CROSSWORD CYBERSECURITY PLC

ANNUAL REPORT AND ACCOUNTS for the year ended 31 December 2021

Crossword Cybersecurity PLC is the parent company of the Crossword group of companies which focuses on the cyber security sector. Crossword’s vision is to partner with organisations to keep them secure in the digital world. The Group reduces cyber risks for their clients by providing a portfolio of innovative products and services, powered by university and other research-driven insights.

Crossword Cybersecurity plc focuses on the development and commercialisation of cyber security and risk management-related software and cyber security consulting. The Group’s specialist cyber security product development and software engineering teams develop the concept into a fully-fledged commercial product that it will then take to market. The Group has built up a portfolio of revenue-generating, intellectual property-based, cyber security products.

Rizikon Assurance, Crossword’s leading product, is a SaaS platform that enables companies of all sizes to assess and manage all risks from their suppliers. Nixer CyberML is a new tool for businesses that want to solve advanced security and cybercrime problems, such as detecting and dealing with compromised accounts, fraud, and in-application denial of service attacks. Identiproof, Crossword’s third product, is the World Wide Web Consortium (W3C) verifiable credentials compatible middleware and wallet technology. Trillion™ and Arc are the latest additions to Crossword’s product suite, offering some of the strongest and most advanced credential leak monitoring services in the market.
Crossword’s team of expert cyber security consultants leverages years of experience in national security, defence and commercial cyber intelligence and operations to provide bespoke cyber security consulting advice tailored to its clients’ business needs, including threat monitoring using Nightingale, the world class platform.

SERVICES

CYBERSECURITY CONSULTING
Crossword has a full-service cyber security consulting team that provides strategy, assessment and risk management services.

NIGHTINGALE SECURITY MONITORING
A comprehensive security monitoring service which brings together multiple facets and services to identify organisational assets, users, traffic, networks and endpoints, to mitigate the threats and vulnerabilities an organisation faces.

CONTENTS

Strategic report
• Financial Highlights
• Chairman’s Statement
• Chief Executive Officer’s Statement
• Performance Review
• Section 172(1) Statement
• Corporate Social Responsibility
• Principal Risks & Uncertainties

Governance
• The Board
• Corporate Governance Report
• Directors’ Report & Statement of Directors’ Responsibilities

Financial statements
• Independent Auditor’s Report
• Consolidated Statement of Comprehensive Income
• Statements of Financial Position
• Statements of Changes in Equity
• Statements of Cash Flows
• Notes to the Financial Information
• Notice of AGM
• Company Information

PRODUCTS

Identiproof enhances the security and privacy of your digital credentials
Using the W3C standard for Verifiable Credentials and advanced cryptography, Identiproof makes it easier than ever to create, manage and authenticate identities online, reducing the risk of fraud and identity theft, while ensuring that the individual’s privacy is protected.

TRILLION™
Managed Service Providers keep their customers’ infrastructure protected with Trillion™
Trillion™ is the Breached Account Mining platform that continuously tracks, correlates and analyses billions of stolen usernames and passwords, hunting for Digital Identities that could belong to your customers.

ARC
Account protection for eCommerce platform owners
Arc is a service which enables your customer facing authentication services to query, in real time, for access attempts, using username and password pairs already known to criminals – so you can instantly step in and avoid losses.

Rizikon Assurance helps organisations take control of Supplier Assurance and Supply-chain Risk Management
• Secure online Questionnaires in your own branded portal
• Audit trails on all answers
• 360-degree Supplier Scorecards
• Dashboard of the risk across all suppliers and a host of other features
• Use our standard Cyber Security, GDPR, Modern Slavery, General On-boarding, Anti-bribery & corruption, COVID-19, National Minimum Wage, and Equality & Diversity questionnaires or create your own using our Question-set Editor
• Creditsafe integration
• Darkbeam instant digital risk audit integration

Detect and Mitigate Credential Attacks with Nixer CyberML
Nixer can stop your users from using breached passwords and intelligently protect your applications from Credential Stuffing attacks without killing usability. Find out more about how integrating Nixer’s open source Java plug-in can protect your applications from Credential Attacks.

www.crosswordcybersecurity.com

Highlights

2021 FINANCIAL HIGHLIGHTS
• £2.3m 2021 REVENUE* (* INCLUDES GRANT INCOME)
• 56% PRODUCT AND SERVICES REVENUE GROWTH
• ARR DOUBLED
• 43% REVENUE GROWTH
• £1.6m EQUITY FUND RAISE FEB 2021
• £5.0m EQUITY FUND RAISE JULY 2021

2021 OPERATIONAL HIGHLIGHTS
• Rizikon users grew to over 500 by the end of 2021.
• Integrated DarkBeam’s real-time cyber risk audits into Rizikon, significantly enhancing its functionality.
• New distribution partners for Rizikon.
• Completed grant-funded feasibility study with Liverpool John Moores University to investigate the underlying problems and causes of failures in supply chain risk and assurance.
• Conceived of, designed, architected and market-tested a completely new product in the privacy governance space, called PRC, for the University of Glasgow.
• The IASME Consortium Limited commenced using Rizikon to deliver its Counter Fraud Fundamentals Certification. This is as well as delivering its Internet of Things security certification, and was followed early in 2022, by IASME choosing Rizikon to deliver its Counter Fraud Fundamental certifications.
• Consulting secured two more FTSE250 clients.
• Busiest penetration testing year.
• Crossword Cybersecurity LLC was formed in the Sultanate of Oman, 90% owned by Crossword Cybersecurity Plc with the remaining 10% owned by Al Rawahy Holdings LLC. Crossword Cybersecurity LLC will be the exclusive third-party distributor of Crossword’s existing and future cyber security products, including Rizikon. Crossword’s full range of cyber security services will also be made available – helping companies in the region improve their cyber security posture to achieve best practices with the latest solutions.
• Crossword acquired two companies, Stega UK Limited and Verifiable Credentials Limited, and in March 2022 acquired Threat Status Limited, a threat intelligence company, resulting in the acquisition of three companies within 12 months.
• With Stega UK Limited, Crossword acquired a brilliant team and managed security services platform, Nightingale, with a new set of customers and are already selling these new services into the Consulting client base.
• With the acquisition of Verifiable Credentials Limited, IdentiProof was added to the product portfolio.
• Refreshed the Board with the appointment of Dr Robert Coles and Tara Cemlyn-Jones, and we strengthened our Advisory Board with two leading industry CISOs, Alison Dyer of Urenco, taking over as Chair, and Naina Bhattacharya of Danone.
• Share split where each Ordinary Share of 5p was sub-divided into 10 new ordinary shares of 0.5p. The capital reorganisation aimed to improve the market liquidity of and trading activity in the Company’s shares and attract new investors.
• Crossword’s team grew from 37 to 60 during 2021, a 62% increase in team size.
• Great progress on gender diversity with the Board being 37.5% women and Advisory Board at 50:50 parity. The Women at Crossword Group was established and has met 3 times covering an interesting range of topics and speakers.
• Office move in London from Richmond to a new Waterloo office which since then has been expanded to provide capacity to cope with the ever-growing team.
• Looked after our health and well-being in many ways, including online yoga classes, a Wellness Week and post-COVID-19, the re-establishment of the social committee who organised several enjoyable events.
• Thought about people other than ourselves. In Krakow, the team supported the incredible Noble Box charity again this year delivering amazing gifts to a chosen family and since we started working with SPEAR, the homelessness charity, the London team have raised over £6,500 and donated clothes and furniture to SPEAR. We also joined a salary sacrifice for vaccinations scheme to support roll-out of vaccines to areas in need worldwide.

Chairman’s Statement

“Management and staff are to be congratulated on achieving 43% revenue growth in 2021, as the economy emerged gradually from a very tough period.
We look forward to continuing to build value for shareholders in the year ahead.”

SIR RICHARD DEARLOVE KCMG OBE
13 April 2022

STRONG GROWTH AS THE ECONOMY EMERGES FROM THE PANDEMIC

As the world emerged slowly from the challenging pandemic period, Crossword continued to progress rapidly with our strategy of building a significant intellectual property-based, AIM quoted cyber security business. By the end of 2021, Crossword had grown revenue including Grant Income by a very healthy 43%. 2022 has started positively, and the company is confident of achieving growth of circa 75% in the coming year.

Rizikon now has over 500 organisations using the platform, we have integrated two acquisitions and our first-class specialist cyber security consulting team is building on its major client relationships.

Management and staff are to be congratulated on achieving 43% revenue growth in 2021, as the economy emerged gradually from a very tough period. We look forward to continuing to build value for shareholders in the year ahead.

A series of smart acquisitions

During 2021, Crossword continued to expand its product portfolio and accelerate growth through a series of targeted acquisitions. Crossword acquired Verifiable Credentials Limited in the first half of the year and Stega UK Limited in the second half. The company also signed a heads of terms to acquire a cyber threat company, Threat Status Limited, in December and the transaction completed in March 2022.

Robust Governance

We strengthened the Group Balance Sheet in 2021 by completing two equity fund raises, with significant shareholder support and new investors coming on board. We completed a £1.6m fundraise early in the year followed by a £5m raise in July. We would like to thank our shareholders for their support as we build for the future.

We were delighted to welcome aboard two new Board members, Dr Robert Coles and Tara Cemlyn-Jones, at the AGM.
Once again, I would like to take this opportunity to thank Dr David Stupples and Gordon Matthew for their invaluable contributions as they retired from the Board.

The Board maintains a robust framework of controls and high standards, enabling the company to adapt quickly and securely in a way that safeguards our stakeholders’ longer-term interests. The Board continues to adhere to the Quoted Companies Alliance Corporate Governance Code (the ‘QCA Code’) in line with the London Stock Exchange’s requirement for all AIM listed companies to adopt a recognised corporate governance code. The Chairman’s Corporate Governance Statement on page 23 of this report provides further details.

Significant growth in 2021, set to accelerate in 2022

The last year has been one of rapid growth once again as we emerge from the worst of the pandemic. Crossword is well set for faster growth in 2022. We have experienced leadership, an expert cyber security team and a strong set of best-in-class cyber security products and services to offer in the fast-growing cyber security market.

Our diverse and committed team of employees has performed remarkably during this period and I would like to acknowledge them all. Crossword’s core values of responsibility, openness, flexibility and learning underpin everything we do and will enable our company to accelerate in 2022 and beyond.

SIR RICHARD DEARLOVE KCMG OBE
13 April 2022

Chief Executive Officer’s Review

“I am incredibly pleased with the progress Crossword made in 2021, achieving 43% total revenue growth, and 56% growth in our product and services revenue. We expanded our product portfolio with the addition of Identiproof, our services offering with the addition of Nightingale, and our geographical reach with the opening of our Oman office.
We were delighted to welcome new institutional investors in our February and July 2021 fund raises and are appreciative of the ongoing support of our shareholders. We have welcomed the teams from Stega UK Ltd and Verifiable Credentials into the Crossword fold during 2021, and the team from Threat Status Ltd in March 2022. Crossword employees continue to embody our culture and values of responsibility, openness, flexibility and learning.”

TOM ILUBE CBE
13 April 2022

It is my pleasure, as Chief Executive Officer, to present the Annual Report and audited accounts for Crossword Cybersecurity Plc (‘Crossword’ or the ‘Company’ or the ‘Group’) for the financial year ended 31 December 2021.

Crossword grew strongly in 2021, as the economy and wider society started to emerge from the pandemic, albeit with stops and starts along the way. Overall, the business grew by an impressive 43% through the year. In the period under review, product and services revenue (including Grant Income) grew by 56% over the comparative period. The Group revenue growth of 43% includes software development services to a related party, which have now been discontinued. We were particularly pleased to see consulting services recurring revenue increase by almost 100% over the prior year.

Despite the pandemic reaching new heights and negatively impacting the economy worldwide, the field of cyber security experienced high demand and demonstrated its resilience with another consecutive record year of investment in cyber security firms. Crossword’s products and services have seen a growing demand throughout 2021 leading to another successful year of operations. According to the UK Cyber Security Sectoral Analysis 2022, the UK remains the largest cyber security market in Europe with a total revenue of £10.15bn, which represents growth of 14% from last year’s figure (£8.9bn). The UK maintained its spot as the biggest exporter of cyber services in Europe, increasing its exports from £3.9bn to £4.24bn.
Going into 2021, after a tough period the previous year due to the pandemic, the Executive team was determined to make solid progress in building the business. We decided to accelerate our growth and enhance our product portfolio through a series of tactical acquisitions, and we successfully completed two transactions during the year.

The first was Verifiable Credentials Limited which has been assigned intellectual property from the University of Kent, adding its product ‘Identiproof’ to our product portfolio. Identiproof addresses the growing ‘digital credentials’ market whereby tens of millions of physical certificates (such as academic certificates, insurance documents, health certificates and many others) will be converted into digital certificates that need to be verified to confirm their authenticity. Identiproof was created by Professor David Chadwick, an acknowledged expert and co-author of the global W3C standard in the digital credentials field, who joined Crossword’s team.

The second, Stega UK Limited, the threat intelligence and monitoring company that is particularly strong in the financial services and hedge fund sector, added significant technical expertise, in-depth cyber threat data and thirty new clients, bringing our revenue generating services client base to over 100 organisations.

We also signed a heads of terms for our third acquisition, Threat Status Limited, a threat intelligence company, that we completed in March 2022. Following the acquisition of Threat Status Limited, products Trillion™ and Arc will be incorporated into Crossword’s product suite, completing our aim of having five products in the market by the end of 2022.

Rizikon, Crossword’s leading product, continued to make strong progress as we rolled it out to a wide range of clients, driven by our membership body programme. Our agreement to launch Rizikon to the 10,000 Chartered Institute of Information Security members resulted in great take-up.
We also signed up a number of other membership organisations. As a result, we ended 2021 with more than 500 organisations using Rizikon, either in trials or contracted. We also enhanced the product by integrating Darkbeam cyber risk audits into Rizikon.

Our R&D team, who work closely with universities on cyber risk intellectual property-based product ideas, completed a revenue generating project with the University of Glasgow on privacy governance software. They also completed an Innovate UK-funded project to investigate Manufacturing Supply Chain Risk with Liverpool John Moores University and a number of industry partners. Concepts generated by this project will be used to enhance Rizikon over the coming year.

Crossword’s Consulting division continued to secure projects with major FTSE, mid-market and fast-growing entrepreneurial companies. We are particularly pleased that our consulting services division has secured a good mix of vCISO revenue contracts, which will deliver recurring revenue through 2022 and beyond. vCISO is a virtual/remote CISO (Chief Information Security Officer) service, provided by Crossword Consulting cyber security experts at a fraction of the cost of an in-house CISO. Crossword services recurring revenue, strengthened by the acquisition of Stega UK Ltd, increased by almost 100% over the prior year.

Following consulting and market research projects carried out in the region in 2020, Crossword established an Oman subsidiary, in partnership with Al-Rawahy Holdings, a significant Omani Group with extensive interests across the Gulf region. Our subsidiary, Crossword Cybersecurity LLC, will be the exclusive third-party distributor of Crossword’s existing and future cyber security products, including Rizikon. Our full range of products and services will be made available across the region to help organisations improve their cyber security posture.

On the corporate front, Crossword strengthened its balance sheet, completing a £1.6m equity fundraise in 2021 through a placing and subscription of Crossword Ordinary Shares at a price of 260 pence per share. In May, we completed a 10:1 share split to support liquidity and following the share split, we raised £5m at a price of 30 pence in July 2021. I was delighted with the level of support from our existing shareholders through this period and was very pleased to welcome several major new shareholders.

At our AGM in May 2021, we welcomed two new Board members, Dr Robert Coles and Tara Cemlyn-Jones. Robert was lead partner for KPMG’s Information Security consulting business prior to moving into industry where he held a number of CISO positions at large corporations including GlaxoSmithKline. Robert previously chaired Crossword’s Advisory Board and continues to chair our consulting business. Tara has 28 years’ experience in financial services with specialist knowledge of capital markets, M&A, strategy and digital transformation. We would like to thank Dr David Stupples and Gordon Matthew for their excellent contribution over the years as they retired from the Board at the AGM.

As Crossword continues to grow and mature as an organisation, a keen focus is kept on our wider stakeholder and social responsibilities. Our Polish team reacted quickly to the suffering of Ukrainians evacuating to Poland, putting a donations scheme in place, and sharing experiences with the whole group. Crossword is considering the BCorp accreditation, as we believe that this will provide external parties with confidence that Crossword holds itself to high standards in relation to stakeholders, in areas such as governance, employees, community, environment and customers.

I want to close by thanking all those who helped Crossword accelerate through a tricky year which ended with an excellent result. As we look forward, 2022 looks incredibly exciting for Crossword. We are aiming for 75% revenue growth across the Group and with Crossword’s outstanding team and our culture of responsibility, openness, flexibility and learning, I am confident that we will achieve our goals.

TOM ILUBE
Chief Executive Officer
13 April 2022

Performance Review

FINANCIAL REVIEW

Financial Position

Crossword Cybersecurity plc finished the year with a cash balance of £3.4m.

Results

2021 income (including grant income £152k) was £2.3m; an increase of £696k, 43% on the prior year. The planned termination of the one remaining software development contract resulted in a 39% reduction in development revenue and a 56% increase in product and services (consulting and Nightingale) revenue, Crossword’s core offerings. The shape of the revenue has changed over the previous years; in 2018, software development accounted for 38% of revenue, reducing to 6% in 2021. In 2021, product income (including grant income £152k) grew by 268% (2020: 95%) and accounted for 22% (2020: 8%). Services income grew by 33% (2020: 35%) and accounted for 72% (2020: 78%).

Total comprehensive loss for the year was £2.46m.

Total cost of sales and administrative expenses increased by £1.3m in 2021 compared to 2020. The increase is primarily driven by the increase in staff with full-time equivalents (“FTE”) increasing by 74% compared to the closing FTE at the end of 2020. Organic FTE growth was 48%, with the balance driven by the two acquisitions during the year, Stega UK Limited (“Stega”) and Verifiable Credentials Limited (“VCL”). In 2021, Crossword continued to invest in sales and marketing, and product development, which are the areas which saw the largest FTE growth.

An increase in professional fees in 2021 was driven by two equity fundraises, two acquisitions and the opening of an overseas company in Oman. Crossword completed a £1.6m equity fundraise in February 2021 through a placing and subscription of Crossword ordinary shares at a price of 260 pence per share.
In May, a 10:1 share split to support liquidity was completed and, following the share split, a £5m equity fundraise at a price of 30 pence in July 2021 was completed.

In May 2021, Crossword acquired the whole of the share capital of VCL, the provider of Identiproof™, the World Wide Web Consortium (“W3C”) verifiable credentials compatible middleware and wallet technology. In August 2021, the acquisition of the whole of the share capital of Stega, the threat intelligence and monitoring company, was announced. This acquisition brought the additional capability of threat intelligence and monitoring services, using its sophisticated in-house platform, Nightingale.

Consultancy cost increases were a result of the requirement to use third-party providers to deliver consulting revenue due to a shortage of internal capacity.

The gain on revaluation of financial assets reflects the fair value of shares held.

Cashflows

Net cash inflows of the Group in 2021 were £2.4m. Excluding proceeds from issue of loan notes and cash paid for acquisitions, net cash outflows of the Group were £3.3m (2020: £1.6m).

Taxation

The Group continues to claim research and development tax credits, with £206k accounted for in 2021 (2020: £210k).

KPIs

[Charts: average product and services revenue per client, and number of product and services clients, 2017 to 2021]

Section 172(1) Statement

The Company has complied with the requirements of s414CZA of the Companies Act 2006 by including certain information within the Strategic and Governance Reports, that informs members of the Company how the Directors have considered the matters set out in section 172(1)(a) to (f) of the Companies Act 2006 when performing their duty under section 172 to promote the success of the Company.
The following table outlines where the key content as required by the regulations can be found in this report.

Matters considered by the Board Where to read more in this Annual Report The likely consequences of any decision in the long term The interests of the Company’s employees The need to foster the Company’s business relationships with suppliers, customers and others Strategic Report on page 02 Corporate Governance Report on page 23 Directors Report on page 35 Corporate Social Responsibility on page 08 Corporate Governance Report on page 23 Corporate Governance Report on page 23 The impact of the Company’s operations on the community and the environment Corporate Social Responsibility on page 08 Corporate Governance Report on page 23 The desirability of the Company maintaining a reputation for high standards of business conduct The need to act fairly as between members of the Company Performance Review on page 06 Strategic Report on page 02 Corporate Governance Report on page 23 Corporate Governance Report on page 23 Directors Report on page 35

Corporate Social Responsibility

“I believe every employee will affirm this; Crossword Cybersecurity is an exceptional company that truly cares.”
OMOLOLA ADEYEMI
Technical Product Associate

ENVIRONMENTAL, SOCIAL & GOVERNANCE

As Crossword continues to grow and mature as an organisation, a keen focus is kept on our wider stakeholder and social responsibilities. Crossword is considering the BCorp accreditation. Certified B Corporations, or B Corps, are companies verified by B Lab to meet high standards of social and environmental performance, transparency, and accountability.
We believe that this accreditation will provide external parties with confidence that Crossword holds itself to high standards in relation to stakeholders, in areas such as governance, employees, community, environment and customers.

Crossword recognises that we have a responsibility to manage our environmental impacts carefully, including meeting all legal and regulatory requirements. We are committed to reducing our environmental impact and continually improving our environmental performance as an integral part of our business strategy and operating methods, with regular review points. We will encourage customers, suppliers and other stakeholders to do the same.

At Crossword, we value the people and we believe our greatest strength is a good team of experts. We aim to make progress on gender diversity with the Board being 37.5% women and Advisory Board at 50:50 parity. The Women at Crossword Group was established during 2021 and has met 3 times covering an interesting range of topics and speakers.

Our culture

Our culture is that distinct differentiator which drives our decisions and actions. We are energetic, agile and passionate about the quality of work we deliver. We encourage responsibility early in the lifecycle of an employee’s career, along with which comes valuable learning. We make sure we have fun while doing our work and look out for each other by being open, transparent and flexible to adapt to each other’s needs and the needs of our customers and stakeholders. The Board is committed to promoting a strong ethical and values-driven culture throughout the Company and has a people-oriented ethos where hard work and commitment is recognised.

The benefit of experience

The make-up of our team gives us something unique to offer. It’s rare to find such richness of leadership experience in a small organisation and the advantage of our size is that our leadership team are present, accessible and engaged with the whole team.
Employees will get to know the leadership well and our staff tell us time and time again that they find this level of exposure invaluable in developing their own knowledge and business acumen.

In 2021, we looked after our health and well-being in many ways, including with online yoga classes, a Wellness Week and post-COVID-19, the re-establishment of the Social Committee who organised several enjoyable events. A Mental Health First Aider was appointed to provide support where required. We have a ‘Balance’ channel on Slack, which is a dedicated space to bring interesting articles, blogs, websites and general content about Mental Wellbeing.

Our Mental Wellbeing Policy outlines our provisions to prevent and address mental health issues among our employees. Mental Health is just as important as physical health. Mental ill health may be detrimental to a person as it impacts happiness, productivity, and collaboration. Crossword in the UK has an Employee Assistance Programme (EAP) which includes a wealth of resources like confidential health assessments, online resources, and telephone support.

