Century Communities
Annual Report 2022

Download report (PDF) Advanced Search
Loading PDF...

More annual reports from Century Communities:

2023 Report
2022 Report
2021 Report
2020 Report
2019 Report

Share your feedback:

Plain-text annual report

REDUCING CYBER RISK GLOBALLY Annual Report and Accounts 2022 for the year ended 31 December 2022 Contents Strategic Report Financial Highlights About Crossword Cybersecurity Chair’s Statement Chief Executive Officer’s Statement Performance Review Operational Review Section 172(1) Statement Corporate Social Responsibility Principal Risks & Uncertainties Governance Report The Board Corporate Governance Report Directors’ Report & Statement of Directors’ Responsibilities Financial Statements Independent Auditor’s Report Consolidated Statement of Comprehensive Income Statement of Financial Position Statement of Changes in Equity Statement of Cash Flows Notes to the Financial Information Notice of AGM Company Information 04 06 07 08 10 12 24 26 28 32 38 50 56 66 67 68 69 70 96 99 About Crossword Cybersecurity plc Crossword offers a range of cyber security solutions to help companies understand and reduce cyber security risk. We do this through a combination of people and technology, in the form of SaaS and software products, consulting, and managed services. Crossword’s areas of emphasis are cyber security strategy and risk, supply chain cyber, threat detection and response, and digital identity. We partner with organisations to keep them secure in the digital world, reducing cyber risks by providing a portfolio of innovative products and services, powered by university and other research driven insights. In the area of cybersecurity strategy and risk our consulting services include cyber maturity assessments, industry certifications, and virtual chief information security officer (vCISO) managed services. Crossword’s end-to-end supply chain cyber standard operating model (SCC SOM) is supported by our industry leading SaaS platform, Rizikon Assurance, along with cost- effective cyber audits, security testing services and complete managed services for supply chain cyber risk management. Threat detection and response services include our Nightingale AI-based network monitoring, our Trillion™ and Arc breached credentials tracking platforms, and incident response. Crossword’s work in digital identity is based on the World Wide Web Consortium W3C verifiable credentials standard and our current solution, Identiproof, enables secure digital verification of individuals to prevent fraud. Crossword serves medium and large clients including FTSE 100, FTSE 250 and S&P listed companies in various sectors, such as defence, insurance, investment and retail banks, private equity, education, technology and manufacturing and has offices in the UK, Poland, Oman and Singapore. Crossword is traded on the AIM market of the London Stock Exchange. Visit Crossword at www.crosswordcybersecurity.com R E P O R T S T R A T E G C I R E P O R T G O V E R N A N C E S T A T E M E N T S F I N A N C A L I Building a portfolio of cyber security products and services with recurring revenue models www.crosswordcybersecurity.com 3 3 3 Highlights Financial Highlights Operational Highlights 68% revenue growth to £3.65m £ 55% organic revenue growth 81% growth in ARR in 2022 • Rizikon grew to over 1,000 users by end 2022 • Leonardo UK selected Rizikon to assist with assessment of supply chain cyber risks, underlining Rizikon’s capacity to deliver at scale • Acquisition of Threat Status Limited, adding two new products: Trillion™ (credential breach SaaS platform) and Arc (account protection for e-commerce platforms and organisations) 54% recurring revenue in 2022 • Size of sales deals being secured by Trillion increased significantly compared to before its acquisition by Crossword in March 2022 Average revenue per client up 40% year on year Consulting gross profit margin improved as proportion of larger clients increased Oversubscribed £3.6m equity fund raise in September 2022 Total loss for the year £3.4m £2.1m cash and cash equivalents at year end • Consulting increased its cross selling drive, selling services into numerous Rizikon clients and successfully introducing Nightingale to numerous Consulting clients • Integration of Arc into Sticky Password, one of the industry’s most well-established secure password vaults • Opened an office in Singapore to support the 24/7 monitoring services provided by Nightingale. • Launch of specialist Supply Chain Cyber Risk practice, with Rizikon wrapped in a full-service consulting offer 4 CROSSWORD CYBERSECURITY PLC Annual Report and Accounts 2022 R E P O R T S T R A T E G C I • Oman Data Park (ODP) signed a strategic cooperation agreement to provide cyber security risk services to over 800 government, corporate and SME organisations and enhance the protection of the cyber security structure of sensitive information in Oman • Crossword’s employees grew to 63 during 2022, up from 51 in 2021, representing a 24% increase Post Period Highlights • Launch of Ransomware Readiness Assessment service in March 2023, helping organisations reduce their exposure to ransomware attacks Outlook • Targeting revenue growth of circa 50% in 2023 • Having invested significantly for rapid growth in 2022, focus in 2023 is on a clear path to profitability • Increased emphasis on targeting larger clients that can make full use of Crossword’s range of products and services www.crosswordcybersecurity.com 5 Crossword Cybersecurity keeps organisations secure in the digital world through a combination of software products and expert-led cybersecurity consulting and services Since admission to AIM in 2018, Crossword has grown revenues almost three-fold from £1.3 million (excluding discontinued operations) in 2019 to £3.65 million in 2022, through a combination of organic growth and acquisitions. Crossword’s services Crossword’s services have gained a strong reputation in the market thanks to a deep expertise in cyber security and a hands-on approach. Crossword’s full-service consulting team provides strategy, assessment and risk management services. The constantly evolving nature and increasing number of cyberattacks means that demand for our consulting services keeps growing strongly. Our May 2022 report “Strategy and collaboration: a better way forward for effective cybersecurity” showed that over 40% of respondents believed their existing cyber strategy will be outdated in two years, and a further 37% in three years. This dynamic creates growing demand for the expert consulting that Crossword provides. Crossword’s products Crossword’s products are driven by research from some of the UK’s leading universities and other research-driven insights. Crossword has developed strong and extensive research and development relationships with many UK university academic centres of excellence in cyber security. Crossword offers a portfolio of cyber security software products, having successfully integrated three acquisitions since its admission to AIM. Crossword’s products serve some of the fastest growing sectors in cyber security, including supply chain risks, threat intelligence and credentials breaches. Cyber security industry drivers Several inter-connected factors are driving the growth in cyber security software and services. • • • Increasing use of cyber-attacks by nation states against each other as a result of a significant intensification in geopolitical confrontation; Increased interconnectivity of networks and trust domains; Increased proliferation and commercial availability of cyber capabilities; • • • Increasing number of devices, including from operational technology and internet of things, and interactions drives growth in attack opportunities; Increase in remote working (accelerated by the pandemic) and resultant movement of data to the cloud; Increased dependency on third party suppliers of managed services; • Commoditisation of higher-end cyber capabilities, lowering the barrier to entry for cyberthreat actors; With 39% of UK businesses experiencing a cyber-attack in 2022, according to the UK’s National Cyber Security Centre (NCSC), the constantly increasing number and growing sophistication of cyberattacks means that spending on cyber security defence is a key priority for business and governments. As a result, Gartner predicts end-user spending for the information security and risk management market will grow from $172.5 billion in 2022 to $267.3 billion in 2026, attaining a compound annual growth rate (CAGR) of 11%, with 84% of C-level executives agreeing that cyber resilience is a business priority for their organisations in 2022, according to the WEF Global Cybersecurity Outlook Report 2022. The UK is home to the largest, most concentrated and accessible cyber security market in Europe, worth over £10bn, growing 14% in 2021 and representing twice the growth on the previous year. The UK’s reputation as a centre of cyber security excellence means it is the third largest exporter of cyber security services globally, worth £4.2bn in 2020, as reported in the UK Cyber Security Sector Analysis commissioned by the UK Government’s Department for Digital, Culture, Media & Sport. As one of the UK’s leading cyber security commercialisation specialists, Crossword is well positioned to benefit from sector growth, both in the UK and internationally. The above cyber security industry drivers, combined with a strong set of products and services, mean that Crossword is well positioned to keep growing strongly. 6 CROSSWORD CYBERSECURITY PLC Annual Report and Accounts 2022 Chair’s statement Sir Richard Dearlove KCMG OBE Chair, Crossword Cybersecurity R E P O R T S T R A T E G C I Growth accelerates rapidly in 2022 Crossword continued to build a strong and stable business, backed by our strategy of building a significant intellectual property-based, AIM quoted cyber security business. Crossword recorded impressive revenue growth of 68% in 2022. The Company completed its third acquisition and continued to reap the benefits of successfully integrating previous acquisitions, with annual recurring revenue growing by 81%. Rizikon ended 2022 with over 1,000 organisations using the platform and our blue chip cyber security consulting team is growing its client base with major FTSE and Fortune clients. Our focus now is to drive to profitability, underpinned by targeting healthy revenue growth of over 50% in 2023. Further progress with our acquisition strategy Crossword continued to build on its acquisition strategy in 2022 with the successful acquisition of Threat Status Ltd., a threat intelligence company. This added two additional products to the Crossword portfolio, Trillion™ and Arc. Arc is a similar product to Nixer, so post-acquisition, management took the decision to merge the two products, under the Arc product brand. Later in the year, in line with its stated acquisition strategy, Crossword tested a further acquisition opportunity and decided it would not be in the interests of the company to proceed at that time. This exploratory approach signals the scale of Crossword’s ambition to build a scaled up, profitable cyber security company. A strong balance sheet and robust governance To ensure that we had the funds to progress with our rapid growth, Crossword issued additional £550k of Convertible Loan Notes in July 2022 and carried out a £3.6m oversubscribed equity fund raise in September 2022. We are very pleased that our shareholders continue to see the growth opportunities for Crossword and we would like to thank them for their commitment. To ensure that we maintain a robust framework of controls and high standards, the Board continues to adhere to the Quoted Companies Alliance (“QCA”) Corporate Governance Code (the “QCA Code”) in line with the London Stock Exchange’s requirement for all AIM quoted companies to adopt a recognised corporate governance code. The Corporate Governance Statement on page 38 of this report provides further details. Continued healthy growth with a clear path to profitability Having invested significantly in 2022 to achieve impressive growth of nearly 68% over the past year, Crossword has now shifted its focus to defining a clear path to profitability. This is backed by strong current momentum, which aims to grow revenue in the region of 50% in 2023. I am very proud of what our expert team has achieved over the past year and I would like to acknowledge them all. Crossword has a very strong culture and its core values of responsibility, openness, flexibility and learning underpin everything we do and are a source of particular strength that we will leverage to grow into a strong, stable and profitable business. Sir Richard Dearlove KCMG OBE Chair, Crossword Cybersecurity 18 April 2023 www.crosswordcybersecurity.com 7 Chief Executive Officer’s review Tom Ilube Chief Executive Officer Crossword Cybersecurity It is my pleasure, as Chief Executive Officer, to present the Annual Report and audited accounts for Crossword Cybersecurity Plc (‘Crossword’ or the ‘Company’ or the ‘Group’) for the financial year ended 31 December 2022. Crossword grew revenue by a very impressive 68% to reach £3.65m in 2022, its highest growth rate since admission to AIM in 2018. This proves that Crossword’s services and products have achieved real traction with a wide range of clients. With this momentum, we expect to see our growth rate continue strongly into 2023, whilst we drive towards profitability, which is our main priority now. We were particularly pleased to see annual recurring revenue increase by 81% over the prior year and reach £2.4m. Whilst acquisitions naturally contributed to this strong growth in revenues, Crossword also recorded 55% growth in organic revenues. The constantly increasing number and the growing sophistication of cyberattacks means that spending on cyber security defence is a key priority for business and governments. In 2021, the average number of cyberattacks and data breaches increased by 15.1 per cent. from the previous year. Over the next two years, security executives from over 1,200 companies polled by ThoughtLab in its 2022 cybersecurity benchmarking study see a rise in attacks from social engineering and ransomware as nation-states and cybercriminals grow more sophisticated. As a result, “Cybersecurity failure” was ranked as a top-five risk over the next two years in East Asia and the Pacific as well as in Europe in the World Economic Forum’s 2022 Global Risks Report, while four countries, namely Australia, Great Britain, Ireland and New Zealand ranked it as the number one risk. Many small, highly digitalized economies such as Denmark, Israel, Japan, Taiwan (China), Singapore and the United Arab Emirates also ranked the risk as a top-five concern. With the ever increasing cybersecurity market, in 2022 we made it our mission to achieve critical mass by investing for growth. The executive team wanted to accelerate Crossword’s growth aiming to achieve real momentum that would carry us into 2023 and beyond. We also made the decision to continue with our acquisition strategy and we succeeded in closing another excellent transaction by securing Threat Status Limited. Threat Status brought two excellent products into Crossword’s portfolio, Trillion™ and Arc. Both products deliver recurring revenue to the business and brought a range of new clients to Crossword. Trillion™ is a data breach platform that contains billions of carefully curated and continuously updated credentials that organisations can search to check the status of their usernames and passwords. Arc makes this same vast pool of information available in a different form to product websites to protect against credential attacks. Due to Arc’s overlap with our existing product, Nixer, we made the decision to merge the two products, under the product brand name of Arc. Rizikon, Crossword’s lead product, ended 2022 with more than 1,000 organisations using the freemium version, trialling or contracted to use the product. In June we launched a new service, Supply Chain Cyber, with Rizikon at its heart wrapped in a full-service consulting offer. We are developing new leading edge modules for Rizikon and are in conversation with several potential large scale supply chain cyber clients. Increasing regulatory pressure on companies to monitor and take control of supply chain cybersecurity risks is also aiding the growth of Rizikon’s sales pipeline. 8 CROSSWORD CYBERSECURITY PLC Annual Report and Accounts 2022 R E P O R T S T R A T E G C I Crossword is now a 70-strong, well respected, British cyber security business, with a growing reputation in the UK and beyond. We take our wider social responsibilities seriously and have supported our Polish colleagues in their efforts to help Ukrainians exiled in Poland, by matching staff donations each month for a period of 6 months up to PLN 2,500 each month. As I close, I particularly wish to thank everyone who has helped Crossword achieve this record revenue growth which, at 68% is our fastest annual growth rate since Crossword joined AIM. Having invested significantly for rapid growth in 2022, we have now shifted our focus in 2023 towards a clear path to profitability. The momentum from last year places us in a strong position to achieve at least 50% revenue growth in 2023 and our focus on margin improvement will ensure that there is a clear, carefully managed route to achieving profitability in the medium term. Crossword’s exceptional team and its culture of responsibility, openness, flexibility and learning, gives me and the whole Executive team the confidence that we will achieve our goals for our staff, our clients and our investors. Tom Ilube, Chief Executive Officer Crossword Cybersecurity 18 April 2023 Crossword’s profitable and fast growing consulting business is now a trusted supplier to a number of large and medium sized companies, as well as continuing to work with smaller, entrepreneurial companies. Our vCISO (virtual Chief Information Security Officer) service, continues to be popular with all sizes of client and delivers a growing stream of recurring revenue. Along with our Nightingale network monitoring platform, which we acquired the previous year with the Stega acquisition, the Services business saw very positive overall growth of 80%, of which 51% is recurring. On the international front, Crossword invested time and effort to firmly establish itself in Oman and is using that as a base to explore opportunities in the wider Gulf region. This effort has put us in prime position for a major Government contract in the region that, if we are successful, will generate significant revenue as well as make Crossword a strategic cyber security supplier across Government. We also signed a distribution agreement with Oman’s major cloud services provider who will offer our Trillion™ product and other Crossword services to their 600 client organisations. Outside of Oman, we won business in the insurance sector in Bermuda as well as established a small team in Singapore to enable us to offer our Nightingale network monitoring service on a 24 hour basis to major clients. During 2022, Crossword took steps to ensure that it had the funding it needed to continue executing on its strategy. Crossword extended its Convertible Loan Note programme by adding a further £550k of loan notes in July and completed a £3.6m equity fundraise in September through an oversubscribed subscription of Crossword Ordinary Shares. I was very pleased to welcome several major new shareholders and delighted that our existing shareholders continue to back our vision and support our commitment to the journey. www.crosswordcybersecurity.com 9 Performance review Financial review Financial review Strong growth in revenue and ARR Crossword recorded revenue of £3.65m in 2022. This represented a large increase of £1.5m vs. the prior year, equating to 68% growth. All revenue streams recorded strong growth, other than software development with related parties, which ceased during 2021. The Company achieved an excellent 81% growth in ARR, with 54% recurring revenue at year end. ARR growth rates continued, with Rizikon ARR growing by 43% during the year, Nightingale ARR growing by 29%, and vCISO ARR growing by 68%. vCISO, ‘virtual chief information security officer’ is a bespoke service offered by Crossword’s experienced consulting team which supports clients of all sizes in improving their cybersecurity posture. In 2022 for the first time, Crossword completed delivery of a project focused on cyber security engineering services to a strategic partner. It is expected that additional engineering services will be provided in 2023. Investing for growth Total comprehensive loss for the year was £3.4m. Total cost of sales and administrative expenses increased by £2.6m in 2022 compared to 2021. The increase reflects the acquisition of Threat Status Limited in March 2022, and the inclusion of Stega UK Limited, acquired in August 2021, and Verifiable Credentials Limited, acquired in April 2021, for a full year in the 2022 accounts. Legal and professional fees increased by c£250k, which included £346k for a potentially transformational transaction which did not progress because the vendor made other choices for their business. This reflects Crossword’s ongoing drive for acquisitions during 2022. A primary driver for the increase in costs was a 30% increase in the number of staff compared to the closing FTE (full time employee) count at the end of 2021. In 2022, Crossword invested significantly in sales and marketing and product development, which are the areas which saw the largest FTE growth. A significant improvement in Consulting gross margin was achieved while an improved and larger deployment of services was delivered by a higher number of staff. We are pleased to see that Crossword’s increased investment in sales and marketing and products development is reaping results, with average product and consulting revenue per client increasing to £28.7k per client, up from £20.5k in 2021. Focus on profitability Staff numbers have stabilised in 2023, with a strong foundation in place to drive the revenue growth and path to profitability on which the Company is currently focused. Profitability will be underpinned by improving margins, as Consulting revenue scales to achieve critical mass and as product revenues increase. Crossword’s diversified product and services offering will drive scale while containing risk. Acquisitions Loss before taxation using the 2021 presentation was £3.8m (2021: £2.4 million). In March 2022, Crossword acquired the entire share capital of Threat Status Limited, the threat intelligence company and provider of Trillion™, the cloud based software as a service (SaaS) platform for enterprise- level credential breach intelligence. Threat Status’s more recently released product, Arc, protects the users of customer-facing applications from the threat of account takeovers. Equity fundraise In September 2022 Crossword completed a £3.6m equity fundraise through a placing and subscription of Crossword ordinary shares at a price of 21.7 pence per share. Cashflows Net cash outflows of the Group in 2022 were £1.3m. Excluding proceeds from issue and repayments of loan notes, the equity fuindraise and cash paid for acquisitions, net cash outflows of the Group were £4.4m (2021: £3.3m). Taxation The Group continues to claim research and development tax credits, with £747k accounted for in 2022 (2021: £206k). R&D Tax Credits in FY2022 accounts have been reported in Tax, due to the majority of the claim being under the SME scheme. Historically, R&D Tax Credits have been reported as Other Operating Income. There has also been a prior year adjustment to R&D Tax Credits in FY2021. Financial Position Loss before taxation using the 2021 presentation was £3.8m (2021: £2.4 million). Crossword Cybersecurity plc finished the year with a cash balance of £2.1m. 10 CROSSWORD CYBERSECURITY PLC Annual Report and Accounts 2022 Crossword recorded an excellent 81% growth in ARR, with 54% recurring revenue in 2022 R E P O R T S T R A T E G C I Average product and consulting revenue per client Number of clients £30,000 £25,000 £20,000 £10,000 £10,000 £5,000 0 140 120 100 80 60 40 20 0 2018 2019 2020 2021 2022 2018 2019 2020 2021 2022 www.crosswordcybersecurity.com 11 Operational review Services In 2022, Crossword saw increased strong demand across all offerings in its Services division. Crossword continued successfully progressing in its strategy of increasing the proportion of midmarket and larger clients in its client mix, which are in an ideal position to make more widespread use of Crossword’s full range of growing services and products. This is leading to increased annual recurring revenues from such clients. Services recorded very positive overall growth of 80%, of which 51% is recurring The value of the acquisitions made by Crossword in recent years shone through powerfully in 2022. Additionally vCISO (Virtual Chief Information Security Officer) ARR grew by 68% and Nightingale monitoring services ARR grew by 29%. In 2022, Services won its first FTSE 100 client project and carried out international work in new territories including Bermuda and the Caribbean. Consulting Crossword’s consulting services delivered outstanding results in 2022, achieving 63% year on year growth. Consulting increased its cross-selling drive, selling services into numerous Rizikon clients and successfully introducing Nightingale to numerous Consulting clients. This is increasing the level of recurring revenues that the Consulting division generates, as well as strengthening client relationships as we meet their evolving needs and grow with them. To address the increased demand for consulting and product in supply chain cyber risk, in 2022 we launched the Supply Chain Cyber practice, which offers consulting services wrapped around a new set of strategic Rizikon modules with a recurring revenue proposition. The proposition targets the needs of large organisations regarding their third party supplier cyber risk and continued to be well received by larger clients, thereby adding to incremental revenue per client. The Consulting division grew to a total of 18 specialists by year end. With higher staffing levels, we continued to improve our consulting methodologies and develop a more scalable model to provide our services. This is leading to work with larger clients with multi-faceted and more complex needs. Crossword’s team of expert consultants provides bespoke cyber security consulting advice tailored to clients’ business needs. The team leverages years of experience in national security, defence and commercial cyber intelligence and operations. Crossword’s full-service cyber security consulting team provides strategy, assessment and risk management services. Crossword’s consulting services play a strategic role in its growth and are an integral part of its offering. By consulting 12 CROSSWORD CYBERSECURITY PLC Annual Report and Accounts 2022 R E P O R T S T R A T E G C I on clients’ needs and challenges, Crossword gains valuable market insights that help inform its product development. In turn, the products business provides consulting opportunities, such as the many third party and other, risk consulting opportunities that have arisen out of Rizikon Assurance product sales. Crossword’s consultants work with over 100 clients across multiple sectors, including insurance, professional services, financial services, nuclear energy and technology. Consulting clients include one of the world’s largest, global S&P500 insurance brokers, several FTSE 250 companies and a FTSE 100 company. vCISO (Virtual Chief Information Security Officer) vCISO ARR grew by 68% vCISO recorded very strong growth of 68% in ARR thanks to its integrated and tailor-made service designed to meet clients’ evolving cyber security needs. Through the vCISO service, clients can avail themselves of the breadth and depth of cyber security services offered by Crossword. vCISO provides a fixed and predictable operational cost for clients, in contrast to the high costs and recruitment challenges that building an in-house cyber security capability entails. Nightingale ARR grew by 29% Nightingale The integration of Nightingale continued to deliver on expectations and saw significant successes in the period, with ARR growing by 29%. These included new investment management clients, deployment to a major insurance company in a dual running assessment and carrying out a cyber incident response at a top ten law firm. To service the needs of global clients, Nightingale’s capabilities were increased and we opened an office in Singapore to support its 24/7 global monitoring services. In March 2023, Crossword launched its Ransomware Readiness Assessment Service. Conducted by the Nightingale team, an organisation’s current exposure, control systems and ability to respond to a ransomware incident is analysed in detail by using an industry-specific approach and cyber incident response forensics. The service helps organisations reduce their exposure to ransomware attacks, provides detailed assessments on areas requiring protection and recommends how they should respond to attacks. Nightingale, Crossword’s world class platform, is a comprehensive security monitoring service. It mitigates the cyber threats and vulnerabilities an organisation faces by bringing together multiple facets to identify and monitor organisational assets, users, traffic, networks and endpoints. www.crosswordcybersecurity.com 13 Crossword Services timeline 2016 First consulting services revenues FTSE 250 2021 Two FTSE 250 clients acquired 2020 £1m+ in annual consulting revenues reached August 2021 Completion of acquisition of Stega UK Limited (threat intelligence and monitoring company) and its in-house monitoring platform, Nightingale 2022 First engagement with a FTSE 100 company, delivering high end cyber consulting services May 2022 “Strategy and collaboration: a better way forward for effective cybersecurity” Crossword launches research report based on interviews with over 200 CISOs (Chief Information Security Officer) and senior UK cyber security professionals June 2022 Launch of specialist Supply Chain Cyber Consultancy practice 14 CROSSWORD CYBERSECURITY PLC Annual Report and Accounts 2022 Crossword Cybersecurity products Crossword’s product portfolio addresses some of the most pressing needs in the cyber security sector, including supply chain security, credential attacks, account breaches and account protection. Crossword’s product portfolio currently numbers four products and is the result of both internal development and acquisitions. For products developed internally, Crossword’s specialist product development and software engineering teams develop the initial concept into a fully-fledged commercial product that Crossword then takes to market. Crossword has an established tradition in commercialising cyber security research from leading UK universities. Rizikon, Crossword’s flagship product focused on supply chain risk management, was based on research by the Centre for Cyber Security Sciences at City University, London, whilst Nixer CyberML was developed in collaboration with Imperial College, University of