our employees, customers, partners, and communities. See Part I – Item 1A – Risk Factors of this Form 10-K for additional information regarding the potential impact of COVID-19 on the Company.

Industry Background

Rapid global growth in cloud and mobile banking transactions is driving increased demand for multi-channel security solutions and enhanced user experiences across the financial services industry. Similarly, increasing remote corporate access of important resources by employees, business partners and customers is introducing new security risks for participants. Large and powerful criminal hacking organizations are launching more sophisticated hacking attacks with greater frequency. The criminal activities of private and state-sponsored hacking organizations have driven an increased need for security solutions and expansion of regulations requiring improved security measures to protect against hacking attacks and breaches. Several governments worldwide have issued specific recommendations either requiring or advocating multi-factor authentication and other security measures to improve the security of remote banking transactions. We believe these global trends have been accelerated by the pandemic and will continue and that the market for authentication, anti-fraud, and e-signature solutions will continue to grow driven by growth in digital banking transactions, digital commerce, work-from-home corporate access requirements, growing awareness of the impact of cyber-crime, and new government regulations.

Our Background

Our predecessor company, VASCO Corp., entered the data security business in 1991 through the acquisition of a controlling interest in ThumbScan, Inc., which we renamed as VASCO Data Security, Inc.

In 1996, we expanded our computer security business by acquiring Lintel Security NV/SA, a Belgian corporation, which included assets associated with the development of security tokens and security technologies for personal computers and computer networks. Also in 1996, we acquired Digipass NV/SA, a Belgian corporation, which was also a developer of security tokens and security technologies. In 1997, the acquired entity was renamed VASCO Data Security NV/SA.

In 1997, VASCO Data Security International, Inc. was incorporated and in 1998, we completed a registered exchange offer with the holders of the outstanding securities of VASCO Corp., becoming a publicly traded company.

In 2006, we opened our international headquarters in Zurich, Switzerland.

2

In 2013, we acquired Cronto Limited (“Cronto”), a provider of secure visual transaction authentication solutions for online banking.

In 2014, we acquired Risk IDS, a provider of risk analysis solutions to the banking community.

In 2015, we acquired Silanis Technology Inc., a leading provider of electronic signature (e-signature) and digital transaction solutions used to electronically sign, send, and manage documents. The solution is sold under the OneSpan Sign (formerly eSignLive) name and is trusted by many of the largest banks, insurers, and government agencies.

In May 2018, we acquired Dealflo Limited, a leading provider of identity verification and end-to-end financial automation solutions.

Also in May 2018, VASCO Data Security international, Inc. changed its name to OneSpan Inc. The Company’s name change reflects a shift in our strategy and solution offerings.

Including our predecessor companies, we have engaged in sixteen acquisitions and two dispositions.

Our Products and Services

Trusted Identity Platform

The Trusted Identity (TID) platform is a cloud-based platform that brings together OneSpan’s broad portfolio of technologies including Intelligent Adaptive Authentication, Risk Analytics, OneSpan Cloud Authentication, OneSpan Identity Verification, Mobile Security Suite, OneSpan Sign, multi-factor authentication, biometrics, and orchestration to power solutions that secure users, devices, and transactions across the digital journey. The innovative approach of this platform delivers on simplicity with orchestration technology that integrates applications and services requirements via a single interface while constantly protecting sensitive data through an encrypted client/server secure channel.

Intelligent Adaptive Authentication

Intelligent Adaptive Authentication is a cloud-based solution that enables banks and other financial institutions to secure users, devices, and transactions while providing an enhanced customer experience. It is powered by the TID platform and leverages advanced risk analytics, mobile security, multi-factor authentication, biometrics, and other technologies that enable the real-time analysis and scoring of vast and disparate data across channels. This risk score drives a precise level of authentication security for each unique transaction which ensures a positive customer experience while safe guarding transactions and sensitive customer data. This helps institutions reduce fraud and drive growth through higher customer loyalty and increased use of bank services.

Risk Analytics

Risk Analytics is a comprehensive anti-fraud solution designed to help banks and other financial institutions improve the speed and accuracy of detecting known and emerging fraud across online and mobile channels. A component of the TID platform, which includes machine learning technology, the solution analyzes vast amounts of user, device, and transaction data in real time to provide a comprehensive risk assessment. It enables institutions to take a proactive approach to fraud prevention while removing major points of friction for end users. Cross-channel, prebuilt rules complement this scoring process and allow fraud experts to make decisions on alerts or link to automated business processes such as step-up authentication. The solution can be implemented in combination with Mobile Security Suite to provide integrated trust with minimal impact on the end user experience. It can be deployed in the cloud or on-premises.

OneSpan Cloud Authentication

OneSpan Cloud Authentication is a quick-to-deploy, cloud-based multifactor authentication solution that supports a full range of authentication options including biometrics, push notification, visual cryptograms for transaction

3

data signing, SMS and hardware authenticators. It eliminates cost associated with managing legacy on-premises authentication technology and provides a seamless upgrade path to more comprehensive solutions such as Intelligent Adaptive Authentication and Risk Analytics.

OneSpan Identity Verification

OneSpan Identity Verification gives banks and other financial institutions access to a wide range of identity verification services – all through a single API integration. Solution capabilities include: Identity document (e.g., driver’s license, passport, etc.) capture and real-time authenticity verification, as well as facial comparison (“selfie”) and liveness detection to establish that the individual presenting the identity document is the same person whose picture appears on the authenticated identity document.

The solution enables banks and financial institutions to verify the identity of remote applicants during the new digital account opening, lending, and financing application processes. The multi-layered identity verification approach enables automated failover to alternative identity verification providers in the event of a verification failure or provider unavailability which reduces applicant abandonment rates. Additionally, the solution provides organizations the ability to ensure the best identity verification processes for their business needs and digital channels to help maximize pass rates, minimize application fraud, and increase operational efficiencies.

Mobile Security Suite and Mobile Authenticator Studio

Mobile Security Suite is a comprehensive software development kit that allows application developers to natively integrate security features including geolocation, device identification, jailbreak and root detection, fingerprint and face recognition, one-time password delivery via push notification, and electronic signing, among others. Through a comprehensive library of APIs, application developers can extend and strengthen application security, deliver enhanced convenience to their application users, and streamline application deployment and lifecycle management processes. Mobile Security Suite also includes a Runtime Application Self-Protection module, which can detect and mitigate malicious app activity and potential loss to hacking activities.

Mobile Authenticator Studio is a user-friendly and secure mobile authenticator that operates as a discrete mobile application. It includes many of the features of the Mobile Security Suite and can easily be tailored to meet the needs of countless authentication processes. It can be customized and deployed rapidly without extensive technical support ensuring strong security with compelling value.

OneSpan Sign

OneSpan Sign supports a broad range of e-signature requirements from simple to complex, and from the occasional agreement to processing tens of thousands of transactions. OneSpan Sign provides multiple deployment options including public cloud, private cloud, or on-premises without compromising security or functionality. The solution is also available in a Federal Risk and Authorization Management Program (FedRAMP) SaaS-level compliant cloud, allowing U.S. government agencies to implement e-signatures in the cloud and meet GSA security requirements.

Customers can configure OneSpan Sign to reinforce their brand for a seamless signing experience. Each step of the e-signature workflow can be customized, from authentication to distribution and storage. OneSpan Sign also provides comprehensive and secure electronic evidence for strong legal protection by capturing both document and process-level evidence. This reduces the time and cost of gathering evidence and demonstrating legal and regulatory compliance. Electronic signature capabilities can be a critical component of the account opening and onboarding processes, providing a secure and user-friendly way to execute legally binding agreements.

Hardware Authenticators

We offer a wide variety of hardware authenticators, each of which has its own distinct characteristics to meet the needs of our customers. All models of the Digipass family of authenticators are designed to work together so customers can switch devices without changes to their existing infrastructure. Our models range from one-button devices

4

and smart card readers to devices that include more advanced technologies, such as public key infrastructure (“PKI”) and visual cryptography.

Digipass hardware technology is designed to support authentication and digital signatures for applications running on traditional PCs, tablets, and mobile phones.

Authentication Server

Authentication Server resides on-premises and incorporates a range of strong authentication utilities and solutions designed to allow organizations to securely authenticate users and transactions. The solution, once integrated, becomes largely transparent to users, minimizing rollout and support issues. Authentication Server encompasses multiple authentication technologies (e.g., passwords, dynamic password technologies, certificates, and biometrics) and allows the use of any combination of those technologies simultaneously.

Authentication Server enables customers to administer a high level of access control. The solution requires only a few days to implement in most systems and supports our line of hardware and software authenticators. Once linked to an application, Authentication Server automatically handles login requests from any authorized user.

Intellectual Property and Proprietary Rights and Licenses

We rely on a combination of patent, copyright, trademark, design, and trade secret laws, as well as employee and third-party non-disclosure agreements to protect our proprietary rights. In particular, we hold several patents in the U.S. and in other countries, which cover multiple aspects of our technology. These patents expire between now and more than 10 years from now. In addition to the issued patents, we also have several patent applications pending in the U.S., Europe, and other countries. The majority of our issued and pending patents cover our Digipass product line. We believe these patents to be valuable property rights and we rely on the strength of our patents and on trade secret law to protect our proprietary technology. We furthermore have registrations for most of our trademarks in most of the markets where we sell the corresponding products and services and registrations of the designs of many of our hardware products primarily in the EU and China. To the extent that we believe our intellectual property rights are being infringed upon, we intend to assert vigorously our intellectual property rights, including but not limited to, pursuing all available legal remedies.

Research and Development

Our research and development efforts historically have been, and will continue to be, concentrated on solution enhancement, new technology development, and related new software introductions. We employ a team of full-time engineers and, from time to time, also engage independent engineering firms to conduct non-strategic product development efforts on our behalf. For fiscal years ended December 31, 2020, 2019, and 2018, we incurred expenses of $41.2 million, $42.5 million, and $32.2 million, respectively, for research and development.

Production

Our Digipass security hardware products are manufactured by third party manufacturers pursuant to purchase orders that we issue. Our hardware Digipass products are made primarily from commercially available electronic components purchased globally. Our software solutions are produced in-house or developed by third parties and sold under license.

Hardware Digipass products utilize commercially available programmable microprocessors purchased from several suppliers. The microprocessors are the most important components of our security authenticators that are not commodity items readily available on the open market. Some microprocessors are single sourced. Orders of microprocessors generally require a lead-time of 12-16 weeks. We attempt to maintain a sufficient inventory of all parts to handle short-term increases in orders.

5

Large orders that would significantly deplete our inventory are typically required to be placed with more than twelve weeks of lead-time, allowing us to make appropriate arrangements with our suppliers. We purchase microprocessors and arrange for shipment to third parties for assembly and testing in accordance with our design specifications. The majority of our Digipass products are manufactured by four independent factories in Southern China. Purchases are made on a volume purchase order basis. We supply product test equipment at the point of assembly. We maintain a local team in China to conduct quality control and quality assurance procedures. Periodic visits are conducted by our personnel for quality management, assembly process review, and supplier relations.

The COVID-19 pandemic resulted in a temporary closure of some component suppliers and third party manufacturers, and a reduction in global air and sea transportation capacity. Adjustments to our supply chain, manufacturing and transportation workflow processes has enabled us to meet customer delivery requirements.

Competition

The market for digital solutions for identity, security, and business productivity solutions is very competitive and, like most technology-driven markets, is subject to rapid change and constantly evolving solutions and services. Our anti-fraud products are designed to allow authorized users access to a computing environment or application, in some cases using patented technology, as a replacement for or supplement to a static password. Although certain of our security technologies are patented, there are other organizations that offer anti-fraud solutions that compete with us for market share. Our main competitors in our anti-fraud markets are Gemalto, a subsidiary of Thales Group, and RSA Security. There are many other companies, such as Transmit Security, Symantec, and Early Warning that offer competing services. In addition to these companies, we face competition from many small authentication solution providers, many of whom offer new technologies and niche solutions such as biometric or behavioral analysis. We believe that competition in this market is likely to intensify as a result of increasing demand for security products. Our primary competitors for electronic signature solutions include DocuSign and Adobe Systems. Both companies are significantly larger than us. In addition to these companies, there are dozens of smaller and regional providers of electronic signing solutions.

We believe that the principal competitive factors affecting the market for digital solutions for identity, security, and business productivity, as well as electronic signatures include the strength and effectiveness of the solution, technical features, ease of use, quality and reliability, customer service and support, brand recognition, customer base, distribution channels, and the total cost of ownership of the solution. Although we believe that our products currently compete favorably with respect to such factors, there can be no assurance that we can maintain our competitive position against current and potential competitors.

Some of our present and potential competitors have significantly greater financial, technical, marketing, purchasing, and other resources. As a result, they may be able to respond more quickly to new or emerging technologies and changes in customer requirements, or to devote greater resources to the development, promotion and sale of products, or to deliver competitive products at a lower end-user price. Current and potential competitors have established or may establish cooperative relationships among themselves or with third parties to increase the ability of their products to address the needs of our prospective customers. It is possible that new competitors or alliances may emerge and rapidly acquire significant market share. Accordingly, we have forged, and will continue to forge, our own partnerships to offer a broader range of products and capabilities to the market.

Sales and Marketing

Our solutions are sold worldwide through our direct sales force as well as through distributors, resellers, systems integrators, and original equipment manufacturers. Our sales staff coordinates sales activity through both our sales channels and those of our partners making direct sales calls either alone or with the sales personnel of our partners. Our sales staff also provides product education seminars to sales and technical personnel of resellers and distributors with whom we have working relationships and to potential end-users of our products.

We offer customers a choice between SaaS, private cloud, and traditional on-premise software deployments.

6

Part of our expanded selling effort includes approaching our partners to find additional applications for our products. In addition, our marketing plan calls for the identification of new business opportunities that may require enhanced security or areas where we do not currently market our products.

Customers and Markets

We generally focus our sales and marketing efforts in three primary areas. The first is financial institutions where the majority of our revenue is derived. This segment includes traditional banks, credit unions, and online-only banks. This is our primary market. We believe there are substantial opportunities for future growth in the financial vertical as our solution portfolio expands and we deliver additional capabilities targeted specifically at identifying and mitigating online and mobile banking fraud. We also sell to the enterprise market segment which consists primarily of businesses seeking secure internal and remote network access. We sell to these businesses mostly through distribution and resellers. Our strategy is to leverage products developed for the banking market in the enterprise market as the hacking attacks in both markets have many similarities. We also target the government, healthcare and insurance market segments in select regions around the globe.

Our top 10 customers contributed 21%, 29%, and 24%, in 2020, 2019, and 2018, respectively, of total worldwide revenue.

A significant portion of our sales is denominated in foreign currencies and changes in exchange rates impact results of operations. To mitigate exposure to risks associated with fluctuations in currency exchange rates, we attempt to denominate an amount of billings in a currency such that it would provide a hedge against operating expenses being incurred in that currency. For additional information regarding how currency fluctuations can affect our business, please refer to “Management’s Discussion and Analysis of Financial Condition and Results of Operations” and “Quantitative and Qualitative Disclosures about Market Risk.”

We also experience seasonality or variation across the year in our markets. These trends can include lower sales during the summer months, particularly in EMEA.

Financial Information Relating to Foreign and Domestic Operations

For financial information regarding OneSpan, see our Consolidated Financial Statements and the related Notes, which are included in this Annual Report on Form 10-K. We have a single operating segment for all our products and operations. See Note 17 in the Notes to Consolidated Financial Statements for a breakdown of revenue and long-lived assets between the U.S. and other regions.

Government Regulation

As a global cybersecurity company, we are subject to complex and evolving global regulations in the various jurisdictions in which our products and services are used. The most significant government regulations that impact our business are discussed below. For further discussion of how global regulations may impact our business, see Item 1A – Risk Factors.

We are subject to anti-corruption laws and regulations, including the U.S. Foreign Corrupt Practices Act (FCPA), the UK Bribery Act and other laws that generally prohibit the making or offering of improper payments to foreign government officials and political figures for the purpose of obtaining or retaining business or to gain an unfair business advantage.

In addition, we are subject to economic and trade sanctions programs administered by the Office of Foreign Assets Control (OFAC) in the U.S. Therefore, we do not permit financial institutions or entities that are domiciled in countries or territories subject to comprehensive OFAC trade sanctions (currently, Cuba, Iran, North Korea, Syria and Crimea), or that are included on OFAC’s list of Specially Designated Nationals and Blocked persons, to purchase OneSpan products and services or engage in transactions using our services.

7

The European General Data Production Regulation (GDPR) took effect in May 2018 and applies to certain of our products and services used by customers in Europe. The GDPR includes operational requirements for companies that receive or process personal data of residents of the European Union that are different from those previously in place in the European Union, and includes significant penalties for non-compliance. Other jurisdictions, such as Canada and Australia have enacted data privacy or data protection laws. As these laws continue to emerge in the countries where we or our customers operate, we need to analyze each of them to determine the applicability to our corporate operations and the applicability to our solutions and customers.

We are subject to the Restriction on the Use of Hazardous Substances Directive 2002/95/EC (also known as the “RoHS Directive”) and the Waste Electrical and Electronic Equipment Directive (also known as the “WEEE Directive”). These directives restrict the distribution of products containing certain substances, including lead, within applicable geographies and require a manufacturer or importer to recycle products containing those substances. These directives affect the worldwide electronics and electronics components industries as a whole.

Because banking and financial services is our largest industry target market, the government regulations affecting our customers in this area have a significant indirect effect on our business. For example, regulatory changes in Europe to promote a more open and connected digital banking ecosystem create compliance needs for our customers as well as market opportunities for those market participants that move to capitalize on these changes. Similar regulatory dynamics occur in the other primary markets where we have customers, such as healthcare and government. Additional proposed or new legislation and regulations could also significantly affect our business.

Human Capital

OneSpan’s values focus on developing and maintaining a world class innovative workforce through collaboration, accountability, transparency, and speed. Our talented teams are carefully managed to ensure retention and ability to sustain business performance with an eye toward the future.

Our talent management and succession plan process at OneSpan includes the identification of key positions based on current and future business strategies, the identification of potential successors, and a plan for talent development. In addition to deep technical and skill development opportunities that enable OneSpan to foster employee engagement, we conduct extensive compliance-related training which is completed by all employees annually. Our managers of people are offered a variety of leadership development modules. Moreover, all employees are empowered to lead from any seat.

OneSpan aligns its base and variable pay with the external market to ensure external competitiveness while maintaining internal value or equity within the organization. Our short-term and long-term incentive plans are designed to provide a variable pay opportunity to reward the attainment of key financial and operational goals and shareholder value creation. The mix among base compensation, short-term incentives and long-term incentives is designed to align with the competitive market.

OneSpan is committed to fostering, cultivating, and preserving a culture of diversity, equality and inclusion. Our vision is to embrace an inclusive and engaged culture that drives a sense of belonging and respects and celebrates our differences.