Company values

Flexibility
We adapt to changing needs and empower our employees with the trust and autonomy they need to deliver high quality work.

Learning
We promote a continuous learning culture and believe that knowledge and competence drive performance and growth of the individual and organisation.

Responsibility
We take the ownership to demonstrate a high standard of work as we are personally responsible for the work we deliver.

Openness
We encourage openness between all employees and with clients; we are inclusive, adaptive, collaborative, and committed to accepting people from diverse backgrounds.

More reasons to join us

Leadership support
Asking for help and support is celebrated and highly encouraged at Crossword. The support can be available in the form of Mentoring, knowledge sharing and we also have a ‘Buddy system’ for new starters.
The Executive team is committed to their team’s professional development.

Great working environment
We strive to better the employee experience by providing proper work equipment and also through workplace engagement surveys which encourage open communication and feedback. Our offices are modern and equipped with kitchen and shower facilities, coffee machines and breakout spaces.

Inclusivity & Diversity
Our collective strength is in our individual uniqueness and the range of experiences we can bring to the table. When we recruit, we don’t look for a ‘Culture fit’, to fit any specific but rather what the person brings, but Our culture is extremely collaborative and adapts to cater to the needs of our biggest asset – our people!

Work-life balance
We are focused on achievements at work, not how long you spend in the office. We believe in being agile and adapt to work around employees’ commitments and working styles. We prioritise our employees’ mental well-being above everything else. All employees are encouraged to take timely breaks to spend time doing what they love and pursue their recreations.

Some of the initiatives which highlight the elements of our culture are as follows:
• Employee Engagement through our Corporate Social Responsibility initiative drives a common goal and brings employees together for a higher purpose. We have partnered with SPEAR, a local charity in Richmond, to raise funds and help the homeless. Our Krakow office employees carry out philanthropic initiatives every year to help the disadvantaged and needy.
• We also have other interesting employee engagement events like our company away days, social events, lunch Mondays, etc.
• Excellent communication channels like Slack, Google Meet, virtual fortnightly coffee mornings allow for an easy flow of communication.
• Flexible and family-friendly policies which enable an enviable work environment.
• Open recognition initiatives as well as a 5-year Long Service Award to acknowledge hard work and commitment to the business.

Principal Risks and Uncertainties

The Board has overall responsibility for ensuring that risk is appropriately managed throughout the business. The Board is aware of the need to conduct regular risk assessments to identify any deficiencies in the controls currently operating over all aspects of the Company. Risks to the achievement of strategic objectives are identified by the Executive. The degree of risk is evaluated by reference to the impact and probability of the risk, considering inherent and residual risk. The Executive considers the nature and extent of the risks, the threat of such risks becoming reality, the ability to reduce the incidence and impact on its business if the risk materialises, and the costs and benefits resulting from operating relevant controls. A Risk Register is prepared and regularly reviewed by the Executive, and shared with the Audit Committee for independent review and robust challenge. The Risk Register includes a plan for mitigation of risks above the risk appetite of the business.

RISKS RELATING TO THE GROUP AND THE INDUSTRY IN WHICH IT OPERATES

1 INTELLECTUAL PROPERTY ACQUISITION AND DEVELOPMENT
Crossword acquires intellectual property (IP) rights from universities via licensing, IP transfer arrangements and acquisitions, and then develops this IP into commercial products. Failure to secure good quality IP deals, and to quickly and appropriately meet new cyber security challenges, will make it difficult for the Group to generate new products.
The success of this strategy depends on the ability of Crossword to source suitable IP and use its expertise in business management, marketing and product development to build solutions attractive to its potential customer base. Ultimately, Crossword will only succeed if it is able to acquire, design, develop and sell new software solutions in a timely fashion that deliver operational reliability and effectiveness.

2 TECHNOLOGICAL CHANGES
Generally, product markets are exposed to rapid technological change, changes in use, changes to customer requirements and preferences, and services employing new technologies and the emergence of new industry standards and practices. The Group operates in a market with such changes, which have the potential to render the Group’s existing technology and products obsolete or uncompetitive. To remain competitive, the Group must ensure continued product improvement, and the development of new markets and capabilities to maintain a pace congruent with changing technology. This added strain may stretch the Company’s capital resources, which may adversely impact the revenues and profitability of the Company. The Company’s success is dependent on the ability to effectively respond and adapt to technological changes and changes to customer preferences. There can be no assurance that the Company will be able to effectively anticipate future technological changes or changes in customer preferences. Furthermore, there is also no assurance that the Company will have sufficient financial resources to effectively respond in a timely manner if such a change is anticipated.

3 REPUTATIONAL RISKS
As a cyber security company, Crossword is very conscious of its external reputation. If the Group is compromised as a result of a cyber incident, it would impact its clients’ confidence. Crossword has an experienced cyber security expert acting as its Chief Information Security Officer (CISO) and a strong technical team who actively seek to mitigate threats. Nonetheless, should an event take place which adversely affects the reputation of the Group, its future prospects and value could suffer.

4 COMPETITION
There is no guarantee against new entrants or current competitors providing superior technologies, products or services to the market. There is no certainty that new entrants or current competitors will not provide equivalent products for a lower price. The Company may be forced to make changes to one or more of its products or to its pricing strategy to effectively respond to changes in customer preferences in order to remain competitive. This may impact negatively on the Company’s financial performance. The Group’s consulting division operates in an environment that includes large international accounting firms and consultancies and a number of smaller niche players. There are very low start-up costs for any new entrant into the market and the Group cannot prevent any person or organisation from seeking to compete with it. There is a risk that an existing competitor or a new entrant may, over time, be able to win work from the Group’s existing and future customers. In addition, larger competitors may, in the future, adopt more aggressive expansion strategies, which could include hiring additional experienced consultants and changing their business model and service offering to one that is directly comparable to that of the Group. This could, in theory, result in a material loss of customers from the Group to larger competitors and therefore have a material adverse impact on the financial performance of the Group.
5 KEY SYSTEM FAILURE, DISRUPTION OR INTERRUPTION
The Company’s reliance on technology exposes the Company to a significant risk in the event that such technology, or the Company’s systems, experience damage, interruption or failure in some form. A malfunctioning of the Company’s technology and systems, or those of key parties, could result in a diminished confidence in the Company’s services, resulting in a consequential material adverse effect on the Company’s operations and results.

6 DEPENDENCE ON THIRD PARTIES AND BUSINESS CONTINUITY
Key components of Crossword’s technology platform may be dependent on the continuing availability of a particular supplier. The software development environment or data processing platforms may become unavailable for an extended period of time thereby disrupting customers’ experience of Crossword’s products and services. Crossword’s business is at risk from disruption of key systems and assets on which it depends. The functioning of the IT systems on which it relies could be disrupted for reasons either within or beyond its control, including but not limited to: accidental damage; disruption to the supply of utilities or services; security breaches; extreme weather events; systems failure; or workforce actions. There is a risk that such disruption may materially and adversely affect Crossword’s ability to offer services to customers and therefore materially and adversely affect its reputation, performance or financial condition.
GENERAL BUSINESS RISKS

7 ABILITY TO RECRUIT AND RETAIN SKILLED PERSONNEL
The Company believes that it has the appropriate incentive structures and culture to attract and retain the calibre of employees and contractors necessary to ensure the efficient management and development of the Company. However, any difficulties encountered in hiring, and retaining, appropriate employees and/or contractors and the failure to do so, or a change in market conditions that renders current incentive structures unattractive, may have a detrimental effect upon the trading performance of the Company. With a recognised shortage of skilled technical people post COVID-19, the ability to attract new employees and contractors with the appropriate expertise and skills cannot be guaranteed.

8 FINANCIAL CONTROLS AND INTERNAL REPORTING PROCEDURES
The Company’s future growth and prospects will depend on its ability to manage growth and to continue to maintain, expand and improve operational, financial and management information systems on a timely basis, whilst at the same time maintaining effective cost controls. Any damage to, failure of or inability to maintain, expand and upgrade effective operational, financial and management information systems and internal controls in line with the Company’s growth could have a material adverse effect on the Company’s business, financial condition and results of operations.

9 TAXATION RISK
The Company is subject to taxation and the application of such taxes may change over time due to changes in laws, regulations or interpretations by the relevant tax authorities. The recent proposed changes to the research and development tax incentives may have an adverse effect on the Company’s results of operations. The continuing status of the Ordinary Shares as a qualifying holding for VCT and/or EIS purposes will be conditional (amongst other things) on the qualifying conditions being satisfied throughout the period of ownership.
There can be no assurance that the Company will continue to conduct its activities in a way that will secure or retain qualifying status for VCT and/or EIS purposes.

10 COUNTERPARTY CREDIT RISK
There is a risk that parties with whom the Company trades or has other business relationships (including partners, customers, suppliers, subcontractors and other parties) may become insolvent. This may be as a result of general economic conditions or factors specific to that company, or exceptional circumstances such as COVID-19. In the event that a party with whom the Company trades becomes insolvent, this could have an adverse impact on the revenues and profitability of the Company.

11 LEGAL RISK
Legal risks include the inability to enforce security arrangements, an absence of adequate protection for intellectual property rights, an inability to enforce foreign judgments relating to contracts entered into by the Company that are governed by law outside England and Wales, absence of a choice of law, and an inability to refer disputes to arbitration or to have a limited choice with regard to arbitration rules, venue and language. Mitigation measures for these risks may also be limited.

12 INSURANCE RISK
There can be no certainty that the Group’s insurance cover is adequate to protect against every eventuality. The occurrence of an event for which the Group did not have adequate insurance cover could have a materially adverse effect on the Group’s business, revenue, financial condition, profitability, results, prospects and/or future operations.

13 ECONOMIC CONDITIONS
The Group could be affected by unforeseen events outside its control including economic and political events and trends, inflation and deflation or currency exchange fluctuations.
There is likely to be global economic impact as a result of the Ukraine crisis. The impact is likely to include interrupted power supply, disruption to financial markets and higher inflation. Any economic downturn either globally or locally in any area in which the Group operates may have an adverse effect on the demand for the Group’s products and services. A more prolonged economic downturn may lead to an overall decline in the volume of the Group’s activities and sales, restricting the Group’s ability to realise a profit. The markets in which the Group offers its services are directly affected by many national and international factors that are beyond the Group’s control.

14 CURRENCY EXCHANGE RISK
The Group’s functional currency is Sterling. One subsidiary, Crossword Cybersecurity Sp. Z.o.o is based in Poland, and another subsidiary, Crossword Cybersecurity LLC, is based in Oman. Crossword Cybersecurity Sp. Z.o.o, where the functional currency is zloty, accounts for approximately 11 per cent of the total costs of the business. Crossword Cybersecurity LLC’s functional currency is Omani rials, which is pegged to the US Dollar. Exposure to this and other exchange rates may affect the Company’s results. The Company may consider implementing policies to limit its currency exposure and will consider currency hedging instruments when they prove to be available and cost-effective.

15 GOING CONCERN RISK
The £6.6m placings in February and July 2021 put the Company in a strong financial position at that time. The acquisition of Threat Status Limited in March 2022 reduced cash resources by £714k. In December 2022, the £1.4m convertible loan notes mature. There is an expectation by the Directors, based on current growth plans, that the Company will replace the convertible loan notes with further debt. There is a risk that the Group will not be able to raise cash when it is required.
This could be as a result of poor performance within the Group or turmoil within the markets following COVID-19, or other economic issues such as the Ukraine crisis.

Rizikon Assurance

RIZIKON HELPS YOU STAY ON TOP OF YOUR CYBER SECURITY AND SUPPLY CHAIN RISK

Rizikon is an online platform that improves third-party assurance and risk management, by providing efficiency, automation and better visibility. You count on third party companies to fulfil essential services for your business. You also count on them to protect the security of the data and the availability of the services with which they are entrusted. Your customers, partners, regulators and board count on you to keep track of all your suppliers and continuously monitor for security risks. Many organisations use manual processes for their cyber security based supplier assessments, sending spreadsheet, Word or PDF questionnaires by email, but this quickly becomes a cumbersome manual process. Rizikon Assurance makes it easy to manage, assess and act on your cyber based supply chain risks.
AUTOMATION AND EFFICIENCY IN YOUR CYBER SECURITY ASSESSMENT PROCESS:

• Create and send cyber security questionnaires at scale from a single online portal
• Control of all assessments and responses in a single place with tracking of any changes and an audit trail of updates
• Suppliers receive a link to an intuitive online interface with smart questionnaires meaning a supplier only sees the questions that are appropriate to them - no more supplier confusion
• Assessments instantly generate a report with a visual scorecard of risk as soon as the assessment is completed and submitted by the supplier
• Track progress, send reminders and communicate with your suppliers all in one place
• Flag answers to suppliers and provide notes, such as requests for clarification or additional evidence upload
• A document repository for suppliers to upload evidence, such as policies and certifications which can be tracked for expiry dates
• A single heatmap view of your suppliers based on the results of the assessments completed
• Run non-intrusive digital risk audits on demand to generate a technical cyber risk rating and to identify indicators of weakness in the cyber posture of your suppliers

Customer testimonials

“We continue in our mission to reduce the cyber risks for our clients by providing a portfolio of innovative products and services.” TOM ILUBE CEO 14 March 2022

“Rizikon has helped us make our supplier onboarding processes more efficient, improving the consistency of communications with suppliers, which has given us insight into new ways of reviewing risks.
NNL can manage any query related to the completion of assessments securely through this platform, which makes the process quicker and more efficient, especially with features such as credit checks, and integration with Dark Beam for cyber security audits.” VICTORIA McCONVILLE Senior Business Analyst – Procurement, at National Nuclear Laboratory

“All of our supplier onboarding communication and management now takes place in Rizikon. As a result, we have halved the time we spend on supplier management and made the process easier for our suppliers. All the information and discussions about questionnaires is kept in one place and we can clearly see when forms were completed and by whom, removing any nonrepudiation risk.” VICTOR MIHAILESCU Head of Security at Spotlight Sports Group

“The solution developed by Rizikon Assurance will become one of our key tools in identifying, quantifying and managing the risk and compliance with our suppliers and service providers. The customisable nature of this system has enabled us to focus the attention on the areas which are of the greatest significance to our business.” RICHARD JOHNSON Leader for Procurement & Supply Chain at Barron McCann

The Board

The Directors in office during the year and at the date of this report are as shown below:

Sir Richard Dearlove KCMG OBE
Non-Executive Chairman
Appointment Date: 1 September 2016

Thomas Ilube CBE
Chief Executive Officer
Appointment Date: 6 March 2014

Mary Dowd
Chief Financial Officer
Appointment Date: 14 June 2018

Dr Robert Coles
Independent Non-Executive Director
Appointment Date: 25 May 2021

Skills and Experience: Sir Richard brings to the Board extensive experience across government, education and global business.
Sir Richard joined MI6 in 1966, undertaking various overseas and head office roles before being promoted to Chief of the Secret Intelligence Service in 1999. He retired from the Service in 2004. External Appointments: Sir Richard is presently Chair of Trustees of University of London, Chairman of Ascot Underwriting Limited at Lloyd’s of London and a Director of Kosmos Energy, the New York Stock Exchange listed oil and gas exploration company. Sir Richard is a Director of The Cambridge Security Initiative 2017 and the Cambridge Arts Theatre Trust Limited. He also holds several advisory roles. Committee Memberships: None

Skills and Experience: Robert is a highly experienced IT Risk and Cyber Security leader. He is the former Chief Information Security Officer of GlaxoSmithKline (GSK) and of the NHS, with over 30 years’ commercial experience. Prior to his time at the NHS, Robert worked for GSK from 2013 and was the company’s Chief Information Security Officer (CISO). Before GSK, Robert served as CISO for the National Grid and Merrill Lynch. Robert has extensive links with major industry information security networking groups and government security agencies. Robert is Chair of the Group’s subsidiary, Crossword Consulting Limited. External Appointments: Honorary Professor at UCL, Governor of University of Brighton. Committee Memberships: Nomination (Member)

Skills and Experience: Tom is founder and CEO of Crossword. Tom served as Chief Information Officer of Egg Banking PLC, which at the time was a pioneering main market listed UK internet bank. Tom chaired the UK Government Technology Strategy Board’s Network Security Innovation panel. He was a member of the High Level Expert Group on cyber security at the International Telecommunication Union (ITU), a Geneva-based UN agency.
He was awarded a Doctor of Science (Honoris Causa) by City, University of London, an Honorary Doctor of Technology by the University of Wolverhampton and was appointed a CBE in the 2018 Birthday Honours for services to Technology and Philanthropy. External Appointments: Non-Executive Director of WPP PLC and Chair of the RFU. Director of Iternal Limited, Advisory Fellow of St Anne’s College, Oxford and member of African Gifted Foundation. Committee Memberships: None

Skills and Experience: Mary was most recently Chief Operating Officer for Europe, the Middle East and Africa, and previously Chief Financial Officer at Cordium Consulting Group Limited, a leading provider of governance, risk and compliance services, with operations in London, Hong Kong, Malta, New York, Boston and San Francisco. Mary brings over 20 years’ experience of working alongside business leaders. She has demonstrated a track record of managing finance teams to ensure timely delivery of relevant financial information to all stakeholders, providing clear leadership, continuous process improvement, and excellent communication. She also brings to Crossword extensive experience of working in acquisitive businesses and providing transactional support. Mary graduated from University College Galway, Ireland and has a postgraduate Diploma in Business Studies from the same university. She is a Fellow of the Chartered Institute of Management Accountants. External Appointments: The Groundwork South Trust Limited. Committee Memberships: None

Dr David Secher, Ruth Anderson, Tara Cemlyn-Jones

Independent Non-Executive Director
Appointment Date: 16 June 2014
Skills and Experience: David is an international expert in intellectual property, technology transfer and research management. His experience includes Japan, Jordan, South Africa, Brazil, Chile, Australia, Argentina, India, Saudi Arabia and Lebanon as well as Europe and the USA.
David is a Life Fellow and until 2018 was Senior Bursar at Gonville & Caius College, Cambridge where he was responsible for the investment of a £210m endowment. David was co-founder and chairman of Praxis (now PraxisAuril), the leading UK technology transfer training programme, of which he is now Patron. He served as Director of Research Services, University of Cambridge, where he was responsible for creating and directing a new division of 80 staff, for designing and implementing an intellectual policy for the university and for technology transfer throughout the university resulting in £2m licensing revenue, 40 new licences and six spin outs per year. David was Chief Executive of N8 Limited, a consortium of eight research-intensive universities in the North of England, securing initial funding of £6m from Regional Development Agencies. His earlier career was in molecular biology research with MRC Laboratory of Molecular Biology, Celltech Limited and Cancer Research Campaign (now Cancer Research UK). David held or was named on three patents and is the holder of a Lifetime Queen’s Award for Enterprise Promotion for creating ‘environments that favour enterprise, specialising in the practical aspects of commercialising the results of academic research’. External Appointments: David is a Director of Cambridge KT Limited, Trustee of Cambridge United Charities, Chairman of Fitzwilliam Museum (Enterprises) Limited and Hon. Treasurer of the César and Celia Milstein Foundation. David is Interim Bursar of Trinity College, Cambridge. Committee Memberships: Audit (Chair), and Remuneration (Member). 
Independent Non-Executive Director Independent Non-Executive Director Appointment Date: 1 February 2018 Appointment Date: 25 May 2021

Skills and Experience: Tara has 28 years’ experience in financial services with specialist knowledge of capital markets, M&A, strategy and digital transformation across many sectors, including financial services (asset & wealth management, retail banking and fintech), energy & infrastructure and healthcare. Tara was head of M&A at Lastminute.com and has held senior positions at Schroders, Citigroup and Espirito Santo Investment Bank. External Appointments: 25x25 Ltd

Skills and Experience: Ruth has over 15 years’ experience in the fields of security, intelligence, cyber crime and risk management. She brings to the Board extensive experience across defence and law enforcement sectors and within financial services, developing and implementing cyber risk governance frameworks. Ruth is currently Chief Operating Officer for Technology, Security and Data divisions at Lloyds Banking Group. She was previously a Director of Cyber in the Financial Services Department of KPMG. She served as the Head of Specialist Operational Support and also as the Head of Intelligence at the Child Exploitation and Online Protection Centre, where she delivered the first-ever strategic threat assessment on child abuse in the online environment. Prior to this, Ruth served in intelligence and security in the British Army. External Appointments: None. Committee Memberships: Audit (member), Remuneration (Member) and Nomination (Member).
Andy Gueritz
Independent Non-Executive Director
Appointment Date: 21 September 2015
Skills and Experience: Andy is an experienced Senior Advisor with a successful track record in helping clients improve and transform their business by managing technology better and creating new technology-based ventures. In recent years, Andy has advised clients in a broad range of industries on topics such as business/technology strategy and investment planning; customer data analytics; transformation for innovation and agility; performance improvement and cost optimisation, and other ways using technology to get and deliver better value. As a Vice President at marchFIRST (formerly Mitchell Madison Group), Andy led the European B2B eCommerce Strategy and IT Strategy Practices. Before becoming a consultant, he attained Board-level responsibility in a successful career in software development and systems implementation. At K2 Systems PLC (subsidiary of 4Front Technology Inc.), he was Customer Service and Development Director, responsible for all client service and delivery operations, amongst other roles. Notable systems implemented in his time at K2/4Front include, bespoke procurement, telesales and billing systems; a call centre based on workflow and CTI technologies; and a client-server insurance claims handling system, incorporating document image processing. Prior to 4Front, Andy was a Development Executive at McDonnell Douglas Information Systems and also worked for Marconi Defence Systems on a number of electronic warfare and guided weapons projects. Andy is a Chartered Fellow of the BCS (FBCS), Chartered IT Practitioner (CITP), Chartered Engineer (C.Eng), Fellow of the IET (FIET), and a European Engineer registered at FEANI. He holds a First Class Honours degree in Electrical and Electronic Engineering with Computer Science from Queen Mary University of London. External Appointments: None. Committee Memberships: Audit (member), Remuneration (Chair) and Nomination (Chair).

THE EXECUTIVE BOARD

Thomas Ilube CBE
Chief Executive Officer
Appointment Date: 6 March 2014
Skills and Experience: Tom is founder and CEO of Crossword. Tom chaired the UK Government Technology Strategy Board’s Network Security Innovation panel. He was a member of the High Level Expert Group on cyber security at the International Telecommunication Union (ITU), a Geneva-based UN agency. Tom was appointed a CBE in the 2018 Birthday Honours for services to Technology and Philanthropy. External Appointments: Non-Executive Director of WPP PLC, chair of RFU, Director of Iternal Limited, Advisory Fellow of St Anne’s College, Oxford and member of African Gifted Foundation.

Mary Dowd
Chief Financial Officer
Appointment Date: 14 June 2018
Skills and Experience: Mary brings over 20 years’ experience of working alongside business leaders. She has demonstrated a track record of managing finance teams to ensure timely delivery of relevant financial information to all stakeholders, providing clear leadership, continuous process improvement, and excellent communication. She also brings to Crossword extensive experience of working in acquisitive businesses and providing transactional support. Mary graduated from University College Galway, Ireland and has a postgraduate Diploma in Business Studies from the same university. She is an associate member of the Chartered Institute of Management Accountants. External Appointments: The Groundwork South Trust Limited.