London. Nixer CyberML applies machine-learning to user behaviour analysis to detect and prevent credential stuffing and other account takeover attacks. The acquisitions undertaken to date are Trillion™ and Arc (acquisition of Threat Status Ltd completed in March 2022) and Identiproof (acquisition of Verifiable Credentials Limited completed in May 2021). Capitalising on other Crossword assets, e.g. the launch of the Supply Chain Cyber practice in May 2022, which leverages the Rizikon Platform. R E P O R T S T R A T E G C I Rizikon Identiproof Supply chain risk management Wallet verification technology Rizikon Assurance helps organisations of all sizes to assess and manage their supply chain risk at scale, in a cost-effective way. Rizikon is Crossword’s leading product and is provided as a SaaS platform. Identiproof is a credentials verification wallet technology that is compatible with the World Wide Web Consortium (W3C) standards. Trillion™ Arc Breached Account Mining platform Account protection for eCommerce platform owners Trillion™ continuously tracks, correlates and analyses billions of stolen usernames and passwords, searching for digital identities that could belong to client customers or users. www.crosswordcybersecurity.com Arc queries for access attempts in real time, using username and password pairs already known to criminals. This enables clients to instantly step in and avoid losses. Trillion™ and Arc are the latest additions to Crossword’s product suite, offering some of the strongest and most advanced credential leak monitoring services in the market 15 Products Crossword’s product portfolio addresses some of the most pressing needs in the cyber security sector, including supply chain security, credential attacks, account breaches and account protection. Rizikon and Trillion™ are well established products with distinct USPs. This led to strong growth in their revenues in 2022, with Rizikon ARR growing 43% Crossword currently offers four products, with three products being revenue generating and one in development. Rizikon and Trillion™ are well established products with distinct USPs, which led to strong growth in their revenues in 2022. Rizikon Rizikon is a supplier assurance and third party risk management platform and is Crossword’s flagship product. In 2022, Rizikon continued its strong sales growth with ARR growing 43% during the period. Rizikon enjoys a strong position in the market as a leading product for supply chain risk management, with organisations using it growing to over 1,000 by the end of 2022. As Crossword’s first product to be developed in 2015, Rizikon benefits highly from its accumulated expertise in supply chain cyber risk assessment. There is a clear need in the market for specialist providers focused on supply chain cyber risk management. In 2022, the UK arm of international defence and security company Leonardo selected Rizikon to assist in its assessment of cyber risk in its supply chain. This very significant client win underlined Rizikon’s capacity to deliver at scale and serve the largest of companies. In 2022 we increased our focus on growing Rizikon Assurance, which is aimed at mid-market and larger companies with a higher number of users per client. Rizikon Assurance is a highly versatile product that can be tailored to meet the different risk appetites of clients with different levels of risk modelling. Key to successful implementation is understanding a client’s supplier ecosystem. This is carried out in an initial consulting exercise for Rizikon Assurance clients. To ensure Rizikon remains strongly positioned we made substantial progress in re-engineering Rizikon, by moving its coding from Java to ReactJS + Java. This will speed up future development and enable Rizikon to keep quickly addressing emerging supply chain cyber security needs. Other notable product developments for Rizikon included the completion of analysis & designs for new higher value modules, and a number of improved features for Rizikon. In the second half of 2022, work continued on readying new modules for launch in 2023. The supply chain cyber risk sector Preventing cyber risk attacks in supply chains is a fast growing market. For organisations of any size, the greatest threats to cybersecurity are suppliers, third parties and connected technologies given they are so hard to control. Recent research independently conducted for Crossword of over 200 Chief Information Security Officers (CISOs) found that 83 per cent. of CISOs viewed “ensuring that the entire supply chain is water-tight in its ability to defend and recover against threat actors” as a challenge. The European Union Agency for Cybersecurity (ENISA) reported in 2021 that it expected supply chain attacks to quadruple over the following 12 months. Simultaneously, supply chains are going through a period of digital transformation, with automation increasing efficiencies, whilst at the same time introducing possible vulnerabilities to businesses. As a result, industries including but not limited to banking, retail and manufacturing are under mounting financial, reputational and regulatory pressure to monitor and take control of supply chain cybersecurity risks. These include the Supervisory Statement SS2/21 by the Bank of England’s Prudential Regulation Authority (PRA), in effect since 31st March 2022 and the EU’s NIS2 Directive and Digital Operational Resilience Act, in effect since 16th January 2023, amongst others. 16 CROSSWORD CYBERSECURITY PLC Annual Report and Accounts 2022 Nixer CyberML was a product in development by Crossword and sharing similar features to Arc. Operating in the same sector as Arc, it uses machine learning to match application credentials against a list of 555M+ leaked username/ password combinations, making recommendations if matches are made. As with Arc, it does so with zero friction to user experience. Given that ARC and Nixer Cyber ML operate in similar focus areas, in 2022 Crossword took the decision to merge the best features from both products in order to provide a best in class proposition to clients, retaining the name Arc for this product. In December 2022, Arc gained its first commercial contract when Sticky Password, one of the industry’s most well- established secure password vaults, announced a partnership with Arc. R E P O R T S T R A T E G C I Identiproof The advantages of being able to easily access and share qualifications through digital wallets is driving strong demand worldwide for verifiable credentials software. During the period we made good progress on both product development and go-to-market plans for Identiproof, which is our credentials verification wallet technology. A new demo portal was made available enabling demos of Identiproof to potential customers. It covers both flows in which the verifier requests credentials to the mobile wallet, and in which users want to share their credentials as badges. Experimental R&D proof of concept work continued with grant funded development in the areas of interoperability and trustability. Progress was made on the second major version of the Identiproof suite of products. The new versions will have a new architecture and use later versions of the development stack for better scalability, reliability and resilience. Trillion™ Trillion™ saw strong revenue growth in 2022, with the size of sales deals being secured becoming noticeably larger compared to before being acquired by Crossword. Since its launch in 2017, Trillion™ benefits from being a more mature and established product with each year that passes. Together with continuous product development, this enables Trillion™ to maintain a premium product offering excellent value for money. Trillion’s revenue growth in 2022 was supported by an increase in dedicated and specialist sales people, an increase in cross-selling, supporting a number of Consulting activities, and inclusion in the sales partnerships launched by Crossword during the period. In parallel, we continued with our sales strategy of seeking to include Trillion™ into third- party MSPs (managed service providers). On the development side, we improved product functionality to support much larger multi-organisational clients as well as multi-tiered SAAS providers. This dramatically increased the revenue universe which Trillion™ can target. Trillion™ continuously tracks, correlates and analyses billions of stolen usernames and passwords, searching for digital identities that could belong to client’s customers. Trillion™ was one of two products that Crossword added to its product portfolio as a result of its acquisition of Threat Status Limited in March in 2022, the other product being Arc. ARC Arc provides account protection for eCommerce platforms and organisations, querying for access attempts in real time, using username and password pairs already known to criminals. This enables clients to instantly step in and avoid losses. www.crosswordcybersecurity.com 17 Crossword Products timeline 2015 Rizikon launched 2016 Worked with Coventry University to help create CyberOwl Ltd 2017 Worked closely with our university partners, Warwick and EPFL, to create ByzGen Ltd 2019 Accepted onto the UK Government G-Cloud framework 2019 Nixer CyberML machine-learning version launched 2019 Rizikon Assurance 2.0 launched; designed with Creditsafe integration, 360-degree Supplier Scorecards and an Assurance Framework Dashboard 2020 Launch of Rizikon Pro May 2021 Completion of acquisition of Verifiable Credentials Limited, adding Identiproof to the product portfolio March 2022 Acquired Threat Status Limited, the cyber intelligence company, in March 2022, adding Trillion™ and Arc to Crosssword’s product portfolio November 2021 Integrated DarkBeam’s cyber risk audits into Rizikon, significantly enhancing Rizikon’s functionality 18 CROSSWORD CYBERSECURITY PLC Annual Report and Accounts 2022 Sales & Business Development Focus on high retention rates and increased contract value The customer success team continued to ensure high retention rates and increased contract value by demonstrating the value of products to clients. We saw this markedly in the case of Rizikon, leading to high levels of contract renewals as supply chain risks increase and become more widely recognised. Sales team restructured In 2022, Crossword’s sales team was restructured into direct and indirect/ channel sales to keep improving results. As part of this restructure, for direct sales we are placing more emphasis on sector-based sales campaigns, e.g. targeting sectors such as large clients facing supply chain risks for Rizikon. For indirect/channel sales we are expanding channel sales via resellers and distributors. To generate a better sales pipeline and results overall we also implemented the MEDDICC sales methodology, whilst continuing to further develop CRM and sales reporting/automation. New sales partnerships We were pleased to establish several new sales partnerships during the period. Sales partnerships are part of Crossword’s indirect/channel sales and enable Crossword to reach large audiences quickly and effectively. The new partnerships included BESA (British Educational Suppliers Association), the SWCRC (South West Cyber Resilience Centre), techUK, (the UK digital technology trade association), the Chartered Insurance Institute and the International Federation of Consulting Engineers. We were also delighted that the IASME Consortium Limited, a UK Government Cyber Essentials Partner, selected Rizikon Assurance as the core platform to support a new Maritime Security certification, taking the number of certifications it delivers via Rizikon to three. In 2022, Crossword also supported the British Educational Suppliers Association with Cyber Essentials and Rizikon, as well as techUK’s SMEs with Cyber Essentials and Rizikon Assurance. R E P O R T S T R A T E G C I 19 Rizikon - Expertise in supply chain cybersecurity Time consuming, arms length assurance process • Assessing cyber security risk emanating from hundreds of suppliers, usually at arms- length, is very inefficient and highly labour intensive without technology support • Creates strong demand for integrated single point software solutions that can address this and give clients a top-down view of their supply chain risk Increased Regulatory Pressure • Regulatory developments are increasing pressure on companies to monitor and react to supply chain risk • In the UK, the Network and Information Systems Regulations 2018 (NIS), which are currently being consulted upon under three pillars, and the UK Prudential Regulation Authority (PRA), are of particular importance Increasing and evolving supply chain risk • Supply chain cyber security has suffered from under investment in relation to other cyber sectors, such as combating Ransomware • Hackers are targeting the vulnerabilities and evolving their attacks within increasingly complex integrated supply chains • Has created pent-up demand to improve supply chain cyber security Rizikon reduces risk and improves compliance in supply chain cyber risk management Increased Cost Efficiency Improved Compliance Reduced Cyber Risk • Increased automation is driving better use of resources and improved ROI • Rapid assessment of regulatory and other cyber risk compliance • Rapid assessment of supply chain cyber risks in the supply chain • Enhanced ability to focus activities on areas of greatest need and higher risk • Simple scheduling and timely deployment of assessment activities • Scalable SaaS solution that grows with clients, from small to very large supplier chains • Enhances client’s capability by building on Crossword knowledge base, advisory support and services • Efficient planning and tracking of mitigating actions • Effective escalation and senior level reporting • Continuous improvement based on Crossword’s accumulated supply chain cyber expertise 20 CROSSWORD CYBERSECURITY PLC Annual Report and Accounts 2022 • Comprehensive overview of risk mitigation pipeline • Customisable categorisation for speedy prioritisation • Fast and efficient planning and tracking of mitigation & transformation • Timely escalation and senior level reporting Trillion™ - A sole focus on credential breach detection since 2017 R E P O R T S T R A T E G C I Trillion’s attractiveness derives from its sole focus on solving one core problem area: stolen passwords, otherwise known as credential breach detection. Trillion’s specialisation since its launch in 2017 has led to an outstanding degree of expertise that is highly regarded in the market. Trillion™ focuses on serving the corporate market, for which password/credential breach protection is one of the highest priorities. Trillion’s hallmarks of speed of service, quality of data and confidentiality are highly valued by corporate clients. Trillion™ is strongly positioned in the feature rich yet price accessible higher segment of the market, combining highly automated processes that are driven by AI, thereby simplifying onboarding and operation for its clients. Trillion’s distinct servicing model serves as an additional strong differentiator, in contrast to providers that will limit themselves to dumping raw and unstructured data on clients. Trillion’s USPs 1. Privacy. Trillion™ maximises privacy whilst continuously filtering through constantly increasing amounts of stolen data. When it alerts clients about stolen data, it does so by only disclosing data appropriate for risk management while restricting all critical privacy elements to the data subject themselves. 2. Relevant and cleanest data. Trillion™ prioritizes the most relevant data through a number of methods, including automatically testing whether discovered email addresses are still active or defunct. 3. Most dangerous users. Trillion™ targets the highest risk people by identifying top offenders of password re-use. www.crosswordcybersecurity.com 21 Delivering credential protection at scale for Spain’s public administration Protecting large, distributed organisations, such as exist in the public sector, where many individual entities exist is one of the more challenging aspects of cyber security at scale. Crossword considers CCN-CERT a true business partner, and we learn as much from their feedback on our products as they do from our data. By listening closely to clients’ needs, we are continuously enhancing Trillion™ to support the cybersecurity needs of organisations operating at the top of their game” Jon Inns, Product Director for Arc and Trillion™ Covid-19 During the height of the Covid-19 pandemic, CCN-CERT needed to act immediately to enhance the cybersecurity of Spain’s national health infrastructure. Time Once the team at CCN was given access to Trillion™, in a matter of hours every health organisation across Spain was configured in the platform and breached credential data was being fed back into the CERT. CCN-CERT CCN-CERT is the Information Security Incident Response Team (CERT) of the National Cryptologic Centre in Spain (CCN), which is accountable to the Spanish National Intelligence Centre. Support Head of the cybersecurity department at CCN contacted the Trillion™ operations team after Trillion’s global offer of support to help protect digital identities within health services. 22 CROSSWORD CYBERSECURITY PLC Annual Report and Accounts 2022 R E P O R T S T R A T E G C I Certification Crossword collaborated with the CERT to implement new features which would enable it to extend the use of Trillion™ to local Government departments and organisations, while still maintaining a central, national view within the CERT. Expansion CCN-CERT decided that a wider scope for Trillion™ will protect the wider Spanish public services infrastructure. Success Trillion™ is now monitoring hundreds of organisations, thousands of domains and reporting leaked data on hundreds of thousands of public workers across Spain. Roll out Trillion™, with the new features, was rolled out over the following weeks. CCN-CERT invited hundreds of local authorities, municipalities, town halls and central government departments to come on board using simple automated signups, which took a matter of minutes to complete. www.crosswordcybersecurity.com 23 Section 172 (1) Statement The Company has complied with the requirements of s414CZA of the Companies Act 2006 by including certain information within the Strategic and Governance Reports, that informs members of the Company how the Directors have considered the matters set out in section 172(1)(a) to (f) of the Companies Act 2006 when performing their duty under section 172 to promote the success of the Company. The following table outlines where the key content as required by the regulations can be found in this report. Crossword in the UK has an Employee Assistance Programme (EAP) which includes a wealth of resources like confidential health assessments, online resources, and telephone support. Matters considered by the Board Where to read more in this Annual Report The likely consequences of any decision in the long term The interests of the Company’s employees The need to foster the Company’s business relationships with suppliers, customers and others Strategic Report on page 3 Corporate Governance Report on page 38 Directors’ Report on page 50 Corporate Social Responsibility on page 26 Corporate Governance Report on page 38 Corporate Governance Report on page 38 The impact of the Company’s operations on the community and the environment Corporate Social Responsibility on page 26 Corporate Governance Report on page 38 The desirability of the Company maintaining a reputation for high standards of business conduct The need to act fairly as between members of the Company Performance Review on page 10 Strategic Report on page 3 Corporate Governance Report on page 38 Corporate Governance Report on page 38 Directors’ Report on page 50 24 CROSSWORD CYBERSECURITY PLC Annual Report and Accounts 2022 R E P O R T S T R A T E G C I 25 Corporate Social Responsibility It’s a really lively, young, fast moving company. Everyone is very engaged it’s a really great company to work for. The atmosphere is second to none” The greatest thing about Crossword is the culture. I find our CEO very charismatic and focused on keeping the culture alive but not being not being something which is forced on people. It feels very natural, very modern, a great place to work.” ENVIRONMENTAL, SOCIAL & GOVERNANCE As Crossword continues to grow and mature as an organisation, a keen focus is kept on our wider stakeholder and social responsibilities. Crossword holds itself to high standards in relation to stakeholders, in areas such as governance, employees, community, environment and customers. Crossword recognises that we have a responsibility to manage our environmental impacts carefully, including meeting all legal and regulatory requirements. We are committed to reducing our environmental impact and continually improving our environmental performance as an integral part of our business strategy and operating methods, with regular review points. We encourage customers, suppliers and other stakeholders to do the same. At Crossword, we value the people and we believe our greatest strength is a good team of experts. We are focussed on gender diversity with the Board being 37.5% women and Advisory Board at 50:50 parity. The Women at Crossword Group was established during 2021 and has met 3 times covering an interesting range of topics and speakers. Our culture Our culture is that distinct differentiator which drives our decisions and actions. We are energetic, agile and passionate about the quality of work we deliver. We encourage responsibility early in the lifecycle of an employee’s career, along with which comes valuable learning. We make sure we have fun while doing our work and look out for each other by being open, transparent and flexible to adapt to each other’s needs and the needs of our customers and stakeholders. The Board is committed to promoting a strong ethical and values-driven culture throughout the Company and has a people- oriented ethos where hard work and commitment is recognised. The benefit of experience The make-up of our team gives us something unique to offer. It’s rare to find such richness of leadership experience in a small organisation and the advantage of our size is that our leadership team are present, accessible and engaged with the whole team. Employees get to know the leadership well and our staff tell us time and time again that they find this level of exposure invaluable in developing their own knowledge and business acumen. In 2022, we looked after our health and well-being in many ways, including with online yoga classes, laughter yoga, financial wellbeing workshop, celebrating Men’s Health week, a Wellness Week and several enjoyable social events. We have a Mental Health First Aider to provide support where required. We have a ‘Balance’ channel on Slack, which is a dedicated space to bring interesting articles, blogs, websites and general content about Mental Wellbeing. Our Mental Wellbeing Policy outlines our provisions to prevent and address mental health issues among our employees. Mental Health is just as important as physical health. Mental ill health may be detrimental to a person as it impacts happiness, productivity, and collaboration. Crossword in the UK has an Employee Assistance Programme (EAP) which includes a wealth of resources like confidential health assessments, online resources, and telephone support. 26 CROSSWORD CYBERSECURITY PLC Annual Report and Accounts 2022 Company values Flexibility We adapt to changing needs and empower our employees with the trust and autonomy they need to deliver high quality work. Learning We promote continuous learning culture and believe that knowledge and competence drives performance and growth of the individual and organisation. R E P O R T S T R A T E G C I Responsibility We take the ownership to demonstrate a high standard of work as we are personally responsible for the work we deliver. Openness We encourage openness between all employees and with clients, we are inclusive adaptive collaborative, and committed to accepting people from diverse backgrounds. More reasons to join us Leadership support Asking for help and support is celebrated and highly encouraged at Crossword. The support can be available in the form of Mentoring, knowledge sharing and we also have a ‘Buddy system’ for new starters. The Executive team is committed to their team’s professional development. Great working environment We strive to better the employee experience by providing proper work equipment and also through workplace engagement surveys which encourage open communication and feedback. Our offices are modern and equipped with kitchen and shower facilities, coffee machines and breakout spaces. Inclusivity & Diversity Work-life balance Our collective strength is in our individual uniqueness and the range of experiences we can bring to the table. When we recruit, we don’t look for a ‘Culture fit’, to fit any specific but rather what the person brings, but our culture is extremely collaborative and adapts to cater to the needs of our biggest asset – our people! We are focused on achievements at work, not how long you spend in the office. We believe in being agile and adapt to work around employees’ commitments and working styles. We prioritise our employees’ mental well-being above everything else. All employees are encouraged to take timely breaks to spend time doing what they love and pursue their recreations. Some of the initiatives which highlight the elements of our culture are as follows: • Employee Engagement through our Corporate Social Responsibility initiative drives a common goal and brings employees together for a higher purpose. We have partnered with SPEAR, a local charity in Richmond, to raise funds and help the homeless. Our Krakow office employees carry out philanthropic initiatives every year to help the disadvantaged and needy. • We also have other interesting employee engagement events like our company away days, social events, lunch Mondays, etc. • Excellent communication channels like Slack, Google Meet, virtual fortnightly coffee mornings allow for an easy flow of communication. • Flexible and family-friendly policies which enable an enviable work environment. • Open recognition initiatives as well as a 5-year Long Service Award to acknowledge hard work and commitment to the business www.crosswordcybersecurity.com 27 Principal Risks & Uncertainties The Board has overall responsibility for ensuring that risk is appropriately managed throughout the business. The Board is aware of the need to conduct regular risk assessments to identify any deficiencies in the controls currently operating over all aspects of the Company. Risks to the achievement of strategic objectives are identified by the Executive. The degree of risk is evaluated by reference to the impact and probability of the risk, considering inherent and residual risk. The Executive considers the nature and extent of the risks, the threat of such risks becoming reality, the ability to reduce the incidence and impact on its business if the risk materialises, and the costs and benefits resulting from operating relevant controls. A Risk Register is prepared and regularly reviewed by the Executive, and shared with the Audit Committee for independent review and robust challenge. The Risk Register includes a plan for mitigation of risks above the risk appetite of the business. RISKS RELATING TO THE GROUP AND THE INDUSTRY IN WHICH IT OPERATES 1 INTELLECTUAL PROPERTY ACQUISITION AND DEVELOPMENT 2 TECHNOLOGICAL CHANGES Generally, product markets are exposed to rapid technological change, changes in use, changes to customer requirements and preferences, and services employing new technologies and the emergence of new industry standards and practices. The Group operates in a market with such changes, which have the potential to render the Group’s existing technology and products obsolete or uncompetitive. To remain competitive, the Group must ensure continued product improvement, and the development of new markets and capabilities to maintain a pace congruent with changing technology. This added strain may stretch the Company’s capital resources, which may adversely impact the revenues and profitability of the Company. The Company’s success is dependent on the ability to effectively respond and adapt to technological changes and changes to customer preferences. There can be no assurance that the Company will be able to effectively anticipate future technological changes or changes in customer preferences. Furthermore, there is also no assurance that the Company will have sufficient financial resources to effectively respond in a timely manner if such a change is anticipated. 3 REPUTATIONAL RISKS As a cyber security company, Crossword is very conscious of its external reputation. If the Group is compromised as a result of a cyber incident, it would impact its clients’ confidence. As Crossword expands its products and services, it is holding more client data and intellectual property, increasing the potential impact in the event of a cyber incident. Crossword acquires intellectual property (IP) rights from universities via licensing, IP transfer arrangements and acquisitions, and then develops this IP into commercial products. Failure to secure good quality IP deals, and to quickly and appropriately meet new cyber security challenges, will make it difficult for the Group to generate new products. Crossword has an experienced cyber security expert acting as its Chief Information Security Officer (CISO) and a strong technical team who actively seek to mitigate threats. Nonetheless, should an event take place which adversely affects the reputation of the Group, its future prospects and value could suffer. The success of this strategy depends on the ability of Crossword to source suitable IP and use its expertise in business management, marketing and product development to build solutions attractive to its potential customer base. Ultimately, Crossword will only succeed if it is able to acquire design, develop and sell new software solutions in a timely fashion that deliver operational reliability and effectiveness. 4 COMPETITION There is no guarantee against new entrants or current competitors providing superior technologies, products or services to the market. There is no certainty that new entrants or current competitors will not provide equivalent products for a lower price. The Company may be forced to make changes to one or more of its products or to its pricing strategy to effectively respond to changes in customer preferences in order to remain competitive. This may impact negatively on 28 CROSSWORD CYBERSECURITY PLC Annual Report and Accounts 2022 R E P O R T S T R A T E G C I the Company’s financial performance. The Group’s consulting division operates in an environment that includes large international accounting firms and consultancies and a number of smaller niche players. There are very low start-up costs for any new entrant into the market and the Group cannot prevent any person or organisation from seeking to compete with it. There is a risk that an existing competitor or a new entrant may, over time, be able to win work from the Group’s existing and future customers. In addition, larger competitors may, in the future, adopt more aggressive expansion strategies, which could include hiring additional experienced consultants and changing their business model and service offering to one that is directly comparable to that of the Group. This could, in theory, result in a material loss of customers from the Group to larger competitors and therefore have a material adverse impact on the financial performance of the Group. 