REDUCING CYBER  
RISK GLOBALLY 

Annual Report and Accounts 2022
for the year ended 31 December 2022

Contents

Strategic Report
•  Financial Highlights
•  About Crossword Cybersecurity
•  Chair’s Statement
•  Chief Executive Officer’s Statement
•  Performance Review
•  Operational Review
•  Section 172(1) Statement
•  Corporate Social Responsibility
•  Principal Risks & Uncertainties

Governance Report
•  The Board
•  Corporate Governance Report
•  Directors’ Report & Statement of Directors’ Responsibilities

Financial Statements
•  Independent Auditor’s Report
•  Consolidated Statement of Comprehensive Income
•  Statement of Financial Position
•  Statement of Changes in Equity
•  Statement of Cash Flows
•  Notes to the Financial Information

Notice of AGM

Company Information

About Crossword Cybersecurity plc  

Crossword offers a range of cyber security 
solutions to help companies understand 
and reduce cyber security risk. We do 
this through a combination of people and 
technology, in the form of SaaS and software 
products, consulting, and managed services.  
Crossword’s areas of emphasis are cyber 
security strategy and risk, supply chain 
cyber, threat detection and response, and 
digital identity. 

We partner with organisations to keep them secure in the 
digital world, reducing cyber risks by providing a portfolio of 
innovative products and services, powered by university and 
other research driven insights. In the area of cybersecurity 
strategy and risk our consulting services include cyber 
maturity assessments, industry certifications, and virtual chief 
information security officer (vCISO) managed services. 

Crossword’s end-to-end supply chain cyber standard 
operating model (SCC SOM) is supported by our industry 
leading SaaS platform, Rizikon Assurance, along with cost-
effective cyber audits, security testing services and complete 
managed services for supply chain cyber risk management. 
Threat detection and response services include our 
Nightingale AI-based network monitoring, our Trillion™ and 
Arc breached credentials tracking platforms, and incident 
response. Crossword’s work in digital identity is based on 
the World Wide Web Consortium W3C verifiable credentials 
standard and our current solution, Identiproof, enables secure 
digital verification of individuals to prevent fraud. 

Crossword serves medium and large clients including FTSE 
100, FTSE 250 and S&P listed companies in various sectors, 
such as defence, insurance, investment and retail banks, 
private equity, education, technology and manufacturing and 
has offices in the UK, Poland, Oman and Singapore. Crossword 
is traded on the AIM market of the London Stock Exchange.

Visit Crossword at www.crosswordcybersecurity.com


Building a portfolio of 
cyber security products 
and services with 
recurring revenue  
models 

www.crosswordcybersecurity.com


 
 
 
Highlights

Financial Highlights

•  68% revenue growth to £3.65m

•  55% organic revenue growth

•  81% growth in ARR in 2022

•  54% recurring revenue in 2022

•  Average revenue per client up 40% year on year

•  Consulting gross profit margin improved as proportion of larger
  clients increased

•  Oversubscribed £3.6m equity fund raise in September 2022

•  Total loss for the year £3.4m

•  £2.1m cash and cash equivalents at year end

Operational Highlights

•  Rizikon grew to over 1,000 users by end 2022

•  Leonardo UK selected Rizikon to assist with
  assessment of supply chain cyber risks,
  underlining Rizikon’s capacity to deliver at scale

•  Acquisition of Threat Status Limited, adding two
  new products: Trillion™ (credential breach SaaS
  platform) and Arc (account protection for
  e-commerce platforms and organisations)

•  Size of sales deals being secured by Trillion
  increased significantly compared to before its
  acquisition by Crossword in March 2022

•  Consulting increased its cross selling drive,
  selling services into numerous Rizikon clients and
  successfully introducing Nightingale to numerous
  Consulting clients

•  Integration of Arc into Sticky Password, one of the
  industry’s most well-established secure password
  vaults

•  Opened an office in Singapore to support the 24/7
  monitoring services provided by Nightingale.

•  Launch of specialist Supply Chain Cyber Risk
  practice, with Rizikon wrapped in a full-service
  consulting offer


CROSSWORD CYBERSECURITY PLC  Annual Report and Accounts 2022

 
 

•  Oman Data Park (ODP) signed a strategic 
  cooperation agreement to provide cyber security 
  risk services to over 800 government, corporate 
  and SME organisations and enhance the 
  protection of the cyber security structure of 
  sensitive information in Oman

•  Crossword’s employees grew to 63 during 2022, 
  up from 51 in 2021, representing a 24% increase

Post Period Highlights

•  Launch of Ransomware Readiness Assessment
  service in March 2023, helping organisations
  reduce their exposure to ransomware attacks

Outlook

•  Targeting revenue growth of circa 50% in 2023

•  Having invested significantly for rapid growth
  in 2022, focus in 2023 is on a clear path
  to profitability

•  Increased emphasis on targeting larger clients
  that can make full use of Crossword’s range
  of products and services


 
 
Crossword Cybersecurity keeps 
organisations secure in the digital 
world through a combination of 
software products and expert-led 
cybersecurity consulting and services

Since admission to AIM in 2018, Crossword has grown 
revenues almost three-fold from £1.3 million (excluding 
discontinued operations) in 2019 to £3.65 million in 2022, 
through a combination of organic growth and acquisitions. 

Crossword’s services  

Crossword’s services have gained a strong reputation in the 
market thanks to a deep expertise in cyber security and a 
hands-on approach. Crossword’s full-service consulting team 
provides strategy, assessment and risk management services. 
The constantly evolving nature and increasing number of 
cyberattacks means that demand for our consulting services 
keeps growing strongly. Our May 2022 report “Strategy and 
collaboration: a better way forward for effective cybersecurity” 
showed that over 40% of respondents believed their existing 
cyber strategy will be outdated in two years, and a further 
37% in three years. This dynamic creates growing demand for 
the expert consulting that Crossword provides.