Jake Holloway
Chief Product Officer
Jake has over 30 years of experience in technology across a wide range of industries and roles – including as CTO and Head of Product for two well-known software houses, and as CEO/Founder of an innovative Online Systems House. In his two most recent roles before joining Crossword, he was advising Worldpay on their separation from RBS, and founded Xendpay, a Fintech startup, where he was COO. Jake authored books on project management in 2015 and 2016.

Stuart Jubb
Group Managing Director
Stuart joined Crossword from KPMG where he was Associate Director, Defence & Security. Prior to that, he was Chief Operating Officer of a global consulting team of over 200 in KPMG Advisory. Stuart spent nine years as an officer in HM Forces, after Sandhurst, serving in Afghanistan, NATO and elsewhere.

Sean Arrowsmith
Group Sales Director
Sean has over 20 years’ sales experience in cyber/information security and technology. He was previously Group Sales Director at IRM Limited, the World Class Centre in Cyber Security of Altran Technologies SA, the global innovation and engineering consulting firm. Here, Sean was accountable for revenue target achievement across all of IRM’s business streams including consulting, software and training. Prior to that, Sean was responsible for leading consulting sales at Siemens Insight Consulting.
THE ADVISORY BOARD

Alison Dyer
Chair of the Advisory Board
Alison Dyer joined URENCO, a global supplier of enrichment services and fuel cycle products, in 2018 and is responsible for all aspects of their information and cyber security, covering both information and operational technology. Prior to this, Alison was Director of GlaxoSmithKline’s (GSK) global cyber security programme, where she led multiple strategic delivery workstreams including security technology, governance, culture, third party management and operational technology security. Alison holds a BEng in Mechanical Engineering from Imperial College, London and an MSc in Information Security from Royal Holloway University.

General Nick Houghton, Baron Houghton of Richmond, GCB CBE DL
Advisory Board Member
General the Lord Nick Houghton (Baron Houghton of Richmond) brings unparalleled experience across both government and business. In July 2013, General Houghton assumed the appointed position of Chief of the Defence Staff of the British Armed Forces, retiring in 2016. Previously General Houghton was Vice Chief of the Defence Staff from May 2009. Educated at Sandhurst and Oxford, General Houghton commanded 1st Battalion The Green Howards and an Infantry Brigade in Northern Ireland. Following his retirement from the army, General Houghton became the 160th Constable of the Tower of London and a Trustee of Historic Royal Palaces.

Naina Bhattacharya
Advisory Board Member
Naina Bhattacharya is Global Chief Information Security Officer at Danone S.A., the multinational food product corporation with over 100,000 staff in 120 countries. She is responsible for delivering the cyber security vision and roadmap for the company. Prior to Danone, she worked in consulting and had the privilege of working on complex cyber security and data privacy projects across multiple companies in several industries. She is passionate about diversity and inclusion with a specific interest in increasing the representation of women in technology. Naina holds a BEng in Computer Science from BITS, Pilani, India and a post-graduation in management from the Indian School of Business in Hyderabad.

Professor David Stupples
Advisory Board Member
David is currently Director of the Centre for Cyber and Security Sciences at City University London. In his early career, he was employed as an engineer in signals intelligence in the Royal Air Force followed by a period of intensive research into surveillance systems at the Royal Signal and Radar Establishment, Malvern. He spent three years developing highly secure communications for surveillance satellites for Hughes Aircraft Corporation in the United States of America. Later, he became a senior partner with PA Consulting Group where he undertook surveillance and intelligence systems research for Ministry of Defence (Navy) and was responsible for consultancy in secure communications and surveillance systems for world-wide clients. Since 2003, David has been researching internet security at City University focused on cyber terrorism and organized cyber crime for both the UK government and commercial companies. However, he still maintains an active interest in radar surveillance research. Professor Stupples is a member of the Defence Scientific Advisory Council (DSAC), the Defence Procurement Agency’s Independent Advisory Board on Systems Integration, and he consults worldwide in cyber intelligence.

Corporate Governance Report

CHAIRMAN’S INTRODUCTION

The Directors acknowledge the importance of high standards of corporate governance and have adopted the principles set out in the Quoted Companies Alliance Corporate Governance Code for Small and Mid-Size Quoted Companies (the ‘QCA Code’) 2018, given the Group’s size and the constitution of the Board. The QCA Code sets out a standard of minimum best practice for small and mid-size quoted companies, particularly AIM companies.

The Chairman and the Board accept the importance and responsibility of setting good corporate culture, values and behaviours. The Board also acknowledges its responsibility in delivering the long-term success of the Company for the benefit of shareholders and other stakeholders.

This Corporate Governance Report describes how the Company has applied the principles and standards set out in the Code during the year and, to the extent it has not done so, any deviations from them. It is the Board’s view that the Company has complied with all of the provisions of the Code during the year ended 31 December 2021.

PRINCIPLE 1: ESTABLISH A STRATEGY AND BUSINESS MODEL WHICH PROMOTE LONG-TERM VALUE FOR SHAREHOLDERS

The Company’s Strategic Report is on pages 02 to 17 of this report.

Crossword’s vision is to partner with organisations to keep them secure in the digital world. The Group reduces cyber risks for their clients by providing a portfolio of innovative products and services, powered by university and other research-driven insights.

Crossword Cybersecurity plc focuses on the development and commercialisation of cyber security and risk management-related software and cyber security consulting and threat intelligence services. The Group’s specialist cyber security product development and software engineering teams develop the concept into a fully-fledged commercial product that it will then take to market.
The Group’s aim is to build up a portfolio of revenue generating, intellectual property-based, cyber security products.

Rizikon Assurance, Crossword’s leading product, is a SaaS platform that enables medium to large companies to assess and manage all risks from their suppliers. Nixer CyberML is a new tool for businesses that want to solve advanced security and cybercrime problems, such as detecting and dealing with compromised accounts, fraud, and in-application denial of service attacks. Identiproof, Crossword’s third product, is the World Wide Web Consortium (W3C) verifiable credentials compatible middleware and wallet technology. Trillion™ and Arc are the latest additions to Crossword’s product suite, offering some of the strongest and most advanced credential leak monitoring services in the market.

Crossword’s team of expert cyber security consultants leverages years of experience in national security, defence and commercial cyber intelligence and operations to provide bespoke cyber security consulting advice tailored to its clients’ business needs, including threat monitoring using Nightingale, our world class platform.

Where appropriate, Crossword will transfer the IP to separate companies in which it will retain a commercial interest. So far, Crossword has been instrumental in the development of two such companies, ByzGen Limited and CyberOwl Limited.

PRINCIPLE 2: SEEK TO UNDERSTAND AND MEET SHAREHOLDER NEEDS AND EXPECTATIONS

Crossword is committed to engaging with its shareholders to ensure that its strategy, business model and performance are clearly understood. The Company communicates with shareholders and potential investors through a variety of channels, including webinars, regular financial reporting, direct contact with its major shareholders and release of regulatory announcements, which are available on its website.
Regulatory announcements include details of the Company’s website and the relevant contact at the Company, as well as its professional advisors.

The Annual General Meeting (AGM) provides another opportunity for dialogue between shareholders and the Board. The Chair of the Board and of the Committees, together with other Directors, routinely attend the AGM and are available to answer questions raised by the shareholders. At the meeting, for each vote, the number of proxy votes received for, against and withheld is announced. The results of the AGM are subsequently published on the Company’s website and released via a regulatory information service provider.

A range of corporate information, including all Company announcements, is also available to shareholders, investors and the public on the Company’s corporate website, www.crosswordcybersecurity.com.

PRINCIPLE 3: TAKE INTO ACCOUNT WIDER STAKEHOLDER AND SOCIAL RESPONSIBILITIES AND THEIR IMPLICATIONS FOR LONG-TERM SUCCESS

Apart from our shareholders, our most important stakeholder groups are our employees, our clients and partners and the universities we work with. The Board is regularly updated on stakeholder feedback and their potential impact on our business to enable them to understand and consider the feedback in decision-making. The Board understands that maintaining the support of all its stakeholders is paramount for the long-term success of the Company.

Employees

Crossword aims to provide an environment which will attract, retain and motivate its team. The Company has a growing number of permanent staff employed across the UK and Poland and therefore employee engagement with the senior management, who pride themselves on their availability and flexibility, is frequent through daily discussions and meetings.
Staff are encouraged to give regular feedback in relation to their needs, interests and expectations on away days, general discussions or one-to-one meetings with their line managers. These can then be addressed at the fortnightly management meeting to all senior members of the team where further actions will be discussed. Furthermore, the team engages in a weekly call where staff are able to communicate with all levels of the team across both countries.

Crossword reviews its processes and policies, which are guided by our values of Responsibility, Openness, Learning and Flexibility, to make continuous improvements for its staff. The Company has developed its induction programme for new staff, engages with employees to maintain its culture and values and expected behaviours, performs exit interviews in the event people decide to leave the business, and follow-up interviews with new employees. Crossword is supportive of career development of its employees and provides training programmes and Masters degree opportunities where appropriate.

Crossword’s clients and partners

Crossword develops mutually beneficial commercial relationships with companies to support sourcing and commercialising cyber security intellectual property originating from university and other research projects and evaluating and exploiting routes to distributing and reselling its products. Crossword recognises that the establishment of a close working relationship with its partners is essential for its long-term success. Crossword maintains its relationship with its partners through regular meetings, mutual understanding and aligned objectives. Feedback from partners is communicated to the relevant teams and the Board as appropriate.

Crossword interacts closely with its clients to understand the cyber issues organisations are facing, in order to support clients and help them to reduce cyber risks.
Crossword provides a portfolio of innovative products and services, aimed at addressing risks clients have identified.

Universities

Crossword has excellent connections with universities in the UK and elsewhere through members of the Board and Management, who include some of the most highly regarded experts in IP commercialisation and the cyber security sector. Crossword maintains regular interaction with the universities with which it engages. This is predominantly achieved by digital means (e.g. frequent email exchanges and video calls), in which both parties can feedback to one another to ensure their needs are being met. The team also has face-to-face meetings with academics and works alongside universities at various events, such as talks and conferences. This continuous engagement with universities is paramount to the long-term success of the Company.

Social responsibility

Crossword partners with charities both in the UK and Poland, where our offices are based. Crossword employees propose and vote on which charity they would like to support. Previously work has been undertaken to help a charity in their efforts to support the homeless and lead them to independence. In Poland, Crossword is supporting one of the largest, most recognisable and effective social schemes in Poland which implements and develops a system of smart, personalised aid that is unique in the world.

PRINCIPLE 4: EMBED EFFECTIVE RISK MANAGEMENT, CONSIDERING BOTH OPPORTUNITIES AND THREATS, THROUGHOUT THE ORGANISATION

Audit, risk and internal control

Financial controls

The Group has an established framework of internal financial controls, the effectiveness of which is regularly reviewed by the Executive Management, the Audit Committee and the Board, in light of an ongoing assessment of significant risks facing the Group.

• The Board is ultimately responsible for the effectiveness of the Group’s system of internal controls.
Its key strategy has been to establish financial reporting procedures that provide the Board of Directors with a reasonable basis upon which to make judgements as to the financial position and prospects of the Group. Executive Directors and Non-Executive Directors have been appointed by the Board to assist with the implementation of this strategy and report progress to the Board.
• The Audit Committee has the primary responsibility for monitoring the quality of internal controls to ensure that the financial performance of the Group is properly measured and reported on. It receives and reviews reports from the Group’s management and external auditors relating to the interim and annual accounts and the accounting and internal control systems in use throughout the Group. The Audit Committee meets not less than three times in each financial year and has unrestricted access to the Group’s external auditors.
• Regular budgeting and forecasting is conducted to monitor the Group’s ongoing cash requirements and cash flow forecasts are circulated to the Board.

The Group continues to review its system of internal control to ensure compliance with best practice, whilst also having regard to its size and the resources available.

Standards and policies

The Board is committed to maintaining appropriate standards for all the Group’s business activities and ensuring that these standards are set out in written policies. Key examples of such standards and policies include:

• Anti-bribery and Corruption Policy
• Information Security Policy
• Data Protection Policy
• Share Dealing Code.

All policies are documented and senior managers and Directors are responsible for monitoring the compliance of these policies.

Approval process

All contracts are required to be reviewed and signed by a Director of the Company.

• The Group has a Risk Register which identifies the potential possibility and impact of risks associated with the Group and allocates an owner to mitigate each risk.
The Risk Register is updated by the Chief Financial Officer and reviewed by the Executive, the Audit Committee and the Board.

Non-financial controls

The Board has ultimate responsibility for the Group’s system of internal control and for reviewing its effectiveness. However, any such system of internal control can provide only reasonable, but not absolute, assurance against material misstatement or loss. The Board considers that the internal controls in place are appropriate for the size, complexity and risk profile of the Group. The principal elements of the Group’s internal control system include:

• Close management of the day-to-day activities of the Group by the Executive Directors;
• An organisational structure with defined levels of responsibility, which promotes entrepreneurial decision-making and rapid implementation whilst minimising risks;
• Central control over key areas such as capital expenditure authorisation and banking facilities;
• A comprehensive annual budgeting process producing a detailed integrated profit and loss, balance sheet and cash flow, which is approved by the Board; and
• Detailed monthly reporting of performance against budget.

PRINCIPLE 5: MAINTAINING THE BOARD AS A WELL-FUNCTIONING, BALANCED TEAM, LED BY THE CHAIR

Composition, qualification and independence of the board

The Board comprises six Non-Executive and two Executive Directors. The names and responsibilities of the current Directors, together with their biographical details, are set out on pages 18 to 20.

[Chart: Board gender split: Female 37.5%, Male 62.5%]

The Board considers each of the Non-Executive Directors to be independent in character and judgement. Two of the Non-Executive Directors do not meet the strict criteria for independence set out in the QCA Code, due to their participation in the Company’s share option arrangements, as part of their remuneration arrangements.
The Board considers that the ownership of shares and participation in the Company’s share options to certain of the Non-Executive Directors encourages the alignment of their interests with those of the Company’s shareholders and are not material enough to compromise their independence, character and judgement. Therefore, the Company considers all Non-Executive Directors to be independent for the purposes of the QCA Code.

The Non-Executive Directors provide independent, robust and constructive challenge to the Executive Management and monitor the performance of the management team in delivering the agreed objectives. All Directors have disclosed their other significant commitments and confirmed that they have sufficient time to discharge their duties effectively.

Appointment and tenure

The Board makes decisions regarding the appointment and removal of Directors and there is a formal, rigorous and transparent procedure for appointments, some of which has been delegated to the Nomination Committee. Appointments are made on merit, taking account of the balance of skills, experience and knowledge required. The Company’s Articles of Association require that all Directors retire by rotation at regular intervals and that any new Directors appointed during the year must stand for election at the AGM immediately following their appointment.

PRINCIPLE 6: ENSURE THAT, BETWEEN THEM, THE DIRECTORS HAVE THE NECESSARY UP-TO-DATE EXPERIENCE, SKILLS AND CAPABILITIES

The names and responsibilities of the current Directors, together with their biographical details, are set out on pages 18 to 20. The Board believes that its composition brings a desirable range of skills and experience in light of the Group’s challenges and opportunities following Admission, while at the same time ensuring that no individuals or a small group of individuals can dominate the Board’s decision-making.
The current Board, although considered to have a sufficient level of skills in all areas of the business, is always looking to improve and further its knowledge of the industry. All Directors receive regular and timely information on the Group’s operational and financial performance and on technical issues.

Induction

Upon appointment, all Directors are provided with training in respect of their legal, regulatory and governance responsibilities and obligations, in accordance with the UK regulatory regime. The induction includes face-to-face meetings with Executive Management and site visits to orientate and familiarise the new Directors with the Company’s industry, organisation, business, strategy, commercial objectives and key risks. The Board is kept up to date on legal, regulatory and governance matters at Board meetings. Additional training is available on request, where appropriate, so that Directors can update their skills and knowledge as applicable.

Independent advice

All Directors are able to take independent professional advice in the furtherance of their duties, if necessary, at the Company’s expense. In addition, the Directors have direct access to the advice and services of the Company Secretary and Chief Financial Officer.

PRINCIPLE 7: EVALUATE BOARD PERFORMANCE BASED ON CLEAR AND RELEVANT OBJECTIVES, SEEKING CONTINUOUS IMPROVEMENT

Board effectiveness review

The Board undertook a further evaluation of its performance during the financial year. Some of the main themes and focus areas resulting from the evaluation included:

• Focus on strategy and Company culture;
• Managing and communicating risk and implementing internal controls;
• Shareholder sentiment;
• Diversity; and
• Board Development and Succession Planning.

The Board has continued throughout the year to measure progress against the recommendations resulting from the Board evaluation and will continue to assess its effectiveness in implementing new processes to achieve the recommendations.

Furthermore, the Board conducted an evaluation in March 2022 to assess current performance and the progress made against the key focus areas. The Nomination Committee and Board were satisfied that previous recommendations and focus areas had been implemented and were being continually assessed.

The Nominations Committee will regularly review the structure, size and composition (including the skills, knowledge, independence, experience and diversity) of the Board and make recommendations concerning plans for succession for both Executive and Non-Executive Directors and in particular for the key roles of Chair and Chief Executive Officer.

PRINCIPLE 8: PROMOTE A CORPORATE CULTURE THAT IS BASED ON ETHICAL VALUES AND BEHAVIOURS

The Board is committed to promoting a strong ethical and values-driven culture throughout the Company and has a people-oriented ethos where hard work and commitment are recognised. The Company has articulated its values as Responsibility, Openness, Learning and Flexibility, and develops its values and expected behaviours on an ongoing basis. Crossword also recognises that employees will have interests outside work and consequently supports flexibility around these interests.

PRINCIPLE 9: MAINTAIN GOVERNANCE STRUCTURES AND PROCESSES THAT ARE FIT FOR PURPOSE AND SUPPORT GOOD DECISION-MAKING BY THE BOARD

The role of the Board

The Board is responsible for the long-term success and strategic leadership of the Group. It is responsible for reviewing, formulating and approving the strategy of the Group and its subsidiaries, corporate actions and overseeing the Group’s progress towards its goals. In addition, it also approves the annual and interim results and monitors the exposure to key business risks.
The Board’s full responsibilities are set out in a schedule of matters reserved for the Board. The matters reserved for the attention of the Board include:

• The approval of interim and annual financial statements, dividends and significant changes in accounting practices;
• Review of bi-monthly financial statements;
• Board membership, reviewed by NOMAD, and powers including the appointment and removal of Board members, determining the terms of reference of the Board and establishing the overall control framework;
• AIM-related issues including the approval of communications to the London Stock Exchange and communications with shareholders will be dealt with by the Market Disclosure Committee and reviewed by the NOMAD, or delegated by the Board to the Executive Directors;
• Senior management, remuneration, contracts, and the grant of share options will be addressed by the Remuneration Committee;
• Key commercial matters where the financial commitment is in excess of £50,000 per annum;
• Taking of loans or other credit;
• Financial matters including the approval of the budget and financial plans and performance against such plans and budgets;
• Approval of the appointment of the current period auditor, year-end audited statutory accounts and audit-related queries addressed by the Audit Committee;
• Risk management review;
• Changes to the Company’s capital structure, its business strategy, acquisitions and disposals of businesses, and capital expenditures outside of budget approval; and
• Other matters including, but not limited to, health and safety policy, insurance and legal compliance.

Role of the Chairman and Chief Executive Officer

There is a clear division of responsibility at the head of the Company.
The Chairman is responsible for running the business of the Board and for ensuring appropriate strategic focus and direction, whilst the Chief Executive Officer is responsible for proposing the strategic focus to the Board, implementing it once approved, and overseeing the management of the Company through the Executive Management. The Chief Executive Officer is also responsible for communicating with shareholders, assisted by the Chief Financial Officer. This separation of responsibilities is clearly defined and agreed by the Board.

Board and Committee meetings

The Board meets at least six times each year, in accordance with its scheduled meeting calendar (these may be supplemented by additional meetings as and when required) to review, formulate and approve the Group’s strategy, budgets, corporate actions and oversee the Group’s progress towards its goals.

At each meeting, the Board considers a number of matters, which include technical, operational, financial, risk and corporate governance reports, in addition to an update from its Committees, where applicable.

Any Director can challenge proposals, and decisions are taken democratically after discussion. Any Director who feels that any concern remains unresolved after discussion may ask for that concern to be noted in the minutes of the meeting, which are then circulated to all Directors. Specific actions arising from such meetings are agreed by the Board or relevant committee and then followed up by Management.

The Group has established an Audit Committee, a Remuneration Committee, and a Nomination Committee, each with formally delegated duties and responsibilities outlined within terms of reference reviewed and approved by the Board on an annual basis. From time to time, separate committees may be set up by the Board to consider specific issues when the need arises.

The Board and its Committees are supported by the Company Secretary, who ensures that the Board receives regular and timely information ahead of each meeting. A formal agenda is produced for each meeting and the Company Secretary distributes papers several days before meetings take place to provide the Board with sufficient time to consider the matters to be discussed. Each Committee has access to such resources, information and advice as it deems necessary, at the cost of the Company, to enable it to discharge its duties.

The table below sets out the attendance record of individual Directors at the scheduled and unscheduled Board meetings held during the year:

Name                 Board Meetings   Audit   Nomination   Remuneration
Richard Dearlove     3/6              –       –            –
Tom Ilube            6/6              –       –            –
Andy Gueritz         6/6              2/2     1/1          2/2
Ruth Anderson        6/6              2/2     0/1          1/2
David Secher         6/6              2/2     1/1          –
David Stupples*      3/3              –       0/1          1/2
Gordon Matthew*      2/3              –       –            1/2
Mary Dowd            6/6              –       –            –
Tara Cemlyn-Jones*   3/3              –       –            –
Robert Coles*        3/3              –       –            1/1

* Both David Stupples and Gordon Matthew resigned from the Board on the 25 May 2021. Tara Cemlyn-Jones and Robert Coles were appointed to the Board on the 25 May 2021.

PRINCIPLE 10: COMMUNICATE HOW THE COMPANY IS GOVERNED AND IS PERFORMING BY MAINTAINING A DIALOGUE WITH SHAREHOLDERS AND OTHER RELEVANT STAKEHOLDERS

The Board attaches considerable importance to the maintenance of constructive relationships with shareholders and its other stakeholders. As mentioned above, the Company communicates with shareholders through the Annual Report and accounts, full-year and half-year results announcements, the AGM and one-to-one meetings with large existing or potential new shareholders. The Company regularly releases regulatory and other announcements covering operational and corporate matters.

A range of corporate information (including all Company announcements) is also available to shareholders, investors and the public on the Company’s corporate website, www.crosswordcybersecurity.com including:

• Our Articles of Association and admission document;
• A detailed account of how we have applied the principles of the QCA Code;
• Latest Crossword Cybersecurity news and press releases; and
• Annual and Interim Reports.

The Board receives regular updates on the views of shareholders through briefings from the Chief Executive Officer, Chief Financial Officer and the Company’s brokers.