5 KEY SYSTEM FAILURE, DISRUPTION OR INTERRUPTION The Company’s reliance on technology exposes the Company to a significant risk in the event that such technology, or the Company’s systems, experience damage, interruption or failure in some form. A malfunctioning of the Company’s technology and systems, or those of key parties, could result in a diminished confidence in the Company’s services, resulting in a consequential material adverse effect on the Company’s operations and results. 6 DEPENDENCE ON THIRD PARTIES AND BUSINESS CONTINUITY and therefore materially and adversely affect its reputation, performance or financial condition. 7 ABILITY TO RECRUIT AND RETAIN SKILLED PERSONNEL The Company believes that it has the appropriate incentive structures and culture to attract and retain the calibre of employees and contractors necessary to ensure the efficient management and development of the Company. However, any difficulties encountered in hiring, and retaining, appropriate employees and/or contractors and the failure to do so, or a change in market conditions that renders current incentive structures unattractive, may have a detrimental effect upon the trading performance of the Company. With recognised shortage of skilled technical people, the ability to attract new employees and contractors with the appropriate expertise and skills cannot be guaranteed. 8 FINANCIAL CONTROLS AND INTERNAL REPORTING PROCEDURES The Company’s future growth and prospects will depend on its ability to manage growth and to continue to maintain, expand and improve operational, financial and management information systems on a timely basis, whilst at the same time maintaining effective cost controls. Any damage to, failure of or inability to maintain, expand and upgrade effective operational, financial and management information systems and internal controls in line with the Company’s growth could have a material adverse effect on the Company’s business, financial condition and results of operations. Key components of Crossword’s technology platform may be dependent on the continuing availability of a particular supplier. GENERAL BUSINESS RISKS 9 TAXATION RISK The software development environment or data processing platforms may become unavailable for an extended period of time thereby disrupting customers’ experience of Crossword’s products and services. Crossword’s business is at risk from disruption of key systems and assets on which it depends. The Company is subject to taxation and the application of such taxes may change over time due to changes in laws, regulations or interpretations by the relevant tax authorities. The recent proposed changes to the research and development tax incentives may have an adverse effect on the Company’s results of operations. The functioning of the IT systems on which it relies could be disrupted for reasons either within or beyond its control, including but not limited to: accidental damage; disruption to the supply of utilities or services; security breaches; extreme weather events; systems failure; or workforce actions. There is a risk that such disruption may materially and adversely affect Crossword’s ability to offer services to customers The continuing status of the Ordinary Shares as a qualifying holding for VCT and/or EIS purposes will be conditional (amongst other things) on the qualifying conditions being satisfied throughout the period of ownership. There can be no assurance that the Company will continue to conduct its activities in a way that will secure or retain qualifying status for VCT and/or EIS purposes. www.crosswordcybersecurity.com 29 10 COUNTERPARTY CREDIT RISK 14 CURRENCY EXCHANGE RISK The Group’s functional currency is Sterling. One subsidiary, Crossword Cybersecurity Sp. Z.o.o is based in Poland, and another subsidiary, Crossword Cybersecurity LLC, is based in Oman. Crossword Cybersecurity Sp. Z.o.o, where the functional currency is zloty, accounts for approximately 11 per cent of the total costs of the business. Crossword Cybersecurity LLC‘s functional currency is Omani rials, which is pegged to the US Dollar. Exposure to this and other exchange rates may effect the Company’s results. The Company may consider implementing policies to limit its currency exposure and will consider currency hedging instruments when they prove to be available and cost-effective. 15 GOING CONCERN RISK There is a risk that the Group will not be able to raise cash when it is required. This could be as a result of poor performance within the Group or turmoil within the markets following COVID-19, or other economic issues such as the Ukraine crisis. The Strategic Report was approved by the Board of Directors on 18 April 2023. TOM ILUBE CEO 18 April 2023 There is a risk that parties with whom the Company trades or has other business relationships (including partners, customers, suppliers, subcontractors and other parties) may become insolvent. This may be as a result of general economic conditions or factors specific to that company, or exceptional circumstances such as COVID-19. In the event that a party with whom the Company trades becomes insolvent, this could have an adverse impact on the revenues and profitability of the Company. 11 LEGAL RISK Legal risks include the inability to enforce security arrangements, an absence of adequate protection for intellectual property rights, an inability to enforce foreign judgments relating to contracts entered into by the Company that are governed by law outside England and Wales, absence of a choice of law, and an inability to refer disputes to arbitration or to have a limited choice with regard to arbitration rules, venue and language. Mitigation measures for these risks may also be limited. 12 INSURANCE RISK There can be no certainty that the Group’s insurance cover is adequate to protect against every eventuality. The occurrence of an event for which the Group did not have adequate insurance cover could have a materially adverse effect on the Group’s business, revenue, financial condition, profitability, results, prospects and/or future operations. 13 ECONOMIC CONDITIONS The Group could be affected by unforeseen events outside its control including economic and political events and trends, inflation and deflation or currency exchange fluctuations. The impact is likely to include interrupted power supply, disruption to financial markets and higher inflation. Any economic downturn either globally or locally in any area in which the Group operates may have an adverse effect on the demand for the Group’s products and services. A more prolonged economic downturn may lead to an overall decline in the volume of the Group’s activities and sales, restricting the Group’s ability to realise a profit. The markets in which the Group offers its services are directly affected by many national and international factors that are beyond the Group’s control. 30 CROSSWORD CYBERSECURITY PLC Annual Report and Accounts 2022 Governance Report The Board The Directors in office during the year and at the date of this report are as shown below: Sir Richard Dearlove KCMG OBE Tom Ilube CBE Mary Dowd Non-Executive Chair Chief Executive Officer Chief Financial Officer Appointment Date: 1 September 2016 Skills and Experience: Sir Richard brings to the Board extensive experience across government, education and global business. Sir Richard joined MI6 in 1966, undertaking various overseas and head office roles before being promoted to Chief of the Secret Intelligence Service in 1999. He retired from the Service in 2004. External Appointments: Sir Richard is presently Chair of Trustees of University of London, Chair of Ascot Underwriting Limited at Lloyd’s of London and a Director of Kosmos Energy, the New York Stock Exchange listed oil and gas exploration company. Sir Richard is also a Director of The Cambridge Security Initiative 2017, the Cambridge Arts Theatre Trust Limited, Lower Tamar Fishing Club Limited and Endsleigh Fishing Club Limited. He also holds several advisory roles. Committee Memberships: None Appointment Date: 6 March 2014 Skills and Experience: Tom is founder and CEO of Crossword. Tom served as Chief Information Officer of Egg Banking PLC, which at the time was a pioneering main market listed UK internet bank. Tom chaired the UK Government Technology Strategy Board’s Network Security Innovation panel. He was a member of the High Level Expert Group on cyber security at the International Telecommunication Union (ITU), a Geneva- based UN agency. He was awarded a Doctor of Science (Honoris Causa) by City, University of London, an Honorary Doctor of Technology by the University of Wolverhampton and was appointed a CBE in the 2018 Birthday Honours for services to Technology and Philanthropy. External Appointments: Non-Executive Director of WPP plc and Chair of the RFU. Director of Iternal Limited, Honorary Fellow of St Anne’s College, Oxford and of Jesus College, Oxford and Chair of the African Gifted Foundation. Committee Memberships: None Appointment Date: 14 June 2018 Skills and Experience: Mary brings over 20 years’ experience of working alongside business leaders. She has demonstrated a track record of managing finance teams to ensure timely delivery of relevant financial information to all stakeholders, providing clear leadership, continuous process improvement, and excellent communication. She also brings to Crossword extensive experience of working in acquisitive businesses and providing transactional support. Mary graduated from University College Galway, Ireland and has a postgraduate Diploma in Business Studies from the same university. She is a Fellow of the Chartered Institute of Management Accountants. External Appointments: Trustee at The Groundwork South Trust Limited and member of the Audit and Risk Committee of the University of Essex. Committee Memberships: None 32 CROSSWORD CYBERSECURITY PLC Annual Report and Accounts 2022 Dr Robert Coles Dr David Secher Independent Non-Executive Director Appointment Date: 25 May 2021 Skills and Experience: Robert is a highly experienced IT Risk and Cyber Security leader.  He has over 30 years commercial experience, including Chief Information Security Officer of the NHS.  Prior to this, Robert worked for GSK, National Grid, and Merrill Lynch. He held various senior information security roles at Royal Bank of Scotland and he was a partner in KPMG. Robert is a Senior Fellow at the Centre for Assurance Research and Engineering at George Mason University, Washington DC. He is also an Honorary Professor at UCL. He was awarded a PhD in psychology by the University of Leeds for his work on the perceptions of information and IT risk and has published and presented on this and other topics. He continues to undertake research in these areas. He was also awarded an MBA from Manchester Business School. He has extensive links with major industry information security networking groups. Robert is Chair of the Group’s subsidiary, Crossword Consulting Limited. External Appointments: Director & Chair of Cumberland House Consulting Ltd, Director & Chair of Think Cyber Security Ltd, Governor/Trustee and Audit Committee Member of the University of Brighton. Committee Memberships: Audit and Nomination (Member) www.crosswordcybersecurity.com Independent Non-Executive Director Appointment Date: 16 June 2014 Skills and Experience: David is an international expert in intellectual property, technology transfer and research management. His experience includes Japan, Jordan, South Africa, Brazil, Chile, Australia, Argentina, India, Saudi Arabia and Lebanon as well as Europe and the USA. David is a Life Fellow and until 2018 was Senior Bursar at Gonville & Caius College, Cambridge where he was responsible for the investment of a £210m endowment. David was co-founder and chair of Praxis (now PraxisAuril), the leading UK technology transfer training programme, of which he is now Patron. He served as Director of Research Services, University of Cambridge, where he was responsible for creating and directing a new division of 80 staff, for designing and implementing an intellectual policy for the university and for technology transfer throughout the university resulting in £2m licensing revenue, 40 new licences and six spin outs per year. David was Chief Executive of N8 Limited, a consortium of eight research-intensive universities in the North of England, securing initial funding of £6m from Regional Development Agencies. His earlier career was in molecular biology research with MRC Laboratory of Molecular Biology, Celltech Limited and Cancer Research Campaign (now Cancer Research UK). David held or was named on three patents and is the holder of a Lifetime Queen’s Award for Enterprise Promotion for creating ‘environments that favour enterprise, specialising in the practical aspects of commercialising the results of academic research’ External Appointments: David is a Director of Cambridge KT Limited, Trustee of Cambridge United Charities, Chair of Fitzwilliam Museum (Enterprises) Limited, Trustee of The Trinity Challenge, a Governor of Coventry University Group and Treasurer of the César and Celia Milstein Foundation. Committee Memberships: Audit (Chair), and Remuneration (Member). R E P O R T G O V E R N A N C E 33 The Board continued Ruth Anderson Tara Cemlyn-Jones Andy Gueritz Independent Non-Executive Director Appointment Date: 25 May 2021 Skills and Experience: Tara has over 30 years’ experience in financial services namely in capital markets, M&A, strategy and digital transformation across many sectors, including financial services (banking, asset & wealth management,and fintech), energy & infrastructure and healthcare. Tara was head of M&A at Lastminute. com and has held senior positions at Schroders, Citigroup and Espirito Santo Investment Bank. External Appointments: 25x25 Limited. Committee Memberships: None Independent Non-Executive Director Appointment Date: 1 February 2018 Skills and Experience: Ruth has over 15 years’ experience in the fields of security, intelligence, cyber crime and risk management. She brings to the Board extensive experience across defence and law enforcement sectors and within financial services, developing and implementing cyber risk governance frameworks. Ruth is currently Chief Operating Officer for Technology, Security and Data divisions at Lloyds Banking Group. She was previously a Director of Cyber in the Financial Services Department of KPMG. She served as the Head of Specialist Operational Support and also as the Head of Intelligence at the Child Exploitation and Online Protection Centre, where she delivered the first-ever strategic threat assessment on child abuse in the online environment. Prior to this, Ruth served in intelligence and security in the British Army. External Appointments: Halifax Share Dealing Limited. Committee Memberships: Audit (member), Remuneration (Member) and Nomination (Member). Independent Non-Executive Director Appointment Date: 21 September 2015 Skills and Experience: Andy is an experienced Senior Advisor with a successful track record in helping clients improve and transform their business by managing technology better and creating new technology-based ventures. In recent years, Andy has advised clients in a broad range of industries on topics such as business/technology strategy and investment planning; customer data analytics; transformation for innovation and agility; performance improvement and cost optimisation, and other ways using technology to get and deliver better value. Before becoming a consultant, he attained Board-level responsibility in a successful career in software development and systems implementation. Andy is a Chartered Fellow of the BCS (FBCS), Chartered IT Professional (CITP), Chartered Engineer (C.Eng), Fellow of the IET (FIET), and a European Engineer registered at FEANI. He holds a First Class Honours degree in Electrical and Electronic Engineering with Computer Science from Queen Mary University of London. External Appointments: Sixhills Consulting Limited. Committee Memberships: Audit (member), Remuneration (Chair) and Nomination (Chair). 34 CROSSWORD CYBERSECURITY PLC Annual Report and Accounts 2022 The Executive board R E P O R T G O V E R N A N C E Tom Ilube CBE Mary Dowd Jake Holloway Chief Executive Officer Chief Financial Officer Chief Product Officer Skills and Experience: Jake has over 30 years of experience in technology across a wide range of industries and roles – including as CTO and Head of Product for two well-known software houses, and as CEO/Founder of an innovative Online Systems House. In his two most recent roles before joining Crossword, he was advising Worldpay on their separation from RBS, and founded Xendpay, a Fintech startup, where he was COO. Jake authored books on project management in 2015 and 2016. Appointment Date: 6 March 2014 Appointment Date: 14 June 2018 Skills and Experience: Tom is founder and CEO of Crossword. Tom served as Chief Information Officer of Egg Banking PLC, which at the time was a pioneering main market listed UK internet bank. Tom chaired the UK Government Technology Strategy Board’s Network Security Innovation panel. He was a member of the High Level Expert Group on cyber security at the International Telecommunication Union (ITU), a Geneva- based UN agency. He was awarded a Doctor of Science (Honoris Causa) by City, University of London, an Honorary Doctor of Technology by the University of Wolverhampton and was appointed a CBE in the 2018 Birthday Honours for services to Technology and Philanthropy. External Appointments: Non-Executive Director of WPP plc and Chair of the RFU. Director of Iternal Limited, Honorary Fellow of St Anne’s College, Oxford and of Jesus College, Oxford and Chair of the African Gifted Foundation. Committee Memberships: None Skills and Experience: Mary brings over 20 years’ experience of working alongside business leaders. She has demonstrated a track record of managing finance teams to ensure timely delivery of relevant financial information to all stakeholders, providing clear leadership, continuous process improvement, and excellent communication. She also brings to Crossword extensive experience of working in acquisitive businesses and providing transactional support. Mary graduated from University College Galway, Ireland and has a postgraduate Diploma in Business Studies from the same university. She is a Fellow of the Chartered Institute of Management Accountants. External Appointments: Trustee at The Groundwork South Trust Limited and member of the Audit and Risk Committee of the University of Essex. Committee Memberships: None www.crosswordcybersecurity.com 35 The Executive board Stuart Jubb Sean Arrowsmith Group Managing Director Group Sales Director Skills and Experience: Stuart joined Crossword from KPMG where he was Associate Director, Defence & Security. Prior to that, he was Chief Operating Officer of a global consulting team of over 200 in KPMG Advisory. Stuart spent nine years as an officer in HM Forces, after Sandhurst, serving in Afghanistan, NATO and elsewhere. Skills and Experience: Sean has over 20 years’ sales experience in cyber/information security and technology. He was previously Group Sales Director at IRM Limited, the World Class Centre in Cyber Security of Altran Technologies SA, the global innovation and engineering consulting firm. Here, Sean was accountable for revenue target achievement across all of IRM’s business streams including consulting, software and training. Prior to that, Sean was responsible for leading consulting sales at Siemens Insight Consulting. 36 CROSSWORD CYBERSECURITY PLC Annual Report and Accounts 2022 The Advisory board R E P O R T G O V E R N A N C E Alison Dyer Professor David Stupples Naina Bhattacharya Chair of the Advisory Board Advisory Board Member Advisory Board Member Skills and Experience: Naina Bhattacharya is Global Chief Information Security Officer at Danone S.A., the multinational food product corporation with over 100,000 staff in 120 countries. She is responsible for delivering the cyber security vision and roadmap for the company. Prior to Danone, she worked in consulting and had the privilege of working on complex cyber security and data privacy projects across multiple companies in several industries. She is passionate about diversity and inclusion with a specific interest in increasing the representation of women in technology. Naina holds a BEng in Computer Science from BITS, Pilani, India and a post-graduation in management from the Indian School of Business in Hyderabad. Skills and Experience: Alison Dyer joined ASOS.com in August 2022 as CISO. Prior to this, Alison was CISO at URENCO, a global supplier of enrichment services and fuel cycle products. Alison was responsible for all aspects of their information and cyber security, covering both information and operational technology. Alison has also held the position of Director of GlaxoSmithKline’s (GSK) global cyber security programme, where she led multiple strategic delivery workstreams including security technology, governance, culture, third party management and operational technology security. Alison holds a BEng in Mechanical Engineering from Imperial College, London and an MSc in Information Security from Royal Holloway University. Skills and Experience: David is currently Director of the Centre for Cyber and Security Sciences at City University London. In his early career, he was employed as an engineer in signals intelligence in the Royal Air Force followed by a period of intensive research into surveillance systems at the Royal Signal and Radar Establishment, Malvern. He spent three years developing highly secure communications for surveillance satellites for Hughes Aircraft Corporation in the United States of America. Later, he became a senior partner with PA Consulting Group where he undertook surveillance and intelligence systems research for Ministry of Defence (Navy) and was responsible for consultancy in secure communications and surveillance systems for world-wide clients. Since 2003, David has been researching internet security at City University focused on cyber terrorism and organized cyber crime for both the UK government and commercial companies. However, he still maintains an active interest in radar surveillance research. Professor Stupples is a member of the Defence Scientific Advisory Council (DSAC), the Defence Procurement Agency’s Independent Advisory Board on Systems Integration, and he consults worldwide in cyber intelligence. www.crosswordcybersecurity.com 37 Corporate Governance Report CHAIR’S INTRODUCTION The Directors acknowledge the importance of high standards of corporate governance and have adopted the principles set out in the Quoted Companies Alliance Corporate Governance Code for Small and Mid-Size Quoted Companies (the ‘QCA Code’) 2018, given the Group’s size and the constitution of the Board. The QCA Code sets out a standard of minimum best practice for small and mid-size quoted companies, particularly AIM companies. The Chair and the Board accept the importance and responsibility of setting good corporate culture, values and behaviours. The Board also acknowledges its responsibility in delivering the long-term success of the Company for the benefit of shareholders and other stakeholders. This Corporate Governance Report describes how the Company has applied the principles and standards set out in the Code during the year and, to the extent it has not done so, any deviations from them. It is the Board’s view that the Company has complied with all of the provisions of the Code during the year ended 31 December 2022. operating model (SCC SOM) is supported by our best-selling SaaS platform, Rizikon Assurance, along with cost-effective cyber audits, security testing services and complete managed services for supply chain cyber risk management. Threat detection and response services include our Nightingale AI- based network monitoring, our Trillion™ and Arc breached credentials tracking platforms, and incident response. Crossword’s work in digital identity is based on the World Wide Web Consortium W3C verifiable credentials standard and our current solution, Identiproof, enables secure digital verification of individuals to prevent fraud. Crossword serves medium and large clients including FTSE 100, FTSE 250 and S&P listed companies in various sectors, such as defence, insurance, investment and retail banks, private equity, education, technology and manufacturing and has offices in the UK, Poland, Oman and Singapore. Crossword is traded on the AIM market of the London Stock Exchange. Where appropriate, Crossword will transfer the IP to separate companies in which it will retain a commercial interest. So far, Crossword has been instrumental in the development of two such companies, ByzGen Limited and CyberOwl Limited. 1: ESTABLISH A STRATEGY AND BUSINESS MODEL WHICH PROMOTE LONG-TERM VALUE FOR SHAREHOLDERS 2: SEEK TO UNDERSTAND AND MEET SHAREHOLDER NEEDS AND EXPECTATIONS The Company’s Strategic Report is on pages 3 to 30 of this report. Crossword’s vision is to partner with organisations to keep them secure in the digital world. The Group reduces cyber risks for their clients by providing a portfolio of innovative products and services, powered by university and other research-driven insights. Crossword offers a range of cyber security solutions to help companies understand and reduce cyber security risk. We do this through a combination of people and technology, in the form of SaaS and software products, consulting, and managed services. Crossword’s areas of emphasis are cyber security strategy and risk, supply chain cyber, threat detection and response, and digital identity with recurring revenue models in these four areas. We work with UK universities and our products and services are often powered by academic research-driven insights. In the area of cybersecurity strategy and risk our consulting services include cyber maturity assessments, industry certifications, and virtual chief information security officer (vCISO) managed services. Crossword’s end-to-end supply chain cyber standard Crossword is committed to engaging with its shareholders to ensure that its strategy, business model and performance is clearly understood. The Company communicates with shareholders and potential investors through a variety of channels, including webinars, regular financial reporting, direct contact with its major shareholders and release of regulatory announcements, which are available on its website. Regulatory announcements include details of the Company’s website and the relevant contact at the Company, as well as its professional advisors. The Annual General Meeting (AGM) provides another opportunity for dialogue between shareholders and the Board. The Chair of the Board and of the Committees, together with other Directors, routinely attend the AGM and are available to answer questions raised by the shareholders. At the meeting, each vote, the number of proxy votes received for, against and withheld is announced. The results of the AGM are subsequently published on the Company’s website and released via a regulatory information service provider. 38 CROSSWORD CYBERSECURITY PLC Annual Report and Accounts 2022 R E P O R T G O V E R N A N C E A range of corporate information, including all Company announcements, is also available to shareholders, investors and the public on the Company’s corporate website, www.crosswordcybersecurity.com 3: TAKE INTO ACCOUNT WIDER STAKEHOLDER AND SOCIAL RESPONSIBILITIES AND THEIR IMPLICATIONS FOR LONG-TERM SUCCESS Crossword considers it’s relationships with internal and external stakeholders. Apart from our shareholders, our most important stakeholder groups are our employees, our clients and partners. The Board is regularly updated on stakeholder feedback and their potential impact on our business to enable them to understand and consider the feedback in decision- making. The Board understands that maintaining the support of all its stakeholders is paramount for the long-term success of the Company. Employees Crossword aims to provide an environment which will attract, retain and motivate its team. The Company has a growing number of permanent staff employed across the UK, Poland, Oman and Singapore. Employee engagement with the senior management, who pride themselves on their availability and flexibility, is frequent through daily discussions and meetings. Staff are encouraged to give regular feedback in relation to their needs, interests and expectations on away days, general discussions or one-to-one meetings with their line managers. These can then be addressed at the fortnightly management meeting to all senior members of the team where further actions will be discussed. Furthermore, the team engages in a bi-weekly call where staff are able to communicate with all levels of the team across all jurisdictions. Crossword reviews its processes and policies, which are guided by our values of Responsibility, Openness, Learning and Flexibility, to make continuous improvements for its staff. The Company has developed its induction programme for new staff, engages with employees to maintain its culture and values and expected behaviours, performs exit interviews in the event people decide to leave the business, and follow-up interviews with new employees. Crossword is supportive of career development of its employees and provides training programmes and Masters degree opportunities where appropriate. Crossword’s clients and partners Crossword develops mutually beneficial commercial relationships with companies to support sourcing and commercialising cyber security intellectual property originating from university and other research projects and evaluating and exploiting routes to distributing and reselling its products. Crossword recognises that the establishment of a close working relationship with its partners is essential for its long-term success. Crossword maintains its relationship with its partners through regular meetings, mutual understanding and aligned objectives. Feedback from partners is communicated to the relevant teams and the Board as appropriate. Crosswords interacts closely with its clients to understand the cyber issues organisations are facing, in order to support clients and help them to reduce cyber risks. Crossword provides a portfolio of innovative products and services, aimed at addressing risks clients have identified. Social responsibility Crossword partners with charities both in UK and Poland. Crossword employees propose and vote on which charity they would like to support. Previously work has been undertaken to help a charity local to the London office in their efforts to support the homeless and lead them to independence and also a national mental health charity. In Poland, Crossword is supporting one of the largest, most recognisable and effective social schemes in Poland which implements and develops a system of smart, personalised aid that is unique in the world. 