As of December 31, 2020, we had 870 total employees, including 449 located in the Americas, 383 located in EMEA (Europe, the Middle East and Africa), and 38 located in Asia Pacific. Of the total employees, 389 were involved in sales, marketing, operations, and customer support, 347 in research and development and 134 in general and administration.

8

Item 1A - Risk Factors

You should carefully consider the following risk factors, which we consider the most significant, as well as other information contained in this Annual Report on Form 10-K. In addition, there are a number of less significant and other general risk factors that could affect our future results. If any of the events described in the risk factors were to occur, our business, financial condition or operating results could be materially and adversely affected. We have grouped our Risk Factors under captions that we believe describe various categories of potential risk. For the reader’s convenience, we have not duplicated risk factors that could be considered to be included in more than one category.

Summary of Risk Factors

We are providing the following summary of the risk factors contained in this Form 10-K to enhance the readability and accessibility of our risk factor disclosures. We encourage our stockholders to carefully review the full risk factors contained in this Form 10-K in their entirety for additional information regarding the risks and uncertainties that could cause our actual results to vary materially from recent results or from our anticipated future results.

Risks Related to our Business

While we believe the coronavirus could have a negative impact on our financial results in the future, the impact is difficult to assess at this time.
A significant portion of our sales are to a limited number of customers. The loss of substantial sales to any one of them could have an adverse effect on revenues and profits.
The return of a worldwide recession and/or regional economic downturns may further impact our business.
Disruptions in markets or the European Union may affect our liquidity and capital resources.
We could incur substantial accounting related costs if we are unable to maintain an effective system of internal control over financial reporting.
We have a long operating history, but only modest accumulated profit.
We derive revenue from a limited number of products.
The sales cycle for our products and technology is long, and we may incur substantial expenses for sales that do not occur when anticipated.
We have a great dependence on a limited number of suppliers and the loss of their manufacturing capability could materially impact our operations.
We order some hardware components, such as processors, in advance of expected use and often produce finished goods prior to the receipt of executed customer orders. If orders are not received, we could suffer losses related to inventory that cannot be sold at full value.
Our success depends on establishing and maintaining strategic relationships with other companies to distribute our technology and products and, in some cases, for us to incorporate their technology into our products and our products and services.
We may not be able to maintain effective product distribution channels, which could result in decreased revenue.
We depend on our key personnel for the success of our business and the loss of one or more of our key personnel could have an adverse effect on our ability to manage our business or could be negatively perceived in the capital markets.
If we fail to continue to attract and retain qualified personnel, our business may be harmed.
Changes in our effective tax rate may have an adverse effect on our results of operations.
Our worldwide income tax provisions and other tax accruals may be insufficient if any taxing authorities assume taxing positions that are contrary to our positions.
Changes in global tax laws or in their interpretation or enforcement, could have a material adverse effect on our effective tax rate, results of operations, cash flows and financial condition.
Acquisitions, divestitures and other strategic transactions present many risks, and failure to realize the financial and strategic goals we anticipate could have a material adverse effect on our business, results of operations, cash flows and financial condition.

9

Reported revenue may fluctuate widely due to the interpretation or application of accounting rules.
Provisions in various agreements potentially expose us to substantial liability for intellectual property infringement and other losses.
The evolution of our business requires more complex development and go-to-market strategies, which involve significant risk.

Risks Related to the Market

We face significant competition and if we lose or fail to gain market share our financial results will suffer.
A decrease of average selling prices for our products and services could adversely affect our business.
We may need additional capital in the future and our failure to obtain capital would interfere with our growth strategy.
We experience variations in quarterly operating results and sales are subject to seasonality, both of which may result in a volatile stock price.
Our stock price may be volatile for reasons other than variations in our quarterly operating results.
Our stock repurchase program could affect the price of our common stock and increase volatility and may be suspended or terminated at any time, which may result in a decrease in the trading price of our common stock
A small group of persons control a substantial amount of our common stock and could delay or prevent a change of control.
Certain provisions of our charter and of Delaware law make a takeover of our Company more difficult.
Future issuances of blank check preferred stock may reduce voting power of common stock and may have anti-takeover effects that could prevent a change in control.
Our business could be adversely affected as a result of actions of activist stockholders.

Risks Related to Technology and Intellectual Property

Technological changes occur rapidly in our industry and our development of new products is critical to maintain our revenue.
Our business could be negatively impacted by cyber security incidents and other disruptions.
We rely upon Amazon Web Services to operate portions of our platform and any disruption of or interference with our use of Amazon Web Services or other vendors’ material would adversely affect our business, results of operations and financial condition
Some of our products contain third-party, open-source software and failure to comply with the terms of the underlying open-source software licenses could restrict our ability to sell our products or otherwise result in claims against us.
We must continue to attract and retain highly skilled technical personnel for our research and development efforts.
We cannot be certain that our research and development activities will be successful.
Failure to effectively manage our product and service lifecycles could harm our business.
SaaS offerings, which involve various risks, constitute an important part of our business.
We depend significantly upon our proprietary technology and intellectual property and the loss of or successful challenge to our proprietary rights could require us to divert management attention and could reduce revenue and increase our operating costs.
Our patents may not provide us with competitive advantages.
We are subject to warranty and product liability risks.
There is significant government regulation of technology imports and exports and to the extent we cannot meet the requirements of the regulations we may be prohibited from exporting some of our products, which could negatively impact our revenue.
We employ cryptographic technology in our authentication products that uses complex mathematical formulations.

10

Risks Related to International Operations

We face a number of risks associated with our international operations, any or all of which could result in a disruption in our business and a decrease in our revenue.
We are subject to foreign currency exchange rate fluctuations and risks, and improper management of that risk could adversely affect our business, results of operations, and financial conditions.
Changes in the European regulatory environment regarding privacy and data protection regulations could have a material adverse impact on our results of operations.
We must comply with governmental regulations setting environmental standards.
The vote by the United Kingdom (UK) to leave the European Union (EU) could adversely affect our financial results.
We or our suppliers may be impacted by new regulations related to climate change.
The effects of regulations relating to conflict minerals may adversely affect our business.
U.S. investors may have difficulties in making claims for any breach of their rights as holders of shares because some of our assets and key employees are not located in the United States.
Our business in countries with a history of corruption and transactions with foreign governments increase the risks associated with our international activities.

Risks Related to Our Business

While we believe the coronavirus could have a negative impact on our financial results in the future, the impact is difficult to assess at this time.

The effects of the COVID-19 pandemic have materially affected how we and our customers are operating our businesses, and the duration and extent to which this will impact our future results of operations and overall financial performance remains uncertain.

In December 2019, a novel coronavirus disease (“COVID-19”) was reported and in January 2020, the World Health Organization (“WHO”) declared it a Public Health Emergency of International Concern. On February 28, 2020, the WHO raised its assessment of the COVID-19 threat from high to very high at a global level due to the continued increase in the number of cases and affected countries, and on March 11, 2020, the WHO characterized COVID-19 as a pandemic. A significant outbreak of epidemic, pandemic, or contagious diseases in the human population could result in a widespread health crisis that could adversely affect the broader economies, financial markets and overall demand environment for our products.

As a result of the COVID-19 pandemic, we temporarily closed our offices in March 2020 (including our corporate headquarters) in many countries except where we have been able to accommodate limited essential employees such as for the shipping of our hardware authentication tokens under revised procedures. We re-opened a limited number of our offices during the third and fourth quarter of 2020 with limited capacity under revised procedures. We are unable to predict further re-openings or whether the initial re-openings will be successful or remain in place. We implemented certain travel restrictions, remote work arrangements and other measures and while our early experience with this new situation has been satisfactory to date, it has disrupted how we normally operate our business and may in the longer term impact our productivity, innovation and effectiveness such that our results are adversely affected. We have shifted certain of our customer events to virtual-only experiences and we may deem it advisable to similarly alter, postpone or cancel entirely additional customer, employee or industry events in the future. Because we operate in multiple international locations, we expect there to be variability and additional complications from differing conditions and inconsistent guidance from numerous public health agencies.

In our hardware business, we are exposed to specific risks related to manufacturing, supply chain, shipping and distribution- all of which have been impacted by the COVID-19 pandemic. As a result of COVID-19, we experienced some delays and increased costs related to fulfilling our hardware orders. Such issues have been primarily resolved however we may be unable to satisfy certain customer orders for our products in the future if orders substantially increase and/or supply chain problems emerge. In addition, the global economic uncertainty associated with the COVID-

11

19 pandemic has affected many of our customers and we believe one of those effects has been decreased orders of hardware authentication tokens. We are not able to predict at this time whether and to what extent such orders may return or in what specific quantities. This risk is in addition to the other risks associated with our hardware business as stated elsewhere in “Risk Factors.”

In our software business, we experienced some increased sales for products used in remote employee access and electronic signature in 2020 that we attribute in part to the COVID-19 pandemic. This increase may have been temporary, and we are unable to predict whether it will continue or decline. Moreover, the conditions caused by the COVID-19 pandemic can affect the rate of IT spending, the decision to start new IT projects, the timing of existing projects and the priority our customers place on various projects. While these factors may be positive for some of our software solutions such as electronic signature, these factors may be negative for our other software solutions, such as risk analysis software. The COVID-19 pandemic could adversely affect our customers’ ability or willingness to attend our events or to purchase our offerings, delay prospective customers’ purchasing decisions, adversely impact our ability to provide on-site sales meetings or professional services to our customers, delay the provisioning of our offerings, lengthen payment terms, reduce the value or duration of their contracts, or affect attrition rates, all of which could adversely affect our future sales, operating results and overall financial performance. During the Summer of 2020, we began to experience some of the aforementioned scenarios, and this continued through the remainder of 2020, due to, we believe, global economic uncertainty connected with the continued seriousness of the COVID-19 pandemic. While we hope that the negative consequences on our business associated with the COVID-19 pandemic will subside in 2021, we cannot predict the impact with certainty.

If the restrictions on our employees, customers and others in the world continue or increase in order to limit the spread of COVID-19, the potential effects could continue and could be exacerbated, and our results of operations and overall financial performance may be harmed. The duration and extent of the impact from the COVID-19 pandemic depends on future developments that cannot be accurately predicted at this time, such as the severity and transmission rate of the virus, the extent and effectiveness of containment actions and the impact of these and other factors on our employees, customers, partners and vendors. If we are not able to respond to and manage the impact of such events effectively, our business will be harmed.

A significant portion of our sales are to a limited number of customers. The loss of substantial sales to any one of them could have an adverse effect on revenues and profits.

We derive a substantial portion of our revenue from a limited number of customers, many of which are financial institutions. The loss of substantial sales to any one of them could adversely affect our operations and results. In fiscal 2020, 2019, and 2018, our top 10 largest customers contributed 21%, 29%, and 24%, respectively, of total worldwide revenue.

The return of a worldwide recession and/or regional economic downturns may further impact our business.

Our business is subject to economic conditions that may fluctuate in the major markets in which we operate. Factors that could cause economic conditions to fluctuate include, without limitation, recession, inflation, deflation, interest rates, unemployment, consumer debt levels, general retail or commercial markets and consumer or business purchasing power or preferences.

If global economic and financial market conditions remain uncertain and/or weak for an extended period of time, any of the following factors, among others, could have a material adverse effect on our financial condition and results of operations:

slower consumer or business spending may result in reduced demand for our products and services, reduced orders from customers for our products, order cancellations, lower revenues, increased inventories, and lower gross margins;

12

continued volatility in the global markets and fluctuations in exchange rates for foreign currencies and contracts or purchase orders in foreign currencies could negatively impact our reported financial results and condition;
continued volatility in the prices for commodities and raw materials we use in our products could have a material adverse effect on our costs, gross margins, and ultimately our profitability;
restructurings, reorganizations, consolidations and other corporate events could affect our customers’ budgets and buying cycles, particularly in the banking industry;
if our customers experience declining revenues, or experience difficulty obtaining financing in the capital and credit markets to purchase our products and services, this could result in reduced orders, order cancellations, inability of customers to timely meet their payment obligations to us, extended payment terms, higher accounts receivable, reduced cash flows, greater expense associated with collection efforts and increased bad debt expense;
in the event of a contraction of our sales, dated inventory may result in a need for increased obsolescence reserves;
a severe financial difficulty experienced by our customers may cause them to become insolvent or cease business operations, which could reduce sales, cash collections and revenue streams.
any difficulty or inability on the part of manufacturers of our products or other participants in our supply chain in obtaining sufficient financing to purchase raw materials or to finance general working capital needs may result in delays or non-delivery of shipments of our products.

We are unable to predict potential future economic conditions, disruptions in the sovereign debt markets or other financial markets, regional recessions, or the effect of any such disruption or disruptions on our business and results of operations, but the consequences may be materially adverse. We believe that our business in the Banking market in Europe would be impacted most directly by any such disruption and that the consequences may be materially adverse, as approximately 53% of our consolidated revenues originated in the EMEA region in 2020.

Disruptions in markets or the European Union may affect our liquidity and capital resources.

We believe our financial resources are adequate to meet our operating needs. However, disruptions in the sovereign debt markets or other financial markets, the Euro Monetary Union or the European Union, could materially adversely affect our liquidity and capital resources and expose us to additional currency fluctuation risk. Sufficiently adverse effects could cause us to modify our business plans.

Furthermore, in an adverse economic environment there is a risk that customers may delay their orders until the economic conditions improve further. If a significant number of orders are delayed for an indefinite period of time, our revenue and cash receipts may not be sufficient to meet the operating needs of the business. If this is the case, we may need to significantly reduce our workforce, sell certain of our assets, enter into strategic relationships or business combinations, discontinue some or all of our operations, or take other similar restructuring actions. While we expect that these actions would result in a reduction of recurring costs, they also may result in a reduction of recurring revenue and cash receipts. It is also likely that we would incur substantial non-recurring costs to implement one or more of these restructuring actions.

We could incur substantial accounting related costs if we are unable to maintain an effective system of internal control over financial reporting.

In response to the material weakness in our internal control over financial reporting disclosed as of December 31, 2018, we expended significant resources to improve our internal control over financial reporting and the

13

effectiveness of our disclosure controls and procedures. We expended significant resources, including accounting related costs and significant management oversight as we corrected the deficiencies. Management has determined that full remediation of the prior deficiencies in internal control over financial reporting that led to this material weakness occurred, disclosed in Item 9A of the annual report on Form 10-K for the year ended December 31, 2019. Investments will continue to be made to improve the control environment.

We cannot provide absolute assurance that additional material weaknesses, or significant deficiencies, in our internal controls will not be identified in the future. Failure to maintain effective controls or implement new or improved controls could result in significant deficiencies or material weaknesses, affect management evaluations and auditor attestations regarding the effectiveness of our internal controls, failure to meet periodic reporting obligations, and material misstatements in our financial statements. Material misstatement of our financial statements may result in a restatement, loss of investor and customer confidence, a decline in the market price of the Company’s common stock, and potential sanctions or investigations by NASDAQ, the Securities and Exchange Commission or other regulatory authorities. Failure to remedy any material weakness in the Company’s internal control over financial reporting, or to implement or maintain other effective control systems required of public companies, could also restrict the Company’s future access to the capital markets.

We have a long operating history, but only modest accumulated profit.

Although we have reported net income (loss) of $(5.5) million, $8.8 million, and $3.8 million for the years ended December 31, 2020, 2019, and 2018, respectively, our retained earnings were $173.7 million at December 31, 2020. Over our 25 year operating history, we have operated at a loss for many of those years. Depending on the economic environment’s changing rules and regulations, and our investment strategies, it may be difficult for us to sustain profitability on a GAAP basis. We may choose to invest for long term value which could decrease or eliminate short term profit.

We derive revenue from a limited number of products.

A significant portion of our revenue is derived from the sales of our legacy authentication hardware, software, and related services. We anticipate a substantial portion of future revenue, will be derived from authentication, products and related services. If the sale of these products and services is impeded for any reason and we have not diversified our offerings into more software, our business and results of operations would be negatively impacted. Further, we expect our hardware product sales to decline over the long term in our traditional markets. If the rate of decline is more than expected and the aforementioned diversification is not enough to offset the decline, our results could be uneven and overall could be negative.

The sales cycle for our products and technology is long, and we may incur substantial expenses for sales that do not occur when anticipated.

The sales cycle for our products, which is the period of time between the identification of a potential customer and completion of the sale, is typically lengthy and subject to a number of significant risks over which we have little control. If revenue falls significantly below anticipated levels, our business would be seriously harmed.

A typical sales cycle in the financial services market is often six months or more. Larger banking transactions may take up to 18 months or more. Purchasing decisions for our products and services may be subject to delays due to many factors that are not within our control, such as:

Time required for a prospective customer to recognize the need for our products;
Significant expense of many security products and systems;
Customer budgeting process; and
Customer evaluation, testing and approval process.

14

As our operating expenses are based on anticipated revenue levels, a small fluctuation in the timing of sales can cause our operating results to vary significantly between periods.

We have a great dependence on a limited number of suppliers and the loss of their manufacturing capability could materially impact our operations.

In the event that the supply of components or finished products is interrupted or relations with any of our principal vendors is terminated, there could be increased costs and considerable delay in finding suitable replacement sources to manufacture our hardware products. Our hardware Digipass authentication devices are assembled at facilities located in mainland China. The importation of these products from China exposes us to the possibility of product supply disruption and increased costs in the event of changes in the policies of the Chinese government, political unrest or unstable economic conditions in China or developments in the United States or European Union that are adverse to trade, including enactment of protectionist legislation. In 2019, a portion of our hardware products became subject to tariffs. If such tariffs increase in amount or scope, our financial results could be negatively affected. In part to address these risks of manufacturing in mainland China, in 2020 we launched an initiative to establish limited manaufacturing in the European Union. At this time, we do not know whether this project will be successful or how much this project could mitigate the risks related to Chinese manufacturing. Regardless of the location of manufacturing, we continue to be exposed to supply chain risks and uncertainties related to disruptions caused by the COVID-19 pandemic.

We order some hardware components, such as processors, in advance of expected use and often produce finished goods prior to the receipt of executed customer orders. If orders are not received, we could suffer losses related to inventory that cannot be sold at full value.

In an attempt to minimize the risk of not having an adequate supply of component parts to meet demand and to take advantage of volume purchasing benefits, especially in situations where we have been notified that key processors will no longer be manufactured, we sometimes purchase multiple years’ supply of parts based on internal forecasts of demand. In addition, to meet customers’ demands for accelerated delivery of product, we sometimes produce finished product for existing customers before we receive the executed order from the customer. Should our forecasts of future demand be inaccurate or if we produce product that is never ordered, we could incur substantial losses related to the realization of our inventory.

Our success depends on establishing and maintaining strategic relationships with other companies to distribute our technology and products and, in some cases, for us to incorporate their technology into our products and our products and services.