Sir Richard Dearlove KCMG OBE
Chairman
13 April 2022

AUDIT COMMITTEE REPORT

I am pleased to present the Committee’s report for the year ended 31 December 2021. The following pages provide an insight into how the Committee discharged its responsibilities during the year and the key topics that it considered in doing so.

The role of the Audit Committee is to monitor the integrity of the Group’s Financial Statements, including its annual and half-yearly reports and any other formal statements relating to its financial performance. It monitors and reviews the effectiveness of the Group’s internal financial control systems that identify, assess, manage and monitor financial risks, and other internal control and risk management systems.

Committee membership and governance

The Audit Committee is comprised of three independent Non-Executive Directors, currently David Secher, Ruth Anderson and Andrew Gueritz. David Secher, Chair of the Committee, is considered by the Board to have recent and relevant financial experience and the Committee as a whole has competence relevant to the sector in which the Company operates.
At the request of the Chair of the Committee, the Chief Executive Officer, Chief Financial Officer and other members of the senior management team may also be invited to attend meetings as guests.

The Audit Committee aims to meet twice in each financial year and has unrestricted access to the Group’s external Auditor. The Committee works to a planned programme of activities focused on key events in the annual financial reporting cycle and standing items that it considers regularly under its Terms of Reference.

Principal activities during the year

The Committee held two meetings during the year under review and considered the following:

• The external Auditor’s 2020 year-end audit report and opinion;
• The Company’s Report for the financial year ended 31 December 2020 and the related results announcements and the Half-Yearly Report to 30 June 2021;
• Evaluation of the performance of the external Auditor including their independence, objectivity and the effectiveness of the audit process;
• The re-appointment of MHA MacIntyre Hudson as the external Auditor for the Company;
• The Committee’s Terms of Reference; and
• The Company’s Risk Register as well as the internal controls and risk management systems in place.

The Committee is planning the following activities during 2022:

• Review the Company’s procedures, systems and controls for the prevention of bribery or fraud;
• Review the adequacy and security of the Company’s arrangements for its employees to raise concerns, in confidence, about possible wrongdoing in financial reporting or other matters.
The Committee shall ensure that these arrangements allow proportionate and independent investigation of such matters and appropriate follow-up action;
• Review and approve the FY22 external Auditor’s plan, including the proposed materiality threshold, the scope of the audit, the significant audit risks and fees;
• Review the Committee’s internal audit role, in the absence of an external provider of an internal audit service; and
• Risk – review and challenge the Risk Register, and consider the risk appetite of the business.

The Committee members’ attendance at meetings during the year is set out on page 28 above.

External Auditor

MHA MacIntyre Hudson has been the external Auditor of the Group since 2014. The continued appointment of MHA MacIntyre Hudson is reviewed by the Committee each year, taking into account the relevant legislation, guidance and best practice appropriate for a Company of Crossword’s size, nature and stage of development.

The Committee considers a number of areas when reviewing the external Auditor appointment, namely its performance in discharging the audit, the scope of the audit and terms of engagement, its independence and objectivity, and its reappointment and remuneration.

The breakdown of fees between audit and non-audit services paid to MHA MacIntyre Hudson during the financial year is set out in Note 8 to the Group’s Consolidated Financial Statements. The non-audit fees relate to tax advice. Following implementation of the Revised Ethical Standard by MHA MacIntyre Hudson, non-audit services have ceased.

Internal audit

The Audit Committee presently considers it appropriate that the Group uses the Audit Committee to undertake the internal audit function.
This is due to the effectiveness of the Group’s internal financial control systems that identify, assess, manage and monitor financial risks, and other internal control and risk management systems, and the close involvement of the Executive Directors and senior management on a day-to-day operational basis. However, the need for an internal audit function will be kept under review by the Audit Committee on behalf of the Board.

DAVID SECHER
Chair, Audit Committee
13 April 2022

NOMINATION COMMITTEE REPORT

The Nomination Committee is responsible for reviewing the composition of the Board taking into account the skills, experience and diversity of the Directors in light of the challenges and opportunities facing the Company and makes recommendations for the appointment and reappointment of Board members.

Committee membership and governance

The Nomination Committee is chaired by Andrew Gueritz and its other members are Ruth Anderson and Robert Coles.

Under the Committee’s Terms of Reference, the Committee is required to meet at least twice in each financial year and must comprise at least three members, two of whom must be independent Non-Executive Directors. The Committee held two meetings during the year. The Committee members’ attendance at meetings during 2021 is set out on page 28.

Board effectiveness review

In compliance with the QCA Code, the Board undertook an evaluation of its performance in January 2021. The evaluation was conducted by way of a questionnaire designed to assess the effectiveness of the Board, the Directors and the Chairman, as well as the Board’s Committees and identify any areas for improvement. The results of the evaluation were presented to the Board for review in early April 2021 and revealed no significant concerns amongst Directors about the effectiveness of the Board.
Actions arising from recommendations to further improve the effectiveness of the Board are being implemented and include the review of succession plans for key members of management and Board members.

Diversity

The Company has not adopted a formal policy on diversity and, therefore, has no measurable objectives to disclose. Appointments, including appointments to the Board and senior management positions, are made on merit, taking account of the balance of skills and experience required.

Key areas of focus for 2022:

• Review the time committed to the development of individual Directors and the Board as a whole;
• Put in place succession plans for both Executive and Non-Executive Directors and, in particular, for the key roles of Chair and Chief Executive Officer; and
• Conduct a further internal evaluation of the Board, its Committees and individual Directors, to assess improvements in the key focus areas, using questionnaires.

ANDREW GUERITZ
Chair, Nomination Committee
13 April 2022

REMUNERATION COMMITTEE REPORT

The Remuneration Committee is responsible for determining and agreeing with the Board the framework or broad policy for the remuneration of all Executive Directors, the Chair of the Board, including pension rights and any compensation payments, and such other members of the senior management as it is designated to consider. In addition, the Committee makes recommendations to the Board on proposals for the granting of share options and other equity incentives, pursuant to any employee share option scheme or equity incentive plans in operation from time to time.

Committee membership and governance

The Remuneration Committee is a formal committee of the Board and has powers delegated to it under the Articles of Association. Its remit is set out in Terms of Reference formally adopted by the Board, which are reviewed annually.
The Remuneration Committee is currently comprised of Andrew Gueritz (as Chair), David Secher and Ruth Anderson. The Committee meets at least once in each financial year and held four meetings during the year. The Committee members’ attendance at meetings during the year is set out on page 28.

Letters of appointment, service contracts and termination

Thomas Ilube (Chief Executive Officer)

Tom Ilube is appointed as Chief Executive Officer under an Executive service contract dated 1 April 2014 (as amended). The employment commenced on 1 April 2014 and will continue unless terminated by either party giving 12 months’ written notice. The Company may terminate the contract without notice (or with payment in lieu of notice) if, inter alia, Tom is guilty of gross misconduct, commits a serious breach of the employment contract, commits a criminal offence, is declared bankrupt or becomes of unsound mind. The Company may, after giving or receiving notice of termination, immediately end the employee’s employment and make payment in lieu of salary with no other benefit for the remaining period of notice.

Mary Dowd (Chief Financial Officer)

Mary Dowd is employed as Chief Financial Officer under an employee service contract dated 10 May 2018. The employment commenced on 16 May 2018 and will continue unless terminated by either party giving six months’ written notice. The Company may terminate the contract on shorter notice if the employee is absent from work for an extended period through sickness or injury and may terminate without notice (or with payment in lieu of notice) if, inter alia, Mary is guilty of gross misconduct, commits a serious breach of the employment contract, commits a criminal offence, is declared bankrupt or becomes of unsound mind. The Company may, after giving or receiving notice of termination, immediately end the employee’s employment and make payment in lieu of salary with no other benefit for the remaining period of notice.
Following termination of employment, Mary is subject to certain restrictions for a period of six months, including a restriction on dealing with the Company’s customers and suppliers and from working for a competing business.

Non-Executive Directors

All Non-Executive Directors, including the Chairman, serve on the basis of letters of appointment which are terminable by three months’ written notice and are available for inspection at the Company’s registered office. Subject to continued satisfactory performance, the Board does not think it appropriate at this time to limit the term of appointment of the Non-Executive Directors. The Executive Directors’ service contracts are also available for inspection at the Company’s registered office.

The remuneration of the Directors who served in the current year was as follows:

| | Basic Salary and Fees £ | Bonus £ | Taxable Benefits £ | Employer’s Pension Contribution £ | Total £ |
|---|---|---|---|---|---|
| Executive Directors | | | | | |
| Tom Ilube* | 128,311 | – | 3,942 | 1,318 | 133,572 |
| Mary Dowd | 130,000 | – | – | 10,000 | 140,000 |
| Non-Executive Directors | | | | | |
| Sir Richard Dearlove | 25,000 | – | 25,000 | – | 50,000 |
| Ruth Anderson | 12,000 | – | – | – | 12,000 |
| Andy Gueritz | 16,000 | – | – | – | 16,000 |
| Gordon Matthew | 6,000 | – | – | – | 6,000 |
| Dr David Secher | 16,000 | – | – | – | 16,000 |
| Prof David Stupples | 4,750 | – | – | – | 4,750 |
| Robert Coles | 7,250 | – | – | – | 7,250 |
| Tara Cemlyn-Jones | 7,231 | – | – | – | 7,231 |
| Total | 352,542 | – | 28,942 | 11,318 | 392,802 |

Directors’ shareholdings and share interests

The table below sets out the Directors’ interests in the ordinary shares of the Company as at 31 December 2021. There have been no changes in the current Directors’ interests in shares or options granted by the Company between the end of the financial year and 26 April 2021.
| Name | Number of Issued Ordinary Shares | % of Issued Shares |
|---|---|---|
| Tom Ilube* | 14,560,250 | 19.42% |
| Dr David Secher | 263,650 | 0.35% |

* Thomas Ilube’s shareholding is made up of 12,255,810 shares held by him personally and 1,304,440 held by Share Nominees Limited on his behalf.

Share option and incentivisation arrangements

The Board considers employee share ownership to be an important part of its strategy for employee incentivisation and retention. The Group has established share option programmes that entitle certain employees to purchase shares in the Company. These were issued in July 2014, November 2014, July 2015, December 2015, January 2016, June 2016, September 2016, June 2017, January 2018, May 2018, July 2018, October 2018, June 2019, November 2019, June 2020, October 2020, August 2021, and November 2021. There are no performance conditions attaching to these options, other than to awards made under the Long-Term Incentive Plan awards issued in Nov 2021.

The Directors hold the following shares under option:

| Name | Number of Ordinary Shares under option | Date of grant | Exercise Price | Vesting Conditions | Expiry Date |
|---|---|---|---|---|---|
| Sir Richard Dearlove | 131,580 | 03/10/2016 | 19p | 1 | 03/10/2026 |
| Sir Richard Dearlove | 67,570 | 25/05/2018 | 37p | 1 | 25/05/2028 |
| Sir Richard Dearlove | 45,870 | 04/06/2019 | 54.5p | 1 | 04/06/2029 |
| Sir Richard Dearlove | 52,080 | 28/11/2019 | 48p | 1 | 28/11/2029 |
| Sir Richard Dearlove | 94,340 | 16/10/2020 | 26.5p | 1 | 16/10/1930 |
| Sir Richard Dearlove | 70,423 | 10/08/2021 | 35.5p | 1 | 10/08/1931 |
| Dr David Secher | 150,000 | 18/07/2014 | 5.4p | 1 | 17/07/2024 |
| Mary Dowd | 79,360 | 24/10/2018 | 31.5p | 1 | 24/10/2028 |
| Mary Dowd | 100,000 | 04/06/2019 | 54.5p | 1 | 04/06/2029 |
| Mary Dowd | 25,000 | 18/06/2020 | 30.5p | 1 | 18/06/1930 |

(1) Option Shares to vest in three equal tranches on the first, second and third anniversary of the date of grant.
In addition, the Company has issued 1,202,213 options to members of staff and up to 3,000,000 share options to Executives.

EMI share option plan

The Company has established an enterprise management incentive share option plan under scheme rules dated 21 May 2014 (‘EMI Option Plan’) for the purposes of recruiting and retaining its staff. The Company may grant an Option intended to be a qualifying option under the Income Tax (Earnings and Pensions) Act 2003 (‘ITEPA 2003’) (‘EMI Option’) to any eligible employee it chooses, subject to the limitations and conditions of the EMI Option Plan. EMI Options may not be granted where prohibited by law or any corporate governance code which applies to the Company or after the tenth anniversary of the date of the EMI Option Plan.

Long-Term Incentive Plan

During the year, the Company implemented a Long-Term Incentive Plan (LTIP) whereby awards have been made to the following Executives – Mary Dowd, Stuart Jubb, Jake Holloway and Sean Arrowsmith. Each award is of nominal cost (0.5p) options to acquire up to 750,000 Crossword ordinary shares of 0.5p each which vest at the average mid-market price of the Ordinary Shares over the 20 trading days preceding the end of the performance period which ends on 30 September 2024. 25% of the options will vest if the Award Price is 50p, and 100% will vest if the Award Price is equal to or greater than 100p, with straight-line vesting between 50p and 100p.

ANDREW GUERITZ
Chair, Remuneration Committee
13 April 2022

Directors’ Report & Statement of Directors’ Responsibilities

DIRECTORS’ REPORT

This Directors’ Report includes the information required to be included under the Companies Act 2006 or, where provided elsewhere, an appropriate cross-reference is given. The Corporate Governance Report approved by the Board is provided on pages 23 to 34 and incorporated by reference into this Directors’ Report.
Principal activity, review of the business and future developments Crossword Cybersecurity PLC (08927013) is a public company, limited by shares, incorporated in the United Kingdom under the Companies Act, with operations in the UK, Poland and Oman. Its shares are traded on AIM, a sub-market of the London Stock Exchange (‘AIM’). Crossword Cybersecurity PLC focuses on the development and commercialisation of university research-based cyber security and risk management related software and cyber security consulting. The Group’s specialist cyber security product development and software engineering teams work with its university partners to develop the research concept into a fully-fledged commercial product that it will then take to market. The Group’s aim is to build up a portfolio of revenue generating, intellectual property based, cyber security products. Rizikon Assurance, Crossword’s leading product, is a SaaS platform that enables medium to large companies to assess and manage all risks from their suppliers. Nixer CyberML, another Crossword product, is a new tool for businesses that want to solve advanced security and cybercrime problems, such as detecting and dealing with compromised accounts, fraud, and in-application denial of service attacks. Identiproof, Crossword’s most recent product, is the World Wide Web Consortium (W3C) verifiable credentials compatible middleware and wallet technology. Trillion™ and Arc are the latest additions to Crossword’s product suite, offering some of the strongest and most advanced credential leak monitoring services in the market. Crossword’s team of expert cyber security consultants leverages years of experience in national security, defence and commercial cyber intelligence and operations to provide bespoke cyber security consulting advice tailored to its clients’ business needs, including threat monitoring using Nightingale, our world class platform. 
More details on the strategy, nature of the Group’s operations and future developments are set out in the Strategic Report on pages 02 to 17. Share capital and rights attaching to the shares The number of shares in issue as at the date of publication of this report was 74,957,150 (31 December 2020: 5,761,890 ordinary shares of 5 pence) ordinary shares of 0.5 pence, each with one vote. In accordance with applicable laws and the Company’s Articles of Association, holders of ordinary shares are entitled to: • Receive shareholder documentation including the notice of any general meeting; • Attend, speak and exercise voting rights at general meetings, either in person or by proxy; and • A dividend, where declared and paid out of profits available for such purposes. On a return of capital on a winding up, holders of ordinary shares are entitled to participate in such a return. Articles of Association The Company’s Articles of Association can only be amended by special resolution and are available at https://www.crosswordcybersecurity.com Engagement with employees With the continuing growth in staff numbers, the Directors recognise the need to ensure excellence in engagement with employees. Two staff away days took place during 2019 with feedback from staff forming a prioritised action plan. Included was an action to ensure that the Company’s culture is maintained during its growth. To this effect, a project to define the Company’s culture was started. At the end of this project, the Company was in a position to state its values and expected behaviours. The values were shared with all staff at an away day in February 2020. Engagement with charities was another action from the away days. In 2020, the Company supported two charities. In Richmond, Surrey, the Company is working with SPEAR, a charity for people experiencing homelessness in South West London. 
In Kraków, Poland, the Company supported Noble Gift, a charity which provides aid in the form of Christmas gifts in response to the actual needs of the recipients, providing an impulse for change and motivation for them to become independent and take responsibility for their lives. During 2021, Crossword continued to support these charities. More details are available on page 09.

Sustainability and climate change

The group does not need to comply with SECR. The Directors take their responsibilities relating to the environment seriously and aim to minimise the impact of the Company’s activities on the environment. The key points of their strategy to achieve this are:
• Minimise waste by evaluating operations and ensuring they are as efficient as possible;
• Minimise toxic emissions through the selection and use of its power requirement;
• Actively promote recycling;
• Source and promote a product range to minimise the environmental impact of both production and distribution; and
• Meet or exceed all the environmental legislation that relates to the Company.

Powers of Directors

The Directors may exercise powers subject to applicable legislation and regulations and the Company’s Articles of Association. The Directors in office at the date of this Annual Report are shown on pages 18 to 20.

Directors’ conflict of interest

The Board may authorise, to the fullest extent permitted by law, any matter which, if not so authorised, would or may result in a Director infringing his or her duty to avoid a situation in which he/she can have a direct or indirect interest that conflicts, or possibly may conflict, with the interests of the Company and which may reasonably be regarded as likely to give rise to a conflict of interest. The Company has effective procedures in place to monitor and deal with conflicts of interest.
The Board is aware of the other commitments and interests of its Directors, and changes to these commitments and interests are reported to and, where appropriate, agreed with the rest of the Board. Directors’ insurance and indemnity The Group maintains Directors’ and Officers’ liability insurance which gives appropriate cover for any legal action brought against its Directors. In accordance with Section 234 of the Companies Act 2006, qualifying third-party indemnity provisions are in place for the Directors in respect of liabilities incurred as a result of their office to the extent permitted by law. Purchase of own shares The Company has not acquired any of its own shares in the period to 31 December 2020, nor in the period up to the date of approval of this Annual Report. Subsequent events On the 14th March 2022, Crossword Cybersecurity Plc acquired the whole of the share capital of Threat Status Limited, the threat intelligence company and provider of Trillion™, the cloud based software as a service (SaaS) platform for enterprise-level credential breach intelligence, for a total consideration of £1,529,000. Dividend The Directors do not intend that the Company will declare a dividend in the near term, but instead channel the available cash resources into funding the expansion of the Group. The Board intends to commence the payment of dividends only when it becomes commercially prudent to do so, having regard to the Group’s earnings, financial position, cash requirements and availability of distributable profits, as well as the provisions of relevant laws and/or generally accepted accounting principles from time to time. Political donations No political donations have been made during this financial year. Principal shareholder Tom Ilube is the Company’s principal shareholder, holding a total of 1,456,025 ordinary shares, representing 25.27% of the voting rights attached to the current issued share capital of the Company. 
Of the 1,456,025 shares held, 1,325,581 shares are held by Tom Ilube directly and 130,444 shares are held on his behalf by Share Nominees Limited.

Annual General Meeting

The Annual General Meeting of the Company will be held on 5 May 2022 at 3.00 pm at the offices of Shakespeare Martineau LLP, 6th Floor, 60 Gracechurch Street, London EC3V 0HR. The Notice of Meeting will be available to view on the Company’s website in advance of that meeting.

Approval of Directors’ Report

This Directors’ Report, including the Corporate Governance Statement and Strategic Report, was approved for and on behalf of the Board on 13 April 2021.

STATEMENT OF DIRECTORS’ RESPONSIBILITIES IN RESPECT OF THE ANNUAL REPORT AND THE FINANCIAL STATEMENTS

The Directors are responsible for preparing the Annual Report and the financial statements in accordance with applicable law and regulations. Company law requires the Directors to prepare financial statements for each financial year. Under that law, the Directors have elected to prepare the consolidated and parent company financial statements in accordance with International Accounting Standards as adopted in the United Kingdom (“UK adopted IFRS”). Under Company law, the Directors must not approve the financial statements unless they are satisfied that they give a true and fair view of the state of affairs and profit or loss of the Group and parent company for that period. In preparing the financial statements, the Directors are required to:
• Select suitable accounting policies and then apply them consistently;
• Make judgements and accounting estimates that are reasonable and prudent;
• State whether applicable UK adopted IFRS has been followed, subject to any material departures disclosed and explained in the financial statements; and
• Prepare the financial statements on the going concern basis, unless it is inappropriate to presume that the Group and parent company will continue in business.

The Directors are responsible for keeping adequate accounting records that are sufficient to show and explain the Group and parent company’s transactions and disclose with reasonable accuracy at any time the financial position of the Group and parent company and enable them to ensure that the financial statements and the Directors’ Remuneration Report comply with the Companies Act 2006. They are also responsible for safeguarding the assets of the Group and parent company and, hence, for taking reasonable steps for the prevention and detection of fraud and other irregularities. The Directors are responsible for the maintenance and integrity of the parent company’s website. Legislation in the United Kingdom governing the preparation and dissemination of financial statements may differ from legislation in other jurisdictions.

Responsibility Statement of the Directors in respect of the Annual Report and Accounts

The Directors consider that the Annual Report and accounts, taken as a whole, is fair, balanced and understandable and provides the information necessary for shareholders to assess the Group and parent company’s position, performance, business model and strategy. Each of the Directors, whose names and functions are listed in the Corporate Governance Section, confirm to the best of our knowledge, that:
• The parent company and Group financial statements, prepared in accordance with International Financial Reporting Standards in conformity with the requirements of the Companies Act 2006, give a true and fair view of the assets, liabilities, financial position and profit or loss of the Company and the undertakings included in the consolidation as a whole;
• The Annual Report includes a fair review of the development and performance of the business and the position of the Company and the undertakings included in the consolidation taken as a whole, together with a description of the principal risks and uncertainties that they face;
• The Annual Report and accounts, taken as a whole, is fair, balanced and understandable and provides the information necessary for the shareholders to assess the Group and parent company’s position, performance, business model and strategy; and
• The Strategic Report includes a fair review of the development and performance of the business and the position of the Group and parent company, together with a description of the principal risks and uncertainties that it faces.

DISCLOSURE OF INFORMATION TO THE AUDITOR

We, the Directors of the Company who held office at the date of approval of these financial statements as set out above, each confirm, so far as we are aware, that:
• There is no relevant audit information of which the Company’s Auditor is unaware; and
• We have taken all the steps that we ought to have taken as Directors in order to make ourselves aware of any relevant audit information and to establish that the Company’s Auditor is aware of that information.

This Statement of Responsibilities and the Directors’ Report were approved by the Board on 13 April 2022.