4: EMBED EFFECTIVE RISK MANAGEMENT, CONSIDERING BOTH OPPORTUNITIES AND THREATS, THROUGHOUT THE ORGANISATION Audit, risk and internal control Financial controls The Group has an established framework of internal financial controls, the effectiveness of which is regularly reviewed by the Executive Management, the Audit Committee and the Board, in light of an ongoing assessment of significant risks facing the Group. • The Board is ultimately responsible for the effectiveness of the Group’s system of internal controls. Its key strategy has been to establish financial reporting procedures that provide the Board of Directors with a reasonable basis upon which to make judgements as to the financial position and prospects of the Group. Executive Directors and Non- Executive Directors have been appointed by the Board to www.crosswordcybersecurity.com 39 assist with the implementation of this strategy and report progress to the Board. • The Audit Committee has the primary responsibility for monitoring the quality of internal controls to ensure that the financial performance of the Group is properly measured and reported on. It receives and reviews reports from the Group’s management and external auditors relating to the interim and annual accounts and the accounting and internal control systems in use throughout the Group. The Audit Committee meets not less than three times in each financial year and has unrestricted access to the Group’s external auditors. • Regular budgeting and forecasting is conducted to monitor the Group’s ongoing cash requirements and cash flow forecasts are circulated to the Board. • The Group has a Risk Register which identifies the potential possibility and impact of risks associated with the Group and allocates an owner to mitigate each risk. The Risk Register is updated by the Chief Financial Officer and reviewed by the Executive, the Audit Committee and the Board. Non-financial controls The Board has ultimate responsibility for the Group’s system of internal control and for reviewing its effectiveness. However, any such system of internal control can provide only reasonable, but not absolute, assurance against material misstatement or loss. The Board considers that the internal controls in place are appropriate for the size, complexity and risk profile of the Group. The principal elements of the Group’s internal control system include: • Close management of the day-to-day activities of the Group by the Executive Directors; • An organisational structure with defined levels of responsibility, which promotes entrepreneurial decision- making and rapid implementation whilst minimising risks; • Central control over key areas such as capital expenditure authorisation and banking facilities; • A comprehensive annual budgeting process producing a detailed integrated profit and loss, balance sheet and cash flow, which is approved by the Board; and • Detailed monthly reporting of performance against budget. The Group continues to review its system of internal control to ensure compliance with best practice, whilst also having regard to its size and the resources available. Standards and policies The Board is committed to maintaining appropriate standards for all the Group’s business activities and ensuring that these standards are set out in written policies. Key examples of such standards and policies include: • Anti-bribery and Corruption Policy • Information Security Policy • Data Protection Policy • Share Dealing Code. All policies are documented and senior managers and Directors are responsible for monitoring the compliance with these policies. Approval process An approvals matrix exists and is published on the Company’s intranet to ensure clear and appropriate levels of authority across the business. 5: MAINTAINING THE BOARD AS A WELL-FUNCTIONING, BALANCED TEAM, LED BY THE CHAIR Composition, qualification and independence of the board The Board comprises six Non-Executive and two Executive Directors. The names and responsibilities of the current Directors, together with their biographical details, are set out on pages 32 to 37. 37.5% of the Board are female. 62.5% of the Board are male. The Board considers each of the Non-Executive Directors to be independent in character and judgement. Two of the Non-Executive Directors do not meet the strict criteria for independence set out in the QCA Code, due to their participation in the Company’s share option arrangements, as part of their remuneration arrangements. The Board considers that the ownership of shares and participation in the Company’s share options to certain of the Non-Executive Directors encourages the alignment of their interests with those of the Company’s shareholders and are not material enough to compromise their independence, character and judgement. Therefore, the Company considers all Non-Executive Directors to be independent for the purposes of the QCA Code. The Non-Executive Directors provide independent, robust and constructive challenge to the Executive Management and monitor the performance of the management team in delivering the agreed objectives. 40 CROSSWORD CYBERSECURITY PLC Annual Report and Accounts 2022 All Directors have disclosed their other significant commitments and confirmed that they have sufficient time to discharge their duties effectively. Appointment and tenure The Board makes decisions regarding the appointment and removal of Directors and there is a formal, rigorous and transparent procedure for appointments, some of which has been delegated to the Nomination Committee. Appointments are made on merit, taking account of the balance of skills, experience and knowledge required. The Company’s Articles of Association require that all Directors retire by rotation at regular intervals and that any new Directors appointed during the year must stand for election at the AGM immediately following their appointment. 6: ENSURE THAT, BETWEEN THEM, THE DIRECTORS HAVE THE NECESSARY UP-TO-DATE EXPERIENCE, SKILLS AND CAPABILITIES The Board believes that its composition brings a desirable range of skills and experience to address the Group’s challenges and opportunities, while at the same time ensuring that no individuals or a small group of individuals can dominate the Board’s decision-making. The current Board, although considered to have a sufficient level of skills in all areas of the business, is always looking to improve and further its knowledge of the industry. All Directors receive regular and timely information on the Group’s operational and financial performance and on technical issues. R E P O R T G O V E R N A N C E An Advisory Board exists to advise and support the main Board. The Advisory Board is not a formal Committee of the Company’s Board. The Advisory Board considers specific cyber security projects that the Company is interested in and share its views on them, ranging from technical innovation, engineering complexity, business viability, attractiveness to partners and investors and any other observations that the Advisory Board has. It also considers and shares thoughts on major trends in cyber security that the Company may want to engage in and share its views on the trends that the Company believes are important. Induction Upon appointment, all Directors are provided with training in respect of their legal, regulatory and governance www.crosswordcybersecurity.com 41 responsibilities and obligations, in accordance with the UK regulatory regime. The induction includes face-to-face meetings with Executive Management and site visits to orientate and familiarise the new Directors with the Company’s industry, organisation, business, strategy, commercial objectives and key risks. The Board is kept up to date on legal, regulatory and governance matters at Board meetings. Additional training is available on request, where appropriate, so that Directors can update their skills and knowledge as applicable. Independent advice All Directors are able to take independent professional advice in the furtherance of their duties, if necessary, at the Company’s expense. In addition, the Directors have direct access to the advice and services of the Company Secretary and Chief Financial Officer. 7: EVALUATE BOARD PERFORMANCE BASED ON CLEAR AND RELEVANT OBJECTIVES, SEEKING CONTINUOUS IMPROVEMENT Board effectiveness review The Board undertook a further evaluation of its performance for the during the financial year and has continued throughout the year to measure progress against the recommendations resulting from the Board evaluation and will continue to assess its effectiveness in implementing new processes to achieve the recommendations. Furthermore, the Board conducted an evaluation in January 2023 to assess current performance and the progress made against the key focus areas. The Nomination Committee and Board were satisfied that previous recommendations and focus areas had been implemented and were being continually assessed. The Nominations Committee will regularly review the structure, size and composition (including the skills, knowledge, independence, experience and diversity) of the Board and make recommendations concerning plans for succession for both Executive and Non-Executive Directors and in particular for the key roles of Chair and Chief Executive Officer. 8: PROMOTE A CORPORATE CULTURE THAT IS BASED ON ETHICAL VALUES AND BEHAVIOURS The Board is committed to promoting a strong ethical and values-driven culture throughout the Company and has a people-oriented ethos where hard work and commitment are recognised. The Company has articulated its values as Responsibility, Openness, Learning and Flexibility, and develops its values and expected behaviours on an ongoing basis. Crossword also recognises that employees will have interests outside work and consequently supports flexibility around these interests. Further details on how the board monitors and assesses the state of the corporate culture are included in the Directors’ Report. 9: MAINTAIN GOVERNANCE STRUCTURES AND PROCESSES THAT ARE FIT FOR PURPOSE AND SUPPORT GOOD DECISION-MAKING BY THE BOARD The role of the Board The Board is responsible for the long-term success and strategic leadership of the Group. It is responsible for reviewing, formulating and approving the strategy of the Group and its subsidiaries, corporate actions and overseeing the Group’s progress towards its goals. In addition, it also approves the annual and interim results and monitors the exposure to key business risks. The Board’s full responsibilities are set out in a schedule of matters reserved for the Board. The matters reserved for the attention of the Board include: • The approval of interim and annual financial statements, dividends and significant changes in accounting practices; • Review of bi-monthly financial statements; • Board membership, reviewed by NOMAD, and powers including the appointment and removal of Board members, determining the terms of reference of the Board and establishing the overall control framework; • AIM-related issues including the approval of communications to the London Stock Exchange and communications with shareholders will be dealt with by the Market Disclosure Committee and reviewed by the NOMAD, or delegated by the Board to the Executive Directors; • Senior management, remuneration, contracts, and the grant of share options will be addressed by the Remuneration Committee; • Key commercial matters where the financial commitment is 42 CROSSWORD CYBERSECURITY PLC Annual Report and Accounts 2022 in excess of £50,000 per annum; • Taking of loans or other credit; • Financial matters including the approval of the budget and financial plans and performance against such plans and budgets; • Approval of the appointment of the current period auditor, year-end audited statutory accounts and audit-related queries addressed by the Audit Committee; • Risk management review; • Changes to the Company’s capital structure, its business strategy, acquisitions and disposals of businesses, and capital expenditures outside of budget approval; and • Other matters including, but not limited to, health and safety policy, insurance and legal compliance. Role of the Chair and Chief Executive Officer There is a clear division of responsibility at the head of the Company. The Chair is responsible for running the business of the Board and for ensuring appropriate strategic focus and direction, whilst the Chief Executive Officer is responsible for proposing the strategic focus to the Board, implementing it once approved, and overseeing the management of the Company through the Executive Management. The Chief Executive Officer is also responsible for communicating with shareholders, assisted by the Chief Financial Officer. This separation of responsibilities is clearly defined and agreed by the Board. Board and Committee meetings The Board meets at least six times each year, in accordance with its scheduled meeting calendar (these may be supplemented by additional meetings as and when required) to review, formulate and approve the Group’s strategy, budgets, corporate actions and oversee the Group’s progress towards its goals. At each meeting, the Board considers a number of matters, which include technical, operational, financial, risk and corporate governance reports, in addition to an update from its Committees, where applicable. Any Director can challenge proposals, and decisions are taken democratically after discussion. Any Director who feels that any concern remains unresolved after discussion may ask for that concern to be noted in the minutes of the meeting, which are then circulated to all Directors. Specific actions arising from such meetings are agreed by the Board or relevant committee and then followed up by Management. The Group has established an Audit Committee, a Remuneration Committee, and a Nomination Committee, each with formally delegated duties and responsibilities outlined within terms of reference reviewed and approved by the Board on an annual basis. R E P O R T G O V E R N A N C E From time to time, separate committees may be set up by the Board to consider specific issues when the need arises. The Board and its Committees are supported by the Company Secretary, who ensures that the Board receives regular and timely information ahead of each meeting. A formal agenda is produced for each meeting and the Company Secretary distributes papers several days before meetings take place to provide the Board with sufficient time to consider the matters to be discussed. Each Committee has access to such resources, information and advice as it deems necessary, at the cost of the Company, to enable it to discharge its duties. The table below sets out the attendance record of individual Directors at the scheduled and unscheduled Board meetings held during the year: Name Richard Dearlove Tom Ilube Andy Gueritz Ruth Anderson David Secher Mary Dowd Tara Cemlyn Jones Robert Coles* * Robert Coles was appointed to the Audit Committee during the year. Board Meetings 5/6 6/6 6/6 6/6 6/6 6/6 5/6 6/6 Audit – – 2/2 1/2 2/2 – – 1/1 Nomination – – 2/2 2/2 – – – 2/2 Remuneration – – 2/3 3/3 3/3 – – – www.crosswordcybersecurity.com 43 PRINCIPLE 10: COMMUNICATE HOW THE COMPANY IS GOVERNED AND IS PERFORMING BY MAINTAINING A DIALOGUE WITH SHAREHOLDERS AND OTHER RELEVANT STAKEHOLDERS The Board attaches considerable importance to the maintenance of constructive relationships with shareholders and its other stakeholders. As mentioned above, the Company communicates with shareholders through the Annual Report and accounts, full-year and half- year results announcements, the AGM and one-to-one meetings with large existing or potential new shareholders. The Company regularly releases regulatory and other announcements covering operational and corporate matters. A range of corporate information (including all Company announcements) is also available to shareholders, investors and the public on the Company’s corporate website, www.crosswordcybersecurity.com including: • Our Articles of Association and admission document; • A detailed account of how we have applied the principles of the QCA Code; • Latest Crossword Cybersecurity news and press releases; and • Annual and Interim Reports. The Board receives regular updates on the views of shareholders through briefings from the Chief Executive Officer, Chief Financial Officer and the Company’s brokers. SIR RICHARD DEARLOVE KCMG OBE Chair 18 April 2023 44 CROSSWORD CYBERSECURITY PLC Annual Report and Accounts 2022 R E P O R T G O V E R N A N C E AUDIT COMMITTEE REPORT I am pleased to present the Committee’s report for the year ended 31 December 2022. The following pages provide an insight into how the Committee discharged its responsibilities during the year and the key topics that it considered in doing so. The role of the Audit Committee is to monitor the integrity of the Group’s Financial Statements, including its annual and half- yearly reports and any other formal statements relating to its financial performance. It monitors and reviews the effectiveness of the Group’s system of internal financial control systems that identify, assess, manage and monitor financial risks, and other internal control and risk management systems. Committee membership and governance The Audit Committee is comprised of four independent Non- Executive Directors, currently David Secher, Ruth Anderson, Andrew Gueritz and Robert Coles. David Secher, Chair of the Committee, is considered by the Board to have recent and relevant financial experience and the Committee as a whole has competence relevant to the sector in which the Company operates. At the request of the Chair of the Committee, the Chief Executive Officer, Chief Financial Officer and other members of the senior management team may also be invited to attend meetings as guests. The Audit Committee aims to meet twice in each financial year and has unrestricted access to the Group’s external Auditor. The Committee works to a planned programme of activities focused on key events in the annual financial reporting cycle and standing items that it considers regularly under its Terms of Reference. Principal activities during the year The Committee held two meetings during the year under review and considered the following: • The external Auditor’s 2021 year-end audit report and opinion; • The Company’s Report for the financial year ended 31 December 2021 and the related results announcements and the Half-Yearly Report to 30 June 2022; • Evaluation of the performance of the external Auditor including their independence, objectivity and the effectiveness of the audit process; • The re-appointment of MHA MacIntyre Hudson as the external Auditor for the Company; • The Committee’s Terms of Reference; and • The Company’s Risk Register as well as the internal controls and risk management systems in place. The Committee is planning the following activities during 2023: • Review the Company’s procedures, systems and controls for the prevention of bribery or fraud; • Review the adequacy and security of the Company’s arrangements for its employees to raise concerns, in confidence, about possible wrongdoing in financial reporting or other matters. The Committee shall ensure that these arrangements allow proportionate and independent investigation of such matters and appropriate follow-up action; • Review and approve the FY23 external Auditor’s plan, including the proposed materiality threshold, the scope of the audit, the significant audit risks and fees; • Review the Committee’s internal audit role, in the absence of an external provider of an internal audit service; and • Risk – review and challenge the Risk Register, and consider the risk appetite of the business. The Committee members’ attendance at meetings during the year is set out on page 43. External Auditor MHA MacIntyre Hudson has been the external Auditor of the Group since 2014. The continued appointment of MHA MacIntyre Hudson is reviewed by the Committee each year, taking into account the relevant legislation, guidance and best practice appropriate for a Company of Crossword’s size, nature and stage of development. The Committee considers a number of areas when reviewing the external Auditor appointment, namely its performance in discharging the audit, the scope of the audit and terms of engagement, its independence and objectivity, and its reappointment and remuneration. The breakdown of fees between audit and non-audit services paid to MHA MacIntyre Hudson during the financial year is set out in Note 10 to the Group’s Consolidated Financial Statements. The non-audit fees relate to tax advice. Following Implementation of the Revised Ethical Standard by MHA MacIntyre Hudson, non-audit services have ceased. www.crosswordcybersecurity.com 45 Internal audit Board effectiveness review The Audit Committee presently considers it appropriate that the Group uses the audit committee to undertake the internal audit function. This is due to the effectiveness of the Group’s internal financial control systems that identify, assess, manage and monitor financial risks, and other internal control and risk management systems, and the close involvement of the Executive Directors and senior management on a day-to-day operational basis. However, the need for an internal audit function will be kept under review by the Audit Committee on behalf of the Board. DAVID SECHER Chair, Audit Committee 18 April 2023 NOMINATION COMMITTEE REPORT The Nomination Committee is responsible for reviewing the composition of the Board taking into account the skills, experience and diversity of the Directors in light of the challenges and opportunities facing the Company and makes recommendations for the appointment and reappointment of Board members. Committee membership and governance The Nomination Committee is chaired by Andrew Gueritz and its other members are Ruth Anderson and Robert Coles. Under the Committee’s Terms of Reference, the Committee is required to meet at least twice in each financial year and must comprise of at least three members, two of whom must be independent Non-Executive Directors. The Committee held two meetings during the year. The Committee members’ attendance at meetings during 2022 is set out on page 43. In compliance with the QCA Code, the Board undertook an evaluation of its performance in January 2022. The evaluation was conducted by way of a questionnaire designed to assess the effectiveness of the Board, the Directors and the Chair, as well as the Board’s Committees and identify any areas for improvement. The results of the evaluation were presented to the Board for review in early April 2022 and revealed no significant concerns amongst Directors about the effectiveness of the Board. Actions arising from recommendations to further improve the effectiveness of the Board are being implemented and include the review of succession plans for key members of management and Board members. Diversity The Company has not adopted a formal policy on diversity and, therefore, has no measurable objectives to disclose. Appointments, including appointments to the Board and senior management positions, are made on merit, taking account of the balance of skills and experience required. Key areas of focus for 2023: • Review the time committed to the development of individual Directors and the Board as a whole; • Review succession plans for both Executive and Non-Executive Directors and, in particular, for the key roles of Chair and Chief Executive Officer; and • Conduct a further internal evaluation of the Board, its Committees and individual Directors, to assess improvements in the key focus areas, using questionnaires. ANDREW GUERITZ Chair, Nomination Committee 18 April 2023 46 CROSSWORD CYBERSECURITY PLC Annual Report and Accounts 2022 REMUNERATION COMMITTEE REPORT Mary Dowd (Chief Financial Officer) The Remuneration Committee is responsible for determining and agreeing with the Board the framework or broad policy for the remuneration of all Executive Directors, the Chair of the Board, including pension rights and any compensation payments, and such other members of the senior management as it is designated to consider. In addition, the Committee makes recommendations to the Board on proposals for the granting of share options and other equity incentives, pursuant to any employee share option scheme or equity incentive plans in operation from time to time. Committee membership and governance The Remuneration Committee is a formal committee of the Board and has powers delegated to it under the Articles of Association. Its remit is set out in Terms of Reference formally adopted by the Board, which are reviewed annually. The Remuneration Committee is currently comprised of Andrew Gueritz (as Chair), David Secher and Ruth Anderson. The Committee meets at least once in each financial year and held three meetings during the year. The Committee members’ attendance at meetings during the year is set out on page 43. Letters of appointment, service contracts and termination Tom IIube (Chief Executive Officer) Tom Ilube is appointed as Chief Executive Officer under an Executive service contract dated 1 April 2014 (as amended). The employment commenced on 1 April 2014 and will continue unless terminated by either party giving 12 months’ written notice. The Company may terminate the contract without notice (or with payment in lieu of notice) if, inter alia, Tom is guilty of gross misconduct, commits a serious breach of the employment contract, commits a criminal offence, is declared bankrupt or becomes of unsound mind. The Company may, after giving or receiving notice of termination, immediately end the employee’s employment and make payment in lieu of salary with no other benefit for the remaining period of notice. R E P O R T G O V E R N A N C E Mary Dowd is employed as Chief Financial Officer under an employee service contract dated 10 May 2018. The employment commenced on 16 May 2018 and will continue unless terminated by either party giving six months’ written notice. The Company may terminate the contract on shorter notice if the employee is absent from work for an extended period through sickness or injury and may terminate without notice (or with payment in lieu of notice) if, inter alia, Mary is guilty of gross misconduct, commits a serious breach of the employment contract, commits a criminal offence, is declared bankrupt or becomes of unsound mind. The Company may, after giving or receiving notice of termination, immediately end the employee’s employment and make payment in lieu of salary with no other benefit for the remaining period of notice. Following termination of employment, Mary is subject to certain restrictions for a period of six months, including a restriction on dealing with the Company’s customers and suppliers and from working for a competing business. Non-Executive Directors All Non-Executive Directors, including the Chair, serve on the basis of letters of appointment which are terminable by three months’ written notice and are available for inspection at the Company’s registered office. Subject to continued satisfactory performance, the Board does not think it appropriate at this time to limit the term of appointment of the Non-Executive Directors. The Executive Directors’ service contracts are also available for inspection at the Company’s registered office. The remuneration of the Directors who served in the current year was as follows: www.crosswordcybersecurity.com 47 The remuneration of the Directors who served in the current year was as follows: Executive Directors Tom Ilube* Mary Dowd Non-Executive Directors Sir Richard Dearlove Ruth Anderson Andy Gueritz Dr David Secher Robert Coles Tara Cemlyn-Jones Total Basic Salary and Fees £ 130,000 140,000 25,000 12,000 16,000 16,000 12,000 12,000 362,999 Bonus £ – 10,000 – – – – – – 10,000 Taxable Benefits £ 3,926 2,216 25,000 – – – – – 31,142 Employer’s Pension Contribution £ Total £ 1,321 10,000 135,247 162,216 – – – – – – 11,321 50,000 12,000 16,000 16,000 12,000 12,000 415,462 Directors’ shareholdings and share interests The table below sets out the Directors’ interests in the ordinary shares of the Company as at 31 December 2022. There have been no changes in the current Directors’ interests in shares or options granted by the Company between the end of the financial year and 18 April 2023. Name Tom Ilube* Dr David Secher Number of Issued Ordinary Shares 14,560,250 263,650 % of Issued Shares 15.76% 0.29% * Tom Ilube’s shareholding is made up of 12,255,810 shares held by him personally and 1,304,440 held by Share Nominees Limited on his behalf. 48 CROSSWORD CYBERSECURITY PLC Annual Report and Accounts 2022 SHARE OPTION AND INCENTIVISATION ARRANGEMENTS The Board considers employee share ownership to be an important part of its strategy for employee incentivisation and retention. The Group has established share option programmes that entitle certain employees to purchase shares in the Company. These were issued in July 2014, November 2014, July 2015, December 2015, January 2016, June 2016, September 2016, June 2017, January 2018, May 2018, July 2018, October 2018, June 2019, November 2019, June 2020, October 2020, August 2021, November 2021 and March 2022. There are no performance conditions attaching to these options, other than to awards made under the Long-Term Incentive Plan awards issued in Nov 2021. The Directors hold the following shares under option: Name Sir Richard Dearlove Sir Richard Dearlove Sir Richard Dearlove Sir Richard Dearlove Sir Richard Dearlove Sir Richard Dearlove Dr David Secher Mary Dowd Mary Dowd Mary Dowd Number of Ordinary Shares under option 131,580 67,570 45,870 52,080 94,340 70,423 150,000 79,360 100,000 25,000 Exercise Price 19p 37p 54.5p 48p 26.5p 35.5p 5.4p 31.5p 54.5p 30.5p Date of grant 03/10/2016 25/05/2018 04/06/2019 28/11/2019 16/10/2020 10/08/2021 18/07/2014 24/10/2018 04/06/2019 18/06/2020 R E P O R T G O V E R N A N C E Vesting Conditions 1 1 1 1 1 1 1 1 1 1 Expiry Date 03/10/2026 25/05/2028 04/06/2029 28/11/2029 16/10/2030 10/08/2031 17/07/2024 24/10/2028 04/06/2029 18/06/2030 (1) Option Shares to vest in three equal tranches on the first, second and third anniversary of the date of grant. In addition, the Company has issued 1,036,790 options to members of staff and up to 3,000,000 share options to Executives. EMI SHARE OPTION PLAN The Company has established an enterprise management incentive share option plan under scheme rules dated 21 May 2014 (‘EMI Option Plan’) for the purposes of recruiting and retaining its staff. The Company may grant an Option intended to be a qualifying option under the Income Tax (Earnings and Pensions) Act 2003 (‘ITEPA 2003’) (‘EMI Option’) to any eligible employee it chooses, subject to the limitations and conditions of the EMI Option Plan. EMI Options may not be granted where prohibited by law or any corporate governance code which applies to the Company or after the tenth anniversary of the date of the EMI Option Plan. Long-Term Incentive Plan During the 2021, the Company implemented a Long-Term Incentive Plan (LTIP) whereby awards were made to the following Executives – Mary Dowd, Stuart Jubb, Jake Holloway and Sean Arrowsmith. Each award is of nominal cost (0.5p) options to acquire up to 750,000 Crossword ordinary shares of 0.5p each which vest at the average mid-market price of the Ordinary Shares over the 20 trading days preceding the end of the performance period which ends on 30 September 2024. 