Crossword’s products  

Crossword’s products are driven by research from some 
of the UK’s leading universities and other research-driven 
insights. Crossword has developed strong and extensive 
research and development relationships with many UK 
university academic centres of excellence in cyber security. 
Crossword offers a portfolio of cyber security software 
products, having successfully integrated three acquisitions 
since its admission to AIM. Crossword’s products serve some 
of the fastest growing sectors in cyber security, including 
supply chain risks, threat intelligence and credentials 
breaches.

Cyber security industry drivers  

Several inter-connected factors are driving the growth in cyber 
security software and services. 

•  Increasing use of cyber-attacks by nation states against
  each other as a result of a significant intensification in
  geopolitical confrontation;

•  Increased interconnectivity of networks and trust domains;

•  Increased proliferation and commercial availability of
  cyber capabilities;

•  Increasing number of devices, including from operational
  technology and internet of things, and interactions drives
  growth in attack opportunities;

•  Increase in remote working (accelerated by the pandemic)
  and resultant movement of data to the cloud;

•  Increased dependency on third party suppliers of managed
  services;

•  Commoditisation of higher-end cyber capabilities, lowering
  the barrier to entry for cyberthreat actors.

With 39% of UK businesses experiencing a cyber-attack in 
2022, according to the UK’s National Cyber Security Centre 
(NCSC), the constantly increasing number and growing 
sophistication of cyberattacks means that spending on 
cyber security defence is a key priority for business and 
governments. As a result, Gartner predicts end-user spending 
for the information security and risk management market 
will grow from $172.5 billion in 2022 to $267.3 billion in 2026, 
attaining a compound annual growth rate (CAGR) of 11%, with 
84% of C-level executives agreeing that cyber resilience is a 
business priority for their organisations in 2022, according to 
the WEF Global Cybersecurity Outlook Report 2022. 

The UK is home to the largest, most concentrated and 
accessible cyber security market in Europe, worth over £10bn, 
growing 14% in 2021 and representing twice the growth on the 
previous year. The UK’s reputation as a centre of cyber security 
excellence means it is the third largest exporter of cyber 
security services globally, worth £4.2bn in 2020, as reported 
in the UK Cyber Security Sector Analysis commissioned 
by the UK Government’s Department for Digital, Culture, 
Media & Sport. As one of the UK’s leading cyber security 
commercialisation specialists, Crossword is well positioned to 
benefit from sector growth, both in the UK and internationally. 

The above cyber security industry drivers, combined with a 
strong set of products and services, mean that Crossword is 
well positioned to keep growing strongly.


Chair’s statement 

Sir Richard Dearlove KCMG OBE  
Chair, Crossword Cybersecurity


Growth accelerates rapidly in 2022 

Crossword continued to build a strong and stable business, 
backed by our strategy of building a significant intellectual 
property-based, AIM quoted cyber security business.

Crossword recorded impressive revenue growth of 68% 
in 2022. The Company completed its third acquisition and 
continued to reap the benefits of successfully integrating 
previous acquisitions, with annual recurring revenue growing 
by 81%. Rizikon ended 2022 with over 1,000 organisations 
using the platform and our blue chip cyber security consulting 
team is growing its client base with major FTSE and Fortune 
clients.

Our focus now is to drive to profitability, underpinned by 
targeting healthy revenue growth of over 50% in 2023.

Further progress with our acquisition 
strategy

Crossword continued to build on its acquisition strategy in 
2022 with the successful acquisition of Threat Status Ltd., 
a threat intelligence company. This added two additional 
products to the Crossword portfolio, Trillion™ and Arc. Arc is 
a similar product to Nixer, so post-acquisition, management 
took the decision to merge the two products, under the Arc 
product brand.

Later in the year, in line with its stated acquisition strategy, 
Crossword tested a further acquisition opportunity and 
decided it would not be in the interests of the company to 
proceed at that time. This exploratory approach signals the 
scale of Crossword’s ambition to build a scaled up, profitable 
cyber security company.

A strong balance sheet and robust 
governance 

To ensure that we had the funds to progress with our 
rapid growth, Crossword issued an additional £550k of
Convertible Loan Notes in July 2022 and carried out a £3.6m 
oversubscribed equity fund raise in September 2022. We are 
very pleased that our shareholders continue to see the growth 
opportunities for Crossword and we would like to thank them 
for their commitment.

To ensure that we maintain a robust framework of controls 
and high standards, the Board continues to adhere to the 
Quoted Companies Alliance (“QCA”) Corporate Governance 
Code (the “QCA Code”) in line with the London Stock 
Exchange’s requirement for all AIM quoted companies to 
adopt a recognised corporate governance code. The Corporate 
Governance Statement on page 38 of this report provides 
further details.

Continued healthy growth with a clear 
path to profitability

Having invested significantly in 2022 to achieve impressive 
growth of nearly 68% over the past year, Crossword has now 
shifted its focus to defining a clear path to profitability. This 
is backed by strong current momentum, which aims to grow 
revenue in the region of 50% in 2023.

I am very proud of what our expert team has achieved over 
the past year and I would like to acknowledge them all. 
Crossword has a very strong culture and its core values of 
responsibility, openness, flexibility and learning underpin 
everything we do and are a source of particular strength that 
we will leverage to grow into a strong, stable and profitable 
business.

Sir Richard Dearlove KCMG OBE  
Chair, Crossword Cybersecurity 
18 April 2023


 
Chief Executive Officer’s review 

Tom Ilube 
Chief Executive Officer  
Crossword Cybersecurity

It is my pleasure, as Chief Executive Officer, to present 
the Annual Report and audited accounts for Crossword 
Cybersecurity Plc (‘Crossword’ or the ‘Company’ or the 
‘Group’) for the financial year ended 31 December 2022.