TOM ILUBE
Chief Executive Officer
13 April 2022

Crossword Cybersecurity PLC
60 Gracechurch Street, London EC3V 0HR
e: info@crosswordcybersecurity.com
twitter: @crosswordcyber
t: +44 (0)333 090 2587

Independent Auditor’s Report
To the Members of Crossword Cybersecurity PLC

For the purpose of this report, the terms “we” and “our” denote MHA MacIntyre Hudson in relation to UK legal, professional and regulatory responsibilities and reporting obligations to the members of Crossword Cybersecurity plc.
For the purposes of the table on pages 39 to 40 that sets out the key audit matters and how our audit addressed the key audit matters, the terms “we” and “our” refer to MHA MacIntyre Hudson. The Group financial statements, as defined below, consolidate the accounts of Crossword Cybersecurity plc and its subsidiaries (the “Group”). The “Parent Company” is defined as Crossword Cybersecurity plc. The relevant legislation governing the Parent Company is the United Kingdom Companies Act 2006 (“Companies Act 2006”). OPINION We have audited the financial statements of Crossword Cybersecurity plc for the year ended 31 December 2021. The financial statements that we have audited comprise: • Consolidated Statement of Comprehensive Income; • Statements of Financial Position; • Statements of Changes in Equity; • Statements of Cashflows; • Notes 1 to 29 to the financial statements, including significant accounting policies. The financial reporting framework that has been applied in their preparation is applicable law and UK adopted international financial reporting standards. In our opinion, the financial statements: • give a true and fair view of the state of the Group’s and of the Parent Company’s affairs as at 31 December 2021 and the group’s loss for the year then ended; • have been properly prepared in accordance with UK adopted international financial reporting standards; and • have been prepared in accordance with the requirements of the Companies Act 2006. BASIS FOR OPINION We conducted our audit in accordance with International Standards on Auditing (UK) (ISAs (UK)) and applicable law. Our responsibilities under those standards are further described in the auditor’s responsibilities for the audit of the financial statements section of our report. 
We are independent of the group in accordance with the ethical requirements that are relevant to our audit of the financial statements in the UK, including the FRC’s Ethical Standard as applied to listed entities, and we have fulfilled our ethical responsibilities in accordance with these requirements. We believe that the audit evidence we have obtained is sufficient and appropriate to provide a basis for our opinion.

MATERIAL UNCERTAINTY RELATED TO GOING CONCERN

We draw your attention to note 1.3 of the financial statements, which indicates that for the Group and Parent to continue as a going concern they will require fundraising in 2022 to support the cash flow requirement of the Group’s business model, aims for growth and the contractual repayment of £1.4M convertible loan notes which mature in December 2022. As stated in note 1.3, these events or conditions, along with the other matters as set forth in note 1.3, indicate that a material uncertainty exists that may cast significant doubt on the Group and Parent Company’s ability to continue as a going concern. Our opinion is not modified in respect of this matter.

In auditing the financial statements, we have concluded that the directors’ use of the going concern basis of accounting in the preparation of the financial statements is appropriate. Our evaluation of the directors’ assessment of the entity’s ability to continue to adopt the going concern basis of accounting included:
• The consideration of inherent risks to the group’s operations and specifically its business model.
• The evaluation of how those risks might impact on the group’s available financial resources.
• Where additional resources may be required the reasonableness and practicality of the assumptions made by the Directors when assessing the probability and likelihood of those resources becoming available.
• Liquidity considerations including examination of cash flow projections.
• Solvency considerations including examination of budgets and forecasts and their basis of preparation, including review and assessment of the model’s mechanical accuracy and the reasonableness of assumptions included within.
• Consideration of availability of funds required to settle funding facilities due for repayment during the going concern review period.
• Assessing the reasonableness and practicality of the mitigation measures identified by management in their conservative case scenario and considered by them in arriving at their conclusions about the existence of any uncertainties in respect of going concern.

Our responsibilities and the responsibilities of the directors with respect to going concern are described in the relevant sections of this report.

OVERVIEW OF OUR AUDIT APPROACH

Materiality

| | 2021 | 2020 | Basis |
|---|---|---|---|
| Group | £100,000 | £77,000 | 2% of aggregate of cost of sales and administrative expenses |
| Parent company | £99,000 | £76,000 | 2% of aggregate of cost of sales and administrative expenses reduced to below group materiality |

Key Audit Matters

Event driven Recurring Parent
• Accounting for the business combinations
• Valuation of investment and non-current loans to its subsidiaries

KEY AUDIT MATTERS

Key Audit Matters are those matters that, in our professional judgement, were of most significance in our audit of the financial statements of the current period and include the most significant assessed risks of material misstatement (whether or not due to fraud) that we identified. These matters included those matters which had the greatest effect on:
• the overall audit strategy;
• the allocation of resources in the audit; and
• directing the efforts of the engagement team and our results from those procedures.

These matters were addressed in the context of our audit of the financial statements as a whole, and in forming our opinion thereon, and we do not provide a separate opinion on these matters.
ACCOUNTING FOR THE BUSINESS COMBINATIONS

Key audit matter description

Business combinations in the year are material to the Group and Parent Company financial statements. Business combinations must be accounted for in accordance with IFRS 3 ‘Business combinations’ which requires management to fair value the consideration payable, and account for the fair value of identifiable assets and liabilities acquired and the resultant determination of any goodwill arising from the business combinations. These estimates give rise to the risk of material misstatement relating to the accounting of Business Combinations and have been the focus of our audit enquiry relating to the accounting of the Business Combinations in the year.

How the scope of our audit responded to the key audit matter

Our procedures included:
• A detailed review of the discount rate applied to determining the fair value of deferred and contingent consideration and the fair value of assets acquired in the business combinations.
• We challenged management whether they had recognised all assets and liabilities that should have been recorded as part of the business combination.
• We reviewed the computation of the accounting of the Business Combination in determining the amount recognised as goodwill.
• We reviewed and challenged management’s assumptions used to determine the level of contingent consideration.
• Ensured that the disclosures in the financial statements are adequate.

Key observations

We concluded that the business combinations were correctly accounted for and disclosed in accordance with the requirements of IFRS 3.
VALUATION OF INVESTMENT AND NON-CURRENT LOANS TO ITS SUBSIDIARIES

Key audit matter description

The Parent Company makes non-interest-bearing loans available to its subsidiary Crossword Consulting Limited through a mix of debt finance and loans. The investment and loans owed to the Parent Company have been subject to an impairment review to determine whether an expected credit loss provision is required. As no interest is charged on these loans then a notional interest is assumed to be embedded in the principal amount of the loan which is computed and treated as a further capital contribution by the Parent Company in its subsidiary, Crossword Consulting Limited.

How the scope of our audit responded to the key audit matter

Our procedures included:
• Challenged management’s allocation of the financing arrangement between a capital contribution and loans in the subsidiary.
• Challenged management’s assessment of expected credit losses.
• Benchmarked the discount rate used in management’s assessment.
• Reviewed and checked management’s amortised cost calculations.
• Considered management’s assessment of the strategy options which the Parent Company would pursue in recovering the amounts due from the subsidiary.
• Reviewed management’s assessment as to the impairment of the Parent Company’s investment in its subsidiary, Crossword Consulting Limited.
• Ensured that the disclosures in the financial statements are adequate.

Key observations

We concluded that the financing arrangement at Parent Company level was correctly classified between capital contribution and loans due from its subsidiary and that the carrying amounts exceeded the recoverable amount and no impairment was required of these non-current assets at the Parent Company level.

OUR APPLICATION OF MATERIALITY

Our definition of materiality considers the value of error or omission on the financial statements that, individually or in aggregate, would change or influence the economic decision of a reasonably knowledgeable user of those financial statements. Misstatements below these levels will not necessarily be evaluated as immaterial as we also take account of the nature of identified misstatements, and the particular circumstances of their occurrence, when evaluating their effect on the financial statements as a whole. Materiality is used in planning the scope of our work, executing that work, and evaluating the results.

Materiality in respect of the group was set at £100,000 (2020: £77,000) which was determined based on 2% of aggregate of cost of sales and administrative expenses in both years. This was deemed to be the most appropriate metric for materiality as this is primarily what the users of the financial statements are concerned with.

Performance materiality is the application of materiality at the individual account or balance level, set at an amount to reduce to an appropriately low level the probability that the aggregate of uncorrected and undetected misstatements exceeds materiality for the financial statements as a whole. Performance materiality for the group was set at £85,000 (2020: £65,500) which represents 85% (2020: 85%) of the above materiality level. The determination of performance materiality reflects our assessment of the risk of undetected errors existing, the nature of the systems and controls and the level of misstatements arising in previous audits.

Materiality in respect of the Parent Company was set at £99,000 (2020: £76,000) which was determined based on 2% of the Parent Company’s aggregate of costs of sales and administrative expenses reduced to below group materiality.
Performance materiality for the Parent Company was set at £84,150 (2020: £64,600) which represents 85% (2020: 85%) of the above materiality level.

In addition, we applied the following materiality to the audit of specific financial statement areas:

• Related Party transactions and disclosure £5,000

We agreed to report any corrected or uncorrected adjustments exceeding £5,000 to the Audit Committee as well as differences below this threshold that in our view warranted reporting on qualitative grounds.

OTHER INFORMATION

The other information comprises the information included in the annual report other than the financial statements and our auditor’s report thereon. The directors are responsible for the other information contained within the annual report. Our opinion on the financial statements does not cover the other information and, except to the extent otherwise explicitly stated in our report, we do not express any form of assurance conclusion thereon.

Our responsibility is to read the other information and, in doing so, consider whether the other information is materially inconsistent with the financial statements, or our knowledge obtained in the course of the audit, or otherwise appears to be materially misstated. If we identify such material inconsistencies or apparent material misstatements, we are required to determine whether this gives rise to a material misstatement in the financial statements themselves. If, based on the work we have performed, we conclude that there is a material misstatement of this other information, we are required to report that fact. We have nothing to report in this regard.
OPINIONS ON OTHER MATTERS PRESCRIBED BY THE COMPANIES ACT 2006

In our opinion, based on the work undertaken in the course of the audit:

• the information given in the strategic report and the directors’ report for the financial year for which the financial statements are prepared is consistent with the financial statements; and
• the strategic report and the directors’ report have been prepared in accordance with applicable legal requirements.

MATTERS ON WHICH WE ARE REQUIRED TO REPORT BY EXCEPTION

In the light of the knowledge and understanding of the group and the Parent Company and their environment obtained in the course of the audit, we have not identified material misstatements in the strategic report or the directors’ report.

We have nothing to report in respect of the following matters in relation to which the Companies Act 2006 requires us to report to you if, in our opinion:

• adequate accounting records have not been kept by the Parent Company, or returns adequate for our audit have not been received by branches not visited by us; or
• the Parent Company financial statements are not in agreement with the accounting records and returns; or
• certain disclosures of directors’ remuneration specified by law are not made; or
• we have not received all the information and explanations we require for our audit.

RESPONSIBILITIES OF DIRECTORS

As explained more fully in the directors’ responsibilities statement, the directors are responsible for the preparation of the financial statements and for being satisfied that they give a true and fair view, and for such internal control as the directors determine is necessary to enable the preparation of financial statements that are free from material misstatement, whether due to fraud or error.
In preparing the financial statements, the directors are responsible for assessing the Group and Parent Company’s ability to continue as a going concern, disclosing, as applicable, matters related to going concern and using the going concern basis of accounting unless the directors either intend to liquidate the group or the Parent Company or to cease operations, or have no realistic alternative but to do so.

AUDITOR’S RESPONSIBILITIES FOR THE AUDIT OF THE FINANCIAL STATEMENTS

Our objectives are to obtain reasonable assurance about whether the financial statements as a whole are free from material misstatement, whether due to fraud or error, and to issue an auditor’s report that includes our opinion. Reasonable assurance is a high level of assurance but is not a guarantee that an audit conducted in accordance with ISAs (UK) will always detect a material misstatement when it exists. Misstatements can arise from fraud or error and are considered material if, individually or in aggregate, they could reasonably be expected to influence the economic decisions of users taken on the basis of these financial statements.

Irregularities, including fraud, are instances of non-compliance with laws and regulations. We design procedures in line with our responsibilities, outlined above, to detect material misstatements in respect of irregularities, including fraud.

Because of the inherent limitations of an audit, there is a risk that we will not detect all irregularities, including those leading to a material misstatement in the financial statements or non-compliance with regulation. This risk increases the more that compliance with a law or regulation is removed from the events and transactions reflected in the financial statements, as we will be less likely to become aware of instances of non-compliance.
The risk is also greater regarding irregularities occurring due to fraud rather than error, as fraud involves intentional concealment, forgery, collusion, omission or misrepresentation.

The specific procedures for this engagement and the extent to which these are capable of detecting irregularities, including fraud, are detailed below:

• Obtaining an understanding of the legal and regulatory frameworks that the Group operates in, focusing on those laws and regulations that had a direct effect on the financial statements. The key laws and regulations we considered in this context included the UK Companies Act 2006, AIM regulations and applicable tax legislation. In addition, we considered compliance with the UK Bribery Act and employee legislation, as fundamental to the Group’s operations.
• Enquiry of management to identify any instances of non-compliance with laws and regulations.
• Enquiry of management around actual and potential litigation and claims.
• Review of legal expenses incurred during the year and post year end to identify potential actual or contingent liabilities in existence as at the year end.
• Enquiry of management to identify any instances of known or suspected instances of fraud.
• Discussing among the engagement team regarding how and where fraud might occur in the financial statements and any potential indicators of fraud.
• Reviewing minutes of those charged with governance.
• Review of revenue recognition policies adopted and substantive testing of revenue transactions.
• Performing audit work over the risk of management override of controls, including testing of journal entries and other adjustments for appropriateness, evaluating the business rationale of significant transactions outside the normal course of business, and reviewing accounting estimates for bias; and
• Challenging assumptions and judgements made by management in their significant accounting estimates, in particular with respect to the fair value of options granted to employees, accounting for business combinations, and consideration of the valuation of the investment and non-current loans to subsidiaries.

A further description of our responsibilities for the financial statements is located on the FRC’s website at: www.frc.org.uk/auditorsresponsibilities

This description forms part of our auditor’s report.

USE OF OUR REPORT

This report is made solely to the Company’s members, as a body, in accordance with Chapter 3 of Part 16 of the Companies Act 2006. Our audit work has been undertaken so that we might state to the Company’s members those matters we are required to state to them in an auditor’s report and for no other purpose. To the fullest extent permitted by law, we do not accept or assume responsibility to anyone other than the Company and the Company’s members as a body, for our audit work, for this report, or for the opinions we have formed.
ANDREW MOYSER FCA FCCA (Senior Statutory Auditor)
for and on behalf of MHA MacIntyre Hudson, Statutory Auditor
London, United Kingdom
13 April 2022

Consolidated Financial Statements for Crossword Cybersecurity PLC company number 08927013

CONSOLIDATED STATEMENT OF COMPREHENSIVE INCOME

| | Notes | 12 Months ended 31 December 2021 | 12 Months ended 31 December 2020 |
|---|---|---|---|
| Revenue | 2 | 2,171,137 | 1,627,611 |
| Cost of Sales | 3 | (1,957,178) | (1,582,194) |
| Gross Profit | | 213,959 | 45,416 |
| Administrative expenses | 3,4 | (3,260,139) | (2,320,675) |
| Other operating income | 6 | 358,727 | 209,647 |
| Finance income-bank interest income and foreign exchange | | 4,956 | (3,205) |
| Finance costs-other interest expense | 7 | (220,545) | (204,679) |
| Gain on revaluation of financial assets | 22 | 456,803 | – |
| Loss for the year before taxation | | (2,446,239) | (2,273,497) |
| Tax credit / (expense) | 9 | 172,615 | (4,840) |
| Loss for the Year | | (2,273,624) | (2,278,336) |
| Other Comprehensive Income | | | |
| Items that may be reclassified to profit or loss: | | | |
| Foreign exchange translation Gain / (Loss) | | (13,220) | 9,595 |
| Other Comprehensive Income | | (13,220) | 9,595 |
| Total Comprehensive Loss | | (2,286,844) | (2,268,741) |
| Loss for the period attributable to: | | | |
| Owners of the parent | | (2,229,296) | (2,249,707) |
| Non-controlling interests | | (44,328) | (28,629) |
| Total Loss for the Year | | (2,273,624) | (2,278,336) |
| Total comprehensive loss for the period attributable to: | | | |
| Owners of the parent | | (2,242,516) | (2,240,112) |
| Non-controlling interests | | (44,328) | (28,629) |
| Total Comprehensive Loss | | (2,286,844) | (2,268,741) |
| Loss Per Share (basic)* | 20 | (0.03) | (0.05) |
| Loss Per Share (diluted) | | (0.03) | (0.05) |

All results are derived from continuing operations

* 2020 Loss per share was re-stated following share split in 2021

STATEMENTS OF FINANCIAL POSITION AS AT 31 DECEMBER

Notes (in the order printed): 11, 12, 14, 10, 13, 15, 19, 19, 21, 16, 17, 18

| | Group 2021 £ | Group 2020 £ | Company 2021 £ | Company 2020 £ |
|---|---|---|---|---|
| Non-Current Assets | | | | |
| Intangible assets | 1,103,679 | - | 521,603 | - |
| Tangible assets | 5,460 | 70,064 | - | 38,392 |
| Investments in subsidiaries | - | - | 1,637,518 | 458,164 |
| Goodwill | 875,277 | - | - | - |
| Unlisted investment | 456,834 | 31 | 456,834 | 31 |
| Intercompany receivable greater than one year | - | - | 918,206 | 653,316 |
| Total non-current assets | 2,441,250 | 70,095 | 3,534,161 | 1,149,902 |
| Current Assets | | | | |
| Trade and other receivables | 1,066,076 | 497,912 | 838,622 | 275,680 |
| Cash and cash equivalents | 3,373,062 | 958,341 | 3,106,817 | 824,667 |
| Total current assets | 4,439,138 | 1,456,253 | 3,945,439 | 1,100,347 |
| TOTAL ASSETS | 6,880,388 | 1,526,348 | 7,479,600 | 2,250,249 |
| EQUITY | | | | |
| Attributable to the owners of the Company | | | | |
| Share Capital | 374,786 | 256,605 | 374,786 | 256,605 |
| Share premium account | 14,971,221 | 8,518,391 | 14,971,221 | 8,518,391 |
| Other reserves | 240,310 | 181,618 | 240,310 | 181,618 |
| Retained earnings | (11,827,351) | (9,598,055) | (10,800,700) | (8,835,874) |
| Translation of foreign operations | (14,992) | (1,772) | - | - |
| Attributable to owners of the parent | 3,743,974 | (643,213) | 4,785,617 | 120,740 |
| Non-controlling interests | (139,127) | (94,799) | - | - |
| Total equity | 3,604,847 | (738,012) | 4,785,617 | 120,740 |
| LIABILITIES | | | | |
| Current Liabilities | | | | |
| Trade and other payables | 1,413,658 | 929,038 | 1,049,960 | 794,187 |
| Other current liabilities | 1,368,638 | - | 1,351,471 | - |
| Total current liabilities | 2,782,296 | 929,038 | 2,401,431 | 794,187 |
| Long Term Liabilities | | | | |
| Other non-current liabilities | 493,245 | 1,335,322 | 292,552 | 1,335,322 |
| Total long term liabilities | 493,245 | 1,335,322 | 292,552 | 1,335,322 |
| Total Liabilities | 3,275,541 | 2,264,360 | 2,693,983 | 2,129,509 |
| Total Equity & Liabilities | 6,880,388 | 1,526,348 | 7,479,600 | 2,250,249 |

The company’s loss for the year was £1,964,825 (2020: £1,921,160).

The financial statements were approved by the Board and authorised for issue on 13 April 2022.
They were signed on its behalf by

TOM ILUBE
Chief Executive Officer

STATEMENTS OF CHANGES IN EQUITY

| Group 2021 £ | Share Capital | Share Premium | Equity Reserve | Retained Earnings | Translation Reserve | Non-controlling interests | Total |
|---|---|---|---|---|---|---|---|
| At 1 January | 256,605 | 8,518,391 | 181,618 | (9,598,056) | (1,772) | (94,799) | (738,012) |
| Issue of shares | 118,181 | 6,770,954 | – | – | – | – | 6,889,135 |
| Transaction costs | – | (318,124) | – | – | – | – | (318,124) |
| Employee share schemes - value of employee services | – | – | 58,692 | – | – | – | 58,692 |
| Loss for the period | – | – | – | (2,229,296) | – | (44,328) | (2,273,624) |
| Other comprehensive loss for the period | – | – | – | – | (13,220) | – | (13,220) |
| At 31 December | 374,786 | 14,971,221 | 240,310 | (11,827,351) | (14,992) | (139,127) | 3,604,847 |

| Group 2020 | Share Capital | Share Premium | Equity Reserve | Retained Earnings | Translation Reserve | Non-controlling interests | Total |
|---|---|---|---|---|---|---|---|
| At 1 January | 234,061 | 7,515,744 | 128,826 | (7,428,818) | (11,367) | – | 438,447 |
| Issue of shares | 22,543 | 1,021,108 | – | – | – | – | 1,043,651 |
| Transaction costs | – | (18,461) | – | – | – | – | (18,461) |
| Employee share schemes - value of employee services | – | – | 52,792 | – | – | – | 52,792 |
| Transfer on issue of shares to non-controlling interest | – | – | – | 66,169 | – | (66,169) | – |
| Gain from issue of shares to non-controlling interest | – | – | – | 14,300 | – | – | 14,300 |
| Loss for the period | – | – | – | (2,249,707) | – | (28,629) | (2,278,336) |
| Other comprehensive loss for the period | – | – | – | – | 9,595 | – | 9,595 |
| At 31 December | 256,605 | 8,518,391 | 181,618 | (9,598,056) | (1,772) | (94,799) | (738,012) |

| Company 2021 £ | Share Capital | Share Premium | Equity Reserve | Retained Earnings | Translation Reserve | Non-controlling interests | Total |
|---|---|---|---|---|---|---|---|
| At 1 January | 256,605 | 8,518,391 | 181,618 | (8,835,874) | – | – | 120,740 |
| Issue of shares | 118,181 | 6,770,954 | – | – | – | – | 6,889,135 |
| Transaction costs | – | (318,124) | – | – | – | – | (318,124) |
| Employee share schemes - value of employee services | – | – | 58,692 | – | – | – | 58,692 |
| Loss for the period | – | – | – | (1,964,825) | – | – | (1,964,825) |
| At 31 December | 374,786 | 14,971,221 | 240,310 | (10,800,699) | – | – | 4,785,618 |

| Company 2020 | Share Capital | Share Premium | Equity Reserve | Retained Earnings | Translation Reserve | Non-controlling interests | Total |
|---|---|---|---|---|---|---|---|
| At 1 January | 234,061 | 7,515,744 | 128,826 | (6,914,714) | – | – | 963,917 |
| Issue of shares | 22,543 | 1,021,108 | – | – | – | – | 1,043,651 |
| Transaction costs | – | (18,461) | – | – | – | – | (18,461) |
| Employee share schemes - value of employee services | – | – | 52,792 | – | – | – | 52,792 |
| Loss for the period | – | – | – | (1,921,160) | – | – | (1,921,160) |
| At 31 December | 256,605 | 8,518,391 | 181,618 | (8,835,874) | – | – | 120,740 |

STATEMENTS OF CASHFLOWS

| Years | Notes | 12 Months ended 31 December Group 2021 £ | 12 Months ended 31 December Group 2020 £ | 12 Months ended 31 December Company 2021 £ | 12 Months ended 31 December Company 2020 £ |
|---|---|---|---|---|---|
| Loss for the year / period | | (2,273,624) | (2,278,336) | (1,964,825) | (1,921,160) |
| Cashflows From Operating Activities | | | | | |
| Movement in trade and other receivables | | (412,005) | 128,385 | (837,873) | 450,691 |
| Movement in trade and other payables | | 86,231 | 457,260 | 40,374 | (265,054) |
| Depreciation | 3 | 66,243 | 10,740 | 38,392 | 7,774 |
| Amortisation | 3 | 37,881 | 139,697 | 9,931 | 98,478 |
| Finance Costs | 7 | 220,545 | 204,681 | 138,742 | 200,844 |
| Gain on measurement of financial assets | 22 | (456,803) | – | (456,803) | – |
| Employee share schemes | 4 | 58,692 | 52,792 | 58,692 | 52,792 |
| Tax (credit) / expense | 9 | (172,615) | 4,840 | – | – |
| Tax paid | | (5,396) | (4,840) | – | – |
| Net Cashflow from Operating Activities | | (2,850,851) | (1,284,780) | (2,973,370) | (1,375,635) |
| Cashflow From Investing Activities | | | | | |
| Investment in intangible assets | 11 | (183,796) | – | (183,796) | – |
| Purchase of tangible assets | 12 | – | (2,001) | – | – |
| Acquisition of subsidiaries, net of cash acquired | 10 | (645,390) | – | (700,000) | – |
| Net Cashflow from Investing Activities | | (829,186) | (2,001) | (883,796) | – |
| Cashflows From Financing Activities | | | | | |
| Proceeds from issue of ordinary shares | | 6,639,135 | 1,043,651 | 6,639,135 | 1,043,651 |
| Share issuance costs | | (318,124) | (18,461) | (318,124) | (18,461) |
| Interest paid on convertible loan notes | | (168,000) | (168,000) | (168,000) | (168,000) |
| Proceeds from issue of shares in subsidiary to non-controlling interests | | – | 14,300 | – | – |
| Interest paid | | (1,638) | (1,592) | (186) | (460) |
| Payments for right of use assets | | (43,734) | (148,536) | (13,507) | (108,513) |
| Net Cash Inflow from Financing Activities | | 6,107,639 | 721,362 | 6,139,319 | 748,217 |
| Net Increase in Cash & Cash Equivalents | | 2,427,602 | (565,419) | 2,282,149 | (627,418) |
| Foreign Currency Translation Difference | | (12,881) | 9,595 | - | - |
| Cash and Cash Equivalent at the beginning of the period | | 958,341 | 1,514,166 | 824,667 | 1,452,085 |
| Cash and Cash Equivalent at the end of the period | | 3,373,062 | 958,341 | 3,106,816 | 824,667 |

NOTES TO THE FINANCIAL INFORMATION

1. ACCOUNTING POLICIES

1.1 The Group and its operations

Crossword Cybersecurity plc (the “Company”) is a Company incorporated on 6 March 2014 in England and Wales under the Companies Act 2006. The Company is the parent company of the Crossword Group of Companies focusing on the cyber security sector. The principal activities are the development and commercialisation of university research-based cyber security related software and cyber security consulting.