25% of the options will vest if the Award Price is 50p, and 100% will vest if the Award Price is equal to or greater than 100p, with straight-line vesting between 50p and 100p. ANDREW GUERITZ Chair, Remuneration Committee 18 April 2023 www.crosswordcybersecurity.com 49 Directors’ Report & Statement of Directors’ Responsibilities DIRECTORS’ REPORT This Directors’ Report includes the information required to be included under the Companies Act 2006 or, where provided elsewhere, an appropriate cross-reference is given. The Corporate Governance Report approved by the Board is provided on pages 32 to 53 and incorporated by reference into this Directors’ Report. Principal activity, review of the business and future developments Crossword Cybersecurity PLC (08927013) is a public company, limited by shares, incorporated in the United Kingdom under the Companies Act, with operations in the UK, Poland, Oman and Singapore. Its shares are traded on AIM, a sub-market of the London Stock Exchange (‘AIM’). Crossword offers a range of cyber security solutions to help companies understand and reduce cyber security risk. We do this through a combination of people and technology, in the form of SaaS and software products, consulting, and managed services. Crossword’s areas of emphasis are cyber security strategy and risk, supply chain cyber, threat detection and response, and digital identity and the aim is to build up a portfolio of cyber security products and services with recurring revenue models in these four areas. We work with UK universities and our products and services are often powered by academic research-driven insights. In the area of cybersecurity strategy and risk our consulting services include cyber maturity assessments, industry certifications, and virtual chief information security officer (vCISO) managed services. Crossword’s end-to-end supply chain cyber standard operating model (SCC SOM) is supported by our best-selling SaaS platform, Rizikon Assurance, along with cost-effective cyber audits, security testing services and complete managed services for supply chain cyber risk management. Threat detection and response services include our Nightingale AI- based network monitoring, Nixer to protect against application layer DDoS attacks, our Trillion™ and Arc breached credentials tracking platforms, and incident response. Crossword’s work in digital identity is based on the World Wide Web Consortium W3C verifiable credentials standard and our current solution, Identiproof, enables secure digital verification of individuals to prevent fraud. Crossword serves medium and large clients including FTSE 100, FTSE 250 and S&P listed companies in various sectors, such as defence, insurance, investment and retail banks, private equity, education, technology and manufacturing and has offices in the UK, Poland, Oman and Singapore. Crossword is traded on the AIM market of the London Stock Exchange. More details on the strategy, nature of the Group’s operations and future developments are set out in the Strategic Report on page 3. Share capital and rights attaching to the shares The number of shares in issue as at the date of publication of this report was 93,717,641 (31 December 2021: 74,957,150 ordinary shares of 0.5 pence) ordinary shares of 0.5 pence, each with one vote. In accordance with applicable laws and the Company’s Articles of Association, holders of ordinary shares are entitled to: • Receive shareholder documentation including the notice of any general meeting; • Attend, speak and exercise voting rights at general meetings, either in person or by proxy; and • A dividend, where declared and paid out of profits available for such purposes. On a return of capital on a winding up, holders of ordinary shares are entitled to participate in such a return. Articles of Association The Company’s Articles of Association can only be amended by special resolution and are available at www.crosswordcybersecurity.com Engagement with employees Crossword aims to provide an environment which will attract, retain and motivate its team. The Company has a growing number of permanent staff employed across the UK, Poland, Oman and Singapore. Employee engagement with the senior management, who pride themselves on their availability and flexibility, is frequent through daily discussions and meetings. Staff are encouraged to give regular feedback in relation to their needs, interests and expectations on away days, general discussions or one-to-one meetings with their line managers. These can then be addressed at the fortnightly management meeting to all senior members of the team where further actions will be discussed. Furthermore, the team engages in a bi-weekly call where staff are able to communicate with all levels of the team across all jurisdictions. Crossword reviews its processes and policies, which are guided by our values of Responsibility, Openness, Learning and Flexibility, to make continuous improvements for its staff. 50 CROSSWORD CYBERSECURITY PLC Annual Report and Accounts 2022 R E P O R T G O V E R N A N C E The Company has developed its induction programme for new staff, engages with employees to maintain its culture and values and expected behaviours, performs exit interviews in the event people decide to leave the business, and follow-up interviews with new employees. Crossword is supportive of career development of its employees and provides training programmes and Masters degree opportunities where appropriate. With the continuing growth in staff numbers, the Directors recognise the need to ensure excellence in engagement with employees. Regular staff away days take place and engagement survey are undertaken, with feedback from staff forming a prioritised action plan. Included was an action to ensure that the Company’s culture is maintained during its growth. To this effect, a project to define the Company’s culture was started. At the end of this project, the Company was in a position to state its values and expected behaviours. The values were shared with all staff at an away day in February 2020. Engagement with charities was an action from an away day. Crossword partners with charities both in UK and Poland. Crossword employees propose and vote on which charity they would like to support. Previously work has been undertaken to help a charity local to the London office in their efforts to support the homeless and lead them to independence and also a national mental health charity. In Poland, Crossword is supporting one of the largest, most recognisable and effective social schemes in Poland which implements and develops a system of smart, personalised aid that is unique in the world. More details are available on page 26. Sustainability and climate change The group is not required to required to disclose climate- related financial information and does not need to comply with SECR. However, the Directors take their responsibilities relating to the environment seriously and aim to minimise the impact of the Company’s activities on the environment. The key points of their strategy to achieve this are: • Minimise waste by evaluating operations and ensuring they are as efficient as possible; • Minimise toxic emissions through the selection and use of its power requirement; • Actively promote recycling; • Source and promote a product range to minimise the environmental impact of both production and distribution; and • Meet or exceed all the environmental legislation that relates to the Company. www.crosswordcybersecurity.com 51 Powers of Directors Political donations The Directors may exercise powers subject to applicable legislation and regulations and the Company’s Articles of Association. The Directors in office at the date of this Annual Report are shown on pages 32 to 34. Directors’ conflict of interest The Board may authorise, to the fullest extent permitted by law, any matter which, if not so authorised, would or may result in a Director infringing their duty to avoid a situation in which they can have a direct or indirect interest that conflicts, or possibly may conflict, with the interests of the Company and which may reasonably be regarded as likely to give rise to a conflict of interest. The Company has effective procedures in place to monitor and deal with conflicts of interest. The Board is aware of the other commitments and interests of its Directors, and changes to these commitments and interests are reported to and, where appropriate, agreed with the rest of the Board. Directors’ insurance and indemnity The Group maintains Directors’ and Officers’ liability insurance which gives appropriate cover for any legal action brought against its Directors. In accordance with Section 234 of the Companies Act 2006, qualifying third-party indemnity provisions are in place for the Directors in respect of liabilities incurred as a result of their office to the extent permitted by law. Purchase of own shares The Company has not acquired any of its own shares in the period to 31 December 2022, nor in the period up to the date of approval of this Annual Report. Subsequent events There are no events after the reporting date to be disclosed. Dividend The Directors do not intend that the Company will declare a dividend in the near term, but instead channel the available cash resources into funding the expansion of the Group. The Board intends to commence the payment of dividends only when it becomes commercially prudent to do so, having regard to the Group’s earnings, financial position, cash requirements and availability of distributable profits, as well as the provisions of relevant laws and/or generally accepted accounting principles from time to time. No political donations have been made during this financial year. Principal shareholder Tom Ilube is the Company’s principal shareholder, holding a total of 14,560,250 ordinary shares, representing 15.76% of the voting rights attached to the current issued share capital of the Company. Of the 14,560,250 shares are held, 12,255,810 shares held by Tom Ilube and 1,304,440 held by Share Nominees Limited. Annual General Meeting The Annual General Meeting of the Company will be held on the 11 May 2023 at 3.00 pm at the offices of Shakespeare Martineau LLP, 6th Floor, 60 Gracechurch Street, London EC3V 0HR. The Notice of Meeting will be available to view on the Company’s website in advance of that meeting. Approval of Directors’ Report This Directors’ Report, including the Corporate Governance Statement and Strategic Report, was approved for and on behalf of the Board on 18 April 2023. STATEMENT OF DIRECTORS’ RESPONSIBILITIES IN RESPECT OF THE ANNUAL REPORT AND THE FINANCIAL STATEMENTS The Directors are responsible for preparing the Annual Report and the financial statements in accordance with applicable law and regulations. Company law requires the Directors to prepare financial statements for each financial year. Under that law, the Directors have elected to prepare the consolidated and parent company financial statements in accordance with International Accounting Standards as adopted in the United Kingdom (“UK adopted IFRS”). Under Company law, the Directors must not approve the financial statements unless they are satisfied that they give a true and fair view of the state of affairs and profit or loss of the Group and parent company for that period. In preparing the financial statements, the Directors are required to: • Select suitable accounting policies and then apply them consistently; 52 CROSSWORD CYBERSECURITY PLC Annual Report and Accounts 2022 description of the principal risks and uncertainties that they face; • The Annual Report and accounts, taken as a whole, is fair, balanced and understandable and provides the information necessary for the shareholders to assess the Group and parent company’s position, performance, business model and strategy; and • The Strategic Report includes a fair review of the development and performance of the business and the position of the Group and parent company, together with a description of the principal risks and uncertainties that it faces. DISCLOSURE OF INFORMATION TO THE AUDITOR We, the Directors of the Company who held office at the date of approval of these financial statements as set out above, each confirm, so far as we are aware, that: • There is no relevant audit information of which the Company’s Auditor is unaware; and • We have taken all the steps that we ought to have taken as Directors in order to make ourselves aware of any relevant audit information and to establish that the Company’s Auditor is aware of that information. This Statement of Responsibilities and the Directors’ Report were approved by the Board on18 April 2023. R E P O R T G O V E R N A N C E TOM ILUBE Chief Executive Officer 18 April 2023 Crossword Cybersecurity PLC 60 Gracechurch Street, London EC3V 0HR e: info@crosswordcybersecurity.com twitter: @crosswordcyber t: +44 (0)333 090 2587 • Make judgements and accounting estimates that are reasonable and prudent; • State whether applicable UK adopted IFRS has been followed, subject to any material departures disclosed and explained in the financial statements; and • Prepare the financial statements on the going concern basis, unless it is inappropriate to presume that the Group and parent company will continue in business. The Directors are responsible for keeping adequate accounting records that are sufficient to show and explain the Group and parent company’s transactions and disclose with reasonable accuracy at any time the financial position of the Group and parent company and enable them to ensure that the financial statements and the Directors’ Remuneration Report comply with the Companies Act 2006. They are also responsible for safeguarding the assets of the Group and parent company and, hence, for taking reasonable steps for the prevention and detection of fraud and other irregularities. The Directors are responsible for the maintenance and integrity of the parent company’s website. Legislation in the United Kingdom governing the preparation and dissemination of financial statements may differ from legislation in other jurisdictions. Responsibility Statement of the Directors in respect of the Annual Report and Accounts The Directors consider that the Annual Report and accounts, taken as a whole, is fair, balanced and understandable and provides the information necessary for shareholders to assess the Group and parent company’s position, performance, business model and strategy. Each of the Directors, whose names and functions are listed in the Corporate Governance Section confirm to the best of our knowledge, that: • The parent company and Group financial statements, prepared in accordance with International Financial Reporting Standards in conformity with the requirements of the Companies Act 2006, give a true and fair view of the assets, liabilities, financial position and profit or loss of the Company and the undertakings included in the consolidation as a whole; • The Annual Report includes a fair review of the development and performance of the business and the position of the Company and the undertakings included in the consolidation taken as a whole, together with a www.crosswordcybersecurity.com 53 54 CROSSWORD CYBERSECURITY PLC Annual Report and Accounts 2022 Financial Statements 55 Independent auditor’s report to the members of Crossword Cybersecurity plc For the purpose of this report, the terms “we” and “our” denote MHA MacIntyre Hudson in relation to UK legal, professional and regulatory responsibilities and reporting obligations to the members of Crossword Cybersecurity plc. For the purposes of the table on pages 58 to 59 that sets out the key audit matters and how our audit addressed the key audit matters, the terms “we” and “our” refer to MHA MacIntyre Hudson. The Group financial statements, as defined below, consolidate the accounts of Crossword Cybersecurity plc and its subsidiaries (the “Group”). The “Parent Company” is defined as Crossword Cybersecurity plc, as an individual entity. The relevant legislation governing the Company is the United Kingdom Companies Act 2006 (“Companies Act 2006”). Opinion We have audited the financial statements of Crossword Cybersecurity plc for the year ended 31 December 2022. The financial statements that we have audited comprise: • • • • the Consolidated Statement of Comprehensive Income; the Statements of Financial Position; the Statements of Changes in Equity; the Statements of Cash Flows; and • Notes 1 to 32 to the financial statements, including significant accounting policies. The financial reporting framework that has been applied in the preparation of the Group and Parent Company’s financial statements is applicable law and UK adopted International Financial Reporting Standards (“UK adopted IFRS”). In our opinion, the financial statements: • give a true and fair view of the state of the Group’s and of the Parent Company’s affairs as at 31 December 2022 and of the Group’s loss for the year then ended; • have been properly prepared in accordance with UK adopted International Financial Reporting Standards (“UK adopted IFRS”); and • have been prepared in accordance with the requirements of the Companies Act 2006. Our opinion is consistent with our reporting to the Audit Committee. Basis for opinion We conducted our audit in accordance with International Standards on Auditing (UK) (ISAs (UK)) and applicable law. Our responsibilities under those standards are further described in the Auditor’s Responsibilities for the Audit of the Financial Statements section of our report. We are independent of the Group in accordance with the ethical requirements that are relevant to our audit of the financial statements in the UK, including the FRC’s Ethical Standard as applied to listed entities, and we have fulfilled our ethical responsibilities in accordance with those requirements. We believe that the audit evidence we have obtained is sufficient and appropriate to provide a basis for our opinion. Material uncertainty relating to going concern We draw your attention to note 1.3 of the financial statements which indicates for the Group and Parent to continue as a going concern they will require fundraising in 2023 to support the cash flow requirement of the Group’s business model and aims for growth. As stated in note 1.3, these events or conditions, along with the other matters as set forth in note 1.3 indicate that a material uncertainty exists that may cast significant doubt on the Group and Parent Company’s ability to continue as a going concern. Our opinion is not modified in respect of this matter. In auditing the financial statements, we have concluded that the Directors’ use of the going basis of accounting in the preparation of the financial statements is appropriate. 56 CROSSWORD CYBERSECURITY PLC Annual Report and Accounts 2022 Our evaluation of the Directors’ assessment of the Group’s and the Parent Company’s ability to continue to adopt the going concern basis of accounting included: • The consideration of inherent risks to the Group’s and the Parent Company’s operations and specifically their business model; • The evaluation of how those risks might impact on the available financial resources; • Where additional resources may be required, the reasonableness and practicality of the assumptions made by the Directors when assessing the probability and likelihood of those resources becoming available; • Liquidity considerations including examination of cash flow projections at Group and Parent Company level; and • The evaluation of the base case scenarios and stress scenarios, in respect of the Group and the Parent Company, and the respective sensitivities and rationale. Our responsibilities and the responsibilities of the directors with respect to going concern are described in the relevant sections of this report. Overview of our audit approach Materiality Group 2022 £150,000 2021 £100,000 2% (2021: 2%) of aggregate of cost of sales and administrative expenses. £87,250 Parent company Key Audit Matters In addition to the matters described in the basis for qualified opinion and in the material uncertainty about going concern sections, we have determined the matters described below to be key audit matters to be communicated in our report. Recurring • Valuation of investment and non-current loans to its subsidiaries. 2% (2021: 2%) of aggregate of cost of sales and administrative expenses. £99,000 Recurring Parent • Impairment of goodwill and intangible assets. The scope of our audit Our audit was scoped by obtaining an understanding of the Company and its environment, including the Company’s system of internal control, and assessing the risks of material misstatement in the financial statements. We also addressed the risk of management override of internal controls, including assessing whether there was evidence of bias by the directors that may have represented a risk of material misstatement. S T A T E M E N T S F I N A N C A L I www.crosswordcybersecurity.com 57 Independent auditor’s report Continued Key Audit Matters Key Audit Matters are those matters that, in our professional judgement, were of most significance in our audit of the financial statements of the current period and include the most significant assessed risks of material misstatement (whether or not due to fraud) that we identified. These matters included those matters which had the greatest effect on: the overall audit strategy; the allocation of resources in the audit; and directing the efforts of the engagement team. These matters were addressed in the context of our audit of the financial statements as a whole, and in forming our opinion thereon, and we do not provide a separate opinion on these matters. Valuation of investment and non-current loans to its subsidiaries Key audit matter description The Parent Company makes non-interest-bearing loans available to its subsidiaries Crossword Consulting Limited and Stega UK Limited through a mix of debt finance and loans. The investment and loans owed to the Parent Company have been subject to an impairment review to determine whether an expected credit loss provision is required. As no interest is charged on these loans then a notional interest is assumed to be embedded in the principal amount of the loan which is computed and treated as a further capital contribution by the Parent Company in its subsidiaries. Our audit work included, but was not restricted to the following: How the scope of our audit responded to the key audit matter Key observations • Challenged management’s allocation of the financing arrangement between a capital contribution and loans in the subsidiaries. • Challenged management’s assessment of expected credit losses. • Benchmarked the discount rate used in management’s assessment. • Reviewed and checked management’s amortised cost calculations. • Considered management’s assessment of the strategy options which the Parent Company would pursue in recovering the amounts due from the subsidiaries. • Reviewed management’s assessment as to the impairment of the Parent Company’s investment in its subsidiaries. • Ensured that the disclosures in the financial statements are adequate. We concluded that the financing arrangement at Parent Company level was correctly classified between capital contribution and loans due from its subsidiaries and that the carrying amounts exceeded the recoverable amounts and no impairment was required of these non-current assets at the Parent Company level. 58 CROSSWORD CYBERSECURITY PLC Annual Report and Accounts 2022 Valuation of intangibles and goodwill Key audit matter description There is a risk that the fair value of goodwill arising on investments made by the Group, or intangible assets exceed their recoverable amount and may therefore need to be impaired. Management prepares a detailed impairment assessment, taking into consideration: • • • current year developments relating to each intangible; expected useful lives of the intangible; completion of forecasts for all subsidiaries taking into account growth and discount rates. We draw attention to note x to the financial statements which describes the judgements and estimates used by management to estimate the recoverable amount of the Group’s Cash Generating Units. Our opinion is not modified in respect of this matter. Our audit work included, but was not restricted to the following: • Reviewed the mathematical accuracy of the value in use calculation to identify any computational errors that may have fed into the forecasts; • Reviewed and challenged the calculations to ensure pre-tax weighted average cost of capital and pre-tax cash flows had been used in accordance with IAS 36; • We have reviewed, with the help of our internal valuation expert, the determination of the discount rate applied in the value in use calculation and considered whether it is reasonable in the Group’s circumstances; • Reviewed the growth assumptions used by management and compared them to actual results in 2022 and previous forecasts prepared by management in the past; • Performed sensitivity analysis to understand which of the key judgements were resulting in the most significant change to the calculations; • Challenged management whether the inputs into the impairment assessment are reasonable and accurate based on supporting evidence; • Assessed any evidence of management bias in selecting key assumptions and assessed the impact of changes in the model vs. the assumptions used in previous periods. Based on the audit procedures performed, we noted that the recoverability of the intangible assets and goodwill is heavily reliant upon future growth to be sustained for several years. Based upon the growth achieved in the 12 months to 31 December 2022 this does not appear unreasonable but this is a key judgement. We concluded that based upon the evidence received there is enough supporting evidence to conclude that the growth plans appear reasonable and no impairment is required in respect of the intangible assets and goodwill as at 31 December 2022. S T A T E M E N T S F I N A N C A L I How the scope of our audit responded to the key audit matter Key observations www.crosswordcybersecurity.com 59 Independent auditor’s report Continued Our application of materiality Our definition of materiality considers the value of error or omission on the financial statements that, individually or in aggregate, would change or influence the economic decision of a reasonably knowledgeable user of those financial statements. Misstatements below these levels will not necessarily be evaluated as immaterial as we also take account of the nature of identified misstatements, and the particular circumstances of their occurrence, when evaluating their effect on the financial statements as a whole. Materiality is used in planning the scope of our work, executing that work and evaluating the results. Overall Materiality Basis of determining overall materiality Group £150,000 (2021: £100,000) We determined materiality based on 2% (2021: 2%) of the Group’s aggregate cost of sales and administrative expenses. Parent Company £87,250 (2021: £99,000) We determined materiality based on 2% (2021: 2%) of the Company’s aggregate cost of sales and administrative expenses. We have considered the primary users of the financial statements to be shareholders, loan note holders, management, and banks. We have considered the primary users of the financial statements to be shareholders, loan note holders, management, and banks. This was deemed to be the most appropriate metric for materiality as this is primarily what the users of the financial statements are concerned with. Performance materiality £105,000 (2021: £85,000) Basis of determining overall performance materiality We set performance materiality based on 70% (2021: 85%) of overall materiality. Performance materiality is the application of materiality at the individual account or balance level, set at an amount to reduce, to an appropriately low level, the probability that the aggregate of uncorrected and undetected misstatements exceeds materiality for the financial statements as a whole. This was deemed to be the most appropriate metric for materiality as this is primarily what the users of the financial statements are concerned with. £61,075 (2021: £84,150) We set performance materiality based on 70% (2021: 85%) of overall materiality. Performance materiality is the application of materiality at the individual account or balance level, set at an amount to reduce, to an appropriately low level, the probability that the aggregate of uncorrected and undetected misstatements exceeds materiality for the financial statements as a whole. Error reporting threshold The determination of performance materiality reflects our assessment of the risk of undetected errors existing, the nature of the systems and controls and the level of misstatements arising in previous audits. We agreed to report any corrected or uncorrected adjustments exceeding £7,500 (2021: £5,000) to the Audit Committee as well as differences below this threshold that in our view warranted reporting on qualitative grounds. The determination of performance materiality reflects our assessment of the risk of undetected errors existing, the nature of the systems and controls and the level of misstatements arising in previous audits. We agreed to report any corrected or uncorrected adjustments exceeding £4,363 (2021: £4,950) to the Audit Committee as well as differences below this threshold that in our view warranted reporting on qualitative grounds. 60 CROSSWORD CYBERSECURITY PLC Annual Report and Accounts 2022 How we tailored the audit scope Our assessment of audit risk, evaluation of materiality and our determination of performance materiality sets our audit scope for each company within the Group. Taken together, this enables us to form an opinion on the consolidated financial statements. This assessment takes into account the size, risk profile, organisation / distribution and effectiveness of group-wide controls, changes in the business environment and other factors such as recent internal audit results when assessing the level of work to be performed at each component. In assessing the risk of material misstatement to the consolidated financial statements, and to ensure we had adequate quantitative and qualitative coverage of significant accounts in the consolidated financial statements, of the 7 reporting components of the group. Full scope audits – 3 entities were subject to a full scope audit. These entities were selected based upon their size or risk characteristics. Specified audit procedures – 3 entities were subject to specified audit procedures. These procedures have been determined based on the size and nature of the balances. 