Part of our business strategy is to enter into strategic alliances and other cooperative arrangements with other companies in our industry. We currently are involved in cooperative efforts with respect to the incorporation of our products into products of others and vice versa, research and development efforts, marketing efforts and reseller arrangements. These relationships are generally non-exclusive, and some of our strategic partners also have cooperative relationships with certain of our competitors. If we are unable to enter cooperative arrangements in the future or if we lose any of our current strategic or cooperative relationships, our business could be harmed. We do not control the time and resources devoted to such activities by parties with whom we have relationships. In addition, we may not have the resources available to satisfy expectations, which may adversely affect these relationships. These relationships may not continue, may not be commercially successful, or may require our expenditure of significant financial, personnel and administrative resources from time to time. Further, certain of our products and services compete with the products and services of our strategic partners.

We may not be able to maintain effective product distribution channels, which could result in decreased revenue.

We rely on both our direct sales force and an indirect channel distribution strategy for the sale and marketing of our products. We may be unable to attract distributors, resellers and integrators, as planned, that can market our products effectively and provide timely and cost-effective customer support and service. There is also a risk that some or all of our distributors, resellers or integrators may be acquired, may change their business models or may go out of business,

15

any of which could have an adverse effect on our business. Further, our distributors, integrators and resellers may sell competing products. The loss of important sales personnel, distributors, integrators or resellers could adversely affect us.

We depend on our key personnel for the success of our business and the loss of one or more of our key personnel could have an adverse effect on our ability to manage our business or could be negatively perceived in the capital markets.

Our success and our ability to manage our business depend, in large part, upon the efforts and continued service of our senior management team. The loss of one or more of our key personnel could have a material adverse effect on our business and operations. It could be difficult for us to find replacements for our key personnel, as competition for such personnel is often intense. Further, such a loss could be negatively perceived in the capital markets, which could reduce the market value of our securities.

If we fail to continue to attract and retain qualified personnel, our business may be harmed.

Our future success depends upon our ability to attract and retain highly qualified technical, sales and managerial personnel. Competition for such personnel is often intense and there can be no assurance that we can attract other highly qualified personnel in the future. If we cannot retain or are unable to hire such key personnel, our business, financial condition and results of operations could be significantly adversely affected.

Changes in our effective tax rate may have an adverse effect on our results of operations.

Our future effective tax rates may be adversely affected by a number of factors including the distribution of income among the various countries in which we operate, changes in the valuation of our deferred tax assets, increases in expenses not deductible for tax purposes, including the impairment of goodwill in connection with acquisitions, changes in share-based compensation expense, and changes in tax laws or the interpretation of such tax laws and changes in generally accepted accounting principles. Any significant increase in our future effective tax rates could adversely impact net income for future periods; and a reduction in our U.S. tax rate could negatively impact our deferred tax assets which could also adversely impact our net income.

Our worldwide income tax provisions and other tax accruals may be insufficient if any taxing authorities assume taxing positions that are contrary to our positions.

Significant judgment is required in determining our provision for income taxes and other taxes such as sales and VAT taxes. There are many transactions for which the ultimate tax outcome is uncertain. Some of these uncertainties arise as a consequence of intercompany agreements to purchase intellectual properties, allocate revenue and costs, and other factors, each of which could ultimately result in changes once the arrangements are reviewed by taxing authorities. Although we believe that our approach to determining the amount of such arrangements is reasonable, we cannot be certain that the final tax authority review of these matters will not differ materially from what is reflected in our historical income tax provisions and other tax accruals. Such differences could have a material effect on our income tax provisions or benefits, or other tax accruals, in the period in which such determination is made, and consequently, on our results of operations for such period.

Changes in global tax laws or in their interpretation or enforcement, could have a material adverse effect on our effective tax rate, results of operations, cash flows and financial condition.

We could be materially adversely affected by future changes in tax law or policy (or in their interpretation or enforcement) in the jurisdictions where we operate. These changes could be exacerbated by economic, budget or other challenges facing these jurisdictions. For example, foreign jurisdictions could impose tax rate changes along with additional corporate tax provisions that would disallow or tax perceived “base erosion” or profit shifting amongst jurisdictions. In addition, aspects of U.S. tax reform may lead foreign jurisdictions to respond by enacting additional tax legislation that results in an adverse effect on our effective tax rate, results of operations, cash flows and financial condition.

16

Acquisitions, divestitures and other strategic transactions present many risks, and failure to realize the financial and strategic goals we anticipate could have a material adverse effect on our business, results of operations, cash flows and financial condition.

We may evaluate and consider potential strategic transactions, including acquisitions of, or investments in, complementary businesses, technologies, services, products and other assets, divestitures, alliances, joint ventures and other portfolio actions. We also may enter into relationships with other businesses to expand our products and platform, which could involve preferred or exclusive licenses, additional channels of distribution, discount pricing or investments in other companies.

Our success depends, in part, upon our ability to identify suitable transactions; negotiate favorable contractual terms; comply with applicable regulations and receive necessary consents, clearances and approvals (including regulatory and antitrust clearances and approvals); integrate or separate businesses, operations technology and personnel; realize the full extent of the benefits, cost savings or synergies presented by strategic transactions; minimize potential losses of customers, business partners and key technical and managerial personnel; and minimize indemnities and potential disputes with buyers, sellers and strategic partners. In addition, execution or oversight of strategic transactions may result in the diversion of management attention from our existing business and may present financial, managerial and operational risks, including disruptions in our business because of the allocation of resources to consummate these transactions. Moreover, we might incur asset impairment charges related to acquisitions or divestitures that reduce our earnings.

With respect to acquisitions in particular, our failure to successfully structure or manage the transactions could seriously harm our financial condition or operating results. The expected benefits of any acquisition may not be realized. In connection with our recent acquisitions and any future purchases, we could face additional financial and operational risks beyond those described above, including: dilution of our stockholders, if we issue equity to fund these transactions; reduced liquidity, increased debt and higher amortization expenses; assumption of operating losses, increased expenses and liabilities; discovery of unanticipated issues and liabilities; failure to meet expected returns; and difficulty in maintaining financial reporting and internal control processes needed to be compliant with requirements applicable to companies subject to SEC reporting.

We also regularly review our portfolio for contributions to our objectives and alignment with our strategy, and we may pursue divestiture activities as a result of these reviews. However, we may not be successful in separating any underperforming or non-strategic assets, and gains or losses on any divestiture of, or lost operating income from, such assets may adversely affect our results of operations. Divestitures could also expose us to unanticipated liabilities or result in ongoing obligations, including transition service obligations and indemnity obligations.

Reported revenue may fluctuate widely due to the interpretation or application of accounting rules.

Our sales arrangements often include multiple elements, including hardware, services, software, maintenance and support. In addition, we have sold software related arrangements in multiple forms, including perpetual licenses, term-based licenses and SaaS subscriptions, each of which may be treated differently under accounting rules. The accounting rules for such arrangements are complex and subject to change from time to time. The nature of the arrangement can create variations in the timing of revenue recognition.

Provisions in various agreements potentially expose us to substantial liability for intellectual property infringement and other losses.

Our agreements with customers, solution partners and channel partners generally include provisions under which we agree to indemnify them for losses suffered or incurred as a result of claims of intellectual property infringement and, in some cases, for damages caused by us to property or persons or for other damages. In addition, we make certain representations and warranties and incur obligations under our contracts in the ordinary course of business, including for items related to data security and potential data privacy breaches. Not all of our potential losses under our contracts are covered by insurance policies, which could increase the impact of any such loss should it occur. Large

17

indemnity payments or damages resulting from our contractual obligations could harm our business, operating results and financial condition.

The evolution of our business requires more complex development and go-to-market strategies, which involve significant risk.

Our increasing focus on developing and marketing a platform of solutions for identity management, authentication, risk analysis, fraud detection, digital business processes and related areas requires different development and go-to-market strategies than our historic hardware authentication business. We are developing, buying and licensing technology weighted toward software solutions and investment in research, development, product management, sales training and senior management. This transformation strategy is currently in progress and brings with it significant risks related to our choice of solutions and our ability to execute the strategy successfully. This strategy requires a greater focus on marketing and selling product suites and software solutions rather than selling hardware products for authentication and transaction signing. Consequently, we are developing, and must continue to develop, new strategies for marketing and selling our offerings. In addition, marketing and selling new solutions to enterprises requires significant investment of time and resources in order to train our employees and educate our customers on the benefits of our new product offerings. These investments can be costly and the additional effort required to educate both customers and our own sales force can distract from efforts to sell existing products and services.

Risks Related to the Market

We face significant competition and if we lose or fail to gain market share our financial results will suffer.

The market for security products and services is highly competitive. Our competitors include organizations that provide security products based upon approaches similar to and different from those that we employ. Many of our competitors have significantly greater financial, marketing, technical and other competitive resources than we do. As a result, our competitors may be able to adapt more quickly to new or emerging technologies and changes in customer requirements, or to devote greater resources to the promotion and sale of their products.

A decrease of average selling prices for our products and services could adversely affect our business.

The average selling prices for our solution offerings may decline as a result of competitive pricing pressures or a change in our mix of products, software and services. In addition, competition continues to increase in the market segments in which we participate and we expect competition to further increase in the future, thereby leading to increased pricing pressures. Furthermore, we anticipate that the average selling prices and gross profits for our products will decrease over product life cycles. To maintain or realize our revenue and gross margins, we must continue to develop, or purchase and introduce new products and services that incorporate new technologies or increased functionality. If we experience such pricing pressures or fail to deliver new products and services relevant to our markets, our revenue and gross margins could decline, which could harm our business, financial condition and results of operations.

We may need additional capital in the future and our failure to obtain capital would interfere with our growth strategy.

Our ability to obtain financing will depend on a number of factors, including market conditions, our operating performance and investor or creditor interest. These factors may make the timing, amount, terms and conditions of any financing unattractive. They may also result in our incurring additional indebtedness or accepting stockholder dilution. If adequate funds are not available or are not available on acceptable terms, we may have to forego strategic acquisitions or investments, defer our product development activities, or delay the introduction of new products.

18

We experience variations in quarterly operating results and sales are subject to seasonality, both of which may result in a volatile stock price.

In the future, as in the past, our quarterly operating results may vary significantly, resulting in a volatile stock price. Factors affecting our operating results include:

The level of competition;
The size, timing, cancellation or rescheduling of significant orders;
New product announcements or introductions by competitors;
Technological changes in the market for security products including the adoption of new technologies and standards;
Changes in pricing by competitors;
Our ability to develop, introduce and market new products and product enhancements on a timely basis, if at all;
Component costs and availability;
Achievement of significant market share in particular markets followed by declines as buying cycles may be multiple years apart;
The variability of revenue realized from individual customers as their buying patterns can vary significantly from period to period and is affected by the individual solutions purchased and the structure of the contract;
Our success in expanding our sales and marketing programs;
Market acceptance of new products and product enhancements;
Changes in foreign currency exchange rates; and
General economic conditions in the countries in which we operate.

We also experience seasonality or variation across the year in our markets. These trends can include the summer months, particularly in Europe, or the second half of the fiscal year is generally higher than the first half in terms of sales.

Our stock price may be volatile for reasons other than variations in our quarterly operating results.

The market price of our common stock may fluctuate significantly in response to factors, some of which are beyond our control, including the following:

Actual or anticipated fluctuations in our quarterly or annual operating results;
Differences between actual operating results and results estimated by analysts that follow our stock and provide estimates of our results to the market;
Differences between guidance relative to financial results, if given, and actual results;

19

Changes in market valuations of other technology companies, and cybersecurity companies in particular;
Investor acceptance of our strategies and the perception of our success in executing those strategies;
Announcements by us or our competitors of significant technical innovations, contracts, acquisitions, strategic partnerships, joint ventures or capital commitments;
Additions or departures of key personnel;
Future sales of common stock;
The inclusion or exclusion of our stock in ETF’s, indices and other benchmarks, and changes made to methodologies connected therewith;
Trading volume fluctuations; and
Reactions by investors to uncertainties in the world economy and financial markets.

Our stock repurchase program could affect the price of our common stock and increase volatility and may be suspended or terminated at any time, which may result in a decrease in the trading price of our common stock

On June 10, 2020, the Board of Directors authorized a share repurchase program (“program”). Under the program, we are authorized to repurchase shares of our common stock from time to time in the open market, in privately negotiated transactions, or otherwise, at prices that the Company deems appropriate and subject to market conditions, applicable law and other factors deemed relevant in the Company’s sole discretion, up to an aggregate purchase price of $50.0 million. The timing and actual number of shares repurchased depend on a variety of factors including the timing of open trading windows, price, corporate and regulatory requirements, and other market conditions. The program does not obligate the Company to repurchase any dollar amount or number of shares of common stock. The authorization is effective until June 10, 2022. Repurchases pursuant to our stock repurchase program could affect our stock price and increase its volatility. The existence of a stock repurchase program could also cause our stock price to be higher than it would be in the absence of such a program and could potentially reduce the market liquidity for our stock. There can be no assurance that any stock repurchases will enhance stockholder value because the market price of our common stock may decline below the levels at which we repurchased shares of common stock. Although our stock repurchase program is intended to enhance long-term stockholder value, short-term stock price fluctuations could reduce the program’s effectiveness.

A small group of persons control a substantial amount of our common stock and could delay or prevent a change of control.

Mr. T. Kendall Hunt, our founder and former Chairman of the Board, beneficially owns approximately 12% of the outstanding shares of our common stock. In addition, Blackrock, Inc. holds approximately 12% of ownership, Legion Partners Asset Management holds approximately 7% of ownership, The Vanguard Group holds approximately 6% of ownership, Legal & General Investment Management LTD holds approximately 5% of ownership, and Sylebra Capital LTD holds approximately 5% of ownership.

The concentration of ownership may have the effect of discouraging, delaying or preventing a change in control and may also have an adverse effect on the market price of our common stock.

Certain provisions of our charter and of Delaware law make a takeover of our Company more difficult.

Our corporate charter and Delaware law contain provisions, such as a class of authorized but unissued preferred stock which may be issued by our board without stockholder approval that might enable our management to resist a takeover of our Company. Delaware law also limits business combinations with interested stockholders. These

20

provisions might discourage, delay or prevent a change in control or a change in our management. These provisions could also discourage proxy contests and make it more difficult for stockholders to elect directors and take other corporate actions. The existence of these provisions could limit the price that investors might be willing to pay in the future for shares of our common stock.

Future issuances of blank check preferred stock may reduce voting power of common stock and may have anti-takeover effects that could prevent a change in control.

Our corporate charter authorizes the issuance of up to 500,000 shares of preferred stock with such designations, rights, powers and preferences as may be determined from time to time by our Board of Directors, including such dividend, liquidation, conversion, voting or other rights, powers and preferences as may be determined from time to time by the Board of Directors without further stockholder approval. The issuance of preferred stock could adversely affect the voting power or other rights of the holders of common stock. In addition, the authorized shares of preferred stock and common stock could be utilized, under certain circumstances, as a method of discouraging, delaying or preventing a change in control.

Our business could be adversely affected as a result of actions of activist stockholders.

Although we strive to maintain constructive, ongoing communications with all of our stockholders, and welcome their views and opinions with the goal of enhancing value for all of our stockholders, our stockholders may from time to time engage in proxy solicitations, advance stockholder proposals or otherwise attempt to effect changes or acquire control of the Company. Campaigns by stockholders to effect changes at publicly traded companies are sometimes led by investors seeking to increase short-term stockholder value through actions such as stock repurchases or sales of assets or the entire company. Responding to proxy contests and other actions by activist stockholders can be costly and time-consuming and could divert the attention of our Board of Directors and senior management from the management of our operations and the pursuit of our business strategy.

Any perceived uncertainties as to our future direction and control, our ability to execute on our strategy or changes to the composition of our Board of Directors or senior management team arising from proposals by activist stockholders or a proxy contest could lead to the perception of a change in the direction of our business or instability that may be exploited by our competitors and/or other activist stockholders, result in the loss of potential business opportunities, result in the loss of our employees and business partners and make it more difficult to pursue our strategic initiatives or attract and retain qualified personnel and business partners, any of which could have an adverse effect on our business, financial condition and operating results.

Further, actual or perceived actions of activist stockholders may cause significant fluctuations in our stock price based upon temporary or speculative market perceptions or other factors that do not necessarily reflect the Company’s underlying fundamentals and prospects.

Risks Related to Technology and Intellectual Property

Technological changes occur rapidly in our industry and our development of new products is critical to maintain our revenue.

The introduction by our competitors of products embodying new technologies and the emergence of new industry standards could render our existing products obsolete and unmarketable. Our future revenue growth and operating profit will depend in part upon our ability to enhance our current products and develop innovative new solutions to distinguish us from the competition and to meet customers’ changing needs. Security-related product developments and technology innovations by others may adversely affect our competitive position and we may not successfully anticipate or adapt to changing technology, industry standards or customer requirements on a timely basis.

21

Our business could be negatively impacted by cyber security incidents and other disruptions.

Our use of technology is increasing and is critical in at least three primary areas of our business:

1.Software and information systems that we use to help us run our business more efficiently and cost effectively, which are increasingly cloud-based tools;
2.The products we have traditionally sold and continue to sell to our customers contain technology that incorporates the use of secret numbers and encryption technology; and
3.Solutions delivered on a software-as-a-service basis, from both public and private cloud models, which may process and store confidential, personal, health and financial information and which may rely on third parties for some or all of the solution.

A cyber incident in any of these areas of our business could disrupt our ability to take orders or deliver products or services to our customers, cause us to suffer significant monetary and other losses and significant reputational harm, or substantially impair our ability to grow the business. We expect that there will continue to be hacking attempts intended to capture business information or exploit computing power to impede the performance of our products, to access our customers’ information, or harm our reputation as a company. The processes used by hackers to access or sabotage technology products, services and networks are evolving in sophistication and increasing in frequency. We could experience a security incident due to various causes including intentional or unintentional conduct of our employees, vendors, technology partners and others that have access to or store our information.

In July 2011, we discovered a cyber-incident related to DigiNotar B.V. shortly after we purchased the company. The hacking incident at DigiNotar B.V. led to the termination of DigiNotar B.V’s registration as a certification service provider and DigiNotar B.V.’s bankruptcy. Since that time, we have experienced several security incidents, although none have been material. Even though we have established teams, processes and strategies to protect our corporate and solution assets, we may incur losses from such events as a result of unanticipated costs associated with data security incidents.

In addition, because we are in the cyber security industry, we could be targeted by hackers more than other companies and if a material cyber security breach occurred related to corporate or customer information, the reputational harm and potential lost future business could be greater than other companies not in our industry. We have taken various measures to strengthen the security of our products and our systems, to establish information security governance procedures and to train our employees. However, we are the subject of a large volume of hacking attempts and our defenses might not always be effective. If a hacking attempt were to be successful and lead to a material data breach, then it could harm our business, financial condition and results of operations, both in the current period and for a significant future period of time.