The financial information includes the results of the Company and its subsidiaries (together referred to as the “Group” and individually as “Group entities”).

The principal accounting policies applied in the preparation of the financial information are set out below. These policies have been consistently applied to all the periods presented, unless otherwise stated.

1.2 Basis of preparation of financial information

The financial information has been prepared in accordance with the requirements of the London Stock Exchange plc AIM Rules for Companies and in accordance with International Financial Reporting Standards as adopted in the United Kingdom (“UK adopted IFRS”) and those parts of the Companies Act 2006 applicable to companies reporting in accordance with UK adopted IFRS. The financial information has been prepared on the historical cost basis.

The preparation of financial information in conformity with UK adopted IFRS requires the use of certain critical accounting estimates.
It also requires management to exercise its judgement in the process of applying the Group’s accounting policies. Changes in assumptions may have a significant impact on the financial information in the year the assumptions changed. Management believes that the underlying assumptions are appropriate. The areas involving a higher degree of judgement or complexity, or areas where assumptions and estimates are significant to the financial information are disclosed in note 1.21.

Changes in accounting policy and disclosures

There were no changes in the accounting policy and disclosures in the current financial year. At the year end, the following standards and interpretations which have not been applied in these financial statements were in issue but not yet effective. The Group is considering their impact but does not expect a material impact on the future results of the Group.

New standards, interpretations and amendments adopted in current period

The following new standards or amendments to existing standards were applicable for the first time and have not had an impact on the financial statements.

Amendments to IFRS 9, IAS 39, IFRS 7, IFRS 4 and IFRS 16 Interest Rate Benchmark Reform – Phase 2 (issued in August 2020)

The amendments are aimed at helping companies to provide investors with useful information about the effects of the reform of interest rate benchmarks on those companies’ financial statements. The amendments complement those issued in 2019 and focus on the effects on financial statements when a company replaces the old interest rate benchmark with an alternative benchmark rate as a result of the reform.
The Phase 2 amendments relate to:

• changes to contractual cash flows – a company will not have to derecognise or adjust the carrying amount of financial instruments for changes required by the reform, but will instead update the effective interest rate to reflect the change to the alternative benchmark rate;
• hedge accounting – a company will not have to discontinue its hedge accounting solely because it makes changes required by the reform, if the hedge meets other hedge accounting criteria; and
• disclosures – a company is required to disclose information about new risks arising from the reform and how it manages the transition to alternative benchmark rates.

The Group has not had a material impact on its consolidated financial statements from these amendments.

New standards, interpretations and amendments not yet adopted

The Group adopt early the following amendments to standards which are not yet mandatory.

IFRS 17 Insurance Contracts (including the June 2020 Amendments to IFRS 17, effective from 1 January 2023)

Amendments to IFRS 3 Business Combinations – Reference to the Conceptual Framework (effective from 1 January 2022)

Amendments to IAS 16 Property, Plant and Equipment – Proceeds before Intended Use (effective from 1 January 2022).

Amendments to IAS 8 Accounting Policies, Changes in Accounting Estimates and Errors – Definition of Accounting Estimates (effective 1 January 2023).

Amendments to IAS 1 Presentation of Financial Statements and IFRS Practice Statement 2: Disclosure of Accounting policies (effective 1 January 2023).

Amendments to IAS 12 Income Taxes – Deferred Tax related to Assets and Liabilities arising from a Single Transaction (effective 1 January 2023).

Amendments to IAS 1 Presentation of Financial Statements – Classification of Liabilities as Current or Non-current (effective 1 January 2024).
1.3 Going Concern

The financial information has been prepared on a going concern basis. The Group’s business model has been enhanced following the two acquisitions in 2021 and a further acquisition in early 2022. The Group’s operations have incurred a loss in the financial year whilst the Group’s products and services continue to be enhanced, developed and brought to market. The Directors’ forecasts in 2022 show a trading loss with net cash outflows as the business continues to develop and enhance its products and services and grows revenue. In 2021, the Group’s operations have been supported by cash inflows from customers and from the issue of £6.3m equity net of costs during 2021.

The Directors have considered the Group’s future and forecast business and cash requirements. Following the completion of successful fundraises in 2021, the Directors have determined that the group wants to continue to expand, potentially through future acquisitions, which will require a further fund raise in 2022. In December 2022, the £1.4m convertible loan notes mature and will either be converted to equity, repaid, or renegotiated. The outcome of the settlement of the convertible loan notes is uncertain but may require further finance for repayment of the debt. Whilst the Group has £3.4m as cash and cash equivalent at 31 December 2021, on 14 March 2022, the Group made another acquisition for a total consideration of £1.5m.

The Directors have concluded that these circumstances could give rise to a material uncertainty arising from events or conditions that may cast significant doubt on the entity’s ability to continue as a going concern if a further fund raise was unsuccessful. However, considering recent successful fund raises the Directors are confident that they can continue to adopt the going concern basis in preparing the financial statements.
The financial statements do not include any adjustment that may arise in the event that the Group is unable to raise finance, realise its assets and discharge its liabilities in the normal course of business.

1.4 Basis of consolidation

Subsidiaries are fully consolidated from the date on which control is transferred to the Group. Control exists when the Group has:

− the power over the investee;
− exposure, or rights, to variable returns from its involvement with the investee; and
− the ability to use its power over the investee to affect the amount of the investor’s returns.

All intra-Group transactions, balances, income and expenses are eliminated on consolidation. Uniform accounting policies are applied by the Group entities to ensure consistency.

1.5 Revenue

Revenue comprises the fair value of consideration received or receivable for licence income and the rendering of services in the ordinary course of the Group’s activities. Revenue is shown net of value added tax and trade discounts. Income is reported as follows:

(a) Licence income

Technology and product licensing revenue represents amounts earned for licences granted under licensing agreements and recognised over time. Revenues relating to up-front payments are recognised when the obligations related to the revenues have been completed. Revenues for maintenance and support services are recognised in the accounting periods in which the services are rendered.

(b) Rendering of Services

Services relate to implementation and deployment fees for the technology and products licensed to customers. Revenue is recognised in the accounting periods in which the services are rendered.

(c) Consulting

Consulting revenue is recognised when the performance obligation is met, primarily at a point of time.
Contracts are structured to support the revenue recognition process by stating what the objectives and deliverables are for each part of the project, and the revenue attributable to each deliverable.

1.6 Functional and presentation currency

The presentation currency of the Group is pounds sterling (GBP). The functional currency of the Company is pounds sterling. The functional currency of the Company’s Polish subsidiary is Polish Zloty (PLN).

1.7 Business combinations

The acquisition of subsidiaries is accounted for using the acquisition method. The cost of the acquisition is measured as the aggregate of the fair values, at the date of exchange, of assets given, liabilities incurred or assumed, and equity instruments issued by the Group in exchange for control of the acquiree. Acquisition related costs are recognised in the income statement as incurred.

Any contingent consideration to be transferred by the Group is recognised at fair value at the acquisition date. Subsequent changes to the fair value of the contingent consideration that is deemed to be an asset or liability is recognised in the consolidated income statement. Contingent consideration that is classified as equity is not remeasured, and its subsequent settlement is accounted for within equity.

Goodwill arising on acquisition is recognised as an asset and initially measured at cost, being the excess of the cost of the business combination over the Group’s interest in the net fair value of the identifiable assets, liabilities and contingent liabilities recognised. For the purpose of impairment testing, goodwill acquired in a business combination is, from the acquisition date, allocated to the cash generating unit (“CGU”) that is expected to benefit from the synergies of the combination.
The CGU to which goodwill has been allocated is tested for impairment annually, or more frequently when there is an indication that the unit may be impaired. Any impairment loss is recognised directly in the income statement.

1.8 Foreign operations

The assets and liabilities of foreign operations are translated into Pound sterling using the exchange rates at the reporting date. The revenues and expenses of foreign operations are translated into Pound sterling using the average exchange rates, which approximate the rates at the dates of the transactions, for the period. All resulting foreign exchange differences are recognised in other comprehensive income through the foreign currency reserve in equity.

On disposal of a foreign operation, the cumulative exchange differences recognised in the foreign exchange reserve relating to that operation up to the date of disposal are transferred to the consolidated statement of comprehensive income as part of the profit or loss on disposal.

1.9 Intangible assets – research and development

Expenditure on research is written off in the period in which it is incurred. Development expenditure incurred on specific projects is capitalised where the management is satisfied that the following criteria have been met:

• it is technically feasible to complete the software product so that it will be available for use;
• management intends to complete the software product and use or sell it;
• there is an ability to use or sell the software product;
• it can be demonstrated how the software product will generate probable future economic benefits;
• adequate technical, financial and other resources to complete the development and to use or sell the software product are available; and
• the expenditure attributable to the software product during its development can be reliably measured.
Directly attributable costs that are capitalised as part of the software product include the software development employee costs and an appropriate portion of relevant overheads. Other development expenditure that does not meet these criteria is recognised as an expense as incurred.

1.10 Property, plant and equipment

Property, plant and equipment is stated at purchase price less accumulated depreciation and impairment losses. The cost includes all expenses directly related to the purchase of a relevant asset. All other repair and maintenance costs are charged to the income statement for the period during the reporting period in which they are incurred.

1.11 Depreciation and amortisation

Each item of property, plant and equipment is depreciated using the straight-line method over the estimated useful life and depreciation charge is included in the income statement for the period.

The depreciation is charged to the income statement for the period and determined using the straight-line method over the estimated useful life of the item of property, plant and equipment.

The expected useful lives of property, plant and equipment in the reporting and comparative periods are as follows:

| | Useful lives in years |
|---|---|
| Computers | 3.33 |
| Furniture & fittings | 3.33 |

Computer software development expenditure recognised as assets is amortised on a straight-line basis over their estimated useful lives, which does not exceed 5 years.

1.12 Impairment of non-financial assets

The residual value of an asset is the estimated amount that the Group would currently obtain from disposal of the asset less the estimated costs of disposal, if the asset was already of the age and in the condition expected at the end of its physical life. The assets’ residual values and useful lives are reviewed, and adjusted if appropriate, at each reporting date.
At the end of each reporting period management assesses whether the indicators of impairment of property, plant and equipment exist. The carrying amounts of property, plant and equipment and all other non-financial assets are reviewed for impairment if there is any indication that the carrying amount may not be recoverable.

For the purpose of impairment testing the recoverable amount is measured by reference to the higher of value in use (being the net present value of expected future cashflows of a relevant cash generating unit) and fair value less costs to sell (the amount obtainable from the sale of an asset or cash generating unit in an arm’s length transaction between knowledgeable, willing parties who are independent from each other less the costs of disposal). Where there is no binding sale agreement or active market, fair value less costs to sell is based on the best information available to reflect the amount the Group would receive for the cash generating unit. A cash generating unit is the smallest identifiable group of assets that generates cash inflows that are largely independent of the cash inflows from other assets or groups of assets.

If the carrying amount of the asset exceeds its recoverable amount, the asset is impaired and an impairment loss is charged to the income statement so as to reduce the carrying amount in the statement of financial position to its recoverable amount. A previously recognised impairment loss is reversed if the recoverable amount increases as a result of a reversal of the conditions that originally resulted in the impairment. This reversal is recognised in profit or loss for the period and is limited to the carrying amount that would have been determined, net of depreciation, had no impairment loss been recognised in prior years.