1 entity remains dormant during the year. Our audit scoping coverage for the key balances is summarised in the charts below: Cost of sales administrative costs Loss before tax Gross assets 8.9% -5.6% 8.6% S T A T E M E N T S F I N A N C A L I 91.1% 105.6% 91.4% Full scope Specified audit procedures www.crosswordcybersecurity.com 61 Independent auditor’s report Continued The control environment We evaluated the design and implementation of those internal controls of the Group, including the Parent Company, which are relevant to our audit, such as those relating to the financial reporting cycle. We performed control testing over the purchase and payroll cycles. Reporting on other information The other information comprises the information included in the annual report other than the financial statements and our auditor’s report thereon. The directors are responsible for the other information contained within the annual report. Our opinion on the financial statements does not cover the other information and, except to the extent otherwise explicitly stated in our report, we do not express any form of assurance conclusion thereon. Our responsibility is to read the other information and, in doing so, consider whether the other information is materially inconsistent with the financial statements or our knowledge obtained in the course of the audit, or otherwise appears to be materially misstated. If we identify such material inconsistencies or apparent material misstatements, we are required to determine whether this gives rise to a material misstatement in the financial statements themselves. If, based on the work we have performed, we conclude that there is a material misstatement of this other information, we are required to report that fact. We have nothing to report in this regard. Strategic report and directors’ report In our opinion, based on the work undertaken in the course of the audit: • the information given in the strategic report and the directors’ report for the financial year for which the financial statements are prepared is consistent with the financial statements; and • the strategic report and the directors’ report have been prepared in accordance with applicable legal requirements. In the light of the knowledge and understanding of the Group and the Parent Company and their environment obtained in the course of the audit, we have not identified material misstatements in the strategic report or the directors’ report. Matters on which we are required to report by exception We have nothing to report in respect of the following matters in relation to which the Companies Act 2006 requires us to report to you if, in our opinion: • • • adequate accounting records have not been kept by the Parent Company, or returns adequate for our audit have not been received by branches not visited by us; or the Parent Company financial statements are not in agreement with the accounting records and returns; or certain disclosures of directors’ remuneration specified by law are not made;.or • we have not received all the information and explanations we require for our audit. Responsibilities of directors As explained more fully in the directors’ responsibilities statement, the directors are responsible for the preparation of the financial statements and for being satisfied that they give a true and fair view, and for such internal control as the directors determine is necessary to enable the preparation of financial statements that are free from material misstatement, whether due to fraud or error. In preparing the financial statements, the directors are responsible for assessing the Group’s and the Parent Company’s ability to continue as a going concern, disclosing, as applicable, matters related to going concern and using the going concern basis of accounting unless the directors either intend to liquidate the Group or Parent Company or to cease operations, or have no realistic alternative but to do so. 62 CROSSWORD CYBERSECURITY PLC Annual Report and Accounts 2022 Auditor responsibilities for the audit of the financial statements Our objectives are to obtain reasonable assurance about whether the financial statements as a whole are free from material misstatement, whether due to fraud or error, and to issue an auditor’s report that includes our opinion. Reasonable assurance is a high level of assurance but is not a guarantee that an audit conducted in accordance with ISAs (UK) will always detect a material misstatement when it exists. Misstatements can arise from fraud or error and are considered material if, individually or in aggregate, they could reasonably be expected to influence the economic decisions of users taken on the basis of these financial statements. A further description of our responsibilities for the financial statements is located on the FRC’s website at: www.frc.org.uk/auditorsresponsibilities. This description forms part of our auditor’s report. Extent to which the audit was considered capable of detecting irregularities, including fraud Irregularities, including fraud, are instances of non-compliance with laws and regulations. We design procedures in line with our responsibilities, outlined above, to detect material misstatements in respect of irregularities, including fraud. These audit procedures were designed to provide reasonable assurance that the financial statements were free from fraud or error. The risk of not detecting a material misstatement due to fraud is higher than the risk of not detecting one resulting from error and detecting irregularities that result from fraud is inherently more difficult than detecting those that result from error, as fraud may involve collusion, deliberate concealment, forgery or intentional misrepresentations. Also, the further removed non-compliance with laws and regulations is from events and transactions reflected in the financial statements, the less likely we would become aware of it. Identifying and assessing potential risks arising from irregularities, including fraud The extent of the procedures undertaken to identify and assess the risks of material misstatement in respect of irregularities, including fraud, included the following: S T A T E M E N T S F I N A N C A L I • We considered the nature of the industry and sector the control environment, business performance including remuneration policies and the Group’s, including the Parent Company’s, own risk assessment that irregularities might occur as a result of fraud or error. From our sector experience and through discussion with the directors, we obtained an understanding of the legal and regulatory frameworks applicable to the Group focusing on laws and regulations that could reasonably be expected to have a direct material effect on the financial statements, such as provisions of the Companies Act 2006, UK tax legislation or those that had a fundamental effect on the operations of the Group including the regulatory and supervisory requirements of the AIM regulations. • We enquired of the directors and management including the audit committee concerning the Group’s and the Parent Company’s policies and procedures relating to: identifying, evaluating and complying with the laws and regulations and whether they were aware of any instances of - non-compliance; - detecting and responding to the risks of fraud and whether they had any knowledge of actual or suspected fraud; and - the internal controls established to mitigate risks related to fraud or non-compliance with laws and regulations. • We assessed the susceptibility of the financial statements to material misstatement, including how fraud might occur by evaluating management’s incentives and opportunities for manipulation of the financial statements. This included utilising the spectrum of inherent risk and an evaluation of the risk of management override of controls. We determined that the principal risks were related to posting inappropriate journal entries to increase revenue or reduce costs, creating fictitious transactions to hide losses or to improve financial performance, and management bias in accounting estimates. www.crosswordcybersecurity.com 63 Audit response to risks identified In respect of the above procedures: • we corroborated the results of our enquiries through our review of the minutes of the Group’s and the Parent Company’s board meetings; • audit procedures performed by the engagement team in connection with the risks identified included: - - reviewing financial statement disclosures and testing to supporting documentation to assess compliance with applicable laws and regulations expected to have a direct impact on the financial statements. testing journal entries, including those processed late for financial statements preparation, those posted by infrequent or unexpected users, those posted to unusual account combinations; - evaluating the business rationale of significant transactions outside the normal course of business, and reviewing accounting estimates for bias; - enquiry of management around actual and potential litigation and claims. - challenging the assumptions and judgements made by management in its significant accounting estimates, and - obtaining confirmations from third parties to confirm existence of a sample of balances. • we communicated relevant laws and regulations and potential fraud risks to all engagement team members, including experts, and remained alert to any indications of fraud or non-compliance with laws and regulations throughout the audit. Use of our report This report is made solely to the Parent Company’s members, as a body, in accordance with Chapter 3 of Part 16 of the Companies Act 2006. Our audit work has been undertaken so that we might state to the Parent Company’s members those matters we are required to state to them in an auditor’s report and for no other purpose. To the fullest extent permitted by law, we do not accept or assume responsibility to anyone other than the Parent Company and the Parent Company’s members as a body, for our audit work, for this report, or for the opinions we have formed. Andrew Moyser FCA FCCA (Senior Statutory Auditor) for and on behalf of MHA MacIntyre Hudson, Statutory Auditor London, United Kingdom 18 April 2023 64 CROSSWORD CYBERSECURITY PLC Annual Report and Accounts 2022 S T A T E M E N T S F I N A N C A L I www.crosswordcybersecurity.com 65 Consolidated Financial Statements for Crossword Cybersecurity PLC company number 08927013 CONSOLIDATED STATEMENT OF COMPREHENSIVE INCOME 12 Months ended 31 December 2022 £ 3,648,000 (2,755,662) 39,814 932,152 12 Months ended 31 December 2021* £ 2,171,137 (1,631,384) 152,347 692,100 (4,967,499) (304,457) (1,569) (395,762) 170,283 (4,566,852) (3,481,809) (104,124) 4,956 (220,545) 456,803 (2,652,619) Notes 2 3 6 3,4 7 8 9 11 1,144,302 378,995 (3,422,550) (2,273,624) 1,782 1,782 (13,220) (13,220) (3,420,768) (2,286,844) (3,408,149) (14,401) (3,422,550) (2,229,296) (44,328) (2,273,624) (3,406,367) (14,401) (3,420,768) (2,242,516) (44,328) (2,286,844) 23 (0.04) (0.04) (0.03) (0.03) Revenue Cost of Sales Other income Gross Profit Administrative expenses Other operating expense Finance income-bank interest income and foreign exchange Finance costs-other interest expense Gain on remeasurement of financial assets and liabilities Loss for the year before taxation Tax credit / (expense) Loss for the Year Other Comprehensive Income Items that may be reclassified to profit or loss: Foreign exchange translation Gain / (Loss) Total Other Comprehensive Income Total Comprehensive Loss Loss for the period attributable to: Owners of the parent Non-controlling interests Total Loss for the Year Total comprehensive loss for the period attributable to: Owners of the parent Non-controlling interests Total Comprehensive Loss Loss Per Share (basic) Loss Per Share (diluted) All results are derived from continuing operations * Restated (as per note 1.2) 66 CROSSWORD CYBERSECURITY PLC Annual Report and Accounts 2022 STATEMENT OF FINANCIAL POSITION AS AT 31 DECEMBER Group 2022 £ Group 2021 £ Company 2022 £ Company 2021 £ Notes Non-Current Assets Intangible assets Tangible assets Goodwill Unlisted investment Investments in subsidiaries Intercompany receivable greater than one year Total non-current assets Current Assets Trade and other receivables Current tax receivable Cash and cash equivalents Total current assets Total Assets EQUITY Attributable to the owners of the Company Share Capital Share premium account Convertible debt reserve Equity reserve Retained earnings Translation of foreign operations Attributable to owners of the parent Non-controlling interests Total equity LIABILITIES Current Liabilities Trade and other payables Other current liabilities Total current liabilities Long Term Liabilities Convertible loan notes Bank loans Other non-current liabilities Total long term liabilities Total Liabilities Total Equity & Liabilities 13 14 15 16 17 18 22 22 24 19 20 30 21 2,708,423 45,039 875,277 456,834 - - 4,085,573 1,103,679 5,460 875,277 456,834 - - 2,441,250 2,197,206 - - 456,834 1,649,145 1,067,185 5,370,370 521,603 - - 456,834 1,637,518 918,206 3,534,161 2,078,050 398,511 2,077,771 4,554,332 8,639,905 1,066,076 - 3,373,062 4,439,138 6,880,388 1,918,525 368,393 1,746,530 4,033,448 9,403,818 838,622 - 3,106,817 3,945,439 7,479,600 462,019 18,534,372 195,685 370,762 (15,235,500) (13,210) 4,314,128 (153,527) 4,160,601 374,786 14,971,221 - 240,310 (11,827,351) (14,992) 3,743,974 (139,127) 3,604,847 462,019 18,534,372 195,685 370,762 (14,127,624) - 5,435,214 - 5,435,214 374,786 14,971,221 - 240,310 (10,800,700) - 4,785,617 - 4,785,617 S T A T E M E N T S F I N A N C A L I 2,456,783 17,000 2,473,783 1,413,658 1,368,638 2,782,296 2,146,775 - 2,146,775 1,049,960 1,351,471 2,401,431 1,329,678 51,000 624,843 2,005,521 - 68,000 425,245 493,245 1,329,678 - 492,151 1,821,829 - - 292,552 292,552 4,479,304 8,639,905 3,275,541 6,880,388 3,968,604 9,403,818 2,693,983 7,479,600 The company’s loss for the year was £3,326,925 (2021: £1,964,825). The financial statements were approved by the Board and authorised for issue on18 April 2023. They were signed on its behalf by www.crosswordcybersecurity.com 67 Consolidated Financial Statements CONTINUED STATEMENT OF CHANGES IN EQUITY Convertible Debt Reserve Share Capital Share Premium 14,971,221 374,786 Group 2022 £ At 1st January Issue of shares 87,233 3,750,012 Transaction costs Issue of convertible debt Employee share schemes - value of employee services Loss for the period Other comprehensive loss for the period At 31st December Group 2021 At 1st January Issue of shares Transaction costs Employee share schemes - value of employee services Loss for the period Other comprehensive loss for the period - - - - - (186,861) - - - - 256,605 118,181 8,518,391 6,770,954 - (318,124) - - - - - - At 31st December 374,786 14,971,221 Equity Reserve 240,310 Retained Earnings (11,827,351) Translation Reserve Attributable to owners of the parent Non- controlling interests (14,992) 3,743,974 (139,126) - - - 130,452 - - - - - (3,408,149) - - - - - 3,837,245 (186,861) 195,685 130,452 - - - - Total 3,604,848 3,837,245 (186,861) 195,685 130,452 (3,408,149) (14,401) (3,422,550) - - 1,782 1,782 - 1,782 - - 195,685 - - - - - - - - - - 181,618 (9,598,056) (1,772) (643,214) (94,799) (738,013) - - 58,692 - - - - (2,229,296) - - - - 6,889,135 (318,124) 58,692 - - - 6,889,135 (318,124) 58,692 (2,229,296) (44,328) (2,273,624) - - 240,310 (11,827,351) (13,220) (14,992) (13,220) - (13,220) 3,743,974 (139,126) 3,604,847 462,019 18,534,372 195,685 370,762 (15,235,500) (13,210) 4,314,128 (153,527) 4,160,601 Company 2022 £ At 1st January Issue of shares Transaction costs Issue of convertible debt Employee share schemes - value of employee services Loss for the period At 31st December Company 2021 At 1st January Issue of shares Transaction costs Employee share schemes - value of employee services Loss for the period At 31st December Share Capital 374,786 Share Premium 14,971,221 87,233 3,750,012 (186,861) Convertible Debt Reserve - - - - - - - - - - 195,685 - - Equity Reserve 240,310 Retained Earnings (10,800,699) - - - 130,452 - - - - - (3,326,925) 462,019 18,534,372 195,685 370,762 (14,127,624) 256,605 118,181 8,518,391 6,770,954 - (318,124) - - - - 374,786 14,971,221 - - - - - - 181,618 (8,835,874) - - 58,692 - - - - (1,964,825) 240,310 (10,800,699) Translation Reserve Attributable to owners of the parent Non- controlling interests - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Total 4,785,617 3,837,245 (186,861) 195,685 130,452 (3,326,925) £5,435,214 120,740 6,889,135 (318,124) 58,692 (1,964,825) 4,785,617 68 CROSSWORD CYBERSECURITY PLC Annual Report and Accounts 2022 STATEMENT OF CASHFLOWS Years Cashflows From Operating Activities Loss for the year Movement in trade and other receivables Movement in trade and other payables Depreciation Amortisation Finance costs Gain on remeasurement of financial assets and liabilities Employee share schemes Tax (credit) / expense Tax received / (paid) Net Cashflow from Operating Activities Cashflow From Investing Activities Investment in intangible assets Purchase of tangible assets Acquisition of subsidiaries, net of cash acquired Net Cashflow from Investing Activities Cashflows From Financing Activities Proceeds from issue of ordinary shares Share issuance costs Proceeds from issue of convertible loan notes Repayment of convertible loan notes Interest paid on convertible loan notes Other interest paid Payments for right of use assets Net Cash Inflow from Financing Activities Net Increase in Cash & Cash Equivalents Foreign Currency Translation Difference Cash and Cash Equivalent at the beginning of the period Cash and Cash Equivalent at the end of the period * Restated as per Note 1.2 TOM ILUBE Chief Executive Officer 12 Months ended 31st December Group 2022 £ 12 Months ended 31st December Group 2021* £ 12 Months ended 31st December Company 2022 £ 12 Months ended 31st December Company 2021* £ Notes (3,422,550) (786,642) 381,130 11,287 293,170 395,762 (170,283) 130,452 (1,144,302) 348,662 (3,963,314) (2,273,624) (412,005) 86,231 66,243 37,881 220,545 (456,803) 58,692 (378,995) 200,984 (2,850,851) (3,326,924) (1,649,101) 646,965 - 222,310 468,084 (365,968) 130,452 (423,572) 295,763 (4,001,990) (1,964,825) (837,873) 40,374 38,392 9,931 138,742 (456,803) 58,692 (206,380) 206,380 (2,973,370) (203,627) (48,971) (625,408) (878,006) (183,796) - (645,390) (829,186) (203,627) - (715,415) (919,042) (183,796) - (700,000) (883,796) S T A T E M E N T S F I N A N C A L I 3 3 8 4 11 13 14 3,837,245 (186,861) 800,000 (700,000) (189,640) (16,495) - 3,544,249 6,639,135 (318,124) - - (168,000) (1,638) (43,734) 6,107,639 3,837,245 (186,861) 800,000 (700,000) (189,640) - - 3,560,744 6,639,135 (318,124) - - (168,000) (186) (13,507) 6,139,319 (1,297,071) 1,780 3,373,062 2,077,771 2,427,602 (12,881) 958,341 3,373,062 (1,360,288) - 3,106,818 1,746,530 2,282,151 - 824,667 3,106,818 www.crosswordcybersecurity.com 69 Consolidated Financial Statements CONTINUED Furthermore, Amortisation and Depreciation have been separated from Administrative expenses into Other operating expense category. Prior period has been reclassified. The Group has revised the treatment of Research and development tax credits from the approach where these get recorded following the receipt of tax relief to being recognised in the period they relate to. Prior year has not been restated. During the period the Group has changed presentation of Research and development tax credits from Other operating income to Income tax to reflect the fact that most of the credit relates to tax relief for small and medium-sized enterprises. The following table demonstrates re-classification of 2021 Consolidated Income Statement: NOTES TO THE FINANCIAL INFORMATION 1. ACCOUNTING POLICIES 1.1 The Group and its operations Crossword Cybersecurity plc (the “Company”) is a Company incorporated on 6 March 2014 in England and Wales under the Companies Act 2006. The Company is the parent company of the Crossword Group of Companies focusing on the cybersecurity sector. Crossword offers a range of cyber security solutions to help companies understand and reduce cyber security risk. We do this through a combination of people and technology, in the form of SaaS and software products, consulting, and managed services. The financial information includes the results of the Company and its subsidiaries (together referred to as the “Group” and individually as “Group entities”). The principal accounting policies applied in the preparation of the financial information are set out below. These policies have been consistently applied to all the periods presented, unless otherwise stated. 1.2 Basis of preparation of financial information The financial information has been prepared in accordance with the requirements of the London Stock Exchange plc AIM Rules for Companies and in accordance with International Financial Reporting Standards as adopted in the United Kingdom (“UK adopted IFRS”) and those parts of the Companies Act 2006 applicable to companies reporting in accordance with UK adopted IFRS. The financial information has been prepared on the historical cost basis. The preparation of financial information in conformity with UK adopted IFRS requires the use of certain critical accounting estimates. It also requires management to exercise its judgement in the process of applying the Group’s accounting policies. Changes in assumptions may have a significant impact on the financial information in the year the assumptions changed. Management believes that the underlying assumptions are appropriate. The areas involving a higher degree of judgement or complexity, or areas where assumptions and estimates are significant to the financial information are disclosed in note 1.22. Changes in accounting policy and disclosures During the year the Group has reviewed presentation of Gross Margin in the Income Statement to align with general principles adopted by Software-as-a-Service industry. The costs to be included in Costs of Sales are primarily application hosting expenses, customer success and customer service costs. Research and Development expenses, which were previously included in Costs of Sales, have been reclassified to Administrative expenses. 70 CROSSWORD CYBERSECURITY PLC Annual Report and Accounts 2022 Consolidated Statement of Comprehensive Income 12 Months ended 31 December 2021 Revenue Cost of Sales Other income Gross Profit Administrative expenses Other operating income Other operating expense Finance income Finance costs-other interest expense Gain on revaluation of financial assets Loss for the year before taxation Tax credit / (expense) Loss for the Year Other Operating Expense seperate from Admin costs £ - - Research and development Tax Credits £ - - - - 104,124 - (104,124) - - - - - (206,380) - - - - (206,380) Change in Gross Margin calculation £ - 325,794 152,347 478,141 (325,794) (152,347) - - - - - Restated £ 2,171,137 (1,631,384) 152,347 692,100 (3,481,809) - (104,124) 4,956 (220,545) 456,803 (2,652,619) - - - - 206,380 378,995 - (2,273,624) As previously reported £ 2,171,137 (1,957,178) - 213,959 (3,260,139) 358,727 - 4,956 (220,545) 456,803 (2,446,239) 172,615 (2,273,624) At the year end, the following standards and interpretations which have not been applied in these financial statements were in issue but not yet effective. The Group is considering their impact but do not expect a material on the future results of the Group. New standards, interpretations and amendments effective in current period None of the new standards and amendments to the existing standards effective in the current period have been applicable to the Group’s consolidated financial statements. New standards, interpretations and amendments not yet effective The Group adopt early the following amendments to standards which are not yet mandatory. IFRS 17 Insurance Contracts (including the June 2020 Amendments to IFRS 17, effective from 1 January 2023) Amendments to IAS 8 Accounting Policies, Changes in Accounting Estimates and Errors - Definition of Accounting Estimates (effective 1 January 2023). Amendments to IAS 1 Presentation of Financial Statements and IFRS Practice Statement 2: Disclosure of Accounting policies (effective 1 January 2023). Amendments to IAS 12 Income Taxes - Deferred Tax related to Assets and Liabilities arising from a Single Transaction (effective 1 January 2023). Amendments to IAS 1 Presentation of Financial Statements - Classification of Liabilities as Current or Non-current (effective 1 January 2023). 1.3 Going Concern The financial information has been prepared on a going concern basis. The Group’s business model has been enhanced following the two acquisitions in 2021 and a further acquisition in early 2022. The Group’s operations have incurred a loss in the financial year whilst the Group’s products and services continue to be enhanced, developed and brought to market. The Directors’ forecast in 2023 shows a trading loss with net cash outflows as the business continues to develop and enhance its products and services and grows revenue. In 2022, the Group’s operations have been supported by cash inflows from customers and from the issue of £3.6m equity gross during 2022. The Directors have considered the Group’s future and forecast business and cash requirements. Following the completion of a successful fundraise in 2022, the Directors have determined that the group wants to continue to expand, while having a clear and determined focus on a path to profitability, which is expected to require successful additional fundraise. On 12 July 2022 holders of £700,000 of loan notes extended their loan notes to be repayable 30 June 2025 and two loan note holders loaned a further £150,000 to the Company on the above terms. In both cases the conversion price was amended to 25.2p. S T A T E M E N T S F I N A N C A L I www.crosswordcybersecurity.com 71 Consolidated Financial Statements CONTINUED On 15 July 2022 a further £550,000 of loan notes were issued repayable on 14 July 2025, otherwise on the same terms as above save that the conversion price is 26.1p. Currently, £1.5 million of loan notes remain outstanding. The Directors have concluded that these circumstances could give rise to a material uncertainty arising from events or conditions that may cast significant doubt on the entity’s ability to continue as a going concern if a further fund raise was unsuccessful. However, considering recent successful fund raises the Directors are confident that they can continue to adopt the going concern basis in preparing the financial statements. The financial statements do not include any adjustment that may arise in the event that the Group is unable to raise finance, realise its assets and discharge its liabilities in the normal course of business. 1.4 Basis of consolidation Subsidiaries are fully consolidated from the date on which control is transferred to the Group. Control exists when then the Group has: • • • the power over the investee; exposure, or rights, to variable returns from its involvement with the investee; the ability to use its power over the investee to affect the amount of the investor’s returns. All intra-Group transactions balances income and expenses are eliminated on consolidation. Uniform accounting policies are applied by the Group entities to ensure consistency. 1.5 Revenue Revenue comprises the fair value of consideration received or receivable for licence income and the rendering of services in the ordinary course of the Group’s activities. Revenue is shown net of value added tax and trade discounts. Income is reported as follows: (a) Licence Income Technology and product licensing revenue represents amounts earned for licenses granted under licensing agreements and recognized over time. Revenues relating to up-front payments are recognised when the obligations related to the revenues have been completed. Revenues for maintenance and support services are recognised in the accounting periods in which the services are rendered. (b) Rendering of Services Services relate to implementation and deployment fees for the technology and products licensed to customers. Revenue is recognised in the accounting periods in which the services are rendered. (c) Consulting Consulting revenue is recognised when the performance obligation is met, primarily at a point of time. Contracts are structured to support the revenue recognition process by stating what the objectives and deliverables are for each part of the project, and the revenue attributable to each deliverable. (d) Software Engineering Services Revenues for software engineering services are recognised in the accounting periods in which the services are rendered. Contract balances Contract related balances comprise of contract assets and contract liabilities. Contract assets – are recognised when services are transferred to customers before consideration is received or before the Group has an unconditional right to payment for performance completed to date. Contract assets are subsequently transferred to receivables when the right of payment becomes unconditional. Contract liabilities – are recognised when amounts are received from customers in advance of transfer of goods or services. Contract liabilities are subsequently recognised in revenue as or when the Group performs under contracts. 1.6 Functional and presentation currency The presentation currency of the Group is pounds sterling (GBP). The functional currency of the Company is pounds sterling. The functional currency of the Company’s polish subsidiary is Polish Zloty (PLN). 1.7 Business combinations The acquisition of subsidiaries is accounted for using the acquisition method. The cost of the acquisition is measured as the aggregate of the fair values, at the date of exchange, of assets given, liabilities incurred or assumed, and equity instruments issued by the Group in exchange for control of the acquiree. Acquisition related costs are recognised in the income statement as incurred. Any contingent consideration to be transferred by the Group is recognised at fair value at the acquisition date. Subsequent changes to the fair value of the contingent consideration that is deemed to be an asset or liability is recognised in the consolidated income statement. Contingent consideration that 72 CROSSWORD CYBERSECURITY PLC Annual Report and Accounts 2022 is classified as equity is not remeasured, and its subsequent settlement is accounted for within equity. Goodwill arising on acquisition is recognised as an asset and initially measured at cost, being the excess of the cost of the business combination over the Group’s interest in the net fair value of the identifiable assets, liabilities and contingent liabilities recognised. For the purpose of impairment testing, goodwill acquired in a business combination is, from the acquisition date, allocated to the cash generating unit (“CGU”) that is expected to benefit from the synergies of the combination. CGU to which goodwill has been allocated is tested for impairment annually, or more frequently when there is an indication that the unit may be impaired. Any impairment loss is recognised directly in the income statement. 