We rely upon Amazon Web Services to operate portions of our platform and any disruption of or interference with our use of Amazon Web Services or other vendors’ material would adversely affect our business, results of operations and financial condition

We outsource portions of our cloud infrastructure to Amazon Web Services, or AWS. Customers of our products need to be able to access our platform at any time, without interruption or degradation of performance. AWS runs its own platform that we access, and we are, therefore, vulnerable to service interruptions at AWS. We have experienced and expect that in the future we may experience interruptions, delays and outages in service and availability from time to time due to a variety of factors, including infrastructure changes, human or software errors, website hosting disruptions and capacity constraints. Capacity constraints could be due to a number of potential causes including technical failures, natural disasters, fraud or security attacks. In addition, if our security, or that of AWS, is compromised, our products or platform are unavailable or our users are unable to use our products within a reasonable amount of time or at all, then our business, results of operations and financial condition could be adversely affected. In some instances, we may not be able to identify the cause or causes of these performance problems within a period of time acceptable to our customers. It may become increasingly difficult to maintain and improve our platform

22

performance, especially during peak usage times, as our products become more complex and the usage of our products increases. To the extent that we do not effectively address capacity constraints, either through AWS or alternative providers of cloud infrastructure, our business, results of operations and financial condition may be adversely affected. In addition, any changes in service levels from AWS may adversely affect our ability to meet our customers' requirements.

Any of the above circumstances or events may harm our reputation, possibly move customers to stop using our products, impair our ability to increase revenue from existing customers, impair our ability to grow our customer base, subject us to financial penalties and liabilities under our service level agreements and otherwise harm our business, results of operations and financial condition. These risks are also present with our other cloud service infrastructure vendors beside AWS. In addition, we also utilize strategic vendors to resell or incorporate third party technology and if these material vendors experienced a data breach, outage in service or other failure, we could be prevented from meeting our customers’ requirements.

Some of our products contain third-party, open-source software and failure to comply with the terms of the underlying open-source software licenses could restrict our ability to sell our products or otherwise result in claims against us.

Our products are distributed with software programs licensed to us by third-party authors under open-source licenses, which may include the GNU General Public License, the GNU Lesser Public License, the BSD License and the Apache License. Third-party, open-source programs are typically licensed to us for no fee and the underlying license agreements could require us to make available to users the source code for such programs, as well as the source code for any modifications or derivative works we create based on these third-party, open-source software programs.

We do not provide end users a copy of the source code to our proprietary software because we believe that the manner in which our proprietary software is aligned or communicates with the relevant open-source programs does not create a modification, derivative work or extended version of, or a work based on, that open-source program requiring the distribution of our proprietary source code.

Our ability to commercialize our products by incorporating third-party, open-source software may be restricted because, among other reasons:

the terms of open-source license agreements are unclear and subject to varying interpretations, which could result in unforeseen obligations regarding our proprietary products or claims of infringement;
it may be difficult to determine the developers of open-source software and whether such licensed software infringes another party’s intellectual property rights;
competitors may have equal access to these open source products, which may help them develop competitive products; and
open-source software potentially increases customer support costs because licensees can modify the software and potentially introduce errors, which could also increase the risk of vulnerabilities available to hackers.

We must continue to attract and retain highly skilled technical personnel for our research and development efforts.

The market for highly skilled technical talent is highly competitive. If we fail to attract, train, assimilate and retain qualified technical personnel for our research and development and product management efforts, we will experience delays or failures in introductions of new or modified products, and services, failures in adequate analysis of technology or acquisitions in the market, loss of clients and market share and a reduction in revenue.

23

We cannot be certain that our research and development activities will be successful.

While management is committed to enhancing our current product offerings and introducing new products, we cannot be certain our research and development activities will be successful. Furthermore, we may not have sufficient financial resources to identify and develop new technologies and bring new products to market in a timely and cost effective manner, and we cannot ensure that any such products will be commercially successful.

Failure to effectively manage our product and service lifecycles could harm our business.

As part of the natural lifecycle of our products and services, we periodically inform customers that products or services will be reaching their end of life or end of availability and will no longer be supported or receive updates and security patches. Failure to effectively manage our product and service lifecycles could lead to customer dissatisfaction and contractual liabilities, which could adversely affect our business and operating results.

SaaS offerings, which involve various risks, constitute an important part of our business.

As we continue to acquire, develop and offer SaaS versions of products, we will need to continue to evolve our processes to meet a number of regulatory, intellectual property, contractual and service compliance challenges. These challenges include compliance with licenses for open source and third party software embedded in our SaaS offerings, maintaining compliance with export control and privacy regulations, including HIPAA and GDPR, protecting our services from external threats, maintaining continuous service levels and data security expected by our customers, preventing inappropriate use of our services and adapting our go-to-market efforts. In addition to using our internal resources, we also utilize third party resources to deliver SaaS offerings, such as third party data hosting vendors. The failure of a third party provider to prevent service disruptions, data losses or security breaches may require us to issue credits or refunds or indemnify or otherwise be liable to customers or third parties for damages that may occur. Additionally, if these third-party providers fail to deliver on their obligations, our reputation could be damaged, our customers could lose confidence in us and our ability to maintain and expand our SaaS offerings. Finally, our SaaS offerings need to be designed to operate at significant transaction volumes. When combined with third party software and hosting infrastructure, our SaaS offerings may not perform as designed which could lead to service disruptions and associated damages.

We depend significantly upon our proprietary technology and intellectual property and the loss of or successful challenge to our proprietary rights could require us to divert management attention and could reduce revenue and increase our operating costs.

From time to time, we receive claims that we have infringed the intellectual property rights of others, including claims regarding patents, copyrights, and trademarks. Because of constant technological change in the segments in which we compete, the extensive patent coverage of existing technologies, and the rapid rate of issuance of new patents, it is possible that the number of these claims may grow. In addition, former employers of our former, current, or future employees may assert claims that such employees have improperly disclosed to us the confidential or proprietary information of these former employers. Any such claim, with or without merit, could result in costly litigation and distract management from day-to-day operations. If we are not successful in defending such claims, we could be required to stop selling, delay shipments, redesign our products, pay monetary amounts as damages, enter into royalty or licensing arrangements, or satisfy indemnification obligations with our customers. Royalty or licensing arrangements we may seek in such circumstances may not be available to us on commercially reasonable terms or at all. We have made and expect to continue making significant expenditures to establish our intellectual property rights and to investigate, defend and settle claims related to the use of technology and intellectual property rights as part of our strategy to manage this risk. In addition, we license and use software from third parties in our business. These third party software licenses may not continue to be available to us on acceptable terms or at all, and may expose us to additional liability. This liability, or our inability to use any of this third party software or technology, could result in shipment delays or other disruptions in our business that could materially and adversely affect our operating results.

We rely principally on trade secrets to protect much of our intellectual property in cases where we do not believe patent protection is appropriate or obtainable. However, trade secrets are difficult to protect. Although our

24

employees are subject to confidentiality obligations, this protection may be inadequate to deter or prevent misappropriation of our confidential information. We may be unable to detect unauthorized use of our intellectual property or otherwise take appropriate steps to enforce our rights. Failure to obtain or maintain trade secret protection could adversely affect our competitive business position. If we are unable to prevent third parties from infringing or misappropriating our copyrights, trademarks or other proprietary information, our competitive position could be adversely affected. In the course of conducting our business, we may inadvertently infringe the intellectual property rights of others, resulting in claims against us or our customers. Our contracts generally indemnify our customers for third-party claims for intellectual property infringement by the services and products we provide. In the past, we have resolved several claims of patent infringement brought against us and a claim brought against a customer related to our technology. None of these claims were material to our financial results but this may not always be the case. The expense of defending these claims may adversely affect our financial results and may not be covered by any insurance policies we maintain. In addition, any such disputes and litigation could divert management attention and harm our reputation in the market.

Our patents may not provide us with competitive advantages.

We hold numerous patents in the United States and in other countries, which cover multiple aspects of our technology. A substantial part of our patents cover the Digipass product line. Our patents expire between now and more than 10 years from now. There can be no assurance that we will continue to develop proprietary products or technologies that are patentable, that any issued patent will provide us with any competitive advantages or will not be challenged by third parties, or that patents of others will not hinder our competitive advantage. Although certain of our technologies are patented, there are other organizations that offer products with comparable functionality that employ different technological solutions and compete with us for market share.

We are subject to warranty and product liability risks.

A malfunction of or design defect in our products which results in a breach of a legal obligation or physical harm or damage from our products could result in tort or warranty claims against us. We seek to reduce the risk of these losses by using qualified engineers in the design, manufacturing and testing of our hardware products, proper development and testing of our software solutions, attempting to negotiate warranty disclaimers and liability limitation clauses in our sales agreements, and maintaining customary insurance coverage. However, these measures may ultimately prove ineffective in limiting our liability for damages.

In addition to any monetary liability for the failure of our products, an actual or perceived breach of network or security at one of our customers or publicly known defect or perceived defect in our products could adversely affect the market’s perception of us and our products, and could have an adverse effect on our reputation and the demand for our products. Similarly, an actual or perceived breach of security within our own systems could damage our reputation and have an adverse effect on the demand for our products.

There is significant government regulation of technology imports and exports and to the extent we cannot meet the requirements of the regulations we may be prohibited from exporting some of our products, which could negatively impact our revenue.

Our international sales and operations are subject to risks such as the imposition of government controls, new or changed export license requirements, restrictions on the export of critical technology, trade restrictions and changes in tariffs. If we are unable to obtain regulatory approvals on a timely basis our business may be impacted. Certain of our products are subject to export controls under U.S. law. The list of products and countries for which export approval is required, and the regulatory policies with respect thereto, may be revised from time to time and our inability to obtain required approvals under these regulations could materially and adversely affect our ability to make international sales. Violations of export control and international trade laws could result in penalties, fines, adverse reputational consequences, and other materially adverse consequences. In the past, we voluntarily disclosed a trade control matter to the U.S. government. Although this matter was closed during 2018 with no fines, penalties, or finding of wrongdoing, we cannot guarantee that such issues will not arise in the future. In addition, we cannot predict the future government regulation of aspects of our business and such regulation could be detrimental to our results.

25

We employ cryptographic technology in our authentication products that uses complex mathematical formulations.

A portion of our products are based on cryptographic technology. With cryptographic technology, a user is given a key that is required to encrypt and decode messages. The security afforded by this technology depends on the integrity of a user’s key and in part on the application of algorithms, which are advanced mathematical factoring equations. These codes may eventually be broken or become subject to government regulation regarding their use, which would render our technology and products less effective. The occurrence of any one of the following could result in a decline in demand for our technology and products:

Any significant advance in techniques for attacking cryptographic systems, including the development of an easy factoring method or faster, more powerful computers;
Publicity of the successful decoding of cryptographic messages or the misappropriation of keys; and
Increased government regulation limiting the use, scope or strength of cryptography.

Risks Related to International Operations

We face a number of risks associated with our international operations, any or all of which could result in a disruption in our business and a decrease in our revenue.

In 2020, approximately 88% of our revenue and approximately 73% of our operating expenses were generated/incurred outside of the U.S. In 2019, approximately 89% of our revenue and approximately 72% of our operating expenses were generated/incurred outside of the U.S. In 2018, approximately 91% of our revenue and approximately 71% of our operating expenses were generated/incurred outside of the U.S. A severe economic decline in any of our major foreign markets could adversely affect our results of operations and financial condition.

In addition to exposures to changes in the economic conditions of our major foreign markets, we are subject to a number of risks any or all of which could result in a disruption in our business and a decrease in our revenue. These include:

Inconsistent regulations and unexpected changes in regulatory requirements;
Export controls relating to our technology;
Difficulties and costs of staffing and managing international operations, including maintaining internal controls and closing or restructuring such operations;
Potentially adverse tax consequences;
Wage and price controls or protection;
Uncertain protection for intellectual property rights, contractual rights and collecting accounts receivable;
Imposition of trade barriers;
Differing technology standards;
Uncertain demand for our solutions in individual countries, even if there were past sales;
Linguistic and cultural differences;

26

A widely distributed workforce;
Difficulty in providing support and training to customers in certain international locations;
Economic and political instability, including uncertainties in market conditions caused by the COVID-19 pandemic; and
Social unrest, health crises, and cultural barriers or changes.

We are subject to foreign currency exchange rate fluctuations and risks, and improper management of that risk could adversely affect our business, results of operations, and financial conditions.

Because a significant number of our principal customers are located outside the United States, we expect that international sales will continue to generate a significant portion of our total revenue. We are subject to foreign exchange fluctuations and risks because the majority of our product costs are denominated in U.S. Dollars, whereas a significant portion of the sales and expenses of our foreign operating subsidiaries are denominated in various foreign currencies. A decrease in the value of any of these foreign currencies relative to the U.S. Dollar could adversely affect our revenue and profitability in U.S. Dollars of our products sold in these markets. We do not currently hold forward exchange contracts to exchange foreign currencies for U.S. Dollars to offset currency rate fluctuations.

Changes in the European regulatory environment regarding privacy and data protection regulations could have a material adverse impact on our results of operations.

In Europe, we are subject to the 1995 European Union (“EU”) Directive on Data Protection (“1995 Data Protection Directive”), which requires EU member states to impose minimum restrictions on the collection and use of personal data that, in some respects, are more stringent, and impose more significant burdens on subject businesses, than current privacy standards in the United States. We may also face audits or investigations by one or more foreign government agencies relating to our compliance with these regulations that could result in the imposition of penalties or fines. The EU member state regulations establish several obligations that organizations must follow with respect to use of personal data, including a prohibition on the transfer of personal information from the EU to other countries whose laws do not protect personal data to an adequate level of privacy or security. In addition, certain member states have adopted more stringent data protection standards. The Company addressed these requirements by certification to the U.S.-EU Safe Harbor Frameworks prior to such Frameworks being invalidated in October 2015 by the European Court of Justice. The General Data Protection Regulation (“GDPR”) replaced the 1995 Data Protection Directive effective May 25, 2018, creating significant impacts on how businesses can collect and process the personal data of EU individuals. We have expended significant resources to comply, but those methods may be subject to scrutiny by data protection authorities in EU member states. The costs of compliance with, and other burdens imposed by, such laws, regulations and policies that are applicable to us may limit our use of personal data and solutions and could have a material adverse impact on our results of operations.

We must comply with governmental regulations setting environmental standards.

Governmental regulations setting environmental standards influence the design, components or operation of our products. New regulations and changes to current regulations are always possible and, in some jurisdictions, regulations may be introduced with little or no time to bring related products into compliance with these regulations. Our failure to comply with these regulations may prevent us from selling our products in a certain country. In addition, these regulations may increase our cost of supplying the products by forcing us to redesign existing products or to use more expensive designs or components. In these cases, we may experience unexpected disruptions in our ability to supply customers with products, or we may incur unexpected costs or operational complexities to bring products into compliance. This could have an adverse effect on our revenues, gross profit margins and results of operations and increase the volatility of our financial results.

We are subject to the Restriction on the Use of Hazardous Substances Directive 2002/95/EC (also known as the “RoHS Directive”) and the Waste Electrical and Electronic Equipment Directive (also known as the “WEEE Directive”).

27

These directives restrict the distribution of products containing certain substances, including lead, within applicable geographies and require a manufacturer or importer to recycle products containing those substances.

These directives affect the worldwide electronics and electronics components industries as a whole. If we or our customers fail to comply with such laws and regulations, we could incur liabilities and fines and our operations could be suspended.

The vote by the United Kingdom (UK) to leave the European Union (EU) could adversely affect our financial results.

In June 2016, UK voters approved a referendum to withdraw the UK's membership from the EU, which is commonly referred to as "Brexit". We have operations in the UK and the EU, and as a result, we face risks associated with the potential uncertainty and disruptions that may follow Brexit, including with respect to volatility in exchange rates and interest rates and potential material changes to the regulatory regime applicable to our operations in the UK. Brexit could adversely affect European or worldwide political, regulatory, economic or market conditions and could contribute to instability in global political institutions, regulatory agencies and financial markets. Any of these effects of Brexit, and others we cannot anticipate or that may evolve over time, could adversely affect our business, financial condition, and operating results.

We or our suppliers may be impacted by new regulations related to climate change.

In addition to the European environmental regulations noted above, we or our suppliers may become subject to new laws enacted with regards to climate change. In the event that new laws are enacted or current laws are modified in countries in which we or our suppliers operate, our flow of product may be impacted and/or the costs of handling the potential waste associated with our products may increase dramatically, either of which could result in a significant negative impact on our ability to operate or operate profitably.

The effects of regulations relating to conflict minerals may adversely affect our business.

The Dodd-Frank Wall Street Reform and Consumer Protection Act contains provisions to improve transparency and accountability concerning the supply of certain minerals and derivatives (collectively “Conflict Minerals”) which may originate from the conflict zones of the Democratic Republic of Congo (DRC) and adjoining countries (collectively, “Covered Countries”). As a result, in August 2012 the SEC established annual disclosure and reporting requirements for companies using Conflict Minerals in their products, including products manufactured by third parties. Like many electronic devices, our hardware products contain Conflict Minerals and are subject to the disclosure and reporting requirements. Compliance with these rules also requires due diligence including country of origin inquiries to determine the sources of Conflict Minerals used in our products.

As required, we filed our annual reports related to products manufactured. We reported that we determined we had no reason to believe Conflict Minerals used in our products may have originated in Covered Countries.

We may incur continued costs associated with complying with these disclosure requirements. These requirements may affect pricing, sourcing and availability of Conflict Minerals used to produce our devices. We may be unable to verify the origin of all Conflict Minerals in our products. We may encounter challenges with customers and stakeholders if we are unable to certify that our products are conflict free.

U.S. investors may have difficulties in making claims for any breach of their rights as holders of shares because some of our assets and key employees are not located in the United States.

Several of our key employees are full-time or part-time residents of foreign countries, and a substantial portion of our assets and those of some of our key employees are located in foreign countries. As a result, it may not be possible for investors to effect service of process on those persons located in foreign countries, or to enforce judgments against some of our key employees based upon the securities or other laws of jurisdictions in those foreign countries.

28

Our business in countries with a history of corruption and transactions with foreign governments increase the risks associated with our international activities.

We are subject to the U.S. Foreign Corrupt Practices Act (FCPA), and other laws that prohibit improper payments or offers of payments to foreign governments and their officials and political parties by U.S. and other business entities for the purpose of obtaining or retaining business. We have operations, deal with and make sales to governmental or quasi-governmental customers in countries known to experience corruption, particularly certain countries in the Middle East, Africa, East Asia and South and Central America, and further expansion of our international selling efforts may involve additional regions. Our activities in these countries create the risk of unauthorized payments or offers of payments by one of our employees, consultants, sales agents or channel partners that could be in violation of various laws, including the FCPA and the U.K. Bribery Act, even though these parties are not always subject to our control. Violations of the FCPA may result in severe criminal or civil sanctions, including suspension or debarment from U.S. government contracting, and we may be subject to other liabilities, which could negatively affect our business, operating results and financial condition. Violations of the U.K. Bribery Act may result in severe criminal or civil sanctions and we may be subject to other liabilities that could negatively affect our business operating results and financial condition.