Crossword grew revenue by a very impressive 68% to reach 
£3.65m in 2022, its highest growth rate since admission to AIM 
in 2018. This proves that Crossword’s services and products 
have achieved real traction with a wide range of clients. With 
this momentum, we expect to see our growth rate continue 
strongly into 2023, whilst we drive towards profitability, which 
is our main priority now.

We were particularly pleased to see annual recurring revenue 
increase by 81% over the prior year and reach £2.4m. Whilst 
acquisitions naturally contributed to this strong growth in 
revenues, Crossword also recorded 55% growth in organic 
revenues.

The constantly increasing number and the growing 
sophistication of cyberattacks means that spending on 
cyber security defence is a key priority for business and 
governments. In 2021, the average number of cyberattacks 
and data breaches increased by 15.1 per cent. from the 
previous year. Over the next two years, security executives 
from over 1,200 companies polled by ThoughtLab in its 2022 
cybersecurity benchmarking study see a rise in attacks 
from social engineering and ransomware as nation-states 
and cybercriminals grow more sophisticated. As a result, 
“Cybersecurity failure” was ranked as a top-five risk over 
the next two years in East Asia and the Pacific as well as in 
Europe in the World Economic Forum’s 2022 Global Risks 
Report, while four countries, namely Australia, Great Britain, 
Ireland and New Zealand ranked it as the number one risk. 
Many small, highly digitalized economies such as Denmark,
Israel, Japan, Taiwan (China), Singapore and the United Arab
Emirates also ranked the risk as a top-five concern.

With the ever increasing cybersecurity market, in 2022 we 
made it our mission to achieve critical mass by investing for 
growth. The executive team wanted to accelerate Crossword’s 
growth aiming to achieve real momentum that would carry us 
into 2023 and beyond. We also made the decision to continue 
with our acquisition strategy and we succeeded in closing 
another excellent transaction by securing Threat Status 
Limited. Threat Status brought two excellent products into 
Crossword’s portfolio, Trillion™ and Arc. Both products deliver 
recurring revenue to the business and brought a range of 
new clients to Crossword. Trillion™ is a data breach platform 
that contains billions of carefully curated and continuously 
updated credentials that organisations can search to check 
the status of their usernames and passwords. Arc makes this 
same vast pool of information available in a different form to 
product websites to protect against credential attacks. Due to 
Arc’s overlap with our existing product, Nixer, we made the 
decision to merge the two products, under the product brand 
name of Arc.

Rizikon, Crossword’s lead product, ended 2022 with more 
than 1,000 organisations using the freemium version, trialling 
or contracted to use the product. In June we launched a new 
service, Supply Chain Cyber, with Rizikon at its heart wrapped 
in a full-service consulting offer. We are developing new 
leading edge modules for Rizikon and are in conversation 
with several potential large scale supply chain cyber clients. 
Increasing regulatory pressure on companies to monitor and 
take control of supply chain cybersecurity risks is also aiding 
the growth of Rizikon’s sales pipeline. 


Crossword’s profitable and fast growing consulting business
is now a trusted supplier to a number of large and medium
sized companies, as well as continuing to work with
smaller, entrepreneurial companies. Our vCISO (virtual
Chief Information Security Officer) service, continues to be
popular with all sizes of client and delivers a growing stream
of recurring revenue. Along with our Nightingale network
monitoring platform, which we acquired the previous year
with the Stega acquisition, the Services business saw very
positive overall growth of 80%, of which 51% is recurring.

On the international front, Crossword invested time and effort
to firmly establish itself in Oman and is using that as a base to
explore opportunities in the wider Gulf region. This effort has
put us in prime position for a major Government contract in
the region that, if we are successful, will generate significant
revenue as well as make Crossword a strategic cyber security
supplier across Government. We also signed a distribution
agreement with Oman’s major cloud services provider who
will offer our Trillion™ product and other Crossword services
to their 600 client organisations. Outside of Oman, we won
business in the insurance sector in Bermuda as well as
established a small team in Singapore to enable us to offer
our Nightingale network monitoring service on a 24 hour basis
to major clients.

During 2022, Crossword took steps to ensure that it had
the funding it needed to continue executing on its strategy.
Crossword extended its Convertible Loan Note programme
by adding a further £550k of loan notes in July and
completed a £3.6m equity fundraise in September through an
oversubscribed subscription of Crossword Ordinary Shares.
I was very pleased to welcome several major new
shareholders and delighted that our existing shareholders
continue to back our vision and support our commitment to
the journey.

Crossword is now a 70-strong, well respected, British cyber
security business, with a growing reputation in the UK and
beyond. We take our wider social responsibilities seriously
and have supported our Polish colleagues in their efforts
to help Ukrainians exiled in Poland, by matching staff
donations each month for a period of 6 months up to PLN
2,500 each month.

As I close, I particularly wish to thank everyone who has
helped Crossword achieve this record revenue growth which,
at 68% is our fastest annual growth rate since Crossword
joined AIM. Having invested significantly for rapid growth in
2022, we have now shifted our focus in 2023 towards a clear
path to profitability. The momentum from last year places us
in a strong position to achieve at least 50% revenue growth
in 2023 and our focus on margin improvement will ensure
that there is a clear, carefully managed route to achieving
profitability in the medium term. Crossword’s exceptional
team and its culture of responsibility, openness, flexibility
and learning, gives me and the whole Executive team the
confidence that we will achieve our goals for our staff, our
clients and our investors.