1.13 Financial Instruments

Financial assets and financial liabilities are recognised when the Company becomes a party to the contractual provisions of the instrument.
Financial assets and financial liabilities are initially measured at fair value. Transaction costs that are directly attributable to the acquisition or issue of financial assets and financial liabilities (other than financial assets and financial liabilities at fair value through profit or loss) are added to or deducted from the fair value of the financial assets or financial liabilities, as appropriate, on initial recognition. Transaction costs directly attributable to the acquisition of financial assets or financial liabilities at fair value through profit or loss are recognised immediately in profit or loss. All financial instruments are classified in accordance with the principles of IFRS 9 Financial Instruments.
1.13 (a) Financial assets
Classification of financial assets
Debt instruments that meet the following conditions are subsequently measured at amortised cost:
• the financial asset is held within a business model whose objective is to hold financial assets in order to collect contractual cash flows; and
• the contractual terms of the financial asset give rise on specified dates to cash flows that are solely payments of principal and interest on the principal amount outstanding.
Debt instruments that meet the following conditions are subsequently measured at FVTOCI:
• the financial asset is held within a business model whose objective is achieved by both collecting contractual cash flows and selling the financial assets; and
• the contractual terms of the financial asset give rise on specified dates to cash flows that are solely payments of principal and interest on the principal amount outstanding.
By default, all other financial assets are subsequently measured at FVTPL.
Amortised cost and effective interest method
The effective interest method is a method of calculating the amortised cost of a debt instrument and of allocating interest income over the relevant period.
For financial instruments other than purchased or originated credit-impaired financial assets, the effective interest rate is the rate that exactly discounts estimated future cash receipts (including all fees and points paid or received that form an integral part of the effective interest rate, transaction costs and other premiums or discounts) excluding expected credit losses, through the expected life of the debt instrument, or, where appropriate, a shorter period to the gross carrying amount of the debt instrument on initial recognition. For purchased or originated credit-impaired financial assets, a credit-adjusted effective interest rate is calculated by discounting the estimated future cash flows, including expected credit losses, to the amortised cost of the debt instrument on initial recognition.
The amortised cost of a financial asset is the amount at which the financial asset is measured at initial recognition minus the principal repayments, plus the cumulative amortisation using the effective interest method of any difference between that initial amount and the maturity amount, adjusted for any loss allowance. On the other hand, the gross carrying amount of a financial asset is the amortised cost of a financial asset before adjusting for any loss allowance.
Impairment of financial assets
The Company recognises a loss allowance for expected credit losses on financial assets that are measured at amortised cost. The amount of expected credit losses is updated at each reporting date to reflect changes in credit risk since initial recognition of the respective financial instrument.
Expected credit loss measurement
The consolidated entity has applied the simplified approach to measuring expected credit losses, which uses a lifetime expected loss allowance.
To measure the expected credit losses, trade receivables have been grouped based on days overdue.
1.13 (b) Financial liabilities and equity
Debt and equity instruments are classified as either financial liabilities or as equity in accordance with the substance of the contractual arrangement.
Equity instruments
An equity instrument is any contract that evidences a residual interest in the assets of an entity after deducting all of its liabilities. Equity instruments issued by the Company entity are recognised at the proceeds received, net of direct issue costs.
Financial liabilities
All financial liabilities are subsequently measured at amortised cost using the effective interest method or at ‘Fair Value Through Profit or Loss’ (‘FVTPL’).
Financial liabilities at FVTPL
Financial liabilities are classified as at FVTPL when the financial liability is contingent consideration of an acquirer in a business combination to which IFRS 3 applies, or it is designated as at FVTPL.
Financial liabilities subsequently measured at amortised cost
Financial liabilities that are not 1) contingent consideration of an acquirer in a business combination, 2) held-for-trading, or 3) designated as at FVTPL, are subsequently measured at amortised cost using the effective interest method.
The effective interest method is a method of calculating the amortised cost of a financial liability and of allocating interest expense over the relevant period. The effective interest rate is the rate that exactly discounts estimated future cash payments (including all fees and points paid or received that form an integral part of the effective interest rate, transaction costs and other premiums or discounts) through the expected life of the financial liability, or (where appropriate) a shorter period, to the amortised cost of a financial liability.
Derecognition of financial liabilities
The Company derecognises financial liabilities when, and only when, the Company’s obligations are discharged, cancelled or they expire. The difference between the carrying amount of the financial liability derecognised and the consideration paid and payable, including any non-cash assets transferred or liabilities assumed, is recognised in the statement of comprehensive income.
1.14 Leases
The Company assesses whether a contract is or contains a lease, at inception of the contract. The Company recognises a right-of-use asset and a corresponding lease liability with respect to all lease arrangements in which it is the lessee, except for short-term leases (defined as leases with a lease term of 12 months or less) and leases of low value assets. For these leases, the Company recognises the lease payments as an administrative expense on a straight-line basis over the term of the lease.
1.15 Taxes
Current tax is calculated using rates and laws enacted or substantively enacted at the reporting date. Current tax is recognised in profit or loss unless it relates to an item of other comprehensive income or equity whereby it is recognised in other comprehensive income or equity respectively.
Deferred income tax is calculated using rates and laws enacted or substantively enacted at the reporting date that are expected to apply on reversal of the related temporary difference, and is determined in accordance with the expected manner of recovery of the related asset. Deferred income tax is recognised in profit or loss unless it relates to an item of other comprehensive income or equity whereby it is recognised in other comprehensive income or equity respectively.
1.16 Share-based payments
On occasion, the Company has made share-based payments to certain Directors and employees by way of issue of share options.
The fair value of these payments is calculated by the Company using the binomial option valuation model and the Monte Carlo simulation model. The expense, where material, is recognised on a straight-line basis over the period from the date of award to the date of vesting, based on the Company’s best estimate of the number of shares that will eventually vest.
1.17 Investments
Shares in subsidiary undertakings are stated at cost less provision for impairment. Unlisted investments are measured at fair value through profit or loss.
1.18 Intercompany Financing arrangements
The amortised cost methodology is applied to the financing arrangement between the Company and subsidiary Crossword Consulting Limited. An assessment is undertaken to determine weighted average cost of capital to apply discounting with the principal conceptually including a financing element.
1.19 Pension Obligations
The Group operates a defined contribution pension scheme for employees in the United Kingdom. A defined contribution scheme is a pension plan under which the Group pays fixed contributions into a separate entity. Contributions payable to the Group’s pension scheme are charged to the income statement in the year to which they relate. The Group has no further payment obligations once the contributions have been paid. In Poland, the Group pays the statutory employer’s contribution into the public pension scheme for each employee, but does not operate any pension schemes. In 2021, the Group implemented the Employee Capital Plans (PPK) programme which involved employee consultation and selection of a financial institution.
1.20 Cash and Cash Equivalents
Cash comprises cash-in-hand and demand deposits. Cash equivalents are short-term, highly liquid investments that are readily convertible to known amounts of cash, and which are subject to an insignificant risk of change in value.
1.21 Accounting for Government Grants
Government grants are not recognised until there is reasonable assurance that the Group will comply with the conditions attached to them and that the grants will be received. Government grants are recognised as income over the periods necessary to match them with the costs for which they are intended to compensate, on a systematic basis. Government grants that are receivable as compensation for expenses or losses already incurred or for the purpose of giving immediate financial support to the Group with no future related costs are recognised in the income statement in the period in which they become receivable. UK Government Furlough Funding is netted off against Gross Staff Costs in the period in which it is incurred.
1.22 Critical accounting estimates and judgements and key sources of estimation uncertainty
Estimates and judgements are continually evaluated and are based on experience and other factors, including expectations of future events that are believed to be reasonable under the circumstances. The following are the key estimates that the directors have made in the process of applying the Group’s accounting policies and have the most significant effect on the amounts recognised in the financial information. There are no further critical accounting judgements.
Fair value of options granted to employees
The Group uses the Binomial model and Monte Carlo simulation model in determining the fair value of options granted to employees under the Group’s various share schemes. The determination of the fair value of options requires a number of assumptions. The alteration of these assumptions may impact charges to the income statement over the vesting period of the award. Details of the assumptions used are shown in note 4.
Convertible Loans
The Group has given consideration to the measurement and presentation of the convertible loans.
On legal execution of the loans the financial liability is initially measured at its fair value which is the face value of the loans. Immediately after recognition, at fair value, the financial liability is measured at amortised cost, using a reasonable estimate of the Group’s cost of capital. The difference between the fair value and the amortised cost is taken to the P&L account.
Impairment
An impairment assessment of the carrying value in the Company of the investment in subsidiaries is undertaken using an NPV model over the projected cash flows, with a discount rate based on the assessment of weighted average cost of capital.
Business combinations
The recognition of business combinations requires management to make estimates in order to determine fair value of consideration payable on acquisition as well as fair value of identifiable assets, particularly intangibles, and liabilities acquired. These estimates are based on all available information and in some cases assumptions with respect to the timing and amount of future revenues and expenses associated with an asset.
Deferred tax
Deferred tax assets are recognised for unused tax losses to the extent that it is probable that taxable profit will be available against which the losses can be utilised. Significant management judgement is required to determine the amount of deferred tax assets that can be recognised, based upon the likely timing and the level of future taxable profits, together with future tax planning strategies. The company has taxable temporary differences that partly support the recognition of the losses as deferred tax assets based on the above.
The company has determined that it cannot recognise deferred tax assets on all of the tax losses carried forward, however, based on the likely characteristics, timing and level of future taxable profits, together with future tax planning strategies. Further details on taxes are disclosed in note 9.
2 REVENUE AND SEGMENTAL INFORMATION
An analysis of the Group’s revenue for each period for its continuing operations is as follows:
£ | Group 2021 | Group 2020
Revenue from the sale of goods/licences | 189,252 | 136,206
Revenue from the rendering of services | 183,855 | 34,675
Revenue from Consulting | 1,660,207 | 1,229,000
Revenue from Byzgen Limited for software development | 137,823 | 203,030
Revenue from Cyberowl Limited for software development | – | 24,700
Total Revenue | 2,171,137 | 1,627,611
IFRS 8 Operating Segments requires the Group to determine its operating segments based on information which is provided internally. Based on the internal reporting information and management structures within the Group, it has been determined that there are two operating segments established according to differences in products and services provided – Software product and services and Cybersecurity consulting. These operating segments are based on the internal reports that are reviewed and used by the Board of Directors (who are identified as the Chief Operating Decision Makers (‘CODM’)) in assessing performance and in determining the allocation of resources. There is no aggregation of operating segments. The CODM reviews EBITDA (earnings before interest, tax, depreciation and amortisation). The accounting policies adopted for internal reporting to the CODM are consistent with those adopted in the financial statements.
The information regarding the Group’s reportable segments is presented below:
2021 £ | Software product and services | Cybersecurity consulting | Eliminations | Total
Revenue | 462,108 | 1,784,309 | (75,280) | 2,171,137
Cost of Sales | (358,333) | (1,598,845) | – | (1,957,178)
Gross Profit | 103,775 | 185,464 | (75,280) | 213,959
Administrative expenses | (2,703,009) | (632,410) | 75,280 | (3,260,139)
Other operating income | 358,727 | – | – | 358,727
Financial income and expenses | 323,725 | (82,512) | – | 241,213
Loss for the year before taxation | (1,916,782) | (529,457) | – | (2,446,239)
Tax credit / (expense) | 172,615 | – | – | 172,615
Loss for the Year | (1,744,167) | (529,457) | – | (2,273,624)
Total Comprehensive Loss | (1,757,387) | (529,457) | – | (2,286,844)
Segment assets | 8,178,282 | 1,029,509 | (2,327,403) | 6,880,388
Segment liabilities | 2,924,439 | 1,762,053 | (1,410,951) | 3,275,541
EBITDA | (2,168,462) | (414,866) | – | (2,583,328)
2020 £ | Software product and services | Cybersecurity consulting | Eliminations | Total
Revenue | 553,946 | 1,285,293 | (211,629) | 1,627,611
Cost of Sales | (483,580) | (1,098,615) | – | (1,582,194)
Gross Profit | 70,366 | 186,679 | (211,629) | 45,416
Administrative expenses | (2,060,206) | (472,097) | 211,628 | (2,320,675)
Other operating income | 209,647 | – | – | 209,647
Financial income and expenses | (102,818) | (105,067) | – | (207,885)
Loss for the year before taxation | (1,883,011) | (390,486) | – | (2,273,497)
Tax expense | (4,840) | – | – | (4,840)
Loss for the Year | (1,887,850) | (390,486) | – | (2,278,336)
Total Comprehensive Loss | (1,878,256) | (390,486) | – | (2,268,741)
Segment assets | 2,480,051 | 375,437 | (1,329,141) | 1,526,348
Segment liabilities | 2,129,509 | 1,340,505 | (1,205,654) | 2,264,360
EBITDA | (1,625,501) | (284,918) | – | (1,910,419)
During the year ended 31 December 2021 approximately 17% (2020: 32%) of the consolidated entity’s external revenue was derived from sales to a major United Kingdom client. No other clients accounted for 10% or more of the consolidated entity’s external revenue.
No analysis of net assets by geographic segment is provided as the net assets are principally all within the UK.
3 EXPENSES BY NATURE
£ | Group 2021 | Group 2020
Staff and related costs | 3,305,430 | 2,643,670
Consultancy and related costs | 450,028 | 280,917
Professional fees | 616,791 | 268,567
Property-related costs | 172,823 | 82,776
Depreciation | 66,243 | 150,437
Amortisation | 37,881 | –
Capitalised costs | (138,067) | –
Other expenses | 706,188 | 476,502
Total cost of sales and administrative expenses | 5,217,317 | 3,902,870
Expenses by geographic segment
£ | Group 2021 | Group 2020
UK | 4,695,737 | 3,410,235
Poland | 521,580 | 492,635
Total cost of sales and administrative expenses | 5,217,317 | 3,902,870
4 STAFF COSTS
Staff costs, including Directors’ remuneration, were as follows:
£ | Group 2021 | Company 2021 | Group 2020 | Company 2020
Wages and salaries | 2,924,357 | 1,321,393 | 2,454,980 | 1,150,153
Furlough receipts for wages and salary | – | – | (93,510) | (36,218)
Social security costs | 327,012 | 142,103 | 243,642 | 119,755
Furlough receipts for social security costs | – | – | (6,363) | (2,430)
Other pension costs | 54,061 | 37,003 | 46,509 | 31,470
Furlough receipts for pension costs | – | – | (1,588) | (625)
Total | 3,305,430 | 1,500,499 | 2,643,670 | 1,262,106
The average monthly number of employees, including the Directors, during the period was as follows:
Number | Group 2021 | Company 2021 | Group 2020 | Company 2020
Staff | 42 | 17 | 34 | 13
Directors | 9 | 8 | 10 | 8
Total | 51 | 25 | 44 | 21
Share-based payments
The amount recognised in respect of share-based payments was £58,692 (2020: £52,792). The Group has established share option programmes that entitle certain employees to purchase shares in the Group. There are no performance conditions attaching to these options. 5,840 options were exercised in 2021 (133,330 in 2020).
Total options issued as at 31 December 2021 amount to 2,348,653 (2020: 2,065,730, re-stated for share split). See details in Note 13 Loss per share.
The share options have been valued using a binomial model applying the following inputs:
• Exercise price – equal to the share price at grant date;
• Vesting date – all options vest in three tranches, on the first, second and third anniversary from the grant date;
• Expiry/Exercise date – 10 years from the grant date;
• Volatility (sigma) – 40%. This has been calculated based on the historic volatility of the Company’s share price;
• Risk-free rate – yield on a zero coupon government security at each grant date with a life congruent with the expected option life;
• Dividend yield – 0%;
• Future staff turnover – 0%. We have however adjusted the P+L charge for the current year (and future years) to account for lapsed options due to Leavers; and
• Performance conditions – none.
Reconciliation of share options – Company
Item | 2021 | Weighted average exercise price 2021 | 2020 | Weighted average exercise price 2020
1 January | 2,065,730 | 0.36 | 1,888,890 | 0.26
Granted during the period | 352,923 | 0.36 | 496,840 | 0.70
Lapsed during the period | (64,160) | 0.36 | (186,670) | 0.31
Exercised during the period | (5,840) | 0.28 | (133,330) | 0.28
End of the period | 2,348,653 | 0.36 | 2,065,730 | 0.36
The 2020 numbers and 2021 opening have been re-stated for share split (Note 19). The weighted average share price at the exercise date was £0.36. The range of exercise prices is from £0.05 to £0.55. The weighted average remaining life of the options was 6.5 years (2020: 6.7 years).
5 DIRECTORS’ REMUNERATION
The remuneration of the Directors who served in the current year was as follows:
2021 Executive Directors Tom Ilube Mary Dowd* Non-Executive Directors Sir Richard Dearlove Ruth Anderson Andy Gueritz Gordon Matthew Dr David Secher Prof David Stupples Robert Coles Tara Cemlyn-Jones Total 2020 Executive Directors Tom Ilube Mary Dowd* Non-Executive Directors Sir Richard Dearlove Ruth Anderson Andy Gueritz Gordon Matthew Dr David Secher Prof David Stupples Total * Denotes highest paid director. Share Options issued Mary Dowd Sir Richard Dearlove Sir Richard Dearlove Basic Salary and Fees £ 128,311 130,000 25,000 12,000 16,000 6,000 16,000 4,750 7,250 7,231 352,542 Bonus £ – – – – – – – – – Basic Salary and Fees £ Bonus £ 126,622 130,000 25,000 12,000 16,000 12,000 16,000 12,000 349,622 Employer’s Pension Contribution £ Total £ 1,318 10,000 133,572 140,000 Taxable Benefits £ 3,942 25,000 – – – – – – – 28,942 Taxable Benefits £ 3,689 25,000 – – – – – – – – 11,318 Employer’s Pension Contribution £ 1,314 10,000 50,000 12,000 16,000 6,000 16,000 4,750 7,250 7,231 392,802 Total £ 131,625 140,000 – – 50,000 12,000 16,000 12,000 16,000 12,000 389,625 - 28,690 11,314 Year 2020 2020 2021 Share Options 25,000 94,340 70,423 Exercise Price £0.31 £0.27 £0.36 Total Value £2,903 £9,496 £25,000
During the year, the Company implemented a Long-Term Incentive Plan (LTIP) under which awards have been made to the following Executives – Mary Dowd, Stuart Jubb, Jake Holloway and Sean Arrowsmith. Each award is of nominal cost (£0.005) options to acquire up to 750,000 Crossword ordinary shares of 0.5p each which vest at the average mid-market price of the Ordinary Shares over the 20 trading days preceding the end of the performance period which ends on 30 September 2024.
25% of the options will vest if the Award Price is 50p, and 100% will vest if the Award Price is equal to or greater than 100p, with straight-line vesting between 50p and 100p.
6 OTHER OPERATING INCOME
£ | Group 2021 | Group 2020
Research and development tax credits | 206,380 | 209,647
Grant income | 152,347 | –
Total | 358,727 | 209,647
The grant income represents an award from Innovate UK for the Group’s participation in feasibility studies on digital supply chain.
7 FINANCE COSTS
£ | Group 2021 | Group 2020
Finance Cost of Financial Liabilities (Loan Notes) | 184,149 | 196,546
Interest on deferred consideration | 34,978 | –
Company right to use assets Interest | 187 | 4,298
Crossword Cybersecurity sp z.o.o. right to use assets interest | 452 | 2,705
Crossword Consulting Ltd Overdraft Annual Fees & Interest | 735 | 876
Crossword Cybersecurity Spolka z.o.o Interest | 44 | 256
Total | 220,545 | 204,679
8 AUDITOR’S REMUNERATION
The expenses for services rendered by the Group Auditor are as follows:
£ | Group 2021 | Group 2020
Fees for the parent company individual and consolidated financial statements | 46,000 | 40,250
Fees for legal audit of subsidiary financial information | 17,000 | 6,204
Fees for tax advisory services | – | 6,000
Total | 63,000 | 52,454
9 TAX
Income tax
£ | Group 2021 | Group 2020
Current income tax expense | 5,396 | 4,840
Deferred tax credit | (178,011) | –
Total tax (credit) / expense | (172,615) | 4,840
There is no tax charge in respect of other comprehensive income. The deferred tax liability arising on fair value revaluation on acquisitions of Verifiable Credentials Ltd and Stega UK Ltd (note 10) has been offset with a deferred tax asset recognised in respect of losses brought forward from prior periods, resulting in deferred tax credit to the statement of comprehensive income.
There is a deferred tax liability of £114,201 arising on the fair value uplift of £456,803 of the unlisted investment in CyberOwl Limited. This deferred tax liability has been offset by trading losses of the group. Corporation tax losses carried forward for offset against future years’ trading profits amount to approximately £4,800,000 (2020: £4,400,000).
£ | Group 2021 | Group 2020
Loss before taxation | 2,446,239 | 2,273,497
Average rate of corporation tax | 19.00% | 19.00%
Tax on loss | (464,785) | (431,964)
Effects of:
Expenses not deductible for tax purposes | 24,578 | 17,640
Depreciation for the period in excess of capital allowances | 104,124 | 150,437
Trading loss carried forward | 508,699 | 259,047
Total tax charge | 172,615 | (4,840)
Factors that may affect future tax changes
The rate of corporation tax in the United Kingdom had been expected to reduce from 19% to 17% from 1 April 2020. However, in March 2020, it was announced that the rate would continue at 19%. In March 2021, it was announced that UK corporation tax rates would rise to 25% from 2023.
Polish Corporation Tax was 19% until 1 January 2017, when Crossword started to benefit from the new small companies reduced rate of 15% adopted by the Parliament Act amendment to Polish CIT Law.
10 BUSINESS COMBINATIONS
On 26 May 2021 the Group acquired 100% of the issued share capital of Verifiable Credentials Ltd (“VCL”), the provider of Identiproof, the World Wide Web Consortium verifiable credentials compatible middleware and wallet technology.
The net consideration used in the acquisition of VCL and the provisional fair value of assets acquired and liabilities assumed on the acquisition date are detailed below:
Item | Book value | Adjustment | Fair value
Intangible assets | 127,306 | 477,728 | 605,034
Tangible assets | 1,098 | – | 1,098
Non-current assets | 128,404 | 477,728 | 606,132
Trade and other receivables | 69,538 | – | 69,538
Cash and cash equivalents | 37,684 | – | 37,684
Current assets | 107,222 | – | 107,222
Other non-current liabilities | 135,953 | – | 135,953
Deferred tax liabilities | – | 95,545 | 95,545
Non-current liabilities | 135,953 | 95,545 | 231,498
Trade and other payables | 101,421 | – | 101,421
Current liabilities | 101,421 | – | 101,421
Total fair value of net assets acquired | (1,748) | 382,183 | 380,435
Fair value of consideration
Cash on completion | 100,000
Shares at acquisition date | 150,000
Deferred consideration in shares | 130,435
Total consideration | 380,435
Goodwill | –
Acquisition costs of £17,345 arose as a result of the transaction, which have been recognised as part of administrative expenses in the statement of comprehensive income.
The Share Purchase Agreement stipulates that contingent consideration becomes payable once certain revenue targets are achieved; this can range from 0 to £750k for the first earn-out period (12 months after acquisition) and from 0 to £1.5m for the second earn-out period (24 months after acquisition). The management estimates that it is unlikely that the company will achieve the revenue necessary to trigger earn-out payments for both periods, hence no contingent consideration has been recorded. The company did not generate any revenue in 2021.
On 9 August 2021 the Group acquired 100% of the issued share capital of Stega UK Ltd (“Stega”), the threat intelligence and monitoring company.
The net consideration used in the acquisition of Stega and the provisional fair value of assets acquired and liabilities assumed on the acquisition date are detailed below:
Item | Book value | Adjustment | Fair value
Intangible assets | – | 354,301 | 354,301
Tangible assets | 30,509 | (24,437) | 6,072
Non-current assets | 30,509 | 329,864 | 360,373
Trade and other receivables | 86,619 | – | 86,619
Cash and cash equivalents | 16,927 | – | 16,927
Current assets | 103,546 | – | 103,546
Bank loans | 68,000 | – | 68,000
Deferred tax liabilities | – | 82,466 | 82,466
Non-current liabilities | 68,000 | 82,466 | 150,466
Trade and other payables | 82,990 | – | 82,990
Current liabilities | 17,000 | – | 17,000
Current liabilities | 99,990 | – | 99,990
Total fair value of net assets acquired | (33,935) | 247,398 | 213,463
Fair value of consideration
Cash on completion | 600,000
Shares at acquisition date | 100,000
Deferred consideration in cash | 134,435
Deferred consideration in shares | 84,022
Contingent consideration in cash | 119,604
Contingent consideration in shares | 50,679
Total consideration | 1,088,740
Goodwill | 875,277
The goodwill relates mainly to the expected synergies and assembled workforce that do not meet criteria for recognition as separate intangible assets.
The acquisition terms include additional consideration which is contingent upon achieving certain revenue targets. The contingent consideration ranges from 0 to £420k for the first earn-out period (12 months after acquisition) and from 0 to £420k for the second earn-out period (18 months after acquisition). The Group has recorded the contingent consideration at management's estimate of fair value.
For the specific purpose of estimating the fair value of the contingent liability, management assumes that Stega UK Ltd will achieve the revenue target in the second earn-out period, that the contingent consideration will consequently become payable, and that the timing and the amount of the resulting cash outflows will be consistent with the terms outlined in the agreement with the seller.
Acquisition costs of £17,780 relating to this transaction have been recognised as part of administrative expenses in the statement of comprehensive income.
Since the acquisition date, Stega has contributed £210,650 to group revenues and £93,177 to group loss. If the acquisition had occurred on 1 January 2021, group revenue would have been £2,500,250 and group loss for the period would have been £2,535,237.
These two acquisitions help to implement the Group’s strategy to create a portfolio of subscription-based, enterprise-class products and services for its clients.
11 INTANGIBLE ASSETS
Software Development £ Cost b/f Acquired through business combinations Additions Accumulated Depreciation B/F Charge for the period C/d Net Book Value Group 2021 – 957,764 183,796 1,141,560 Company 2021 – 347,738 183,796 531,534 – 37,881 37,881 – 9,931 9,931 1,103,679 521,603 Group 2020 – – Company 2020 – – – – – – – – – – – –
Intangible assets comprise 3 different software development projects, each with a remaining useful life of approximately 5 years, with carrying amounts of £676,022, £326,351 and £101,306.
12 TANGIBLE ASSETS
Computers £ Cost b/f Additions Acquired through business combinations Accumulated Depreciation B/F Charge for the period Translation adjustments C/d Net Book Value Furniture and Fittings £ Cost b/f Accumulated Depreciation B/F Charge for the period C/d Net Book Value Group 2021 24,675 – 7,170 31,845 21,124 4,924 337 26,385 5,460 Company 2021 – – – Group 2021 15,157 15,157 Company 2021 15,157 15,157 12,009 3,148 15,157 12,009 3,148 15,157 Group 2020 22,674 2,001 – 24,675 18,157 2,966 – 21,124 3,551 Group 2020 15,157 15,157 4,235 7,773 12,009 Company 2020 – – – Company 2020 15,157 15,157 4,235 7,773 12,009 – – 3,148 3,148
Right of Use Assets £ Cost b/f Disposals Accumulated Depreciation B/F Charge for the period Translation adjustments Disposals C/d Net Book Value Total £ Cost b/f Additions/(disposals) Acquired through business combinations Accumulated Depreciation B/F Charge for the period Translation adjustments Disposals C/d Net Book Value Group 2021 344,058 (344,058) – Company 2021 231,935 (231,935) – 280,694 58,171 5,193 (344,058) – 196,687 35,248 – (231,935) – Group 2020 344,058 – 344,058 140,996 139,697 – – 280,694 Company 2020 231,935 – 231,935 98,209 98,478 – – 196,687 – – 63,365 35,248 Group 2021 383,890 (344,058) 7,170 47,002 Company 2021 247,092 (231,935) - 15,157 313,826 66,243 5,530 (344,058) 41,542 208,696 38,396 - (231,935) 15,157 Group 2020 381,889 2,001 - 383,890 163,389 150,437 - - 313,826 Company 2020 247,092 - - 247,092 102,445 106,252 - - 208,696 5,460 - 70,064 38,395
13 UNLISTED INVESTMENTS
Item | Group 2021 | Company 2021 | Group 2020 | Company 2020
Fair value at 1 January and 31 December | 456,834 | 456,834 | 31 | 31
The above Group investment represents Crossword Cybersecurity Plc’s 2021 – 4.4% (2020 – 4.4%) holding in CyberOwl Limited which was purchased on 18 April 2016.
The investment has been revalued at fair value following a successful fundraise by CyberOwl in February 2022.

14 INVESTMENT IN SUBSIDIARIES

| £ | 2021 | 2020 |
|---|---|---|
| Cost b/f 1 January | 458,164 | 11,017 |
| Acquired during the year | 1,088,740 | – |
| Capital contribution | 90,614 | 447,147 |
| Cost c/f 31 December | 1,637,518 | 458,164 |

The group’s subsidiary undertakings are listed below, including name, country of incorporation, and proportion of ownership interest:

| Name | Registered office | Principal activity | 2021 % | 2020 % |
|---|---|---|---|---|
| Crossword Consulting Limited | 6th Floor, 60 Gracechurch Street, London EC3N 0HR, United Kingdom | Cybersecurity services | 90 | 90 |
| Crossword Cybersecurity SP Z.o.o. | ul. Wiejska 12a, 00-490 Warszawa, Poland | Cybersecurity services | 100 | 100 |
| Stega UK Ltd | 6th Floor, 60 Gracechurch Street, London EC3N 0HR, United Kingdom | Cybersecurity services | 100 | – |
| Verifiable Credentials Ltd | 6th Floor, 60 Gracechurch Street, London EC3N 0HR, United Kingdom | Cybersecurity services | 100 | – |
| Crossword Cybersecurity LLC | PO Box 808, Alwattayah / Muttrah / Muscat Governorate, Postcode: 100, Oman | Cybersecurity services | 90 | – |

15 TRADE AND OTHER RECEIVABLES

| £ | Group 2021 | Company 2021 | Group 2020 | Company 2020 |
|---|---|---|---|---|
| Trade receivables | 509,576 | 192,975 | 289,811 | 125,115 |
| Other receivables | 254,451 | 247,274 | 66,714 | 63,067 |
| Prepayments | 149,309 | 105,101 | 102,112 | 83,749 |
| Accrued income | 140,708 | 131,025 | 27,394 | 3,750 |
| VAT Refund | 12,033 | – | 11,881 | – |
| Intercompany receivables within one year | – | 162,247 | – | – |
| Total | 1,066,076 | 838,622 | 497,913 | 275,680 |

All of the above amounts are considered to be due within one year. The maximum exposure to credit risk at the reporting date is the carrying value as above and the cash and cash equivalents and none are either past or impaired. Of the above amounts held within the Group, £18,419 is denominated in Polish Zloty with the remainder in GBP (2020: £15,529).
Foreign exchange risk is currently minimal as balances in Polish Zloty are between the parent and its wholly owned subsidiary.

16 TRADE AND OTHER PAYABLES

| £ | Group 2021 | Company 2021 | Group 2020 | Company 2020 |
|---|---|---|---|---|
| Trade payables | 331,043 | 459,753 | 204,243 | 372,359 |
| Tax payables | 242,642 | 56,790 | 163,002 | 38,746 |
| Accruals | 226,623 | 164,284 | 403,997 | 289,488 |
| Deferred income | 331,198 | 94,333 | 101,438 | 71,789 |
| Deferred consideration | 261,606 | 261,606 | – | – |
| Other payables | 20,546 | 13,194 | 56,360 | 21,805 |
| Total | 1,413,658 | 1,049,960 | 929,038 | 794,187 |

All of the above amounts are considered to be due within one year. The deferred income relates to contract liabilities arising from contracts with customers. Of the Trade and Other Payables amounts held within the Group, £57,836 (2020: £29,630) is denominated in Polish Zloty with the remainder in GBP.