Item 1B - Unresolved Staff Comments

None.

Item 2 - Properties

Our corporate headquarters is located in Chicago, Illinois. Our international headquarters is in Zurich, Switzerland. Our European operational headquarters is in Brussels, Belgium, along with our logistics facility. We conduct sales and marketing, research and development and customer support activities from various locations. Our primary global research and development center is in Montreal, Canada. We have additional research and development facilities in the Netherlands, Cambridge, United Kingdom, Bordeaux, France and Vienna, Austria.

We have sales personnel in our offices near Brussels, Belgium, Singapore, Tokyo, Japan, Dubai, Zurich, Switzerland, Chicago, Illinois, London, United Kingdom, Boston, Massachusetts, Sydney, Australia, and in several field offices around the world.

All of our properties are leased.

Item 3 - Legal Proceedings

We are a party to or have intellectual property subject to litigation and other proceedings that arise in the ordinary course of our business. These types of matters could result in fines, penalties, compensatory or treble damages or non-monetary sanctions or relief. We believe the probability is remote that the outcome of each of these matters, including the legal proceedings described below, will have a material adverse effect on the corporation as a whole, notwithstanding that the unfavorable resolution of any matter may have a material effect on our financial results in any particular interim reporting period. Among the factors that we consider in this assessment are the nature of existing legal proceedings and claims, the asserted or possible damages or loss contingency (if estimable), the progress of the case, existing law and precedent, the opinions or views of legal counsel and other advisers, our experience in similar cases and the experience of other companies, the facts available to us at the time of assessment and how we intend to respond to the proceeding or claim. Our assessment of these factors may change over time as individual proceedings or claims progress.

Although we cannot predict the outcome of legal or other proceedings with certainty, where there is at least a reasonable possibility that a loss may have been incurred, U.S. GAAP requires us to disclose an estimate of the reasonably possible loss or range of loss or make a statement that such an estimate cannot be made. We follow a process in which we seek to estimate the reasonably possible loss or range of loss, and only if we are unable to make such an estimate do we conclude and disclose that an estimate cannot be made. Accordingly, unless otherwise indicated below in

29

our discussion of legal proceedings, a reasonably possible loss or range of loss associated with any individual legal proceeding cannot be estimated.

We include various types of indemnification clauses in our agreements. These indemnifications may include, but are not limited to, infringement claims related to our intellectual property, direct damages and consequential damages. The type and amount of such indemnifications vary substantially based on our assessment of risk and reward associated with each agreement. We believe the estimated fair value of these indemnification clauses is minimal, and we cannot determine the maximum amount of potential future payments, if any, related to such indemnification provisions. We have no liabilities recorded for these clauses as of December 31, 2020.

We have been involved in an ongoing dispute with a German company, Onespin solutions GmbH, regarding the co-existence of, or alleged infringement with, its trademark in certain jurisdictions for “ONESPIN” and our trademark in certain jurisdictions for “ONESPAN”. Onespin sells integrated circuit integrity verification solutions for use in the system on chip software development process flow. During the fourth quarter of 2020, we reached a settlement with Onespin on these matters. The amount of the settlement was not material from a financial perspective. We consider this matter to now be closed.

A complaint was filed on August 20, 2020 against OneSpan and certain of its officers, asserting claims for purported violations of Sections 10(b) and 20(a) of the Securities Exchange Act of 1934 (the “Exchange Act”), and SEC Rule 10b-5 promulgated thereunder, based on certain alleged material misstatements and omissions. The case is captioned Almendariz v. OneSpan Inc., et al., No. 1:20-cv-04906 (N.D. Ill.) (the “Securities Class Action”). Specifically, the plaintiff in the Securities Class Action alleges, among other things, that certain statements about OneSpan’s business were misleading because of defendants’ failure to disclose that OneSpan purportedly had inadequate internal procedures and controls over financial reporting and related disclosures; and OneSpan purportedly downplayed the negative impacts of immaterial errors in its financial statements.

A complaint, related in subject matter to the Securities Class Action, was filed on October 23, 2020 against certain of OneSpan’s officers and directors, and names OneSpan as a nominal defendant. The case is captioned Klein v. Boroditzky, et al., No. 1:20-cv-06310 (N.D. Ill.) (the “Derivative Action” and, collectively with the Securities Class Action, the “Litigation”). The plaintiff asserts claims for breach of fiduciary duty, abuse of control and corporate waste, as well as a claim for contribution under Sections 10(b) and 21D of the Exchange Act, based on the same alleged wrongdoing pled in the Securities Class Action. We intend to defend against the Litigation vigorously.

From time to time, we have been involved in litigation and claims incidental to the conduct of our business, such as compensation claims from current or former employees in Europe. We expect that to continue. Excluding matters specifically disclosed above, we are not a party to any lawsuit or proceeding that, in management’s opinion, is likely to have a material adverse effect on its business, financial condition or results of operations.

Item 4 - Mine Safety Disclosures

Not applicable.

30

PART II

Item 5 - Market for Registrant’s Common Equity, Related Stockholder Matters and Issuer Purchases of Equity Securities

Our common stock, par value $0.001 per share, trades on the NASDAQ Capital Market under the symbol OSPN.

The following table sets forth the range of high and low daily closing prices of our common stock on the NASDAQ Capital Market for the past two years.

2020

    

High

    

Low

Fourth quarter

$

26.60

$

18.20

Third quarter

 

32.96

 

18.84

Second quarter

 

27.93

 

14.89

First quarter

 

20.39

 

10.95

2019

High

Low

Fourth quarter

$

19.74

$

14.13

Third quarter

 

16.68

 

12.95

Second quarter

 

19.41

 

13.40

First quarter

 

21.55

 

12.40

On February 18, 2021, there were 111 registered holders and approximately 9,670 street name holders of the Company’s common stock.

We have not paid any dividends on our common stock since incorporation. The declaration and payment of dividends will be at the sole discretion of the Board of Directors and subject to certain limitations under the General Corporation Law of the State of Delaware. The timing, amount and form of dividends, if any, will depend, among other things, on the Company’s results of operations, financial condition, cash requirements, plans for expansion and other factors deemed relevant by the Board of Directors. The Company intends to retain any future earnings for use in its business and therefore does not anticipate paying any cash dividends in the foreseeable future.

Recent Sales of Unregistered Securities

None

Issuer Purchases of Equity Securities

On June 10, 2020, the Board of Directors authorized a share repurchase program (“program”), pursuant to which the Company can repurchase up to $50.0 million of issued and outstanding common stock. Share purchases under the program will take place in open market transactions or in privately negotiated transactions and may be made from time to time depending on market conditions, share price, trading volume, and other factors. The timing of the repurchases and the amount of stock repurchased in each transaction is subject to OneSpan’s sole discretion and will depend upon market and business conditions, applicable legal and credit requirements and other corporate considerations. The authorization is effective until June 10, 2022 unless the total amount has been used or authorization has been cancelled.

During the year ended December 31, 2020, the Company repurchased 0.3 million shares of the Company’s stock for $5.0 million in the aggregate at an average cost of $20.10 per share under its repurchase program. An additional 0.1 million shares of its common stock were withheld to satisfy the mandatory tax withholding requirements upon vesting of restricted stock for $2.0 million at an average cost of $21.08 per share.

31

The following table provides information relating to our purchase of shares of our common stock in the fourth quarter of 2020 (in thousands, except per share amounts):

Total Number

of Shares

Maximum

Purchased as

Dollar Value of Shares

Total

Part of Publicly

that May Yet Be

Number of

Average

Announced

Purchased Under

Shares Purchased 

Price Paid

Plans or

the Plans or

Period

    

(1)

    

per Share

    

Programs

    

Programs

October 1, 2020 through October 31, 2020

 

 

$

 

 

50,000

November 1, 2020 through November 30, 2020

 

50

$

18.94

 

50

 

49,050

December 1, 2020 through December 31, 2020

 

204

$

20.78

 

200

 

44,970

(1)Transactions represent surrender of vested shares in satisfaction of tax withholdings by grantees under the Company’s Equity Incentive Plans.

Stock Performance Graph

The Stock Performance Graph below compares the cumulative total return through December 31, 2020 assuming reinvestment of dividends, by an investor who invested $100.00 on December 31, 2015, in each of (i) our common stock, (ii) the Russell 2000 index, (iii) the Standard Industrial Code Index 3577 – Computer Peripheral Equipment, NEC and (iv) a comparable industry (the peer group) index selected by the Company. The peer group for this purpose consists of: American Software, Inc., Appian Corporation, BlackLine, Inc., CPI Card Group, Inc., FireEye, Inc., ProofPoint, Inc., PROS Holdings, Inc., Q2 Holdings, Inc., QAD, Inc., Qualys, Inc., Rapid7, Inc., SecureWorks Corp., Varonis Systems, Inc. The stock price performance shown on the graph below is not necessarily indicative of future price performance.

Graphic

32

Item 6 - Selected Financial Data (in thousands, except per share data)

The following table presents selected consolidated financial data for the periods indicated. The following information should be read in conjunction with the consolidated financial statements and the accompanying notes and "Item 7. Management’s Discussion and Analysis of Financial Condition and Results of Operations" included in our Annual Report on Form 10-K. We have revised the prior period consolidated financial statements for the years ended December 2019 and 2108 to reflect immaterial errors identified and described within Note 2 - Summary of Significant Accounting Policies and summarized within Note 3 - Revision of Prior Period Financial Statements.

Year Ended December 31, 

    

2020

    

2019

    

2018*

    

2017*

    

2016*

Statements of Operations Data:

 

  

 

  

 

  

 

  

 

  

Revenue

$

215,691

$

253,484

$

211,336

$

193,291

$

192,304

Operating income (loss)

 

(5,258)

 

14,189

 

(920)

 

6,192

 

9,599

Net income (loss)

 

(5,455)

 

7,864

 

3,044

 

(22,399)

 

10,514

Diluted net income (loss) per common share

 

(0.14)

 

0.20

 

0.08

 

(0.56)

 

0.27

Balance Sheet Data:

 

 

 

 

  

 

  

Cash and equivalents

$

88,394

$

84,282

$

76,708

$

78,661

$

49,345

Working capital

 

131,874

 

135,989

118,797

 

161,784

 

139,199

Total assets

 

375,203

 

382,542

351,882

 

337,622

 

327,270

Long term obligations

 

42,559

 

46,436

28,028

 

33,539

 

6,148

Total stockholders equity

 

257,340

 

262,294

251,639

 

237,930

 

253,162

*Prior period amounts are presented under ASC 605 and ASC 985-20.

Item 7 - Management’s Discussion and Analysis of Financial Condition and Results of Operations (in thousands, except head count, ratios, time periods and percentages)

The following discussion and analysis of our financial condition and results of operations should be read in conjunction with our financial statements and related notes appearing elsewhere in this Annual Report on Form 10-K. In addition to historical financial information, the following discussion may contain predictions, estimates and other forward-looking statements that involve a number of risks and uncertainties, including those discussed under Item 1A – Risk Factors and elsewhere in this Form 10-K. These risks could cause our actual results to differ materially from any future performance suggested below. Please see “Forward Looking Statements” at the beginning of this Form 10-K.

The Company has excluded discussion of the comparison of the years ended December 31, 2019 and 2018 from this Form 10-K., which can be found in the annual report on Form 10-K for the period ended December 31, 2019, filed on March 16, 2020.

Revision of Previously Issued Financial Statements

This information should be read in conjunction with the consolidated financial statements and the notes thereto included in this Annual Report. We have revised our prior period financial statements to reflect the correction of immaterial errors as described in this Annual Report in Notes to the Consolidated Financial Statements, Note 3 – Revision of Previously Issued Financial Statements.

COVID-19 Pandemic Response and Impact

In March 2020, the World Health Organization recognized a novel strain of coronavirus (COVID-19) as a pandemic. In response to the pandemic, the United States and various foreign, state and local governments have, among other actions, imposed travel and business restrictions and required or advised communities in which we do business to adopt stay-at-home orders and social distancing guidelines, causing some businesses to adjust, reduce or suspend

33

operating activities. The pandemic and the various governments’ response have caused significant and widespread uncertainty, volatility and disruptions in the U.S. and global economies, including in the regions in which we operate.

Financial Results and Outlook

Beginning in the Summer of 2020 and continuing through the year ended December 31, 2020, we experienced lengthened sales cycles and reduced demand for some of our security solutions due to economic uncertainty connected with the COVID-19 pandemic. The most significant impact of the pandemic on our business has been a sharp drop in demand for our hardware authentication products and delays in the implementation of certain software security solutions.

In addition, we believe demand for our hardware offerings declined in favor of our mobile and cloud security solutions as customers increasingly adopted digital alternatives in 2020. Finally, we saw strong demand for our hardware solutions in Europe during 2019 that did not repeat in 2020 due to many of our customers complying with banking regulations imposed by Payment Services Directive 2 (“PSD2”). As a result, our hardware revenues for 2020 were substantially below such revenues as compared to 2019.

In the current and future periods, we may experience weaker customer demand, requests for discounts or extended payment terms, customer bankruptcies, supply chain disruption, employee staffing constraints and difficulties, government restrictions or other factors that could negatively impact the Company and its business, operations and financial results.

As we cannot predict the duration or scope of the pandemic or its impact on economic and financial markets, any negative impact to our results cannot be reasonably estimated, but it could be material. We continue to monitor closely the Company’s financial health and liquidity and the impact of the pandemic on the Company. We are able to serve the needs of our customers while taking steps to protect the health and safety of our employees, customers, partners, and communities. See Part I – Item 1A – Risk Factors of this Form 10-K for additional information regarding the potential impact of COVID-19 on the Company.

Overview

We design, develop and market digital solutions for identity, security, and business productivity that protect and facilitate electronic transactions via mobile and connected devices. We are a global leader in providing anti-fraud and digital transaction management solutions to financial institutions and other businesses. Our solutions secure access to online accounts, data, assets, and applications for global enterprises; provide tools for application developers to easily integrate security functions into their web-based and mobile applications; and facilitate end-to-end financial agreement automation including digital identity verification, electronic signature and electronic notarization. Our core technologies, multi-factor authentication, electronic signature, and transaction signing, strengthen the process of preventing hacking attacks against online and mobile transactions. This allows companies to transact business safely and with an improved customer experience for remote customers.

We offer cloud based and on-premises solutions using both open standards and proprietary technologies. Some of our proprietary technologies are patented. Our products and services are used for authentication, fraud mitigation, e-signing transactions and documents, and identity management in Business-to-Business (“B2B”), Business-to-Employee (“B2E”) and Business-to-Consumer (“B2C”) environments. Our target market is business processes using an electronic interface, particularly the Internet, where there is risk of account takeover or new account fraud. Our products can increase security associated with accessing business processes, reduce losses from unauthorized access, help customers comply with regulations, enhance the end-user experience, and reduce the cost of business processes by automating activities previously performed manually.

Online and mobile application owners and publishers benefit from our expertise in multi-factor authentication, document signing, transaction signing, application security, remote customer onboarding, and in mitigating hacking attacks. Our convenient and proven security solutions enable low friction and trusted interactions between businesses, employees, and consumers across a variety of online and mobile platforms.

34

Our primary growth strategy is to make digital banking more accessible, secure, easy and valuable. Our key growth objectives include:

Expanding our portfolio of services that enable institutions to mitigate fraud, reduce operational costs, comply with regulations, easily on-board customers, and adaptively authenticate transactions and reduce time to deploy;
Automating and securing digital customer journeys to remotely verify identities, mitigate application fraud and secure account opening and transactions;
Increasing sales to existing customers and acquiring new customers;
Driving increased demand for our products in new applications, new markets, and new territories;
Expanding our channel partner ecosystem; and
Strategically acquiring companies that expand our technology portfolio or customer base and increase our recurring revenue.

Our Business Model

We offer our products through a product sales and licensing model or through our services platform, which includes our cloud-based service offerings.

Our solutions are sold worldwide through our direct sales force, as well as through distributors, resellers, systems integrators, and original equipment manufacturers. Our sales force is able to offer customers a choice of an on-site implementation using our traditional on-premises model or a cloud implementation for some solutions using our services platform.

Industry Growth

Economic instability related to the COVID-19 pandemic impacted our results for the year ended December 31, 2020. As economic conditions recover, we believe the global markets for authentication, fraud mitigation, agreement automation, and electronic signature solutions will continue to grow driven by dynamic and growing threat environments, increased focus on the digital experience for mobile and online users, new government regulations, and continued growth in electronic commerce. The rate of growth in each country around the world may vary significantly based on local culture, competitive position, economic conditions, and the use of technology.

Economic Conditions

Our revenue may vary significantly with changes in the economic conditions in the countries in which we currently sell products. With our current concentration of revenue in Europe and specifically in the banking and finance vertical market, significant changes in the economic outlook for the European Banking market may have a significant effect on our revenue.

The COVID-19 pandemic and the various responses of governments around the world have caused significant and widespread uncertainty, volatility and disruptions in the U.S. and global economies, including in the regions in which we operate. See Part I, Item 1A – Risk Factors of this Form 10-K for additional information regarding the potential impact of COVID-19 on the Company.

35

Cybersecurity Risks

Our use of technology is increasing and is critical in three primary areas of our business:

1.Software and information systems that we use to help us run our business more efficiently and cost effectively;
2.The products we have traditionally sold and continue to sell to our customers for integration into their software applications contain technology that incorporates the use of secret numbers and encryption technology; and
3.New products and services that we introduced to the market are focused on processing information through our servers or in the cloud.

We believe that the risks and consequences of potential incidents in each of the above areas are different.

In the case of the information systems we use to help us run our business, we believe that an incident could disrupt our ability to take orders or deliver product to our customers, but such a delay in these activities would not have a material impact on our overall results. To minimize this risk, we actively use various forms of security and monitor the use of our systems regularly to detect potential incidents as soon as possible.

In the case of products that we have traditionally sold, we believe that the risk of a potential cyber incident is minimal. We offer our customers the ability to either create the secret numbers themselves or have us create the numbers on their behalf. When asked to create the numbers, we do so in a secure environment with limited physical access and store the numbers on a system that is not connected to any other network, including other OneSpan networks, and similarly, is not connected to the Internet.

In the case of our cloud-based solutions, which involve the processing of customer information, we believe a cyber incident could have a material impact on our business. While our revenue from cloud-based solutions comprises a minority of our revenue today, we believe that these solutions will provide substantial future growth. A cyber incident involving these solutions in the future could substantially impair our ability to grow the business and we could suffer significant monetary and other losses and significant reputational harm.