Tom Ilube, Chief Executive Officer
Crossword Cybersecurity
18 April 2023


 
Performance review 
Financial review

Strong growth in revenue and ARR  

Crossword recorded revenue of £3.65m in 2022. This 
represented  a large increase of £1.5m vs. the prior year, 
equating to 68% growth. All revenue streams recorded strong 
growth, other than software development with related parties, 
which ceased during 2021.

The Company achieved an excellent 81% growth in ARR, 
with 54% recurring revenue at year end. ARR growth rates 
continued, with Rizikon ARR growing by 43% during the year, 
Nightingale ARR growing by 29%, and vCISO ARR growing 
by 68%. vCISO, ‘virtual chief information security officer’,
is a bespoke service offered by Crossword’s experienced 
consulting team which supports clients of all sizes in 
improving their cybersecurity posture.   

In 2022 for the first time, Crossword completed delivery of a 
project focused on cyber security engineering services to a 
strategic partner. It is expected that additional engineering 
services will be provided in 2023.

Investing for growth 

Total comprehensive loss for the year was £3.4m. Total 
cost of sales and administrative expenses increased by 
£2.6m in 2022 compared to 2021. The increase reflects the 
acquisition of Threat Status Limited in March 2022, and the 
inclusion of Stega UK Limited, acquired in August 2021, and 
Verifiable Credentials Limited, acquired in April 2021, for a 
full year in the 2022 accounts. Legal and professional fees 
increased by c£250k, which included £346k for a potentially 
transformational transaction which did not progress because 
the vendor made other choices for their business. This reflects 
Crossword’s ongoing drive for acquisitions during 2022. 

A primary driver for the increase in costs was a 30% increase 
in the number of staff compared to the closing FTE (full time 
employee) count at the end of 2021. In 2022, Crossword 
invested significantly in sales and marketing and product 
development, which are the areas which saw the largest FTE 
growth. A significant improvement in Consulting gross margin 
was achieved while an improved and larger deployment of 
services was delivered by a higher number of staff.

We are pleased to see that Crossword’s increased investment 
in sales and marketing and product development is reaping
results, with average product and consulting revenue per 
client increasing to £28.7k per client, up from £20.5k in 2021. 

Focus on profitability 

Staff numbers have stabilised in 2023, with a strong 
foundation in place to drive the revenue growth and path 
to profitability on which the Company is currently focused. 
Profitability will be underpinned by improving margins, as 
Consulting revenue scales to achieve critical mass and as 
product revenues increase.  Crossword’s diversified product 
and services offering will drive scale while containing risk.

Acquisitions 

Loss before taxation using the 2021 presentation was £3.8m 
(2021: £2.4 million). In March 2022, Crossword acquired 
the entire share capital of Threat Status Limited, the threat 
intelligence company and provider of Trillion™, the cloud 
based software as a service (SaaS) platform for enterprise-
level credential breach intelligence. Threat Status’s more 
recently released product, Arc, protects the users of 
customer-facing applications from the threat of account 
takeovers.

Equity fundraise

In September 2022 Crossword completed a £3.6m equity 
fundraise through a placing and subscription of Crossword 
ordinary shares at a price of 21.7 pence per share. 

Cashflows

Net cash outflows of the Group in 2022 were £1.3m. Excluding 
proceeds from issue and repayments of loan notes, the equity 
fundraise and cash paid for acquisitions, net cash outflows of
the Group were £4.4m (2021: £3.3m).

Taxation

The Group continues to claim research and development tax 
credits, with £747k accounted for in 2022 (2021: £206k).

R&D Tax Credits in FY2022 accounts have been reported in 
Tax, due to the majority of the claim being under the SME 
scheme.  Historically, R&D Tax Credits have been reported 
as Other Operating Income.  There has also been a prior year 
adjustment to R&D Tax Credits in FY2021.

Financial Position

Loss before taxation using the 2021 presentation was £3.8m 
(2021: £2.4 million). Crossword Cybersecurity plc finished the 
year with a cash balance of £2.1m.


Crossword recorded an 
excellent 81% growth in 
ARR, with 54% recurring 
revenue in 2022


[Charts, 2018 to 2022: average product and consulting revenue per client (£); number of clients]


 
Operational review 

Services

In 2022, Crossword saw strong, increased
demand across all offerings in its Services
division. Crossword continued to make
progress with its strategy of increasing
the proportion of midmarket and larger
clients in its client mix, which are in an ideal
position to make more widespread use of
Crossword’s full range of growing services
and products. This is leading to increased
annual recurring revenues from such clients.

Services recorded very 
positive overall growth 
of 80%, of which 51% is 
recurring

The value of the acquisitions made by Crossword in recent 
years shone through powerfully in 2022. Additionally vCISO 
(Virtual Chief Information Security Officer) ARR grew by 68% 
and Nightingale monitoring services ARR grew by 29%.

In 2022, Services won its first FTSE 100 client project and 
carried out international work in new territories including 
Bermuda and the Caribbean. 

Consulting

Crossword’s consulting services delivered outstanding results
in 2022, achieving 63% year on year growth.

Consulting increased its cross-selling drive, selling services 
into numerous Rizikon clients and successfully introducing 
Nightingale to numerous Consulting clients. This is increasing 
the level of recurring revenues that the Consulting division 
generates, as well as strengthening client relationships as we 
meet their evolving needs and grow with them.

To address the increased demand for consulting and product 
in supply chain cyber risk, in 2022 we launched the Supply 
Chain Cyber practice, which offers consulting services 
wrapped around a new set of strategic Rizikon modules with 
a recurring revenue proposition. The proposition targets 
the needs of large organisations regarding their third party 
supplier cyber risk and continued to be well received by larger 
clients, thereby adding to incremental revenue per client. 