1.8 Foreign operations The assets and liabilities of foreign operations are translated into Pound sterling using the exchange rates at the reporting date. The revenues and expenses of foreign operations are translated into Pound sterling using the average exchange rates, which approximate the rates at the dates of the transactions, for the period. All resulting foreign exchange differences are recognised in other comprehensive income through the foreign currency reserve in equity. On disposal of a foreign operation, the cumulative exchange differences recognised in the foreign exchange reserve relating to that operation up to the date of disposal are transferred to the consolidated statement of comprehensive income as part of the profit or loss on disposal. development can be reliably measured. Directly attributable costs that are capitalised as part of the software product include the software development employee costs and an appropriate portion of relevant overheads. Other development expenditure that does not meet these criteria is recognised as an expense as incurred. 1.10 Property, plant and equipment Property, plant and equipment is stated at purchase price less accumulated depreciation and impairment losses. The cost includes all expenses directly related to the purchase of a relevant asset. All other repair and maintenance costs are charged to the income statement for the period during the reporting period in which they are incurred. 1.11 Depreciation and amortisation Each item of property, plant and equipment is depreciated using the straight-line method over the estimated useful life and depreciation charge is included in the income statement for the period. The depreciation is charged to the income statement for the period and determined using the straight-line method over the estimated useful life of the item of property, plant and equipment. The expected useful lives of property, plant and equipment in the reporting and comparative periods are as follows: Computers Furniture & fittings Useful lives in years 3.33 3.33 1.9 Intangible assets – research and development Expenditure on research is written off in the period in which it is incurred. Computer software development expenditure recognised as assets is amortised on a straight-line basis over their estimated useful lives, which does not exceed 5 years. Development expenditure incurred on specific projects is capitalised where the management is satisfied that the following criteria have been met: • it is technically feasible to complete the software product so that it will be available for use; • management intends to complete the software product and use or sell it; 1.12 Impairment of non-financial assets The residual value of an asset is the estimated amount that the Group would currently obtain from disposal of the asset less the estimated costs of disposal, if the asset was already of the age and in the condition expected at the end of its physical life. The assets’ residual values and useful lives are reviewed, and adjusted if appropriate, at each reporting date. • • • there is an ability to use or sell the software product; it can be demonstrated how the software product will generate probable future economic benefits; At the end of each reporting period management assesses whether the indicators of impairment of property, plant and equipment exists. adequate technical, financial and other resources to complete the development and to use or sell the software product are available; and The carrying amounts of property, plant and equipment and all other non-financial assets are reviewed for impairment if there is any indication that the carrying amount may not be recoverable. • the expenditure attributable to the software product during its S T A T E M E N T S F I N A N C A L I www.crosswordcybersecurity.com 73 Consolidated Financial Statements CONTINUED For the purpose of impairment testing the recoverable amount is measured by reference to the higher of value in use (being the net present value of expected future cashflows of a relevant cash generating unit) and fair value less costs to sell (the amount obtainable from the sale of an asset or cash generating unit in an arm’s length transaction between knowledgeable, willing parties who are independent from each other less the costs of disposal). Where there is no binding sale agreement or active market, fair value less costs to sell is based on the best information available to reflect the amount the Group would receive for the cash generating unit. A cash generating unit is the smallest identifiable group of assets that generates cash inflows that are largely independent of the cash inflows from other assets or groups of assets. If the carrying amount of the asset exceeds its recoverable amount, the asset is impaired and an impairment loss is charged to the income statement so as to reduce the carrying amount in the statement of financial position to its recoverable amount. A previously recognised impairment loss is reversed if the recoverable amount increases as a result of a reversal of the conditions that originally resulted in the impairment. This reversal is recognised in profit or loss for the period and is limited to the carrying amount that would have been determined, net of depreciation, had no impairment loss been recognised in prior years. 1.13 Financial Instruments Financial assets and financial liabilities are recognised when the Company becomes a party to the contractual provisions of the instrument. Financial assets and financial liabilities are initially measured at fair value. Transaction costs that are directly attributable to the acquisition or issue of financial assets and financial liabilities (other than financial assets and financial liabilities at fair value through profit or loss) are added to or deducted from the fair value of the financial assets or financial liabilities, as appropriate, on initial recognition. Transaction costs directly attributable to the acquisition of financial assets or financial liabilities at fair value through profit or loss are recognised immediately in profit or loss. All financial instruments are classified in accordance with the principles of IFRS 9 Financial Instruments. 1.13 a Financial assets Classification of financial assets Debt instruments that meet the following conditions are subsequently measured at amortised cost: • • the financial asset is held within a business model whose objective is to hold financial assets in order to collect contractual cash flows; and the contractual terms of the financial asset give rise on specified dates to cash flows that are solely payments of principal and interest on the principal amount outstanding. Debt instruments that meet the following conditions are subsequently measured at FVTOCI: • • the financial asset is held within a business model whose objective is achieved by both collecting contractual cash flows and selling the financial assets; and the contractual terms of the financial asset give rise on specified dates to cash flows that are solely payments of principal and interest on the principal amount outstanding. By default, all other financial assets are subsequently measured at FVTPL. Amortised cost and effective interest method The effective interest method is a method of calculating the amortised cost of a debt instrument and of allocating interest income over the relevant period. For financial instruments other than purchased or originated credit-impaired financial assets, the effective interest rate is the rate that exactly discounts estimated future cash receipts (including all fees and points paid or received that form an integral part of the effective interest rate, transaction costs and other premiums or discounts) excluding expected credit losses, through the expected life of the debt instrument, or, where appropriate, a shorter period to the gross carrying amount of the debt instrument on initial recognition. For purchased or originated credit-impaired financial assets, a credit-adjusted effective interest rate is calculated by discounting the estimated future cash flows, including expected credit losses, to the amortised cost of the debt instrument on initial recognition. The amortised cost of a financial asset is the amount at which the financial asset is measured at initial recognition minus the principal repayments, plus the cumulative amortisation using the effective interest method of any difference between that initial amount and the maturity amount, adjusted for any loss allowance. On the other hand, the gross carrying amount of a financial asset is the amortised cost of a financial asset before adjusting for any loss allowance. 74 CROSSWORD CYBERSECURITY PLC Annual Report and Accounts 2022 Impairment of financial assets Derecognition of financial liabilities The Company recognises a loss allowance for expected credit losses on financial assets that are measured at amortised cost. The amount of expected credit losses is updated at each reporting date to reflect changes in credit risk since initial recognition of the respective financial instrument. Expected credit loss measurement The consolidated entity has applied the simplified approach to measuring expected credit losses, which uses a lifetime expected loss allowance. To measure the expected credit losses, trade receivables have been grouped based on days overdue. 1.13 b Financial liabilities and equity Debt and equity instruments are classified as either financial liabilities or as equity in accordance with the substance of the contractual arrangement. Equity instruments An equity instrument is any contract that evidences a residual interest in the assets of an entity after deducting all of its liabilities. Equity instruments issued by the Company entity are recognised at the proceeds received, net of direct issue costs. Financial liabilities All financial liabilities are subsequently measured at amortised cost using the effective interest method or at “Fair Value Through Profit or Loss” (“FVTPL”). Financial liabilities at FVTPL Financial liabilities are classified as at FVTPL when the financial liability is contingent consideration of an acquirer in a business combination to which IFRS 3 applies, or it is designated as at FVTPL. Financial liabilities subsequently measured at amortised cost Financial liabilities that are not 1) contingent consideration of an acquirer in a business combination, 2) held-for-trading, or 3) designated as at FVTPL, are subsequently measured at amortised cost using the effective interest method. The effective interest method is a method of calculating the amortised cost of a financial liability and of allocating interest expense over the relevant period. The effective interest rate is the rate that exactly discounts estimated future cash payments (including all fees and points paid or received that form an integral part of the effective interest rate, transaction costs and other premiums or discounts) through the expected life of the financial liability, or (where appropriate) a shorter period, to the amortised cost of a financial liability. The Company derecognises financial liabilities when, and only when, the Company’s obligations are discharged, cancelled or they expire. The difference between the carrying amount of the financial liability derecognised and the consideration paid and payable, including any non-cash assets transferred or liabilities assumed, is recognised in the statement of comprehensive income. 1.14 Leases The Company assesses whether a contract is or contains a lease, at inception of the contract. The Company recognises a right-of- use asset and a corresponding lease liability with respect to all lease arrangements in which it is the lessee, except for short- term leases (defined as leases with a lease term of 12 months or less) and leases of low value assets. For these leases, the Company recognises the lease payments as an administrative expense on a straight-line basis over the term of the lease. 1.15 Taxes Current tax is calculated using rates and laws enacted or substantively enacted at the reporting date. Current tax is recognised in profit or loss unless it relates to an item of other comprehensive income or equity whereby it is recognised in other comprehensive income or equity respectively. Deferred income tax is calculated using rates and laws enacted or substantively enacted at the reporting date that are expected to apply on reversal of the related temporary difference, and is determined in accordance with the expected manner of recovery of the related asset. Deferred income tax is recognised in profit or loss unless it relates to an item of other comprehensive income or equity whereby it is recognised in other comprehensive income or equity respectively. 1.16 Share Based Payments On occasion, the Company has made share-based payments to certain Directors and employees by way of issue of share options. The fair value of these payments is calculated by the Company using the binomial option valuation model and Monte Carlo simulation model. The expense, where material, is recognised on a straight-line basis over the period from the date of award to the date of vesting, based on the Company’s best estimate of the number of shares that will eventually vest. S T A T E M E N T S F I N A N C A L I www.crosswordcybersecurity.com 75 Consolidated Financial Statements CONTINUED 1.17 Investments Shares in subsidiary undertakings are stated at cost less provision for impairment. Unlisted investments are measured at fair value through profit or loss. 1.18 Intercompany Financing arrangements The amortised cost methodology is applied to the financing arrangement between the Company and subsidiary Crossword Consulting Limited. An assessment in undertaken to determine the market rate of interest for a similar loan given the credit rating of the subsidiary to apply discounting with the principal conceptually including a financing element. 1.19 Pension Obligations The Group operates a defined contribution pension scheme for employees in the United Kingdom. A defined contribution scheme is a pension plan under which the Group pays fixed contributions into a separate entity. Contributions payable to the Group’s pension scheme are charged to the income statement in the year to which they relate. The Group has no further payment obligations once the contributions have been paid. In Poland, the Group pays the statutory employer’s contribution into the public pension scheme for each employee, but does not operate any pension schemes. The Group implemented the Employee Capital Plans (PPK) programme which involved employee consultation and selection of a financial institution. 1.20 Cash and Cash Equivalents Cash comprises cash-in-hand and demand deposits. Cash equivalents are short-term, highly liquid investments that are readily convertible to known amounts of cash, and which are subject to an insignificant risk of change in value. 1.21 Accounting for Government Grants Government grants are not recognised until there is reasonable assurance that the Group will comply with the conditions attached to them and that the grants will be received. Government grants are recognised as income over the periods necessary to match them with the costs for which they are intended to compensate, on a systematic basis. Government grants that are receivable as compensation for expenses or losses already incurred or for the purpose of giving immediate financial support to the Group with no future related costs are recognised in the income statement in the period in which they become receivable. 1.22 Critical accounting estimates and judgements and key sources of estimation uncertainty Estimates and judgements are continually evaluated and are based on experience and other factors, including expectations of future events that are believed to be reasonable under the circumstances. The following are the key estimates that the directors have made in the process of applying the Group’s accounting policies and have the most significant effect on the amounts recognised in the financial information. There are no further critical accounting judgements. Fair value of options granted to employee The Group uses the Binomial model and Monte Carlo simulation model in determining the fair value of options granted to employees under the Group’s various share schemes. The determination of the fair value of options requires a number of assumptions. The alteration of these assumptions may impact charges to the income statement over the vesting period of the award. Details of the assumptions used are shown in note 4. Convertible Loans The Group has given consideration to the measurement and presentation of the convertible loans. On legal execution of the loans the financial liability is initially measured at its fair value which is the face value of the loans. Immediately after recognition, at fair value, the financial liability is measured at amortised cost, using a reasonable estimate of the Group’s cost of capital. The difference between the fair value and the amortised cost is taken to the P&L account. Impairment An impairment assessment of the carrying value in the Company of the investment in subsidiaries is undertaken using an NPV model over the projected cash flows, with a discount rate based on the assessment of weighted average cost of capital. Business combinations The recognition of business combinations requires management to make estimates in order to determine fair value of consideration payable on acquisition as well as fair value of identifiable assets, particularly intangibles, and liabilities acquired. These estimates are based on all available information and in some cases assumptions with respect to the timing and amount of future revenues and expenses associated with an asset. Deferred tax Deferred tax assets are recognised for unused tax losses to the extent that it is probable that taxable profit will be available 76 CROSSWORD CYBERSECURITY PLC Annual Report and Accounts 2022 against which the losses can be utilised. Significant management judgement is required to determine the amount of deferred tax assets that can be recognised, based upon the likely timing and the level of future taxable profits, together with future tax planning strategies. The company has taxable temporary differences that partly support the recognition of the losses as deferred tax assets based on the above. The company has determined that it cannot recognise deferred tax assets on all of the tax losses carried forward however, based on the likely characteristics, timing and level of future taxable profits, together with future tax planning strategies. Further details on taxes are disclosed in note 11. 2 REVENUE AND SEGMENTAL INFORMATION An analysis of the Group’s revenue for each period for its continuing operations, is as follows: £ Revenue from the sale of goods/licences Revenue from the rendering of services Revenue from consulting services Software engineering revenue Total Revenue Group 2022 479,849 64,667 3,013,884 89,600 3,648,000 Group 2021 189,252 183,855 1,660,207 137,823 2,171,137 The IFRS 8 Operating segments requires the Group to determine its operating segments based on information which is provided internally. Based on the internal reporting information and management structures within the Group, it has been determined that there are two operating segments established in accordance to differences in products and services provided - Software product and services and Cybersecurity consulting. These operating segments are based on the internal reports that are reviewed and used by the Board of Directors (who are identified as the Chief Operating Decision Makers (‘CODM’)) in assessing performance and in determining the allocation of resources. There is no aggregation of operating segments. The CODM reviews EBITDA (earnings before interest, tax, depreciation and amortisation). The accounting policies adopted for internal reporting to the CODM are consistent with those adopted in the financial statements. The information regarding the Group’s reportable segments is presented below: S T A T E M E N T S F I N A N C A L I www.crosswordcybersecurity.com 77 Consolidated Financial Statements CONTINUED 2022 £ Revenue Cost of Sales Other income Gross Profit Administrative expenses Other operating expense Financial income and expenses Loss for the year before taxation Tax credit / (expense) Loss for the Year Software product and services 634,116 (136,287) 39,814 537,643 Cybersecurity consulting 3,131,103 (2,619,375) - 511,728 Eliminations (117,219) - - (117,219) Total 3,648,000 (2,755,662) 39,814 932,152 (4,561,425) (226,447) (29,958) (4,280,186) (523,292) (78,010) (197,090) (286,666) 117,218 - - - (4,967,499) (304,457) (227,048) (4,566,852) 1,144,302 (3,135,884) - (286,666) - - 1,144,302 (3,422,550) Total Comprehensive Loss (3,134,102) (286,666) - (3,420,768) Segment assets Segment liabilities EBITDA 2021* £ Revenue Cost of Sales Other income Gross Profit Administrative expenses Other operating expense Financial income and expenses Loss for the year before taxation Tax credit / (expense) Loss for the Year 10,413,274 4,234,893 1,594,370 2,649,280 (3,367,738) (2,404,869) 8,639,905 4,479,304 (4,023,782) (11,565) - (4,035,347) Software product and services 462,108 (32,539) 152,347 581,917 Cybersecurity consulting 1,784,309 (1,598,845) - 185,464 Eliminations (75,280) - - (75,280) Total 2,171,137 (1,631,384) 152,347 692,100 (2,956,758) (72,045) 323,725 (2,123,161) (600,331) (32,079) (82,512) (529,458) 75,280 - - - (3,481,809) (104,124) 241,214 (2,652,619) 378,995 (1,744,166) - (529,458) - - 378,995 (2,273,624) Total Comprehensive Loss (1,757,386) (529,458) - (2,286,844) Segment assets Segment liabilities EBITDA * Restated (as per note 1.2) 8,178,282 2,924,439 1,029,509 1,762,053 (2,327,403) (1,410,951) 6,880,388 3,275,541 (2,168,462) (414,866) - (2,583,328) 78 CROSSWORD CYBERSECURITY PLC Annual Report and Accounts 2022 During the year ended 31 December 2022 approximately 14% (2021: 17%) of the consolidated entity’s external revenue was derived from sales to a major United Kingdom client in Cybersecurity consulting segment. No other clients accounted for more than 10% of the consolidated entity’s external revenue. No analysis of net assets by geographic segment is provided as the net assets are principally all within the UK. 3 EXPENSES BY NATURE £ Staff and related costs Consultancy and related costs Professional fees Property related costs Depreciation Amortisation Capitalised costs Other expenses Total cost of sales, administrative and other operating expenses Included in Cost of Sales £ Staff and related costs Consultancy and related costs Other expenses Total cost of sales Included in Administrative expenses £ Staff and related costs Professional fees Property related costs Capitalised costs Other expenses Total administrative expenses Expenses by geographic segment £ UK Poland Total cost of sales, administrative and other operating expenses Administrative expenses include-short term lease expense of £188,643 (2021: £171,714). Group 2022 4,914,076 854,972 808,910 201,590 11,287 293,170 (162,680) 1,106,293 8,027,618 Group 2022 1,874,960 854,972 25,730 2,755,662 Group 2022 3,039,116 808,910 201,590 (162,680) 1,080,563 4,968,499 Group 2021 3,305,430 450,028 616,791 172,823 66,243 37,881 (138,067) 706,188 5,217,317 Group 2021 1,133,519 450,028 47,837 1,631,384 Group 2021 2,171,911 616,791 172,823 (138,067) 658,351 3,481,809 Group 2022 7,355,231 672,387 8,027,618 Group 2021 4,695,737 521,580 5,217,317 S T A T E M E N T S F I N A N C A L I www.crosswordcybersecurity.com 79 Consolidated Financial Statements CONTINUED 4 STAFF COSTS Staff costs, including directors’ remuneration, were as follows: £ Wages and salaries: - Administrative - Consulting - Research and development Social security costs Other pension costs Group 2022 Group 2021 Company 2022 Company 2021 2,342,943 1,719,588 348,910 432,124 70,511 4,914,076 1,420,624 1,226,231 277,503 327,012 54,061 3,305,430 2,066,066 - - 231,583 47,838 2,345,487 1,321,393 - - 142,103 37,003 1,500,499 The average monthly number of employees, including the directors, during the period was as follows: Staff Directors Total Share based payments Group 2022 52 11 63 Group 2021 42 9 51 Company 2022 30 8 38 Company 2021 17 8 25 The amount recognised in respect of share-based payments was £130,452 (2021: £58,692). The Group has established share option programmes that entitle certain employees to purchase shares in the Group. There are no performance conditions attaching to these options. No options were exercised in 2022 (5,840 in 2021). Total options issued as at 31 December 2022 amount to 2,278,653 (2021: 2,348,653). The share options have been valued using a binomial model applying the following inputs: • Exercise price – equal to the share price at grant date, • Vesting date – all options vest in three tranches, on the first, second and third anniversary from the grant date; • Expiry/Exercise date – 10 years from the grant date; • Volatility (sigma) – 40%. This has been calculated based on the historic volatility of the Company’s share price. • Risk free rate – yield on a zero coupon government security at each grant date with a life congruent with the expected option life; • Dividend yield – 0%, • Future staff turnover – 0%. We have however adjusted the P+L charge for the current year (and future years) to account for lapsed options due to Leavers; and • Performance conditions – none 80 CROSSWORD CYBERSECURITY PLC Annual Report and Accounts 2022 Reconciliation of share options – Company 1st January Granted during the period Lapsed during the period Exercised during the period End of the period Weighted average exercise price 2022 2,348,653 10,000 (85,000) - 2,273,653 2022 0.36 0.33 0.34 - 0.36 Weighted average exercise price 2021 2,065,730 352,923 (64,160) (5,840) 2,348,653 2021 0.36 0.36 0.36 0.28 0.36 The weighted average share Price at the exercise date was £0.36. The range of exercise prices is from £0.05 to £0.55. The weighted average remaining life of the options was 6.5 years (2021: 6.5 years). 5 DIRECTORS’ REMUNERATION The remuneration of the Directors who served in the current year was as follows: 2022 Executive Directors Tom Ilube Mary Dowd* Non-Executive Directors Sir Richard Dearlove Ruth Anderson Andy Gueritz Dr David Secher Robert Coles Tara Cemlyn-Jones Total Executive Directors Tom Ilube Mary Dowd* Non-Executive Directors Sir Richard Dearlove Ruth Anderson Andy Gueritz Gordon Matthew Dr David Secher Prof David Stupples Robert Coles Tara Cemlyn-Jones Total Basic Salary and Fees £ 130,000 140,000 25,000 12,000 16,000 16,000 12,000 12,000 363,000 128,311 130,000 25,000 12,000 16,000 6,000 16,000 4,750 7,250 7,231 352,541 Taxable Benefits £ Employer’s Pension Contribution £ Total £ 3,926 2,216 1,321 10,000 135,247 162,216 Bonus £ 10,000 25,000 10,000 31,142 11,321 S T A T E M E N T S F I N A N C A L I 50,000 12,000 16,000 16,000 12,000 12,000 415,463 3,942 1,318 10,000 133,572 140,000 25,000 - 28,942 11,318 50,000 12,000 16,000 6,000 16,000 4,750 7,250 7,231 392,801 * Denotes highest paid director. In the year ended 31 December 2022, certain of the directors received remuneration (which is included in the amounts above) through payments by the Group to third parties as follows: £12,000 was paid to Cumberland House Consulting Ltd for the services of R Coles (2021: £7,250); £12,000 was paid to Caprica Nelson Ltd for the services of R Anderson (2021: £12,000); £16,000 was paid to Cambridge KT Ltd for the services of D Secher (2021: £16,000). www.crosswordcybersecurity.com 81 Consolidated Financial Statements CONTINUED Share Options issued Mary Dowd Sir Richard Dearlove Sir Richard Dearlove Year 2020 2020 2021 Share Options 25,000 94,340 70,423 Exercise Price £0.31 £0.27 £0.36 Total Value £2,903 £9,496 £25,000 In 2021 the Company implemented a Long Term Incentive Plan (LTIP) whereas awards have been made to the following executives - Mary Dowd, Stuart Jubb, Jake Holloway and Sean Arrowsmith. Each award is of nominal cost (£0.005) options to acquire up to 750,000 Crossword ordinary shares of 0.5p each which vest at the average mid-market price of the Ordinary Shares over the 20 trading days preceding the end of the performance period which ends on 30 September 2024. 25% of the options will vest if the Award Price is 50p, and 100% will vest if the Award Price is equal to or greater than 100p, with straight line vesting between 50p and 100p. 6 OTHER OPERATING INCOME Grant income 7 OTHER OPERATING EXPENSE Amortisation of intangible assets Depreciation of property, plant and equipment Depreciation of right-of-use assets 8 FINANCE COSTS Finance cost of loan notes Interest on deferred consideration Right to use assets Interest Other interest expense Group 2022 £ 39,814 39,814 Group 2022 £ 293,170 11,287 - 304,457 Group 2022 £ 272,400 115,766 - 7,596 395,762 Group 2021 £ 152,347 152,347 Group 2021 £ 37,881 8,072 58,171 104,124 Group 2021 £ 184,149 34,978 187 1,231 220,545 9 GAIN ON REMEASUREMENT OF FINANCIAL ASSETS AND LIABILITIES £ Gain on remeasurement of contingent consideration Gain on revaluation of investment in Cyberowl Group 2022 £ 170,283 - 170,283 Group 2021 £ - 456,803 456,803 82 CROSSWORD CYBERSECURITY PLC Annual Report and Accounts 2022 10 AUDITOR’S REMUNERATION The expenses for services rendered by the Group auditor present themselves as follows: £ Fees for the parent company individual and consolidated financial statements Fees for legal audit of subsidiary financial information 11 TAX £ Corporation tax on profits for the period R&D tax credit Deferred tax credit Total tax (credit) / expense * Restated (as per note 1.2) Group 2022 £ 41,400 24,050 65,450 Group 2021 £ 46,000 17,000 63,000 Group 2022 6,115 (753,288) (397,129) (1,144,302) Group 2021* 5,396 (206,380) (178,011) (378,995) There is no tax charge in respect of other comprehensive income. The deferred tax liability arising on fair value revaluation on acquisitions of Verifiable Credentials Ltd, Stega UK Ltd (both in 2021) and Threat Status Ltd (in 2022), as reflected in note 12, has been offset with a deferred tax asset recognised in respect of losses brought forward from prior periods, resulting in deferred tax credit to the statement of comprehensive income. There is a deferred tax liability of £114,201 arising on the fair value uplift of £456,803 of the unlisted investment in CyberOwl Limited. This deferred tax liability has been offset by trading losses of the group. Corporation tax losses carried forward for offset against future year’s trading profits amount to approximately £8.5m (2021: £4.8m). S T A T E M E N T S F I N A N C A L I £ Loss before taxation Average rate of corporation tax Tax on loss Effects of: Expenses not deductible for tax purposes Additional deduction for R&D expenditure Adjustments in respect of prior period Tax rate changes / adjustments Deferred tax not recognised Total tax charge * Restated (as per note 1.2) Factors that may affect future tax changes Group 2022 4,566,852 19.00% (867,702) 116,084 (164,009) (354,777) (12,199) 138,301 (1,144,302) Group 2021* 2,652,619 19.00% (503,998) 24,578 (167,168) - 104,124 163,468 (378,995) On 24 May 2021 the Finance Bill was substantively enacted with the consequence that the main rate of corporation tax will increase from 19% to the rate of 25%, with effect from 1 April 2023, with a corresponding effect on deferred tax balances after that date. Polish Corporation Tax has been 19% until 1 January 2017, when Crossword started to benefit from the new small companies reduced rate of 15% adopted by the Parliament Act amendment to Polish CIT Law. www.crosswordcybersecurity.com 83 Consolidated Financial Statements CONTINUED 12 BUSINESS COMBINATIONS On 11 March 2022 the Group acquired 100% of the issued share capital of Threat Status Ltd (“TSL”), the threat intelligence company and provider of Trillion, the cloud-based software as a service platform for enterprise-level credential breach intelligence. The net consideration used in the acquisition of TSL and the provisional fair value of assets acquired and liabilities assumed on the acquisition date are detailed below: Intangible assets Tangible assets Deferred tax asset Non-current assets Trade and other receivables Cash and cash equivalents Current assets Deferred tax liability Non-current liabilities Trade and other payables Current liabilities Book value - 1,208 26,854 28,062 Adjustment 1,694,287 - - 1,694,287 Fair value 1,694,287 1,208 26,854 1,722,349 10,420 90,007 100,427 - - - 10,420 90,007 100,427 - - 423,572 423,572 423,572 423,572 57,784 57,784 - - 57,784 57,784 Total fair value of net assets acquired 70,706 1,270,715 1,341,420 Fair value of consideration Cash on completion Deferred consideration in cash Deferred consideration in shares Total consideration 500,915 343,339 497,166 1,341,420 Acquisition costs of £16,894 relating to this transaction have been recognised as part of administrative expenses in the statement of comprehensive income. Since the acquisition date, TSL has contributed £177,223 to group revenues and £127,483 to group result. If the acquisition had occurred on 1 January 2022, group revenue would have been £3,703,829 and group loss for the period would have been £3,229,407. The acquisitions help to implement the Group’s strategy to create a portfolio of subscription-based, enterprise-class products and services for its clients. 