To minimize the risk, we review our product security and procedures on a regular basis. Our reviews include the processes and software code we are currently using as well as the hosting platforms and procedures that we employ. We mitigate the risk of cyber incidents through a series of reviews, tests, tools and training. Certain insurance coverages may apply to certain cyber incidents. Overall, we expect the cost of securing our networks will increase in future periods, whether through increased staff, systems or insurance coverage.

While we are not aware of any cyber incidents during the year ended December 31, 2020 that had a significant impact on our business, it is possible that we could experience an incident in future years, which could result in unanticipated costs.

Currency Fluctuations

In 2020, approximately 88% of our revenue and approximately 73% of our operating expenses were generated/incurred outside of the U.S. In 2019, approximately 89% of our revenue and approximately 72% of our operating expenses were generated/incurred outside of the U.S. In 2018, approximately 91% of our revenue and approximately 71% of our operating expenses were generated/incurred outside of the U.S. As a result, changes in currency exchange rates, especially the Euro exchange rate and the Canadian Dollar exchange rate, can have a significant impact on revenue and expenses.

While the majority of our revenue is generated outside of the U.S., a significant amount of our revenue earned during the year ended December 31, 2020 was denominated in U.S. Dollars. In 2020, approximately 44% of our revenue was denominated in U.S. Dollars, 51% was denominated in Euros and 5% was denominated in other currencies. In 2019,

36

approximately 47% of our revenue was denominated in U.S. Dollars, 49% was denominated in Euros and 9% was denominated in other currencies. In 2018, approximately 58% of our revenue was denominated in U.S. Dollars, 30% was denominated in Euros, and 12% was denominated in other currencies.

In general, to minimize the net impact of currency fluctuations on operating income, we attempt to denominate an amount of billings in a currency such that it would provide a hedge against the operating expenses being incurred in that currency. We expect that changes in currency rates may also impact our future results if we are unable to match amounts of revenue with our operating expenses in the same currency. If the amount of our revenue in Europe denominated in Euros continues as it is now or declines, we may not be able to balance fully the exposures of currency exchange rates on revenue and operating expenses.

The financial position and the results of operations of our foreign subsidiaries, with the exception of our subsidiaries in Switzerland, Singapore and Canada, are measured using the local currency as the functional currency. Accordingly, assets and liabilities are translated into U.S. Dollars using current exchange rates as of the balance sheet date. Revenues and expenses are translated at average exchange rates prevailing during the year. Translation adjustments arising from differences in exchange rates generated comprehensive gain of $4.5 million in 2020, comprehensive gain of $1.5 million in 2019 and comprehensive loss of $5.5 million in 2018. These amounts are included as a separate component of stockholders’ equity. The functional currency for our subsidiaries in Switzerland, Singapore and Canada is the U.S. Dollar.

Gains and losses resulting from foreign currency transactions are included in the consolidated statements of operations in other income (expense). Foreign exchange transaction gains aggregated less than $0.1 million for the year ended December 31, 2020. We reported foreign exchange transaction losses of $1.5 million and $0.2 million during the years ended December 31, 2019 and 2018, respectively.

Components of Operating Results

Revenue

We generate revenue from the sale of our hardware products, software licenses, subscriptions, maintenance and support, and professional services. We believe comparison of revenues between periods is heavily influenced by the timing of orders and shipments reflecting the transactional nature of significant parts of our business.

Product and license revenue. Product and license revenue includes hardware products and software licenses, which can be provided on a perpetual or term basis.
Service and other revenue. Service and other revenue includes subscription solutions (which is our definition of software-as-a-service solutions), maintenance and support, and professional services.

Cost of Goods Sold

Our total cost of goods sold consists of cost of product and license revenue and cost of service and other revenue. We expect our cost of goods sold to increase in absolute dollars as our business grows, although it may fluctuate as a percentage of total revenue from period to period.

Cost of product and license revenue. Cost of product and license revenue primarily consists of direct product and license costs.
Cost of service and other revenue. Cost of service and other revenue primarily consists of costs related to subscription solutions, including personnel and equipment costs, and personnel costs of employees providing professional services and maintenance and support.

37

Gross Profit

Gross profit as a percentage of total revenue, or gross margin, has been and will continue to be affected by a variety of factors, including our average selling price, manufacturing costs, the mix of products sold, and the mix of revenue among products, subscriptions and services. We expect our gross margins to fluctuate over time depending on these factors.

Operating Expenses

Our operating expenses are generally based on anticipated revenue levels and fixed over short periods of time. As a result, small variations in revenue may cause significant variations in the period-to-period comparisons of operating income or operating income as a percentage of revenue.

Generally, the most significant factor driving our operating expenses is headcount. Direct compensation and benefit plan expenses generally represent between 60% and 65% of our operating expenses. In addition, a number of other expense categories are directly related to headcount. We attempt to manage our headcount within the context of the economic environments in which we operate and the investments we believe we need to make for our infrastructure to support future growth and for our products to remain competitive.

Historically, operating expenses have been impacted by changes in foreign exchange rates. We estimate the change in currency rates in 2020 compared to 2019 resulted in an increase in operating expenses of approximately $0.7 million in 2020.

The comparison of operating expenses can also be impacted significantly by costs related to our stock-based and long-term incentive plans. For full-year 2020, 2019, and 2018, operating expenses included $6.0 million, $5.3 million, and $6.1 million, respectively, related to stock-based and long-term incentive plans. Long-term incentive plan compensation expense includes both cash and stock-based incentives.

Sales and marketing. Sales and marketing expenses consist primarily of personnel costs, commissions and bonuses, trade shows, marketing programs and other marketing activities, travel, outside consulting costs, and long-term incentive compensation. We expect sales and marketing expenses to increase in absolute dollars as we continue to invest in sales resources in key focus areas, although our sales and marketing expenses may fluctuate as a percentage of total revenue.
Research and development. Research and development expenses consist primarily of personnel costs and long-term incentive compensation. We expect research and development expenses to increase in absolute dollars as we continue to invest in our future solutions, although our research and development expenses may fluctuate as a percentage of total revenue.
General and administrative. General and administrative expenses consist primarily of personnel costs, legal and other professional fees, and long-term incentive compensation. We expect general and administrative expenses to increase in absolute dollars although our general and administrative expenses may fluctuate as a percentage of total revenue.
Amortization/impairment of intangible assets. Acquired intangible assets are amortized over their respective amortization periods, and are periodically evaluated for impairment.

Interest Income, Net

Interest income consists of income earned on our cash equivalents and short term investments. Our cash equivalents and short term investments are invested in short-term instruments at current market rates.

38

Other Income (Expense), Net

Other income (expense), net primarily includes exchange gains (losses) on transactions that are denominated in currencies other than our subsidiaries’ functional currencies, subsidies received from foreign governments in support of our research and development in those countries and other miscellaneous non-operational expenses.

Income Taxes

Our effective tax rate reflects our global structure related to the ownership of our intellectual property (“IP”). All our IP in our traditional authentication business is owned by two subsidiaries, one in the U.S. and one in Switzerland. These two subsidiaries have entered into agreements with most of the other OneSpan entities under which those other entities provide services to our U.S. and Swiss subsidiaries on either a percentage of revenue or on a cost plus basis or both. Under this structure, the earnings of our service provider subsidiaries are relatively constant. These service provider companies tend to be in jurisdictions with higher effective tax rates. Fluctuations in earnings tend to flow to the U.S. company and Swiss company. In 2020, earnings flowing to the U.S. company are expected to be taxed at a rate of 21% to 25%, while earnings flowing to the Swiss company are expected to be taxed at a rate ranging from 11% to 12%, plus Swiss withholding tax of an additional 5%. A Canadian and UK subsidiary currently sell to and service global customers directly. In addition, many of our OneSpan entities operate as distributors for all of our OneSpan products.

As the majority of our revenues are generated outside of the U.S., our consolidated effective tax rate is strongly influenced by the effective tax rate of our foreign operations. Changes in the effective rate related to foreign operations reflect changes in the geographic mix of earnings and the tax rates in each of the countries in which it is earned. The statutory tax rate for the primary foreign tax jurisdictions ranges from 11% to 35%.

The geographic mix of earnings of our foreign subsidiaries primarily depends on the level of pretax income of our service provider subsidiaries and the benefit realized in Switzerland through the sales of product. The level of pretax income in our service provider subsidiaries is expected to vary based on:

1.the staff, programs and services offered on a yearly basis by the various subsidiaries as determined by management, or
2.the changes in exchange rates related to the currencies in the service provider subsidiaries, or
3.the amount of revenues that the service provider subsidiaries generate.

For items 1 and 2 above, there is a direct impact in the opposite direction on earnings of the U.S. and Swiss entities. Any change from item 3 is generally expected to result in a larger change in income in the U.S. and Swiss entities in the direction of the change (increased revenues expected to result in increased margins/pretax profits and conversely decreased revenues expected to result in decreased margins/pretax profits).

In addition to the provision of services, the intercompany agreements transfer the majority of the business risk to our U.S. and Swiss subsidiaries. As a result, the contracting subsidiaries’ pretax income is reasonably assured while the pretax income of the U.S. and Swiss subsidiaries varies directly with our overall success in the market.

In November 2015, we acquired OneSpan Canada Inc. (formerly eSignLive), a foreign company with substantial IP and net operating losses and other tax carryforwards. The tax benefit of the carryforwards has been fully reserved as realization has not been deemed more likely than not.

In May 2018, we acquired Dealflo Limited (“Dealflo”), a foreign company with substantial IP and net operating losses. The tax benefit of the loss carryforwards will be reserved to the extent they exceed the deferred tax liabilities recognized upon acquisition as realization has not been deemed more likely than not.

39

Results of Operations

The following tables summarize our consolidated results of operations for the periods presented.

Revenue

Revenue by Product: We generate revenue from the sale of our hardware products, software licenses, subscriptions, professional services, and maintenance and support. Product and license revenue includes hardware products and software licenses. Service and other revenue includes subscription solutions (which is our definition of software-as-a-service solutions), maintenance and support, and professional services.

Years ended December 31,

Change

    

2020

    

2019

    

$

%

(in thousands)

Revenue

 

  

 

 

  

 

  

  

Hardware

$

81,849

$

127,005

$

(45,156)

(36)%

Software licenses

51,137

56,308

 

(5,171)

(9)%

Subscription

27,788

22,280

5,508

25%

Professional services

5,689

5,759

(70)

(1)%

Maintenance, support and other

49,228

42,132

7,096

17%

Total revenue

$

215,691

$

253,484

 

$

(37,793)

(15)%

Total revenue decreased $37.8 million or 15%, during the year ended December 31, 2020 compared to the year ended December 31, 2019. The overall decrease in revenue was comprised of a $45.2 million decrease in hardware revenue and a $13.7 million decrease in perpetual software license revenue, partially offset by an increase in recurring revenue, which is the portion of our revenue subject to future renewal. Recurring revenue, comprised of subscription, term-based software license, and maintenance, support and other revenue, increased $21.1 million or 26% during the year ended December 31, 2020, compared to the year ended December 31, 2019. Year-over-year revenue comparisons were affected by the one-time positive impact on 2019 revenue from the PSD2 regulation deadline. We also experienced reduced demand for our hardware products and perpetual software licenses due to an uncertain near-term business outlook for certain of our customers as a result of the pandemic.

Product and license revenue decreased $50.3 million or 27% during the year ended December 31, 2020 compared to the year ended December 31, 2019, which was largely driven by a decrease in hardware sales. Hardware sales increased during the year ended December 31, 2019 related to the PSD2 regulation deadline. The decrease in hardware sales in 2020 is attributed to a reduction in demand following the PSD2 deadline, increased adoption of digital alternatives, and reduced demand due to the pandemic. Perpetual software license sales also decreased during the year ended December 31, 2020 compared to the year ended December 31, 2019, which we attribute to our strategy focused on growing recurring software revenue over perpetual licenses combined with softened demand as a result of the pandemic.

Services and other revenue increased by $12.5 million, or 18% during the year ended December 31, 2020 compared to the year ended December 31, 2020. The increase for the year ended December 31, 2020 compared to the same period in 2019 was driven by higher subscription and maintenance revenue.

We believe comparison of revenues between periods is heavily influenced by the timing of orders and shipments reflecting the transactional nature of significant parts of our business. As a result of the volatility in our business, we believe that the overall strength of our business is best evaluated over a longer term where the impact of transactions in any given period is not as significant as in a quarter-over-quarter comparison.

40

Revenue by Geographic Regions: We classify our sales by customer location in three geographic regions: 1) EMEA, which includes Europe, Middle East and Africa; 2) the Americas, which includes sales in North, Central, and South America; and 3) Asia Pacific (APAC), which also includes Australia, New Zealand, and India. The breakdown of revenue in each of our major geographic areas was as follows:

Years ended December 31, 

    

2020

    

2019

$ Change

    

% Change

(in thousands)

Revenue

 

  

 

  

  

 

  

EMEA

$ 117,086

$ 145,942

($ 28,856)

(20)%

Americas

53,171

61,577

 

(8,406)

(14)%

APAC

45,434

45,965

(531)

(1)%

Total revenue

$ 215,691

$ 253,484

 

($ 37,793)

(15)%

% of Total Revenue

EMEA

54%

58%

Americas

25%

24%

APAC

21%

18%

For the year ended December 31, 2020, revenue generated in EMEA was $28.9 million or 20% lower than the same period in 2019, driven by lower hardware sales, partially offset by higher maintenance and professional services revenue. Hardware revenue comparisons were affected by the one-time positive impact on 2019 revenue from the PSD2 regulation deadline.

For the year ended December 31, 2020, revenue generated in the Americas was $8.4 million or 14% lower than the same period in 2019, driven by lower hardware and software license revenue, partially offset by higher subscription revenue.

For the year ended December 31, 2020, revenue generated in the Asia Pacific region was $0.5 million or 1% lower than the same period in 2019, driven by lower hardware revenue, partially offset by higher maintenance and professional services revenue.

Cost of Goods Sold and Gross Margin

Year ended December 31, 

    

2020

2019

$

    

% Change

(in thousands)

Cost of goods sold

 

  

 

  

  

 

  

Product and license

$ 41,820

$ 63,393

($ 21,573)

(34)%

Services and other

21,619

18,569

 

3,050

16%

Total cost of goods sold

$ 63,439

$ 81,962

 

($ 18,523)

(23)%

Gross profit

$ 152,252

$ 171,522

(19,270)

(11)%

Gross margin

Product and license

69%

65%

Services and other

74%

74%

Total gross margin

71%

68%

The cost of product and license revenue decreased $21.6 million or 34% during the year ended December 31, 2020 compared to the year ended December 31, 2019. The decrease in cost of product and license was driven by lower hardware sales.

41

The cost of services and other revenue increased by $3.1 million, or 16% during the year ended December 31, 2020 compared to the year ended December 31, 2019. The increase in cost of services and other revenue is reflective of higher subscription revenue, which has increased cloud-based infrastructure costs.

Gross profit decreased $19.3 million, or 11% during the year ended December 31, 2020 compared to the year ended December 31, 2019. Gross profit margin was 71% for the year ended December 31, 2020, compared to 68% for the year ended December 31, 2019. The increase in profit margin for the year ended December 31, 2020 was driven by stronger margins for product and license.

The majority of our inventory purchases are denominated in U.S. Dollars. Our sales are denominated in various currencies including the Euro. The impact of changes in currency rates are estimated to have increased revenue by $2.0 million for the year ended December 31, 2020. Had currency rates in 2020 been equal to rates in 2019, the gross profit margins would have been approximately one percentage point lower for the year ended December 31, 2020.

Operating Expenses

Year ended December 31, 

    

2020

2019

$

    

% Change

(in thousands)

Operating costs

 

  

 

  

  

 

  

Sales and marketing

$

60,856

$

61,503

($ 647)

(1)%

Research and development

41,194

42,463

 

(1,269)

(3)%

General and administrative

46,338

43,897

 

2,441

6%

Amortization of intangible assets

9,122

9,470

 

(348)

(4)%

Total operating costs

$

157,510

$

157,333

 

$ 177

0%

Sales and Marketing Expenses

Sales and marketing expenses decreased $0.6 million, or 1% during the year ended December 31, 2020 compared to the year ended December 31, 2019. Lower travel spend were partially offset by costs associated with higher headcount during the year ended December 31, 2020.

Average full-time sales and marketing employee headcount for year ended December 31, 2020 was 356, compared to 319 for year ended December 31, 2019. Average headcount in 2020 was 12% higher than in 2019.

Research and Development Expenses

Research and development expenses decreased $1.3 million, or 3% during the year ended December 31, 2020 compared to the year ended December 31, 2019. The decrease in expense for the year ended December 31, 2020 was primarily driven by lower cloud computing costs for our test environment and lower travel costs, partially offset by higher personnel costs.

Average full-time research and development employee headcount for year ended December 31, 2020 was 328, compared to 302 for year ended December 31, 2019. Average headcount in 2020 was 9% higher than in 2019.

General and Administrative Expenses

General and administrative expenses increased $2.4 million, or 6% during the year ended December 31, 2020 compared to the year ended December 31, 2019. The increase in general and administrative expenses for the year ended December 31, 2020 was driven by higher personnel costs which included additional stock comp due to an increase in eligible participants. The increase in expense was also driven by higher consulting spend, additional expense for subscription software tools and higher bad debt expense driven by a higher allowance for the likely adverse impact of the COVID-19 pandemic. Lower travel costs partially offset spend increases.

42

Average full-time general and administrative employee headcount for year ended December 31, 2020 was 125, compared to 113 for the year ended December 31, 2019. Average headcount in 2020 was 11% higher than in 2019.

Amortization of Intangible Assets

Amortization of intangible assets for the year ended December 31, 2020 was $9.1 million, compared to $9.5 million for the year ended December 31, 2019, a decrease of $0.3 million or 4%. The decrease was driven by certain technology assets becoming fully amortized during the year.

Interest Income, net

Year ended December 31, 

    

2020

2019

$ Change

    

% Change

(in thousands)

Interest income, net

$ 404

$ 747

($ 343)

(46)%

Interest income, net was $0.4 million for the year ended December 31, 2020, compared to $0.7 million for the year ended December 31, 2019. The decrease in interest income for 2020 compared to 2019 reflects a decrease in interest rates during the year ended December 31, 2020.

Other Income, Net

Year ended December 31, 

    

2020

2019

$ Change

    

% Change

(in thousands)

Other income (expense), net

$ 1,434

($ 527)

$ 1,961

(372)%

Other income (expense) , net primarily includes exchange gains (losses) on transactions that are denominated in currencies other than our subsidiaries’ functional currencies, subsidies received from foreign governments in support of our research and development in those countries, and other miscellaneous non-operational, non-recurring expenses.

Other income (expense), net for the year ended December 31, 2020 was $1.4 million, compared to $(0.5) million for the year ended December 31, 2019. Higher income for the year ended December 31, 2020 was primarily driven by exchange gains on transactions that are denominated in currencies other than our subsidiaries’ functional currencies.