The Consulting division grew to a total of 18 specialists by 
year end. With higher staffing levels, we continued to improve 
our consulting methodologies and develop a more scalable 
model to provide our services. This is leading to work with 
larger clients with multi-faceted and more complex needs.

Crossword’s team of expert consultants provides bespoke 
cyber security consulting advice tailored to clients’ business 
needs. The team leverages years of experience in national 
security, defence and commercial cyber intelligence and 
operations. Crossword’s full-service cyber security consulting 
team provides strategy, assessment and risk management 
services.

Crossword’s consulting services play a strategic role in its
growth and are an integral part of its offering. By consulting
on clients’ needs and challenges, Crossword gains valuable
market insights that help inform its product development. In
turn, the products business provides consulting opportunities,
such as the many third party and other risk consulting
opportunities that have arisen out of Rizikon Assurance
product sales.

Crossword’s consultants work with over 100 clients across 
multiple sectors, including insurance, professional services, 
financial services, nuclear energy and technology. Consulting 
clients include one of the world’s largest, global S&P500 
insurance brokers, several FTSE 250 companies and a FTSE 
100 company. 

vCISO  
(Virtual Chief Information Security Officer)

vCISO ARR grew  
by 68%

vCISO recorded very strong growth of 68% in ARR thanks 
to its integrated and tailor-made service designed to meet 
clients’ evolving cyber security needs. Through the vCISO 
service, clients can avail themselves of the breadth and 
depth of cyber security services offered by Crossword. vCISO 
provides a fixed and predictable operational cost for clients, 
in contrast to the high costs and recruitment challenges that 
building an in-house cyber security capability entails. 

Nightingale ARR  
grew by 29%

Nightingale

The integration of Nightingale continued to deliver on 
expectations and saw significant successes in the period, 
with ARR growing by 29%. These included new investment 
management clients, deployment to a major insurance 
company in a dual running assessment and carrying out a 
cyber incident response at a top ten law firm.

To service the needs of global clients, Nightingale’s 
capabilities were increased and we opened an office in 
Singapore to support its 24/7 global monitoring services.

In March 2023, Crossword launched its Ransomware
Readiness Assessment Service. The assessment is conducted
by the Nightingale team, which analyses in detail an
organisation’s current exposure, control systems and ability
to respond to a ransomware incident, using an industry-specific
approach and cyber incident response forensics. The service
helps organisations reduce their exposure to ransomware
attacks, provides detailed assessments on areas requiring
protection and recommends how they should respond to attacks.

Nightingale, Crossword’s world class platform, is a 
comprehensive security monitoring service. It mitigates the 
cyber threats and vulnerabilities an organisation faces by 
bringing together multiple facets to identify and monitor 
organisational assets, users, traffic, networks and endpoints.


 
Crossword Services timeline

2016
First consulting services revenues

2020
£1m+ in annual consulting revenues reached

2021
Two FTSE 250 clients acquired

August 2021
Completion of acquisition of Stega UK Limited
(threat intelligence and monitoring company)
and its in-house monitoring platform, Nightingale

2022
First engagement with a FTSE 100 company,
delivering high end cyber consulting services

May 2022
“Strategy and collaboration: a better way
forward for effective cybersecurity” Crossword
launches research report based on interviews
with over 200 CISOs (Chief Information
Security Officer) and senior UK cyber security
professionals

June 2022
Launch of specialist Supply Chain
Cyber Consultancy practice


Crossword Cybersecurity products 

Crossword’s product portfolio addresses 
some of the most pressing needs in the 
cyber security sector, including supply 
chain security, credential attacks, account 
breaches and account protection.

Crossword’s product portfolio currently numbers four 
products and is the result of both internal development and 
acquisitions. For products developed internally, Crossword’s 
specialist product development and software engineering 
teams develop the initial concept into a fully-fledged 
commercial product that Crossword then takes to market.

Crossword has an established tradition in commercialising 
cyber security research from leading UK universities. Rizikon, 
Crossword’s flagship product focused on supply chain risk 
management, was based on research by the Centre for 
Cyber Security Sciences at City University, London, whilst 
Nixer CyberML was developed in collaboration with Imperial 
College, University of London. Nixer CyberML applies 
machine-learning to user behaviour analysis to detect and 
prevent credential stuffing and other account takeover 
attacks.

The acquisitions undertaken to date are Trillion™ and Arc 
(acquisition of Threat Status Ltd completed in March 2022) 
and Identiproof (acquisition of Verifiable Credentials Limited 
completed in May 2021). Crossword is also capitalising on its 
other assets, e.g. the launch of the Supply Chain Cyber practice in 
May 2022, which leverages the Rizikon Platform. 

Rizikon
Supply chain risk management

Rizikon Assurance helps organisations of all sizes to assess and manage their supply chain risk at scale, in a cost-effective way. Rizikon is Crossword’s leading product and is provided as a SaaS platform.

Identiproof
Wallet verification technology

Identiproof is a credentials verification wallet technology that is compatible with the World Wide Web Consortium (W3C) standards.

Trillion™
Breached Account Mining platform

Trillion™ continuously tracks, correlates and analyses billions of stolen usernames and passwords, searching for digital identities that could belong to client customers or users.

Arc
Account protection for eCommerce platform owners

Arc queries for access attempts in real time, using username and password pairs already known to criminals. This enables clients to instantly step in and avoid losses.

Trillion™ and Arc are the latest additions to Crossword’s product suite, offering some of the strongest and most advanced credential leak monitoring services in the market

Products

Rizikon and Trillion™ are well 
established products with distinct 
USPs. This led to strong growth 
in their revenues in 2022, with 
Rizikon ARR growing 43%

Crossword currently offers four products, with three products 
being revenue generating and one in development.