84 CROSSWORD CYBERSECURITY PLC Annual Report and Accounts 2022 13 INTANGIBLE ASSETS Software Development £ Cost b/f Acquired through business combinations Additions Accumulated Depreciation B/F Charge for the period C/d Net Book Value Group 2022 1,141,560 1,694,287 203,627 3,039,473 Group 2021 - 957,764 183,796 1,141,560 Company 2022 531,534 1,694,287 203,627 2,429,447 Company 2021 - - 531,534 531,534 37,881 293,170 331,051 - 37,881 37,881 9,931 222,310 232,241 - 9,931 9,931 2,708,422 1,103,679 2,197,206 521,603 Intangible assets comprise of 5 different software development projects with remaining useful life of approximate between 5 and 10 years each and the carrying amounts of £1,173,512, £810,244, £344,206, £255,491 and £124,970. The intangible assets have been evaluated to determine whether there are any indicators of impairment. Assessment of the recoverable value for Identiproof software has been based on calculating the net present value of the future cash flows. The cash flow projections are based on the most recent 3 year forecast extrapolated to 5 years with a growth rate for revenue of 20% and costs of 10%. The pre- tax discount rate used in the calculation was 24%. Please refer to note 15 for matters relating to impairment assessment for Nightingale product. S T A T E M E N T S F I N A N C A L I www.crosswordcybersecurity.com 85 Consolidated Financial Statements CONTINUED 14 TANGIBLE ASSETS Computers £ Cost b/f Additions Acquired through business combinations Accumulated Depreciation B/F Charge for the period Translation adjustments C/d Net Book Value Furniture and Fittings £ Cost b/f Additions Accumulated Depreciation B/F Charge for the period C/d Net Book Value Group 2022 31,845 48,971 1,207 82,023 26,385 11,287 (688) 36,984 Group 2021 24,675 - 7,170 31,845 21,124 4,924 337 26,385 45,039 5,460 Company 2022 Company 2021 - - - - - - Group 2022 15,157 Group 2021 15,157 Company 2022 15,157 Company 2021 15,157 15,157 15,157 15,157 15,157 15,157 - 15,157 12,009 3,148 15,157 15,157 - 15,157 12,009 3,148 15,157 - - - - 86 CROSSWORD CYBERSECURITY PLC Annual Report and Accounts 2022 Right of Use Assets £ Cost b/f Disposals Accumulated Depreciation B/F Charge for the period Translation adjustments Disposals C/d Net Book Value Total £ Cost b/f Additions/(disposals) Acquired through business combinations Accumulated Depreciation B/F Charge for the period Translation adjustments Disposals C/d Net Book Value Group 2022 - - - - - - - - - Group 2022 47,002 48,971 1,207 97,180 41,542 11,287 (688) - 52,141 Group 2021 344,058 (344,058) - 280,694 58,171 5,193 (344,058) - - Group 2021 383,890 (344,058) 7,170 47,002 313,826 66,243 5,530 (344,058) 41,542 Company 2022 - - - - - - - - - Company 2022 15,157 - - 15,157 Company 2021 231,935 (231,935) - 196,687 35,248 - (231,935) - - Company 2021 247,092 (231,935) - 15,157 15,157 - - - 15,157 208,696 38,396 - (231,935) 15,157 45,039 5,460 - - S T A T E M E N T S F I N A N C A L I www.crosswordcybersecurity.com 87 Consolidated Financial Statements CONTINUED 15 GOODWILL The goodwill arises on acquisition of Stega UK Ltd in 2021 and forms a part of Nightingale cash generating unit. The goodwill has been tested for impairment alongside Intangible asset of NBV of £255,491 allocated to the same unit. The recoverable amount has been determined by value in use calculation. The cash flow projections are based on the most recent 3 year forecast extrapolated to 5 years with a growth rate for revenue of 25% and costs between 10% and 15%, these are based primarily on past experience. The growth rate beyond 5 year period is assumed as a perpetuity at 10%. The pre-tax discount rate used in the calculation was 24%. £ Goodwill B/F Additions in the period C/F 16 UNLISTED INVESTMENTS £ Fair value at 1 January and 31 December Group 2022 Group 2021 875,277 - 875,277 - 875,277 875,277 Group 2022 456,834 Group 2021 456,834 Company 2022 456,834 Company 2021 456,834 The above Group investment represents Crossword Cybersecurity Plc’s 2022 – 3.1% (2021 - 4.4%) holding in CyberOwl Limited which was purchased on 18 April 2016. The investment value has not changed during the period and has been based on the values from the latest fundraise by CyberOwl in August 2022. 88 CROSSWORD CYBERSECURITY PLC Annual Report and Accounts 2022 17 INVESTMENT IN SUBSIDIARIES £ Cost b/f 1 January Acquired during the year Transfer to intangibles on hive up Reversal of contingent consideration Capital contribution Cost c/f 31 December Company 2022 Company 2021 458,164 1,088,740 - - 90,614 1,637,518 1,637,518 1,341,420 (1,270,715) (170,283) 111,205 1,649,145 The group’s subsidiary undertakings are listed below, including name, country of incorporation, and proportion of ownership interest: Name Crossword Consulting Limited Registered office 6th Floor, 60 Gracechurch Street, London EC3N 0HR United Kingdom Principal activity Cybersecurity services 2022 % 90 2021 % 90 Crossword Cybersecurity SP Z.o.o. Stega UK Ltd ul. Wiejska 12a, 00-490 Warszawa, Poland Cybersecurity services 100 100 6th Floor, 60 Gracechurch Street, London EC3N 0HR United Kingdom Cybersecurity services 100 100 Verifiable Credentials Ltd 6th Floor, 60 Gracechurch Street, London EC3N 0HR United Kingdom Cybersecurity services 100 100 Crossword Cybersecurity LLC PO Box 808, Alwattayah / Muttrah / Muscat Governorate, Postcode: 100, Oman Cybersecurity services 90 90 Threat Status Ltd 6th Floor, 60 Gracechurch Street, London EC3N 0HR United Kingdom Cybersecurity services 100 – S T A T E M E N T S F I N A N C A L I Verifiable Credentials Ltd, a company incorporated in England and Wales, registered No 11923813 and Threat Status Ltd, a company incorporated in England and Wales, registered No 10877044, are exempt from the requirements from the UK Companies Act relating to the audit of individual accounts by virtue of s479A of the Act. www.crosswordcybersecurity.com 89 Consolidated Financial Statements CONTINUED 18 TRADE AND OTHER RECEIVABLES £ Trade receivables Other receivables Prepayments Accrued income VAT Refund Intercompany receivables within one year Group 2022 1,110,697 524,721 239,066 133,883 69,683 - 2,078,050 Group 2021 509,576 254,451 149,309 140,708 12,033 - 1,066,076 Company 2022 505,451 445,603 183,160 23,383 46,421 714,507 1,918,525 Company 2021 192,975 247,274 105,101 131,025 - 162,247 838,622 All of the above amounts are considered to be due within one year. The maximum exposure to credit risk at the reporting date is the carrying value as above and the cash and cash equivalents and none are either past or impaired. Of the above amounts held within the Group, £32,735 is denominated in Polish Zloty with the remainder in GBP (2021: £18,419). Foreign exchange risk is currently minimal as balances in Polish Zloty are between the parent and its wholly owned subsidiary. 19 TRADE AND OTHER PAYABLES £ Trade payables Employment taxes and VAT payable Accruals Deferred income Deferred consideration Other payables Group 2022 659,282 306,168 434,705 460,853 568,146 27,629 2,456,783 Group 2021 331,043 242,642 226,623 331,198 261,606 20,546 1,413,658 Company 2022 1,025,828 69,300 187,197 279,125 568,146 17,179 2,146,775 Company 2021 459,753 56,790 164,284 94,333 261,606 13,194 1,049,960 All of the above amounts are considered to be due within one year. The deferred income relates to contract liabilities arising from contracts with customers. Of the Trade and Other Payables amounts held within the Group, £83,965 (2021: £57,836) is denominated in Polish Zloty with the remainder in GBP. 20 OTHER CURRENT LIABILITIES £ Convertible loan notes Bank loan Group 2022 - 17,000 17,000 Group 2021 1,351,471 17,167 1,368,638 Company 2022 - - - Company 2021 1,351,471 - 1,351,471 90 CROSSWORD CYBERSECURITY PLC Annual Report and Accounts 2022 21 OTHER NON-CURRENT LIABILITIES £ Deferred consideration Contingent consideration Deferred grant income 22 SHARE CAPITAL Allotted called up and fully paid Number of shares (all ordinary shares £0.005 each) B/f Shares Issued in period C/d Group 2022 492,151 - 132,692 624,843 Group 2021 111,900 180,652 132,693 425,245 Company 2022 492,151 - - 492,151 Company 2021 111,900 180,652 - 292,552 2022 74,957,150 17,446,565 92,403,715 2021 51,320,900 23,636,250 74,957,150 The shares issued in the period were ordinary shares of £0.005 at a premium of £3,563,151 (2021: £6,452,830). All shares carry the same voting and capital distribution rights. £ Share Capital Cost b/f Shares Issued in period Share Premium B/F Shares Issued in period C/d 23 LOSS PER SHARE 2022 2021 374,786 87,233 462,019 256,605 118,181 374,786 14,971,221 3,563,151 18,534,372 8,518,391 6,452,830 14,971,221 S T A T E M E N T S F I N A N C A L I Earnings per share is calculated by dividing the loss for the period attributable to ordinary equity shareholders of the parent by the weighted average number of ordinary shares outstanding during the year. During the year the calculation for basic loss per share was based on the loss for the year attributable to owners of the parent of £3,408,149 (2021: £2,229,296) divided by the weighted average number of ordinary shares of 80,022,937 (2021: 64,491,462). 24 RESERVES The following describes the nature and purpose of each reserve within owners’ equity: Reserve Share capital Share premium Convertible debt reserve Equity reserve Retained earnings Translation of foreign operations Description and purpose This represents the nominal value of shares issued Amount subscribed for share capital less any issue costs more than nominal value The residual amount after deducting from the fair value of the convertible loan notes the liability component Represents amounts charged on share options that have been granted to employees Cumulative net gains and losses recognised in the consolidated statement of comprehensive income Is the difference that arises due to consolidation of foreign subsidiaries using an average rate during the period and a closing rate for the period end statement of financial position www.crosswordcybersecurity.com 91 Consolidated Financial Statements CONTINUED 25 FINANCIAL INSTRUMENTS £ Current Financial Assets Financial assets measured at amortised cost Trade and other receivables Cash and cash equivalents Non-Current Financial Assets Financial assets measured at amortised cost Loan to subsidiary Financial assets measured at fair value through profit or loss Financial investments Group 2022 Group 2021 Company 2022 Company 2021 1,769,301 2,077,771 904,735 3,373,062 1,688,943 1,746,530 733,521 3,106,817 - - 1,067,185 918,206 456,834 4,303,906 456,834 4,734,631 456,834 4,959,493 456,834 5,215,378 The financial investments comprise of investment in CyberOwl Ltd, which has been valued on the basis of valuation per share at as March 2022 during the investment round, multiplied by the number of shares the Company owns in it. This methodology of determining a fair value equates to a level 2 assessment based on observed transactions of share price in recent transactions in the entity’s equity. £ Current Financial Liabilities Financial liabilities measured at amortised cost Trade and other payables Loans Convertible loan notes Non-Current Financial Liabilities Financial liabilities measured at amortised cost Loans Convertible loan notes Non-current deferred consideration Financial liabilities measured at fair value through profit or loss Non-current contingent consideration Group 2022 Group 2021 Company 2022 Company 2021 1,689,761 17,000 - 839,818 17,167 1,351,471 1,798,351 - - 898,836 - 1,351,471 51,000 1,329,678 492,151 68,000 - 111,900 - 1,329,678 492,151 - - 111,900 - 180,652 - 180,652 3,579,590 2,569,008 3,620,180 2,542,858 In relation to the loan there was a fair value revaluation of £195,685 (2021: £nil) recorded in Convertible debt reserve arising from the loan notes being initially measured at fair value and subsequently measured at amortised cost. During the year, the management changed its estimate that Stega would achieve its revenue target for the period between 12 and 18 months from the date of acquisition and concluded that this will be very unlikely. Therefore, contingent consideration, recorded as part of acquisition accounting for Stega, has been reversed via Income Statement in full. Reconciliation of Level 3 fair value measurements of financial liabilities: £ B/f Unwinding of discount Reversed C/d 92 CROSSWORD CYBERSECURITY PLC Annual Report and Accounts 2022 Contingent consideration 180,652 (10,369) (170,283) - 26 FINANCIAL INSTRUMENTS – RISK The Group could be exposed to risks that arise from its use of financial instruments. Risks in relation to financial assets include: Market risk Market risk covers foreign exchange risk, price risk and interest rate risk. As the majority of the Group’s transactions are either in Sterling or in Polish Zloty the Group considers its exposure to foreign exchange risk to be minimal. There are no derivatives and hedging instruments. The Group is not exposed to price risk given that no securities are held under financial assets. The Group is not exposed to interest rate or cash flow risk due to the fact that the Group has no borrowing or complex financial instruments. Credit risk Credit risk is considered to be the risk of financial loss incurred by the Group in the event that a customer or counterparty to an asset fails to meet contractual obligations. The Group has adopted a policy of only dealing with credit worthy counterparties. The Group’s maximum credit exposure at the reporting date is represented by the carrying value of its financial assets. The Group’s financial instruments do not represent a concentration of credit risk since the Group deals with a variety of counterparties. Financial Assets £ Cash and cash equivalents Trade and other receivables Loan to subsidiary Financial investments Total Liquidity risk £ Trade payables Accruals Deferred consideration Contingent consideration Other Payables Loans Convertible loan notes Total Group 2022 2,077,771 1,769,301 - 456,834 4,303,906 Group 2021 3,373,062 904,735 - 456,834 4,734,631 Company 2022 1,746,530 1,688,943 1,067,185 456,834 4,959,492 Company 2021 3,106,817 733,521 918,206 456,834 5,215,378 S T A T E M E N T S F I N A N C A L I 2022 2021 due <1 year 659,282 434,705 568,146 - 27,629 17,000 - 1,706,762 due 1–2 years - - 492,151 - - 51,000 1,329,678 543,150 due <1 year 331,043 226,623 261,606 - 20,546 17,167 1,351,471 2,208,456 due 1–2 years - - 111,900 180,652 - 68,000 - 360,552 www.crosswordcybersecurity.com 93 Consolidated Financial Statements CONTINUED 27 CAPITAL MANAGEMENT The Group considers its capital to comprise of its equity share capital, share premium, foreign exchange reserve, share options reserve and capital redemption reserve, less its accumulated losses. Quantitative detail is shown in the consolidated statement of changes in equity. The directors’ objective when managing capital is to safeguard the Group’s ability to continue as a going concern in order to provide returns for the shareholder and benefits for other stakeholders and to maintain an optimal capital structure to reduce the cost of capital. The directors monitor a number of KPIs at both the Group and individual subsidiary level on a monthly basis. As part of the budgetary process, targets are set with respect to operating expenses in order to effectively manage the activities of the Group. Performance is reviewed on a regular basis and appropriate actions are taken as required. These internal measures indicate the performance of the business against budget/forecast and to confirm that the Group has adequate resources to meet its working capital requirements. 28 PENSIONS Employer contributions to the Group defined contribution pension scheme for employees in the United Kingdom were £70,695 (2021: £46,509). A defined contribution scheme is a pension plan under which the Group pays fixed contributions into a separate entity. Contributions payable to the Group’s pension scheme are charged to the income statement in the year to which they relate. The Group has no further payment obligations once the contributions have been paid. In Poland, the Group pays the statutory employer’s contribution into the public pension scheme for each employee, but does not operate any pension schemes. 29 RELATED PARTY TRANSACTIONS 2022 Services received from £ Services supplied to £ Balance trade payable to £ Balance trade receivable from £ Intercompany loan receivable from £ 2021 Services received from £ Services supplied to £ Balance trade payable to £ Balance trade receivable from £ Intercompany loan receivable from £ Crossword Consulting Limited 102,877 - - 143,779 1,178,367 Crossword Cybersecurity SP Z.o.o 746,355 - 284,420 - - Stega UK Limited" 42,000 - - 156,870 88,818 274,099 - 150,311 165,757 918,207 580,704 - 102,067 - - 7,000 - 4,200 - - Cumberland House Consulting Limited - 318,800 - 54,235 - - - - - Verifiable Credentials Limited - - - 1,385 - - - - 10,736 - Tom Ilube, CEO, had made a loan of £250,000 to the Company on the same terms as the other Lenders as described in note 30. This loan was repaid in December 2022. The Company has a related party relationship with its key management who are the Executives: Tom Ilube, Mary Dowd, Jake Holloway, Sean Arrowsmith and Stuart Jubb, whose total compensation amounted to £796,444 (2021: £793,233). 94 CROSSWORD CYBERSECURITY PLC Annual Report and Accounts 2022 30 CONVERTIBLE LOAN NOTES The following table explains movements in the undiscounted Convertible Loan Notes in the year: £ B/f 2022 Expired in the period Extended loans Increased loan amounts Additional loans issued in the period C/d 2022 Convertible Loan Notes 1,400,000 (1,400,000) 700,000 150,000 650,000 1,500,000 The discounted amount of the Convertible Loan Notes at the year end was £1,329,678. The equity component of the Convertible Loan Notes at the date of issue was £195,685. Repayment of the loan notes is at the end of the term, in cash, save that each lender may opt to convert part or all of their loan into Ordinary Shares at £0.252. On repayment of the loans in cash, each lender will be issued warrants valid for three months to subscribe for Ordinary Shares representing 10% of the value of the loan at £0.252. The loan from Tom Ilube, CEO, for an amount of £250,000 was repaid in December 2022. 31 CONTROLLING PARTY The Company does not have a controlling party. 32 SUBSEQUENT EVENTS There are no events after the reporting date to be disclosed. S T A T E M E N T S F I N A N C A L I www.crosswordcybersecurity.com 95 Notice of AGM Notice is hereby given that the Annual General Meeting of Crossword Cybersecurity plc (the “Company”) will be held at the offices of Shakespeare Martineau LLP, 6th Floor, 60 Gracechurch Street, London EC3V 0HR on Monday 22nd May 2023 at 11.00 am to consider, and if thought fit, to pass the following resolutions, of which 1 to 5 will be proposed as Ordinary Resolutions and resolution 6 will be proposed as a Special Resolution: Ordinary Business 1. To receive and adopt the report of the directors and the financial statements for the year ended 31 December 2022 and the report of the auditors thereon. 2. To re-elect, as a director of the Company, Sir Richard Dearlove who retires in accordance with Article 93.2 of the Company’s Articles of Association and offers himself for re-election. 3. To re-elect, as a director of the Company, Dr David Secher who retires in accordance with Article 93.2 of the Company’s Articles of Association and offers himself for re-election. 4. To re-appoint MHA MacIntyre Hudson LLP as auditors of the Company and to authorise the directors to determine the auditor’s remuneration. Special Business 5. THAT the Directors be and they are hereby generally and unconditionally authorised pursuant to Section 551 of the Companies Act 2006 (“the Act”), in substitution for all previous powers granted to them, to exercise all the powers of the Company to allot and make offers to allot relevant securities (within the meaning of the Act) up to an aggregate nominal amount of £46,858.82 such authority shall, unless previously revoked or varied by the Company in general meeting, expire on the conclusion of the Annual General Meeting of the Company to be held in 2024 provided that the Company may, at any time before such expiry, make an offer or enter into an agreement which would or might require relevant securities to be allotted after such expiry and the Directors may allot relevant securities pursuant to any such offer or agreement as if the authority conferred hereby had not expired. 6. THAT, subject to and conditional upon the passing of Resolution 5 the Directors be and they are hereby authorised pursuant to Section 570 of the Act to allot equity securities (as defined in Section 560 of the Act) for cash pursuant to the authority conferred by resolution 5 above as if Section 561(1) of the Act did not apply to any such allotment, provided that this power shall be limited to: (a) the allotment of equity securities in connection with an issue in favour of shareholders where the equity securities respectively attributable to the interests of all such shareholders are proportionate (or as nearly as may be practicable) to the respective number of Ordinary Shares in the capital of the Company held by them on the record date for such allotment, but subject to such exclusions or other arrangements as the Directors may deem necessary or expedient in relation to fractional entitlements or legal or practical problems under the laws of, or the requirements of, any recognised regulatory body or any stock exchange, in any territory; (b) the allotment of equity securities arising from the exercise of options or the conversion of any other convertible securities outstanding at the date of this resolution; and (c) the allotment (otherwise than pursuant to sub-paragraph (a) and (b) above) of further equity securities up to an aggregate nominal amount of £46,858.82 provided that this power shall, unless previously revoked or varied by special resolution of the Company in general meeting, expire at the conclusion of the Annual General Meeting of the Company to be held in 2024. The Company may, before such expiry, make offers or agreements which would or might require equity securities to be allotted after such expiry and the Directors are hereby empowered to allot equity securities in pursuance of such offers or agreements as if the power conferred hereby had not expired. BY ORDER OF THE BOARD B HARBER Company Secretary 18 April 2023 96 CROSSWORD CYBERSECURITY PLC Annual Report and Accounts 2022 Notes 1. Members are entitled to appoint a proxy to exercise all or any of their rights to attend and to speak and vote on their behalf at the meeting. A proxy need not be a shareholder of the Company. You can register your vote(s) for the Annual General Meeting either: • by logging on to www.shareregistrars.uk.com, clicking on the “Proxy Vote” button and then following the on-screen instructions; • by post or by hand to Share Registrars Limited, 3 The Millennium Centre, Crosby Way, Farnham, Surrey GU9 7XX using the proxy form accompanying this notice; • in the case of CREST members, by utilising the CREST electronic proxy appointment service in accordance with the procedures set out in note 5 below. 2. In order for a proxy appointment to be valid the proxy must be received by Share Registrars Limited by Thursday 18th May 2023 at 11am. 3. Any member entitled to attend and vote at the meeting may appoint one or more proxies to attend and, on a poll, vote instead of him. A proxy need not also be a member. 4. The completion and return of a form of proxy will not preclude a member from attending in person at the meeting and voting should he wish to do so. 5. CREST members may appoint a proxy through CREST by using the procedures described in the CREST Manual (available via www.euroclear.com/CREST). CREST personal members or other CREST sponsored members and those CREST members who have appointed a voting service provider should refer to their CREST sponsor or voting service provider, who will be able to take the appropriate action on their behalf. In order for a proxy appointment or instruction made using the CREST service to be valid, the appropriate CREST message (“a CREST proxy instruction”) must be properly authenticated in accordance with Euroclear UK & Ireland Limited’s specifications and must contain the information required for such instructions, as described in the CREST Manual. All messages relating to the appointment of a proxy or an instruction to a previously appointed proxy must be transmitted so that they are received by Share Registrars Limited (ID 7RA36) by Thursday 18th May 2023 at 11am (or, if the meeting is adjourned, the time that is 48 hours (excluding non- working days) before the time fixed for the adjourned meeting). For this purpose, the time of receipt will be taken to be the time (as determined by the time stamp applied to the message by the CREST Applications Host) from which the issuer’s agent is able to retrieve the message by enquiry to CREST in the manner prescribed by CREST. Any change of instructions to proxies appointed through CREST should be communicated to the appointee through other means. CREST members and, where applicable, their CREST sponsors or voting service providers should note that Euroclear UK & Ireland Limited does not make available special procedures in CREST for any particular message. Normal system timings and limitations will, therefore, apply in relation to the input of CREST proxy instructions. It is therefore the responsibility of the CREST member concerned to take (or procure the taking of) such action as shall be necessary to ensure that a message is transmitted by means of the CREST system by any particular time. In this connection, CREST members and, where applicable, their CREST sponsors or voting service providers are referred, in particular, to those sections of the CREST Manual concerning practical limitations of the CREST system and timings. The Company may treat a CREST Proxy Instruction as invalid in the circumstances set out in Regulation 35(5)(a) of the Uncertificated Securities Regulations 2001. 6. The Company has specified that only those members entered on the register of members at 11am on Thursday 18th May 2023 shall be entitled to vote at the meeting in respect of the number of ordinary shares of £0.05 each in the capital of the Company held in their name at that time. Changes to the register after Thursday 18th May 2023 at 11am shall be disregarded in determining the rights of any person to attend and vote at the meeting. 7. Resolutions 2 and 3 – Article 93.2 of the Company’s Articles of Association require that a director of the Company who held office at the time of the two preceding annual general meetings and who did not retire at either of them must offer themselves for re-election at the next Annual General Meeting. This year Sir Richard Dearlove and Dr David Secher are offering themselves for re-election. 8. Resolution 5 – As required by the Act, this resolution, to be proposed as an Ordinary Resolution, relates to the grant to the Directors of authority to allot unissued Ordinary Shares until the conclusion of the Annual General Meeting to be held in 2024, unless the authority is renewed or revoked prior to such time. If approved, this authority is limited to a maximum of 9,371,764 Ordinary Shares. This represents one-third of the issued share capital of the Company. S T A T E M E N T S F I N A N C A L I www.crosswordcybersecurity.com 97 Notice of AGM CONTINUED 9. Resolution 6 – The Act requires that if the Directors decide to allot unissued Ordinary Shares in the Company the shares proposed to be issued be first offered to existing shareholders in proportion to their existing holdings. This is known as shareholders’ pre-emption rights. However, to act in the best interests of the Company the Directors may require flexibility to allot shares for cash without regard to the provisions of Section 561(1) of the Act. Therefore this resolution, to be proposed as a Special Resolution, seeks authority to enable the Directors to allot equity securities up to a maximum of 9,371,764 Ordinary Shares. This authority expires at the conclusion of the Annual General Meeting to be held in 2024 and represents 10% of the issued share capital. 98 CROSSWORD CYBERSECURITY PLC Annual Report and Accounts 2022 Company Information DIRECTORS Sir Richard Dearlove (Chair) T Ilube (CEO) Dr D Secher A Gueritz R Anderson M Dowd Dr R Coles T Cemlyn Jones REGISTERED NUMBER 08927013 REGISTERED OFFICE 60 Gracechurch Street London EC3V 0HR INDEPENDENT AUDITOR MHA MacIntryre Hudson Chartered Accountants & Statutory Auditors 6th Floor 2 London Wall Place London EC2Y 5AU NOMAD Grant Thornton LLP 30 Finsbury Square London EC2P 2YU CORPORATE BROKER Hybridan LLP 1 Poultry London EC2R 8EJ PUBLIC RELATIONS ADVISER Kinlan Communications 2-4 Exmoor Street London W10 6BD S T A T E M E N T S F I N A N C A L I www.crosswordcybersecurity.com 99 Crossword Cybersecurity plc 60 Gracechurch Street, London EC3V 0HR e: info@crosswordcybersecurity.com twitter: @crosswordcyber t: +44 (0) 203 953 8466

Continue reading text version or see original annual report in PDF format above