Provision for income taxes

Year ended December 31, 

    

2020

2019

$

    

% Change

(in thousands)

Provision for income taxes

$ 2,035

$ 6,545

($ 4,510)

(69)%

Income tax expense for the year ended December 31, 2020 was $2.0 million compared to $6.5 million for the year ended December 31, 2019. The decrease in expense was attributable to decreased profits in the period excluding losses at entities where we cannot record a tax benefit, as well as a higher uncertain tax positions recorded in 2019 of $1.6 million.

43

Loss Carryforwards Available

At December 31, 2020, we have gross deferred tax assets of $30.0 million resulting from foreign and state NOL carryforwards of $119.5 million and other foreign deductible carryforwards of $64.7 million. At December 31, 2020, we have a valuation allowance of $19.8 million against deferred tax assets related to certain carryforwards. See Note 13 – Income taxes for more information regarding carryforwards and valuation allowances.

Liquidity and Capital Resources

As of December 31, 2020, we had net cash balances (total cash and cash equivalents) of $88.4 million and short-term investments of $26.9 million. Short term investments consist of U.S. treasury bills and notes, government agency notes, corporate notes and bonds, and high quality commercial paper with maturities at acquisition of more than three months and less than twelve months. At December 31, 2019, we had net cash balances of $84.3 million and short-term investments of $25.5 million.

We are in a lease agreement that required a letter of credit in the amount of $0.8 million to secure the obligation. The restricted cash related to this letter of credit is recorded in other non-current assets on the Consolidated Balance Sheet at December 31, 2020 and December 31, 2019.

As of December 31, 2020, we held $52.0 million of cash and cash equivalents in subsidiaries outside of the United States. Of that amount, $51.4 million is not subject to repatriation restrictions, but may be subject to taxes upon repatriation.

We believe that our financial resources are adequate to meet our operating needs over the next twelve months.

Our cash flows are as follows:

Year ended December 31, 

    

2020

2019

2018

(in thousands)

Cash provided by (used in):

 

  

 

  

Operating activities

$ 14,922

$ 18,244

1,226

Investing activities

(4,664)

(9,893)

 

194

Financing activities

(7,060)

(569)

(970)

Effect of foreign exchange rate changes on cash and cash equivalents

914

(208)

(1,556)

Operating Activities

Cash generated by operating activities is primarily comprised of net income, as adjusted for non-cash items, and changes in operating assets and liabilities. Non-cash adjustments consist primarily of amortization and impairment of intangible assets, depreciation of property and equipment, and stock-based compensation. We expect cash inflows from operating activities to be affected by increases or decreases in sales and timing of collections. Our primary uses of cash from operating activities have been for personnel costs. We expect cash outflows from operating activities to be affected by increases in personnel cost as we grow our business.

For the year ended December 31, 2020, $14.9 million of cash was provided by operating activities. Cash of $18.2 million and $1.2 million was provided by operating activities for the years ended December 31, 2019 and 2018, respectively.

Our working capital at December 31, 2020 was $131.9 million, a decrease of $4.1 million or 3% from $136.0 million at December 31, 2019. The decrease is due to lower accounts receivable and higher deferred revenue, driven by the timing of revenue contracts with customers.

44

Investing Activities

The changes in cash flows from investing activities primarily relate to timing of purchases, maturities and sales of investments, purchases of property and equipment, and activity in connection with acquisitions. We expect to continue to purchase property and equipment to support the continued growth of our business as well to continue to invest in our infrastructure and activity in connection with acquisitions.

For the year ended December 31, 2020 and December 31, 2019, cash of $4.7 million and $9.9 million, respectively, was used in investing activities, which was primarily driven by the purchase of property and equipment, as well as purchases of short term investments which were partially offset by the maturity of short term investments.

For the year ended December 31, 2018, cash of $0.2 million was provided by investing activities, which was driven by the maturity of short term investments, partially offset by the purchase of Dealflo and purchase of short term investments.

Financing Activities

The changes in cash flows from financing activities primarily related to the purchases of common stock under our share repurchase program and tax payments for restricted stock issuances.

On June 10, 2020, the Board of Directors authorized a share repurchase program (“program”), pursuant to which the Company can repurchase up to $50.0 million of issued and outstanding common stock. Share purchases under the program will take place in open market transactions or in privately negotiated transactions and may be made from time to time depending on market conditions, share price, trading volume, and other factors. The timing of the repurchases and the amount of stock repurchased in each transaction is subject to OneSpan’s sole discretion and will depend upon market and business conditions, applicable legal and credit requirements and other corporate considerations. During the year ended December 31, 2020, the Company repurchased 0.3 million shares of the Company’s stock for $5.0 million in the aggregate at an average cost of $20.10 per share under its repurchase program. The authorization is effective until June 10, 2022 unless the total amount has been used or authorization has been cancelled.

For the year ended December 31, 2020, net cash used in financing activities was $7.1 million, which was comprised of $5.0 million of common stock repurchased and $2.0 million of tax payments for restricted stock issuances.

Cash of $0.6 million and $1.0 million was used in financing activities during the years ended December 31, 2019 and December 31, 2018, respectively. The cash usage was comprised of tax payments for restricted stock issuances in both periods.

Off-Balance Sheet Arrangements

The Company has no off-balance sheet arrangements.

Contractual Obligations and Commitments

The following summarizes our contractual obligations and commitments as of December 31, 2020:

Payments due by period

    

    

    

2-3

    

4-5

    

More than

Total

1 year

years

years

5 years

Operating lease obligations

$

15,254

$

2,814

$

4,646

$

2,527

$

5,267

Purchase obligations

 

23,921

 

20,586

 

3,323

 

12

 

Taxes payable

 

7,148

 

1,053

 

3,027

 

3,068

 

$

46,323

$

24,453

$

10,996

$

5,607

$

5,267

45

We have purchase obligations of $23.9 million, including $12.7 million of inventory purchase obligations which are expected to be consummated in the next 12 months, $5.8 million of committed hosting arrangements which will be used in the next one to four years, and $5.4 million for other software agreements related to the administration of our business which range from one to five years.

The operating lease obligations above do not include common area maintenance (“CAM”) charges or real estate taxes under our operating leases, for which the Company is also obligated. These charges are generally not fixed and can fluctuate from year to year.

Taxes payable primarily represents deemed repatriation tax from 2017. The Company had $0.5 million, $2.9 million and $0.4 million of unrecognized tax benefits as of December 31, 2020, December 31, 2019 and December 31, 2018, respectively, which have been set aside in a reserve in accordance with ASC 740 Income Taxes. The amounts are not included in the above table as the timing of payment of such obligations, if any, is not determinable.

Critical Accounting Policies and Estimates

Management’s Discussion and Analysis of Financial Condition and Results of Operations discusses our consolidated financial statements, which have been prepared in accordance with accounting principles generally accepted in the U.S. The preparation of these financial statements requires management to make estimates and assumptions that affect the reported amounts of assets and liabilities and the disclosure of contingent assets and liabilities at the date of the consolidated financial statements and the reported amounts of revenue and expenses during the reporting period.

On an on-going basis, management evaluates its estimates and judgments, including those related to bad debts, net realizable value of inventory and intangible assets. Management bases its estimates and judgments on historical experience and on various other factors that are believed to be reasonable under the circumstances, the results of which form the basis for making judgments about the carrying values of assets and liabilities that are not readily apparent from other sources. Actual results may differ from these estimates under different assumptions or conditions. Management believes the following critical accounting policies affect significant judgments and estimates used in the preparation of its consolidated financial statements.

Revenue Recognition

On January 1, 2018, we adopted FASB Accounting Standards Codification (ASC) Topic 606, “Revenue from Contracts with Customers”, or “Topic 606” using the modified retrospective method applied to those contracts which were not completed as of January 1, 2018. Results for reporting periods beginning after January 1, 2018 are presented under Topic 606. We recorded a net increase to opening Retained Earnings of $11.9 million, net of tax, as of January 1, 2018 due to the cumulative impact of adopting Topic 606, with the impact primarily related to the accounting impacts of our customer contracts that include a term license to our software, as well as the impact of accounting for costs incurred to obtain our contracts. See Note 6 - Revenue for further details. We determine revenue recognition through the following steps:

Identification of the contract, or contracts, with a customer;
Identification of the performance obligations in the contract;
Determination of the transaction price;
Allocation of the transaction price to the performance obligations in the contract; and
Recognition of revenue when, or as, we satisfy a performance obligation.

Revenues are recognized when control of the promised goods or services is transferred to our customers, in an amount that reflects the consideration we expect to be entitled to in exchange for those products or services, which excludes any sales incentives and amounts collected on behalf of third parties. Taxes assessed by a governmental authority that are both imposed on and concurrent with a specific revenue-producing transaction, that are collected by the Company from a customer, are excluded from revenue. Shipping and handling costs associated with outbound freight

46

after control over a product has transferred to a customer are accounted for as a fulfillment cost and are included in cost of goods sold.

Nature of Goods and Services

We derive our revenues primarily from Product and License Revenue, which includes hardware products and software licenses, and Services and Other, which is inclusive of software-as-a-service (which we refer to as “subscription”, or “SaaS”), maintenance and support, and professional services. 

Product Revenue: Revenue from the sale of security hardware is recorded upon shipment, which is the point at which control of the goods are transferred and the completion of the performance obligations, unless there are specific terms that would suggest control is transferred at a later date (e.g. delivery). No significant obligations or contingencies typically exist with regard to delivery, customer acceptance or rights of return at the time revenue is recognized. Customer invoices and subsequent payments normally correspond with delivery.

License Revenue: Revenue from the sale of software licenses is recorded upon the latter of when the customer receives the ability to access the software or when they are legally allowed to use the software.  No significant obligations or contingencies exist with regard to delivery, customer acceptance or rights of return at the time revenue is recognized. Contracts with customers for distinct licenses of intellectual property include perpetual licenses, which grant the customer unlimited access to the software, and term licenses which limit the customer’s access to the software to a specific time period. We offer term licenses ranging from one to five years in length.  Customer payments normally correspond with delivery for perpetual licenses.  For term licenses, payments are either on installment or in advance.  In limited circumstances, we integrate third party software solutions into our software products.  We have determined that, consistent with our conclusion under prior revenue recognition rules, generally we act as the principal with respect to the satisfaction of the related performance obligation and record the corresponding revenue on a gross basis from these transactions. For transactions in which we do not act as the principal, we would recognize revenue on a net basis.  The fees owed to the third parties are recognized as a component of cost of goods sold when the revenue is recognized.

Subscription Revenue: We generate subscription revenues from our cloud services offerings. Subscription revenues mostly include fees from customers for access to the OneSpan Sign, TID, and Dealflo solutions. Our standard customer arrangements do not provide the customer with the right to take possession of the software supporting the cloud-based application service at any time. As such, these arrangements are considered service contracts and revenue is recognized ratably over the service period of the contract. Customer payments are normally in advance for annual service.

Maintenance, Support and Other: Maintenance and support agreements generally call for us to provide software updates and technical support, respectively, to customers. The annual fee for maintenance and technical support is recognized ratably over the term of the maintenance and support agreement as this is the period the services are delivered.  Customer payments are normally in advance for annual service.

Professional Services: Professional services revenues are primarily comprised of implementing, automating and extending business processes, technology infrastructure, and software applications. Professional services revenues are recognized over time as services are rendered, usually over a period of time that is generally less than a few months. Most projects are performed on a time and materials basis, while a portion of revenues is derived from projects performed on a fixed fee. For time and material contracts, revenues are generally recognized and invoiced by multiplying the number of hours expended in the performance of the contract by the contractual hourly rates. For fixed fee contracts, revenues are generally recognized using an input method based on the ratio of hours expended to total estimated hours to complete the services. Customer payments normally correspond with delivery.

47

Multiple-Element Arrangements

In our typical multiple-element arrangement, the primary deliverables include:

1.A client component (i.e. an item that is used by the person being authenticated in the form of either a new standalone hardware device or software that is downloaded onto a device that the customer already owns);
2.Server system software that is installed on the customer’s systems (i.e., software on the server system that verifies the identity of the person being authenticated) or licenses for additional users on the server system software if the server system software had been installed previously; and
3.Post contract support (PCS) in the form of maintenance on the server system software or support.

Our multiple-element arrangements may also include other items that are usually delivered
prior to the recognition of any revenue are incidental to the overall transaction such as initialization of the hardware device, customization of the hardware device itself or the packaging in which it is delivered, deployment services where we deliver the device to our customer’s end-use customer or employee and, in some limited cases, professional services to assist with the initial implementation of a new customer.

Significant Judgments

We enter into contracts to deliver a combination of hardware devices, software licenses, subscriptions, maintenance and support and, in some situations, professional services.  The Company evaluates the nature of the goods or services promised in these arrangements to identify the distinct performance obligations. Determining whether products and services are considered distinct performance obligations that should be accounted for separately versus together may require significant judgment depending on the terms and conditions of the respective customer arrangement. When a hardware client device and licenses to server software are sold in a contract, they are treated as a single performance obligation because the software license is deemed to be a component of the hardware that is integral to the functionality of the hardware that is used by our customers for identity authentication.  When a software client device is sold in a contract server software, the licenses are considered a single performance obligation to deliver the authentication solution to the customer. In either of these types of arrangements, maintenance and support and professional services are typically distinct separate performance obligations from the hardware or software solutions.  Our contracts to deliver subscription services typically do not include multiple performance obligations; however, in certain limited cases customers may purchase professional services that are distinct performance obligations.

For contracts that contain multiple performance obligations, the transaction price is allocated to the separate performance obligations based on their estimated relative standalone selling price. Judgment is required to determine the stand-alone selling price (“SSP”) of each distinct performance obligation. We determine SSP for maintenance and support and professional services based on observable inputs; specifically, the range of prices charged to customers to renew annual maintenance and support contracts and the range of hourly rates we charge our customers in standalone professional services contracts. In instances where SSP is not directly observable, and when we sell at a highly variable price range, such as for transactions involving software licenses or subscriptions, we determine the SSP for those performance obligations using the residual method.

Credit Losses

We adopted ASU No. 2016-13, Measurement of Credit Losses on Financial Instruments, on January 1, 2020. As a result of the adoption, we amended the accounting policies for the allowance for credit losses. In accordance with ASU No. 2016-13, the Company evaluates its allowance based on expected losses rather than incurred losses, which is known as the current expected credit loss (“CECL”) model. The allowance is determined using the loss rate approach and is measured on a collective (pool) basis when similar risk characteristics exist. Where financial instruments do not share risk characteristics, they are evaluated on an individual basis. The allowance is based on relevant available information, from internal and external sources, relating to past events, current conditions, and reasonable and supportable forecasts.

48

Income Taxes

As a global company, we calculate and provide for income taxes in each tax jurisdiction in which we operate. The provision for income taxes includes the amounts payable or refundable for the current year, the effect of deferred taxes and impacts from uncertain tax positions. Our provision for income taxes is significantly affected by shifts in the geographic mix of our pre-tax earnings across tax jurisdictions, changes in tax laws and regulations, and tax planning opportunities available in each tax jurisdiction.

Deferred tax assets and liabilities are recognized for the expected future tax consequences of temporary differences between the financial statement and tax bases of our assets and liabilities and for operating losses and tax credit carryforwards. Deferred tax assets and liabilities are measured using enacted tax rates that will apply to taxable income in the years in which those differences are expected to be recovered or settled. Valuation allowances are established for deferred tax assets when it is more likely than not that a tax benefit will not be realized. We recognize the effect of a change in tax rates on deferred tax assets and liabilities and in income in the period that includes the enactment date.

We recognize tax benefits for tax positions that are more likely than not to be sustained upon examination by tax authorities. The amount recognized is measured as the largest amount of benefit that is greater than 50 percent likely to be realized upon ultimate settlement. Unrecognized tax benefits are tax benefits claimed in our income tax returns that do not meet these recognition and measurement standards. Assumptions, judgments, and the use of estimates are required in determining whether the “more likely than not” standard has been met when developing the provision for income taxes.

We recognize the tax impact of including certain foreign earnings in U.S. taxable income as a period cost. We have recognized deferred income taxes for local country income and withholding taxes that could be incurred on distributions of non-U.S. earnings because we do not plan to indefinitely reinvest such earnings.

We monitor for changes in tax laws and reflect the impacts of tax law changes in the period of enactment.

Recently Issued Accounting Pronouncements

In September 2016, the FASB issued ASU 2016-13, Measurement of Credit Losses on Financial Instruments (Topic 326), which amends the Board’s guidance on the impairment of financial instruments. The ASU adds an impairment model that is based on expected losses rather than incurred losses, which is known as the current expected credit loss (“CECL”) model. The CECL model applies to most debt instruments (other than those measured at fair value), trade and other receivables, financial guarantee contracts, and loan commitments. This ASU is effective for fiscal years beginning after December 15, 2019, and interim periods within those fiscal years. The Company adopted ASC 326 as of January 1, 2020, using the cumulative-effect transition method with the required prospective approach. The cumulative-effect transition method enables an entity to record an allowance for expected credit losses at the date of adoption without restating comparative periods. The cumulative-effect adjustment for adoption of ASC 326 resulted in a decrease of $0.3 million in Accounts receivable, net of allowances and Retained Earnings as of January 1, 2020.

In January 2017, the FASB issued ASU 2017-04, Intangibles-Goodwill and Other (Topic 350)Simplifying the Test for Goodwill Impairment. This standard eliminates the requirement to calculate the implied fair value of goodwill to measure a goodwill impairment charge (i.e. Step 2 of the current guidance), instead measuring the impairment charge as the excess of the reporting unit's carrying amount over its fair value (i.e. Step 1 of the current guidance). The guidance was effective for us beginning in the first quarter of 2020, and should be applied prospectively. Early adoption is permitted for impairment testing dates after January 1, 2017. We adopted this standard on January 1, 2020 on a prospective basis. The adoption of this standard did not have a material impact on our consolidated financial statements.

In August 2018, the FASB issued ASU No. 2018-13, Disclosure Framework - Changes to the Disclosure Requirements for Fair Value Measurement (“ASU 2018-13”), which amends ASC 820, Fair Value Measurement. ASU 2018-13 modifies the disclosure requirements for fair value measurements by removing, modifying, or adding certain disclosures. The ASU is effective for annual periods, including interim periods within those annual periods, beginning

49

after December 15, 2019, with early adoption permitted for removed or modified disclosures, and delayed adoption of the additional disclosures until their effective date. We adopted this standard on January 1, 2020 on a retrospective basis. The adoption of this standard did not have a material impact on our consolidated financial statements.