Rizikon and Trillion™ are well established products with 
distinct USPs, which led to strong growth in their revenues in 
2022.

Rizikon 

Rizikon is a supplier assurance and third party risk 
management platform and is Crossword’s flagship product. 
In 2022, Rizikon continued its strong sales growth with ARR 
growing 43% during the period. 

Rizikon enjoys a strong position in the market as a leading 
product for supply chain risk management, with organisations 
using it growing to over 1,000 by the end of 2022. As 
Crossword’s first product to be developed in 2015, Rizikon 
benefits highly from its accumulated expertise in supply chain 
cyber risk assessment.

There is a clear need in the market for specialist providers 
focused on supply chain cyber risk management. In 2022, 
the UK arm of international defence and security company 
Leonardo selected Rizikon to assist in its assessment of 
cyber risk in its supply chain. This very significant client win 
underlined Rizikon’s capacity to deliver at scale and serve the 
largest of companies.

In 2022 we increased our focus on growing Rizikon Assurance, 
which is aimed at mid-market and larger companies with 
a higher number of users per client. Rizikon Assurance is 
a highly versatile product that can be tailored to meet the 
different risk appetites of clients with different levels of risk 
modelling.  Key to successful implementation is understanding 
a client’s supplier ecosystem. This is carried out in an initial 
consulting exercise for Rizikon Assurance clients.

To ensure Rizikon remains strongly positioned we made 
substantial progress in re-engineering Rizikon, by moving its 
coding from Java to ReactJS + Java. This will speed up future 
development and enable Rizikon to keep quickly addressing 
emerging supply chain cyber security needs.  Other notable 
product developments for Rizikon included the completion 
of analysis & designs for new higher value modules, and a 
number of improved features for Rizikon. In the second half of 
2022, work continued on readying new modules for launch in 
2023.

The supply chain cyber risk sector 

Preventing cyber risk attacks in supply chains is a fast 
growing market. For organisations of any size, the greatest 
threats to cybersecurity are suppliers, third parties and 
connected technologies given they are so hard to control.  
Recent research independently conducted for Crossword of 
over 200 Chief Information Security Officers (CISOs) found that 
83 per cent. of CISOs viewed “ensuring that the entire supply 
chain is water-tight in its ability to defend and recover against 
threat actors” as a challenge.

The European Union Agency for Cybersecurity (ENISA) 
reported in 2021 that it expected supply chain attacks to 
quadruple over the following 12 months. Simultaneously, 
supply chains are going through a period of digital 
transformation, with automation increasing efficiencies, 
whilst at the same time introducing possible vulnerabilities 
to businesses. As a result, industries including but not limited 
to banking, retail and manufacturing are under mounting 
financial, reputational and regulatory pressure to monitor 
and take control of supply chain cybersecurity risks.  These 
include the Supervisory Statement SS2/21 by the Bank of 
England’s Prudential Regulation Authority (PRA), in effect 
since 31st March 2022 and the EU’s NIS2 Directive and Digital 
Operational Resilience Act, in effect since 16th January 2023, 
amongst others. 

Trillion™ 

Trillion™ saw strong revenue growth in 2022, with the size of sales deals being secured becoming noticeably larger compared to before being acquired by Crossword.

Since its launch in 2017, Trillion™ benefits from being a more mature and established product with each year that passes. Together with continuous product development, this enables Trillion™ to maintain a premium product offering excellent value for money.

Trillion’s revenue growth in 2022 was supported by an increase in dedicated and specialist sales people, an increase in cross-selling, supporting a number of Consulting activities, and inclusion in the sales partnerships launched by Crossword during the period. In parallel, we continued with our sales strategy of seeking to include Trillion™ into third-party MSPs (managed service providers).

On the development side, we improved product functionality to support much larger multi-organisational clients as well as multi-tiered SaaS providers. This dramatically increased the revenue universe which Trillion™ can target.

Trillion™ continuously tracks, correlates and analyses billions of stolen usernames and passwords, searching for digital identities that could belong to clients’ customers. Trillion™ was one of two products that Crossword added to its product portfolio as a result of its acquisition of Threat Status Limited in March 2022, the other product being Arc.

Arc 

Arc provides account protection for eCommerce platforms and organisations, querying for access attempts in real time, using username and password pairs already known to criminals. This enables clients to instantly step in and avoid losses.

Nixer CyberML was a product in development by Crossword, sharing similar features to Arc. Operating in the same sector as Arc, it uses machine learning to match application credentials against a list of 555M+ leaked username/password combinations, making recommendations if matches are made. As with Arc, it does so with zero friction to user experience.

Given that Arc and Nixer CyberML operate in similar focus areas, in 2022 Crossword took the decision to merge the best features from both products in order to provide a best in class proposition to clients, retaining the name Arc for this product.

In December 2022, Arc gained its first commercial contract when Sticky Password, one of the industry’s most well-established secure password vaults, announced a partnership with Arc.

Identiproof 

The advantages of being able to easily access and share qualifications through digital wallets are driving strong demand worldwide for verifiable credentials software. During the period we made good progress on both product development and go-to-market plans for Identiproof, which is our credentials verification wallet technology.

A new demo portal was made available enabling demos of Identiproof to potential customers. It covers both flows in which the verifier requests credentials to the mobile wallet, and in which users want to share their credentials as badges. Experimental R&D proof of concept work continued with grant funded development in the areas of interoperability and trustability.

Progress was made on the second major version of the Identiproof suite of products. The new versions will have a new architecture and use later versions of the development stack for better scalability, reliability and resilience.