17 OTHER CURRENT LIABILITIES

| £ | Group 2021 | Company 2021 | Group 2020 | Company 2020 |
|---|---|---|---|---|
| Convertible loan notes | 1,351,471 | 1,351,471 | – | – |
| Bank loan | 17,167 | – | – | – |
| Total | 1,368,638 | 1,351,471 | – | – |

18 OTHER NON-CURRENT LIABILITIES

| £ | Group 2021 | Company 2021 | Group 2020 | Company 2020 |
|---|---|---|---|---|
| Convertible loan notes | – | – | 1,335,322 | 1,335,322 |
| Bank loan | 68,000 | – | – | – |
| Deferred consideration | 111,900 | 111,901 | – | – |
| Contingent consideration | 180,652 | 180,652 | – | – |
| Deferred grant income | 132,693 | – | – | – |
| Total | 493,245 | 292,552 | 1,335,322 | 1,335,322 |

19 SHARE CAPITAL

| Allotted called up and fully paid: number of shares | 2021 | 2020 |
|---|---|---|
| B/f | 51,320,900 | 46,805,610 |
| Shares issued in period | 23,636,250 | 4,515,290 |
| C/d | 74,957,150 | 51,320,900 |

In May 2021 the company sub-divided each existing ordinary share of £0.05 into 10 new ordinary shares of £0.005 each. The shares issued consequently were ordinary shares of £0.005 issued at a premium of £6,452,830 (2020: £1,002,647). All shares carry the same voting and capital distribution rights.

| £ | 2021 | 2020 |
|---|---|---|
| Share capital b/f | 256,605 | 234,061 |
| Shares issued in period | 118,181 | 22,544 |
| Share capital c/d | 374,786 | 256,605 |
| Share premium b/f | 8,518,391 | 7,515,744 |
| Shares issued in period | 6,452,830 | 1,002,647 |
| Share premium c/d | 14,971,221 | 8,518,391 |

20 LOSS PER SHARE

Earnings per share is calculated by dividing the loss for the period attributable to ordinary equity shareholders of the parent by the weighted average number of ordinary shares outstanding during the year. During the year the calculation for basic loss per share was based on the loss for the year attributable to owners of the parent of £2,407,307 (2020: £2,249,707) divided by the weighted average number of ordinary shares of 64,491,462 (2020: 49,819,800, re-stated following share split in 2021).

21 RESERVES

The following describes the nature and purpose of each reserve within owners’ equity:

| Reserve | Description and purpose |
|---|---|
| Share capital | This represents the nominal value of shares issued |
| Share premium | Amounts subscribed for share capital less any issue costs more than nominal value |
| Equity reserve | Represents amounts charged on share options that have been granted to employees |
| Retained earnings | Cumulative net gains and losses recognised in the consolidated statement of comprehensive income |
| Translation of foreign operations | Is the difference that arises due to consolidation of foreign subsidiaries using an average rate during the period and a closing rate for the period end statement of financial position |

22 FINANCIAL INSTRUMENTS

| £ | Group 2021 | Group 2020 | Company 2021 | Company 2020 |
|---|---|---|---|---|
| Current financial assets: measured at amortised cost | | | | |
| Trade and other receivables | 904,735 | 383,920 | 733,521 | 191,932 |
| Cash and cash equivalents | 3,373,062 | 958,341 | 3,106,817 | 824,667 |
| Non-current financial assets: measured at amortised cost | | | | |
| Loan to subsidiary | – | – | 918,206 | 653,316 |
| Non-current financial assets: measured at fair value through profit or loss | | | | |
| Financial investments | 456,834 | 31 | 456,834 | 31 |
| Total | 4,734,631 | 1,342,292 | 5,215,378 | 1,669,945 |

The financial investments comprise the investment in CyberOwl Ltd, which has been revalued on the basis of the valuation per share as at 1 February 2022 during the investment round, multiplied by the number of shares the Company owns in it. This methodology of determining a fair value equates to a level 2 assessment based on observed transactions of share price in recent transactions in the entity’s equity.

| £ | Group 2021 | Company 2021 | Group 2020 | Company 2020 |
|---|---|---|---|---|
| Current financial liabilities: measured at amortised cost | | | | |
| Trade and other payables | 839,818 | 898,836 | 664,599 | 683,653 |
| Short-term loans and leases | 1,368,638 | 1,351,471 | – | – |
| Non-current financial liabilities: measured at amortised cost | | | | |
| Loans | 68,000 | – | 1,335,322 | 1,335,322 |
| Non-current deferred consideration | 111,900 | 111,900 | – | – |
| Non-current financial liabilities: measured at fair value through profit or loss | | | | |
| Non-current contingent consideration | 180,652 | 180,652 | – | – |
| Total | 2,569,008 | 2,542,858 | 1,999,921 | 2,018,974 |

The contingent consideration becomes payable upon achieving certain revenue targets stipulated in the Share Purchase Agreement of Stega. The fair value of the liability was established by using the income approach, i.e. management’s estimate that Stega will achieve its revenue target for the period between 12 and 18 months from the date of acquisition based on the latest internal revenue forecasts (IFRS 13 Level 3 hierarchy approach), and was determined by calculating the present value of estimated future cash outflows using the discount rate adjustment technique (the discount rate of 15% has been applied).

22 FINANCIAL INSTRUMENTS CONTINUED

Reconciliation of Level 3 fair value measurements of financial liabilities:

| £ | Contingent consideration |
|---|---|
| B/f | – |
| Fair value on initial recognition | 170,283 |
| Interest | 10,369 |
| C/d | 180,652 |

Lease capital liabilities of the group and of the company amounted to £nil in 2021 (2020: £43,734 and £13,416 respectively).

23 FINANCIAL INSTRUMENTS – RISK

The Group could be exposed to risks that arise from its use of financial instruments. Risks in relation to financial assets include:

Market risk

Market risk covers foreign exchange risk, price risk and interest rate risk. As the majority of the Group’s transactions are either in Sterling or in Polish Zloty, the Group considers its exposure to foreign exchange risk to be minimal. There are no derivatives and hedging instruments. The Group is not exposed to price risk given that no securities are held under financial assets. The Group is not exposed to interest rate or cash flow risk due to the fact that the Group has no borrowing or complex financial instruments.

Credit risk

Credit risk is considered to be the risk of financial loss incurred by the Group in the event that a customer or counterparty to an asset fails to meet contractual obligations. The Group has adopted a policy of only dealing with credit worthy counterparties. The Group’s maximum credit exposure at the reporting date is represented by the carrying value of its financial assets. The Group’s financial instruments do not represent a concentration of credit risk since the Group deals with a variety of counterparties.

| £ | Group 2021 | Company 2021 | Group 2020 | Company 2020 |
|---|---|---|---|---|
| Cash and cash equivalents | 3,373,062 | 3,106,817 | 958,341 | 824,667 |
| Trade and other receivables | 904,735 | 733,521 | 383,920 | 191,932 |
| Loan to subsidiary | – | 918,206 | – | 653,316 |
| Financial investments | 456,834 | 456,834 | 31 | 31 |
| Total | 4,734,631 | 5,215,378 | 1,342,292 | 1,669,945 |

23 FINANCIAL INSTRUMENTS – RISK CONTINUED

Liquidity risk

Management monitor rolling forecasts of the Group’s liquidity reserves, cash and cash equivalents on the basis of expected cash flows and therefore monitors liquidity risk sufficiently.

| Financial Liabilities (£) | 2021 due <1 year | 2021 due 1–5 years | 2020 due <1 year | 2020 due 1–5 years |
|---|---|---|---|---|
| Trade payables | 331,043 | – | 204,243 | – |
| Accruals | 226,623 | – | 403,997 | – |
| Deferred consideration | 261,606 | 111,900 | – | – |
| Contingent consideration | – | 180,652 | – | – |
| Other Payables | 20,546 | – | 56,360 | – |
| Loans | 1,368,638 | 68,000 | – | 1,335,322 |
| Total | 2,208,456 | 360,552 | 664,600 | 1,335,322 |

24 CAPITAL MANAGEMENT

The Group considers its capital to comprise of its equity share capital, share premium, foreign exchange reserve, share options reserve and capital redemption reserve, less its accumulated losses. Quantitative detail is shown in the consolidated statement of changes in equity.

The Directors’ objective when managing capital is to safeguard the Group’s ability to continue as a going concern in order to provide returns for the shareholder and benefits for other stakeholders and to maintain an optimal capital structure to reduce the cost of capital.

The Executive Directors monitor a number of KPIs at both the Group and individual subsidiary level on a monthly basis. As part of the budgetary process, targets are set with respect to operating expenses in order to effectively manage the activities of the Group. Performance is reviewed on a regular basis and appropriate actions are taken as required.
These internal measures indicate the performance of the business against budget/forecast and confirm that the Group has adequate resources to meet its working capital requirements.

25 PENSIONS

Employer contributions to the Group defined contribution pension scheme for employees in the United Kingdom were £46,509 (2019: 33,208).

A defined contribution scheme is a pension plan under which the Group pays fixed contributions into a separate entity. The Group has no legal or constructive obligations to pay further contributions if the fund does not hold sufficient assets to pay all employees the benefits relating to employee service in the current and prior years. Contributions payable to the Group’s pension scheme are charged to the income statement in the year to which they relate. The Group has no further payment obligations once the contributions have been paid.

In Poland, the Group pays the statutory employer’s contribution into the public pension scheme for each employee, but does not operate any pension schemes.

26 RELATED PARTY TRANSACTIONS

Subsidiary Transactions

| 2021 | Services received from £ | Services supplied to £ | Balance trade payable to £ | Balance trade receivable from £ | Intercompany loan receivable from £ |
|---|---|---|---|---|---|
| Crossword Consulting Limited | 274,099 | – | 150,311 | 165,757 | 918,206 |
| Crossword Cybersecurity SP Z.o.o | 580,704 | – | 102,067 | – | – |
| Stega UK Limited | 7,000 | – | 4,200 | – | – |
| Verifiable Credentials Limited | – | – | – | 10,736 | – |

| 2020 | Services received from £ | Services supplied to £ | Balance trade payable to £ | Balance trade receivable from £ | Intercompany loan receivable from £ |
|---|---|---|---|---|---|
| Crossword Consulting Limited | 56,294 | 145,466 | 5,629 | 368,271 | 653,316 |
| Crossword Cybersecurity SP Z.o.o | 502,374 | – | 189,541 | – | – |
| Stega UK Limited | – | – | – | – | – |
| Verifiable Credentials Limited | – | – | – | – | – |

Tom Ilube, CEO, has made a loan of £250,000 to the Company on the same terms as the other Lenders as described in Note 27.
The Company has a related party relationship with its key management who are the Executives: Tom Ilube, Mary Dowd, Jake Holloway, Sean Arrowsmith and Stuart Jubb, whose total compensation amounted to £793,233 (2020: £697,924).

In March 2020, the subsidiary Crossword Consulting Limited issued 110,000 A shares to Stuart Jubb, Managing Director of the subsidiary and member of the executive team which equated to 10% of the subsidiary entity, for a subscription price of £15,400, which was estimated to equate to fair value.

27 CONVERTIBLE LOAN NOTES

In 2019, the company received funds for £1.4m of Convertible Loan Notes. The term of the loans is three years and the interest is 12% payable quarterly in arrears. Early repayment is at the Company’s sole option, subject to a minimum repayment amount of £10,000. Repayment is at the end of the term, in cash, save that each lender may opt to convert part or all of their loan into Ordinary Shares at £0.48 (value adjusted following share split in 2021). On repayment of the Loans in cash, each lender will be issued warrants valid for three months to subscribe for Ordinary Shares representing 10% of the value of the Loan at £4.80.

Included among the commitments is one from Tom Ilube, CEO, for an amount of £250,000. Tom Ilube made a loan to the Company on the same terms as the other Lenders as described above.

28 CONTROLLING PARTY

The Company does not have a controlling party.

29 SUBSEQUENT EVENTS

On the 14th March 2022, Crossword Cybersecurity Plc acquired the whole of the share capital of Threat Status Limited, the threat intelligence company and provider of Trillion, the cloud based software as a service (SaaS) platform for enterprise-level credential breach intelligence, for a total consideration of £1,529,000 (£500,000 paid on completion and the rest deferred between first and second anniversary of the transaction, all amounts are undiscounted).
The acquisition of Threat Status adds a new cyber security offering to the Group’s portfolio; cross-sell opportunities are currently being explored with the acquisition, alongside operating synergies. At the date of finalisation of these consolidated financial statements, the necessary market valuations and other calculations in relation to acquisition accounting had not been completed yet.

Notice of AGM

Notice is hereby given that the Annual General Meeting of Crossword Cybersecurity plc (the “Company”) will be held at the offices of Shakespeare Martineau LLP, 6th Floor, 60 Gracechurch Street, London EC3V 0HR on Monday 16 May 2022 at 10.00 am to consider, and if thought fit, to pass the following resolutions, of which 1 to 7 and 9 will be proposed as Ordinary Resolutions and resolution 8 will be proposed as a Special Resolution:

Please note that there will be a Shareholder Presentation held on Tuesday 17 May 2022 at 2.00pm. To register for the Shareholder Presentation please visit www.investormeetcompany.com. The title of the presentation is “2021 Final Results and Shareholder update”. If you require any assistance please do not hesitate to contact the Company Secretary at ben.harber@shma.co.uk.

ORDINARY BUSINESS

1. To receive and adopt the report of the directors and the financial statements for the year ended 31 December 2021 and the report of the auditors thereon.

2. To re-elect, as a director of the Company, Thomas Ilube who retires in accordance with Article 93.2 of the Company’s Articles of Association and offers himself for re-election.

3. To re-elect, as a director of the Company, Mary Dowd who retires in accordance with Article 93.2 of the Company’s Articles of Association and offers herself for re-election.

4. To re-elect, as a director of the Company, Tara Cemlyn-Jones who retires in accordance with Article 93.1 of the Company’s Articles of Association and offers herself for re-election.

5. To re-elect, as a director of the Company, Robert Coles who retires in accordance with Article 93.1 of the Company’s Articles of Association and offers himself for re-election.

6. To re-appoint MHA MacIntyre Hudson LLP as auditors of the Company and to authorise the directors to determine the auditor’s remuneration.

SPECIAL BUSINESS

7. THAT the Directors be and they are hereby generally and unconditionally authorised pursuant to Section 551 of the Companies Act 2006 (“the Act”), in substitution for all previous powers granted to them, to exercise all the powers of the Company to allot and make offers to allot relevant securities (within the meaning of the Act) up to an aggregate nominal amount of £124,927.00 such authority shall, unless previously revoked or varied by the Company in general meeting, expire on the conclusion of the Annual General Meeting of the Company to be held in 2023 provided that the Company may, at any time before such expiry, make an offer or enter into an agreement which would or might require relevant securities to be allotted after such expiry and the Directors may allot relevant securities pursuant to any such offer or agreement as if the authority conferred hereby had not expired.

8. THAT, subject to and conditional upon the passing of Resolution 7 the Directors be and they are hereby authorised pursuant to Section 570 of the Act to allot equity securities (as defined in Section 560 of the Act) for cash pursuant to the authority conferred by resolution 7 above as if Section 561(1) of the Act did not apply to any such allotment, provided that this power shall be limited to:

(a) the allotment of equity securities in connection with an issue in favour of shareholders where the equity securities respectively attributable to the interests of all such shareholders are proportionate (or as nearly as may be practicable) to the respective number of Ordinary Shares in the capital of the Company held by them on the record date for such allotment, but subject to such exclusions or other arrangements as the Directors may deem necessary or expedient in relation to fractional entitlements or legal or practical problems under the laws of, or the requirements of, any recognised regulatory body or any stock exchange, in any territory;

(b) the allotment of equity securities arising from the exercise of options or the conversion of any other convertible securities outstanding at the date of this resolution; and

(c) the allotment (otherwise than pursuant to sub-paragraph (a) and (b) above) of further equity securities up to an aggregate nominal amount of £124,927.00;

provided that this power shall, unless previously revoked or varied by special resolution of the Company in general meeting, expire at the conclusion of the Annual General Meeting of the Company to be held in 2023. The Company may, before such expiry, make offers or agreements which would or might require equity securities to be allotted after such expiry and the Directors are hereby empowered to allot equity securities in pursuance of such offers or agreements as if the power conferred hereby had not expired.

9. THAT the aggregate amount of fees paid to Directors, other than Executive directors, in any one financial year, as set out in article 104 of the Articles of Association of the Company, and increased to £125,000 by Ordinary Resolution on 9 May 2019, be further increased from £125,000 to £135,000.

BY ORDER OF THE BOARD
B HARBER
Company Secretary
13 April 2022
6th Floor, 60 Gracechurch Street, London EC3V 0HR

Notice of AGM CONTINUED

Notes

1. Members are entitled to appoint a proxy to exercise all or any of their rights to attend and to speak and vote on their behalf at the meeting. A proxy need not be a shareholder of the Company. A shareholder may appoint more than one proxy in relation to the Annual General Meeting provided that each proxy is appointed to exercise the rights attached to a different share or shares held by that shareholder. To appoint more than one proxy you may photocopy this form. Please indicate the proxy holder’s name and the number of shares in relation to which they are authorised to act as your proxy (which, in aggregate, should not exceed the number of shares held by you). Please also indicate if the proxy instruction is one of multiple instructions being given. All forms must be signed and should be returned together in the same envelope. To be valid, the form of proxy and the power of attorney or other authority (if any) under which it is signed or a certified copy of such power or authority must be lodged at the offices of the Company’s registrars, Share Registrars Limited, 3 Millennium Centre, Crosby Way, Farnham, Surrey GU9 7XX by hand, or sent by post, so as to be received not less than 48 hours before the time fixed for the holding of the meeting (excluding any part of a day which is not a working day) or any adjournment thereof (as the case may be).
Please note that Share Registrars Limited will accept scans of the proxy forms via email sent to the following address: voting@shareregistrars.uk.com with ‘Crossword Cybersecurity plc AGM vote’ in the subject line provided that such email is received not less than 48 hours before the time fixed for the holding of the meeting (excluding any part of a day which is not a working day) or any adjournment thereof (as the case may be).

2. Any member entitled to attend and vote at the meeting may appoint one or more proxies to attend and, on a poll, vote instead of him. A proxy need not also be a member.

3. The completion and return of a form of proxy will not preclude a member from attending in person at the meeting and voting should he wish to do so.

4. CREST members may appoint a proxy through CREST by using the procedures described in the CREST Manual (available via www.euroclear.com/CREST). CREST personal members or other CREST sponsored members and those CREST members who have appointed a voting service provider should refer to their CREST sponsor or voting service provider, who will be able to take the appropriate action on their behalf. In order for a proxy appointment or instruction made using the CREST service to be valid, the appropriate CREST message (“a CREST proxy instruction”) must be properly authenticated in accordance with Euroclear UK & Ireland Limited’s specifications and must contain the information required for such instructions, as described in the CREST Manual. All messages relating to the appointment of a proxy or an instruction to a previously appointed proxy must be transmitted so that they are received by Share Registrars Limited (ID 7RA36) by 3.00 pm (UK time) on 12 May 2022 (or, if the meeting is adjourned, the time that is 48 hours (excluding non-working days) before the time fixed for the adjourned meeting).
For this purpose, the time of receipt will be taken to be the time (as determined by the time stamp applied to the message by the CREST Applications Host) from which the issuer’s agent is able to retrieve the message by enquiry to CREST in the manner prescribed by CREST. Any change of instructions to proxies appointed through CREST should be communicated to the appointee through other means. CREST members and, where applicable, their CREST sponsors or voting service providers should note that Euroclear UK & Ireland Limited does not make available special procedures in CREST for any particular message. Normal system timings and limitations will, therefore, apply in relation to the input of CREST proxy instructions. It is therefore the responsibility of the CREST member concerned to take (or procure the taking of) such action as shall be necessary to ensure that a message is transmitted by means of the CREST system by any particular time. In this connection, CREST members and, where applicable, their CREST sponsors or voting service providers are referred, in particular, to those sections of the CREST Manual concerning practical limitations of the CREST system and timings. The Company may treat a CREST Proxy Instruction as invalid in the circumstances set out in Regulation 35(5)(a) of the Uncertificated Securities Regulations 2001.

5. The Company has specified that only those members entered on the register of members at 10.00 am on 12 May 2022 shall be entitled to vote at the meeting in respect of the number of ordinary shares of £0.005 each in the capital of the Company held in their name at that time. Changes to the register after 10.00 am on 12 May 2022 shall be disregarded in determining the rights of any person to attend and vote at the meeting.

6. Resolutions 2 and 5 – Article 93.2 of the Company’s Articles of Association require that a director of the Company who held office at the time of the two preceding annual general meetings and who did not retire at either of them must offer themselves for re-election at the next Annual General Meeting. This year Thomas Ilube and Mary Dowd are offering themselves for re-election. In addition both Tara Cemlyn-Jones and Robert Coles were appointed to the board since the previous AGM and therefore are required to stand for re-election under Article 93.1 of the Company’s Articles of Association.

7. Resolution 7 – As required by the Act, this resolution, to be proposed as an Ordinary Resolution, relates to the grant to the Directors of authority to allot unissued Ordinary Shares until the conclusion of the Annual General Meeting to be held in 2023, unless the authority is renewed or revoked prior to such time. If approved, this authority is limited to a maximum of 24,985,400 Ordinary Shares. This represents one-third of the issued share capital of the Company.

8. Resolution 8 – The Act requires that if the Directors decide to allot unissued Ordinary Shares in the Company the shares proposed to be issued be first offered to existing shareholders in proportion to their existing holdings. This is known as shareholders’ pre-emption rights. However, to act in the best interests of the Company the Directors may require flexibility to allot shares for cash without regard to the provisions of Section 561(1) of the Act. Therefore this resolution, to be proposed as a Special Resolution, seeks authority to enable the Directors to allot equity securities up to a maximum of 24,985,400 Ordinary Shares. This authority expires at the conclusion of the Annual General Meeting to be held in 2023 and represents one third of the issued share capital.

9. Resolution 9 – The purpose of this resolution is to increase the existing cap set out in the Company’s articles of association to ensure the Company has sufficient headroom to pay fees to non-executive directors. The existing cap was last increased on 9 May 2019 by Ordinary Resolution to £125,000. Resolution 9 proposes to increase the cap by a further £10,000 to £135,000.

Company Information

DIRECTORS
Sir Richard Dearlove (Chairman)
T Ilube (CEO)
Dr D Secher
A Gueritz
R Anderson
M Dowd
Dr R Coles
T Cemlyn Jones

REGISTERED NUMBER
08927013

REGISTERED OFFICE
60 Gracechurch Street, London EC3V 0HR

INDEPENDENT AUDITOR
MHA MacIntyre Hudson, Chartered Accountants & Statutory Auditors, 6th Floor, 2 London Wall Place, London EC2Y 5AU

NOMAD
Grant Thornton LLP, 30 Finsbury Square, London EC2P 2YU

CORPORATE BROKER
Hybridan LLP, 1 Poultry, London EC2R 8EJ

Crossword Cybersecurity plc, 60 Gracechurch Street, London EC3V 0HR
e: info@crosswordcybersecurity.com
twitter: @crosswordcyber
t: +44 (0) 203 953 8466