In August 2018, the FASB issued ASU 2018-15, Customer's Accounting for Fees Paid in a Cloud Computing Arrangement, which helps entities evaluate the accounting for fees paid by a customer in a cloud computing arrangement (CCA) by providing guidance for determining when an arrangement includes a software license and when an arrangement is solely a hosted CCA service. Under ASU 2018-15, customers will apply the same criteria for capitalizing implementation costs as they would for an arrangement that has a software license. The new guidance also prescribes the balance sheet, income statement, and cash flow classification of the capitalized implementation costs and related amortization expense, and requires additional quantitative and qualitative disclosures. We adopted this standard on January 1, 2020 on a prospective basis. The adoption of this standard did not have a material impact on our consolidated financial statements.

In August 2018, the FASB issued ASU 2018-14, Compensation—Retirement Benefits—Defined Benefit Plans—General (Topic 715-20): Disclosure Framework—Changes to the Disclosure Requirements for Defined Benefit Plans (ASU 2018-14), which modifies the disclosure requirements for defined benefit pension plans and other postretirement plans. ASU 2018-14 is effective for fiscal years ending after December 15, 2020, and earlier adoption is permitted. The adoption of the standard was not materially impactful to our consolidated financial statements and disclosures.

In December 2019, the FASB issued ASU 2019-12, Simplification for Accounting for Income Taxes, which removes certain exceptions for recognizing deferred taxes for investments, performing intraperiod allocation and calculating income taxes in interim periods. The ASU also adds guidance to reduce complexity in certain areas, including recognizing deferred taxes for tax goodwill and allocating taxes to members of a consolidated group. ASU 2019-12 was effective beginning January 1, 2021. The adoption of this standard did not have a material impact on our financial statements.

In March 2020, the FASB issued ASU 2020-04, Facilitation of the Effects of Reference Rate Reform on Financial Reporting. This update provides optional expedients and exceptions for applying generally accepted accounting principles to certain contract modifications and hedging relationships that reference London Inter-bank Offered Rate (LIBOR) or another reference rate expected to be discontinued. The guidance is effective upon issuance and can be applied through December 31, 2022. The adoption of this standard did not have a material impact on the Company’s consolidated financial statements.

From time to time, new accounting pronouncements are issued by the FASB or other standard setting bodies that are adopted by us as of the specified effective date. Unless otherwise discussed, our management believes that the issued standards that are not yet effective will not have a material impact on our consolidated financial statements upon adoption.

Item 7A - Quantitative and Qualitative Disclosures about Market Risk (In thousands)

Foreign Currency Exchange Risk – In 2020, approximately 88% of our business was conducted outside the United States, primarily in Europe, Latin America and Asia/Pacific. A significant portion of our business operations is transacted in foreign currencies. As a result, we have exposure to foreign exchange fluctuations. We are affected by both foreign currency translation and transaction adjustments. Translation adjustments result from the conversion of the foreign subsidiaries’ balance sheets and income statements to U.S. Dollars at year-end exchange rates and weighted average exchange rates, respectively. Translation adjustments resulting from this process are recorded directly into stockholders’ equity. Transaction adjustments result from currency exchange movements when one of our companies transacts business in a currency that differs from its local currency. These adjustments are recorded as gains or losses in our statements of operations. Our business transactions are spread across numerous countries and currencies. This geographic diversity reduces the risk to our operating results. As noted in Management’s Discussion and Analysis above, we attempt to minimize the net impact of currency on operating earnings by denominating an amount of billings in a currency such that it would provide a hedge against the operating expenses being incurred in that currency.

50

Interest Rate Risk – We have minimal interest rate risk. We had no debt outstanding at December 31, 2020. Our cash, cash equivalents, and short term investments are invested in short-term instruments at current market rates. If rates were to increase or decrease by one percentage point, the Company’s interest income would increase or decrease approximately $0.3 million annually.

Item 8 - Financial Statements and Supplementary Data

The information in response to this item is included in our consolidated financial statements, together with the report thereon of KPMG LLP, appearing on pages F-1 through F-41 of this Form 10-K, and in Item 7 under the heading Management’s Discussion and Analysis of Financial Condition and Results of Operations.

Item 9 - Changes in and Disagreements with Accountants on Accounting and Financial Disclosure

None.

Item 9A - Controls and Procedures

Evaluation of Disclosure Controls and Procedures

Our management, with the participation of our Chief Executive Officer and Chief Financial Officer, who, respectively, are our principal executive officer and principal financial officer, conducted an evaluation of the effectiveness of the design and operation of our disclosure controls and procedures (as defined in Rules 13a-15(e) and 15d-15(e) under the Securities Exchange Act of 1934, as amended (the "Exchange Act")) as of December 31, 2020. Disclosure controls and procedures include, without limitation, controls and procedures designed to ensure (i) information required to be disclosed by us in our reports that we file or submit under the Exchange Act is recorded, processed, summarized and reported within the time periods specified in the Securities and Exchange Commission’s rules and forms, and (ii) information required to be disclosed by us in our reports that we file or submit under the Exchange Act is accumulated and communicated to our management, including our principal executive and principal financial officers, or persons performing similar functions, as appropriate to allow timely decisions regarding required disclosure. Based upon that evaluation, our management have concluded that the Company's disclosure controls and procedures are effective as of December 31, 2020, to give reasonable assurance that the information required by us in reports filed under the Exchange Act, is recorded, processed, summarized and reported within the time period specified in the rules and forms of the SEC, and is accumulated and communicated to management, including our principal executive officer and principal financial officer, as appropriate, to allow timely decisions regarding required disclosure.

Management’s Annual Report on Internal Control over Financial Reporting

The management of OneSpan Inc. is responsible for establishing and maintaining adequate internal control over financial reporting. Internal control over financial reporting is defined in Rule 13a-15(f) and 15d-15(f) promulgated under the Exchange Act as a process designed by, or under the supervision of, the Company’s principal executive and principal financial officers and effected by the Company’s board of directors, management and other personnel, to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles and includes those policies and procedures that: (1) Pertain to the maintenance of records that in reasonable detail accurately and fairly reflect the transactions and dispositions of the assets of the Company; (2) Provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with generally accepted accounting principles, and that receipts and expenditures of the Company are being made only in accordance with authorizations of management and directors of the Company; and (3) Provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use or disposition of the Company’s assets that could have a material effect on the financial statements.

Our management, led by our Chief Executive Officer and Chief Financial Officer, assessed the effectiveness of our internal control over financial reporting as of December 31, 2020, using the criteria set forth by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) in Internal Control—Integrated Framework (2013).

51

Management’s evaluation of our internal control over financial reporting determined that the Company’s internal control over financial reporting was effective based on those criteria as of December 31, 2020.

KPMG LLP, an independent registered public accounting firm, has audited the consolidated financial statements as of and for the year ended December 31, 2020 included in this Annual Report on Form 10-K, and has issued its report on the effectiveness of the Company’s internal control over financial reporting as of December 31, 2020, included on page 53 of this annual report.

Changes in Internal Control over Financial Reporting

There were no changes in our internal control over financial reporting (as that term is defined in Rule 13a-15(f) and 15d-15(f) under the Exchange Act) during the quarter ended December 31, 2020, that have materially affected, or are reasonably likely to materially affect, our internal control over financial reporting

Limitations on the Effectiveness of Controls

Internal control over financial reporting has inherent limitations. Internal control over financial reporting is a process that involves human diligence and compliance and is subject to lapses in judgment and breakdowns resulting from human failures. Internal control over financial reporting also can be circumvented by collusion or improper management override. Because of such limitations, there is a risk that material misstatements will not be prevented or detected on a timely basis by internal control over financial reporting. However, these inherent limitations are known features of the financial reporting process. Therefore, it is possible to design into the process safeguards to reduce, though not eliminate, this risk. Also, projections of any evaluation of effectiveness to future periods are subject to the risk that controls may become inadequate because of changes in conditions, or that the degree of compliance with the policies and procedures may deteriorate.

52

Report of Independent Registered Public Accounting Firm


To the Stockholders and Board of Directors
OneSpan Inc.:

Opinion on Internal Control Over Financial Reporting

We have audited OneSpan Inc. and subsidiaries’ (the Company) internal control over financial reporting as of December 31, 2020, based on criteria established in Internal Control – Integrated Framework (2013) issued by the Committee of Sponsoring Organizations of the Treadway Commission. In our opinion, the Company maintained, in all material respects, effective internal control over financial reporting as of December 31, 2020, based on criteria established in Internal Control – Integrated Framework (2013) issued by the Committee of Sponsoring Organizations of the Treadway Commission.

We also have audited, in accordance with the standards of the Public Company Accounting Oversight Board (United States) (PCAOB), the consolidated balance sheets of the Company as of December 31, 2020 and 2019, the related consolidated statements of operations, comprehensive income (loss), stockholders’ equity, and cash flows for each of the years in the three-year period ended December 31, 2020, and the related notes and financial statement schedule II (collectively, the consolidated financial statements), and our report dated February 25, 2021 expressed an unqualified opinion on those consolidated financial statements.

Basis for Opinion

The Company’s management is responsible for maintaining effective internal control over financial reporting and for its assessment of the effectiveness of internal control over financial reporting, included in the accompanying Management’s Annual Report on Internal Control over Financial Reporting. Our responsibility is to express an opinion on the Company’s internal control over financial reporting based on our audit. We are a public accounting firm registered with the PCAOB and are required to be independent with respect to the Company in accordance with the U.S. federal securities laws and the applicable rules and regulations of the Securities and Exchange Commission and the PCAOB.

We conducted our audit in accordance with the standards of the PCAOB. Those standards require that we plan and perform the audit to obtain reasonable assurance about whether effective internal control over financial reporting was maintained in all material respects. Our audit of internal control over financial reporting included obtaining an understanding of internal control over financial reporting, assessing the risk that a material weakness exists, and testing and evaluating the design and operating effectiveness of internal control based on the assessed risk. Our audit also included performing such other procedures as we considered necessary in the circumstances. We believe that our audit provides a reasonable basis for our opinion.

Definition and Limitations of Internal Control Over Financial Reporting

A company’s internal control over financial reporting is a process designed to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles. A company’s internal control over financial reporting includes those policies and procedures that (1) pertain to the maintenance of records that, in reasonable detail, accurately and fairly reflect the transactions and dispositions of the assets of the company; (2) provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with generally accepted accounting principles, and that receipts and expenditures of the company are being made only in accordance with authorizations of management and directors of the company; and (3) provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use, or disposition of the company’s assets that could have a material effect on the financial statements.

Because of its inherent limitations, internal control over financial reporting may not prevent or detect misstatements. Also, projections of any evaluation of effectiveness to future periods are subject to the risk that controls may become

53

inadequate because of changes in conditions, or that the degree of compliance with the policies or procedures may deteriorate.

/s/ KPMG LLP


Chicago, Illinois
February 25, 2021

54

Item 9B – Other Information

On February 24, 2021, Naureen Hassan informed the Company’s Board of Directors that she will resign from the Board of Directors, effective March 1, 2021, as she has accepted a position in the public sector that precludes her continued role as a Board member of a publicly traded company.

Ms. Hassan did not advise the Company of any disagreement with the Company on any matters relating to its operations, policies or practices.

PART III

Item 10 - Directors, Executive Officers and Corporate Governance

All information in response to this Item is incorporated by reference to the “Directors and Executive Officers” and “Section 16(a) Beneficial Ownership Compliance” sections of OneSpan’s Proxy Statement to be filed with the SEC for the 2021 Annual Meeting of Stockholders.

The following sets forth certain information with regard to each executive officer of the Corporation. There are no family relationships between any of the executive officers, and there is no arrangement or understanding between any executive officer and any other person pursuant to which the executive officer was selected.

SCOTT M. CLEMENTS—Mr. Clements has served as OneSpan’s President and Chief Executive Officer since July 2017. From November 2016 to July 2017, he served as the Company’s President and Chief Operating Officer, and prior to that, Mr. Clements served as the Company’s Chief Strategy Officer since he joined the Company in December 2015. Before joining OneSpan, Mr. Clements spent eleven years at Tyco International where he most recently served as Corporate Senior Vice President, Business Development focused on technology acquisitions. Prior to that, Mr. Clements served as President of Tyco Retail Solutions and also as Tyco’s Chief Technology Officer. Before joining Tyco, Mr. Clements spent a decade at Honeywell International in domestic and international financial and operational leadership roles. Mr. Clements is 58 years old.

MARK S. HOYT—In November 2015, the Board of Directors appointed Mr. Hoyt to the positions of Chief Financial Officer and Treasurer. In March 2018, the Board also appointed Mr. Hoyt an Executive Vice President. Prior to joining the Company, Mr. Hoyt was the Chief Financial Officer of operations in Europe, Middle East and Africa for Groupon, Inc., and was based in Switzerland from 2012 to 2015, and from 2010 to 2012, he was Vice President of International Financial Operations of Groupon, Inc. and was based in Chicago. Mr. Hoyt is 53 years old.

STEVEN R. WORTH —Mr. Worth has served as OneSpan’s General Counsel, Chief Compliance Officer and Corporate Secretary since April 2016. Mr. Worth also has executive responsibility for corporate information security and product related security compliance. Prior to joining OneSpan, Mr. Worth spent five years at cloud software company SilkRoad Technology where he served as an Executive Vice President. Prior to that, Mr. Worth served five years as Vice President, General Counsel and Corporate Secretary of Diamond Management and Technology Consultants, an international publicly traded technology services company. Earlier in his career, Mr. Worth practiced law with the international firm Winston & Strawn. Mr. Worth is 50 years old.

Item 11 - Executive Compensation

The information in response to this Item is incorporated by reference to the “Executive Compensation” section of OneSpan’s Proxy Statement to be filed with the SEC for the 2021 Annual Meeting of Stockholders.

Item 12 - Security Ownership of Certain Beneficial Owners and Management and Related Stockholder Matters

The information in response to this Item is incorporated by reference to the “Security Ownership of Certain Beneficial Owners, Directors and Management” section of OneSpan’s Proxy Statement to be filed with the SEC for the 2021 Annual Meeting of Stockholders.

55

Item 13 - Certain Relationships and Related Transactions, and Director Independence

The information in response to this Item is incorporated by reference to the “Directors and Executive Officers” and “Transactions with Related Persons” sections of OneSpan’s Proxy Statement to be filed with the SEC for the 2021 Annual Meeting of Stockholders.

Item 14 - Principal Accounting Fees and Services

The information in response to this Item is incorporated by reference to the “Report of the Audit Committee” section of OneSpan’s Proxy Statement to be filed with the SEC for the 2021 Annual Meeting of Stockholders.

PART IV

Item 15 - Exhibits and Financial Statement Schedules

(a)  The following documents are filed as part of this Form 10-K.

(1)  The following consolidated financial statements and notes thereto, and the related independent auditors’ report, are included on pages F-1 through F-41 of this Form 10-K:

Report of Independent Registered Public Accounting Firm

Consolidated Balance Sheets as of December 31, 2020 and 2019

Consolidated Statements of Operations for the Years Ended December 31, 2020, 2019 and 2018

Consolidated Statements of Comprehensive Income (Loss) for the Years Ended December 31, 2020, 2019 and 2018

Consolidated Statements of Stockholders’ Equity for the Years Ended December 31, 2020, 2019 and 2018

Consolidated Statements of Cash Flows for the Years Ended December 31, 2020, 2019 and 2018

Notes to Consolidated Financial Statements

(2)  The following consolidated financial statement schedule of the company is included on page F-42 of this Form 10-K:

Schedule II – Valuation and Qualifying Accounts

All other financial statement schedules are omitted because such schedules are not required or the information required has been presented in the aforementioned consolidated financial statements.

(3)  The following exhibits are filed with this Form 10-K or incorporated by reference as set forth at the end of the list of exhibits:

Exhibit
Number 

Description

2.1

Agreement for the Sale and Purchase of the Entire Issued Capital of Cronto Limited dated May 20, 2013. (Incorporated by reference – Form 8-K filed May 23, 2013.)

56

Exhibit
Number 

Description

2.2

Arrangement Agreement, dated October 6, 2015, among VASCO Data Security International, Inc., 685102 N.B. Inc., Silanis Technology Inc., Silanis International Limited, Silanis Canada Inc., and Silanis Agent Inc. (incorporated by reference – Form 8-K filed October 13, 2015.)

2.3

Stock Purchase Agreement, dated May 30, 2018 between VASCO Digital Automation Limited and shareholders of Dealflo Limited (incorporated by reference – Form 8-K filed June 1, 2018.)

2.4

Share Sale and Purchase Agreement by and among VASCO Data Security International, Inc., A.O.S. Holding B.V., Filipan Beheer B.V., Mr. Mladen Filipan and Pijnenburg Beheer N.V., dated February 4, 2005 (Incorporated by reference - Form 8-K filed February 8, 2005.)

3.1

Certificate of Incorporation of Registrant, as amended. (incorporated by reference – Form 8-K filed June 1, 2018.)

3.2

Bylaws of Registrant, as amended and restated January 3, 2019. (Incorporated by reference - Form 8-K filed on January 7, 2019.)

4.1

Specimen of Registrant’s Common Stock Certificate. (Incorporated by reference to the Registrant’s Registration Statement on Form S-4, as amended (Registration No. 333-35563), originally filed on September 12, 1997.)

4.2*

Form of Award Agreement for Restricted Shares under the VASCO Data Security International, Inc. 2009 Equity Incentive Plan with respect to awards granted January 5, 2017. (Incorporated by reference – Form 10-K filed March 10, 2017.)

4.3*

Form of Award Agreement for Restricted Shares under the VASCO Data Security International, Inc. 2009 Equity Incentive Plan with respect to awards granted January 4, 2018. (Incorporated by reference – Form 10-K filed March 8, 2018.)

4.4*

Form of Award Agreement for Performance Shares under VASCO Data Security International, Inc. 2009 Equity Incentive Plan with respect to awards granted January 4, 2018. (Incorporated by reference – Form 10-K filed March 8, 2018.)

4.5*

Fiscal Year 2018 Form of Award Agreement for Deferred Stock under the VASCO Data Security International, Inc. 2009 Equity Incentive Plan. (Incorporated by reference – Form 10-K filed March 8, 2018.)

4.6*

Form of Award Agreement for Restricted Stock Units under the OneSpan Inc. 2019 Omnibus Incentive Plan. (Incorporated by reference – Form 10-K filed March 16, 2020.)

4.7*

Form of Award Agreement for Performance-based Restricted Stock Units under the OneSpan Inc. 2019 Omnibus Incentive Plan. (Incorporated by reference – Form 10-K filed March 16, 2020.)

4.8*

Form of Award Agreement for Restricted Stock Units for Non-Employee Directors under the OneSpan Inc. 2019 Omnibus Incentive Plan. (Incorporated by reference – Form 10-K filed March 16, 2020.)

4.9*

OneSpan Inc. Cash Award Long-Term Incentive Plan Agreement under the OneSpan Inc. 2019 Omnibus Incentive Plan. (Incorporated by reference – Form 10-K filed March 16