Crossword Products timeline

2015
Rizikon launched

2016
Worked with Coventry University to help create CyberOwl Ltd

2017
Worked closely with our university partners, Warwick and EPFL, to create ByzGen Ltd

2019
Accepted onto the UK Government G-Cloud framework

2019
Nixer CyberML machine-learning version launched

2019
Rizikon Assurance 2.0 launched; designed with Creditsafe integration, 360-degree Supplier Scorecards and an Assurance Framework Dashboard

2020
Launch of Rizikon Pro

May 2021
Completion of acquisition of Verifiable Credentials Limited, adding Identiproof to the product portfolio

November 2021
Integrated DarkBeam’s cyber risk audits into Rizikon, significantly enhancing Rizikon’s functionality

March 2022
Acquired Threat Status Limited, the cyber intelligence company, in March 2022, adding Trillion™ and Arc to Crossword’s product portfolio


Sales & Business Development 

Focus on high retention rates and increased 
contract value 

The customer success team continued to ensure high retention rates and 
increased contract value by demonstrating the value of products to clients. 
We saw this markedly in the case of Rizikon, leading to high levels of 
contract renewals as supply chain risks increase and become more widely 
recognised. 

Sales team restructured 

In 2022, Crossword’s sales team was restructured into direct and indirect/
channel sales to keep improving results. As part of this restructure, 
for direct sales we are placing more emphasis on sector-based sales 
campaigns, e.g. targeting sectors such as large clients facing supply chain 
risks for Rizikon. For indirect/channel sales we are expanding channel sales 
via resellers and distributors. To generate a better sales pipeline and results 
overall we also implemented the MEDDICC sales methodology, whilst 
continuing to further develop CRM and sales reporting/automation.

New sales partnerships

We were pleased to establish several new sales partnerships during the 
period. Sales partnerships are part of Crossword’s indirect/channel sales 
and enable Crossword to reach large audiences quickly and effectively. The 
new partnerships included BESA (British Educational Suppliers Association), 
the SWCRC (South West Cyber Resilience Centre), techUK (the UK digital 
technology trade association), the Chartered Insurance Institute and the 
International Federation of Consulting Engineers. We were also delighted 
that the IASME Consortium Limited, a UK Government Cyber Essentials 
Partner, selected Rizikon Assurance as the core platform to support a new 
Maritime Security certification, taking the number of certifications it delivers 
via Rizikon to three.

In 2022, Crossword also supported the British Educational Suppliers 
Association with Cyber Essentials and Rizikon, as well as techUK’s SMEs 
with Cyber Essentials and Rizikon Assurance.

Rizikon - Expertise in supply chain cybersecurity

Time consuming, arms length assurance process

•  Assessing cyber security risk emanating from hundreds of suppliers, usually at arms-length, is very inefficient and highly labour intensive without technology support
•  Creates strong demand for integrated single point software solutions that can address this and give clients a top-down view of their supply chain risk

Increased Regulatory Pressure

•  Regulatory developments are increasing pressure on companies to monitor and react to supply chain risk
•  In the UK, the Network and Information Systems Regulations 2018 (NIS), which are currently being consulted upon under three pillars, and the UK Prudential Regulation Authority (PRA), are of particular importance

Increasing and evolving supply chain risk

•  Supply chain cyber security has suffered from under investment in relation to other cyber sectors, such as combating Ransomware
•  Hackers are targeting the vulnerabilities and evolving their attacks within increasingly complex integrated supply chains
•  Has created pent-up demand to improve supply chain cyber security

Rizikon reduces risk and improves compliance in supply chain cyber risk management

Increased Cost Efficiency

•  Increased automation is driving better use of resources and improved ROI
•  Enhanced ability to focus activities on areas of greatest need and higher risk
•  Simple scheduling and timely deployment of assessment activities
•  Scalable SaaS solution that grows with clients, from small to very large supplier chains
•  Enhances client’s capability by building on Crossword knowledge base, advisory support and services

Improved Compliance

•  Rapid assessment of regulatory and other cyber risk compliance in the supply chain
•  Efficient planning and tracking of mitigating actions
•  Effective escalation and senior level reporting
•  Continuous improvement based on Crossword’s accumulated supply chain cyber expertise

Reduced Cyber Risk

•  Rapid assessment of supply chain cyber risks
•  Comprehensive overview of risk mitigation pipeline
•  Customisable categorisation for speedy prioritisation
•  Fast and efficient planning and tracking of mitigation & transformation
•  Timely escalation and senior level reporting

Trillion™ - A sole focus on credential  
breach detection since 2017

Trillion’s attractiveness derives from its sole focus 
on solving one core problem area: stolen passwords, 
otherwise known as credential breach detection.

Trillion’s specialisation since its launch in 2017 has 
led to an outstanding degree of expertise that is highly 
regarded in the market. Trillion™ focuses on serving 
the corporate market, for which password/credential 
breach protection is one of the highest priorities. 
Trillion’s hallmarks of speed of service, quality of data 
and confidentiality are highly valued by corporate 
clients.

Trillion™ is strongly positioned in the feature rich 
yet price accessible higher segment of the market, 
combining highly automated processes that are driven 
by AI, thereby simplifying onboarding and operation for 
its clients.

Trillion’s distinct servicing model serves as an 
additional strong differentiator, in contrast to providers 
that will limit themselves to dumping raw and 
unstructured data on clients.

Trillion’s USPs 

1. Privacy.

Trillion™ maximises privacy whilst 
continuously filtering through constantly 
increasing amounts of stolen data. When 
it alerts clients about stolen data, it does 
so by only disclosing data appropriate for 
risk management while restricting all 
critical privacy elements to the data 
subject themselves.

2. Relevant and cleanest data. 

  Trillion™ prioritizes the most relevant 
data through a number of methods, 
including automatically testing whether 
discovered email addresses are still 
active or defunct.

3. Most dangerous users. 

Trillion™ targets the highest risk people 
by identifying top offenders of password 
re-use.

Delivering credential  
protection at scale for Spain’s  
public administration   

“Protecting large, distributed organisations, such as exist in 
the public sector, where many individual entities exist is one 
of the more challenging aspects of cyber security at scale. 
Crossword considers CCN-CERT a true business partner, 
and we learn as much from their feedback on our products 
as they do from our data. By listening closely to clients’ 
needs, we are continuously enhancing Trillion™ to support 
the cybersecurity needs of organisations operating at the 
top of their game”

Jon Inns,  
Product Director for Arc and Trillion™

Covid-19

During the height of 
the Covid-19 pandemic, 
CCN-CERT needed to act 
immediately to enhance 
the cybersecurity of 
Spain’s national health 
infrastructure.

Time

Once the team at CCN was given 
access to Trillion™, in a matter of 
hours every health organisation 
across Spain was configured in the 
platform and breached credential 
data was being fed back into the 
CERT.

CCN-CERT

CCN-CERT is the Information 
Security Incident Response 
Team (CERT) of the National 
Cryptologic Centre in Spain 
(CCN), which is accountable 
to the Spanish National 
Intelligence Centre.

Support

The head of the cybersecurity 
department at CCN contacted the 
Trillion™ operations team after 
Trillion’s global offer of support to 
help protect digital identities within 
health services.

Certification

Crossword 
collaborated with the 
CERT to implement 
new features which 
would enable it 
to extend the use 
of Trillion™ to 
local Government 
departments and 
organisations, while 
still maintaining a 
central, national view 
within the CERT.

Expansion

CCN-CERT decided that a 
wider scope for Trillion™ 
will protect the wider 
Spanish public services 
infrastructure.

Success

Trillion™ is now monitoring hundreds 
of organisations, thousands of domains 
and reporting leaked data on hundreds of 
thousands of public workers across Spain. 

Roll out

Trillion™, with the new features, was rolled out over 
the following weeks. CCN-CERT invited hundreds 
of local authorities, municipalities, town halls and 
central government departments to come on board 
using simple automated signups, which took a 
matter of minutes to complete.

Section 172 (1) Statement

The Company has complied with the requirements of s414CZA of the Companies Act 2006 by including certain information within 
the Strategic and Governance Reports, that informs members of the Company how the Directors have considered the matters 
set out in section 172(1)(a) to (f) of the Companies Act 2006 when performing their duty under section 172 to promote the 
success of the Company. The following table outlines where the key content as required by the regulations can be found in this 
report.

Matters considered by the Board / Where to read more in this Annual Report

The likely consequences of any decision in the long term: Strategic Report on page 3; Corporate Governance Report on page 38; Directors’ Report on page 50

The interests of the Company’s employees: Corporate Social Responsibility on page 26; Corporate Governance Report on page 38

The need to foster the Company’s business relationships with suppliers, customers and others: Corporate Governance Report on page 38

The impact of the Company’s operations on the community and the environment: Corporate Social Responsibility on page 26; Corporate Governance Report on page 38

The desirability of the Company maintaining a reputation for high standards of business conduct: Performance Review on page 10; Strategic Report on page 3; Corporate Governance Report on page 38

The need to act fairly as between members of the Company: Corporate Governance Report on page 38; Directors’ Report on page 50

Corporate Social Responsibility

“It’s a really lively, young, fast moving company. Everyone is very engaged, it’s a really great company to work for. The atmosphere is second to none”

“The greatest thing about Crossword is the culture. I find our CEO very charismatic and focused on keeping the culture alive but not being something which is forced on people. It feels very natural, very modern, a great place to work.”

ENVIRONMENTAL, SOCIAL & GOVERNANCE

As Crossword continues to grow and mature as an 
organisation, a keen focus is kept on our wider stakeholder 
and social responsibilities. Crossword holds itself to high 
standards in relation to stakeholders, in areas such as 
governance, employees, community, environment and 
customers. 

Crossword recognises that we have a responsibility to manage 
our environmental impacts carefully, including meeting all 
legal and regulatory requirements. We are committed to 
reducing our environmental impact and continually improving 
our environmental performance as an integral part of our 
business strategy and operating methods, with regular 
review points. We encourage customers, suppliers and other 
stakeholders to do the same.

At Crossword, we value the people and we believe our 
greatest strength is a good team of experts.

We are focussed on gender diversity with the Board being 
37.5% women and Advisory Board at 50:50 parity. The Women 
at Crossword Group was established during 2021 and has met 
3 times covering an interesting range of topics and speakers.

Our culture

Our culture is that distinct differentiator which drives our 
decisions and actions. We are energetic, agile and passionate 
about the quality of work we deliver. We encourage 
responsibility early in the lifecycle of an employee’s career, 
along with which comes valuable learning. We make sure we 
have fun while doing our work and look out for each other by 
being open, transparent and flexible to adapt to each other’s 
needs and the needs of our customers and stakeholders. 

The Board is committed to promoting a strong ethical and 
values-driven culture throughout the Company and has a 
people-oriented ethos where hard work and commitment are 
recognised.

The benefit of experience

The make-up of our team gives us something unique to offer. 
It’s rare to find such richness of leadership experience in a 
small organisation and the advantage of our size is that our 
leadership team are present, accessible and engaged with the 
whole team. Employees get to know the leadership well and 
our staff tell us time and time again that they find this level of 
exposure invaluable in developing their own knowledge and 
business acumen.

In 2022, we looked after our health and well-being in many 
ways, including with online yoga classes, laughter yoga, 
a financial wellbeing workshop, celebrating Men’s Health week, 
a Wellness Week and several enjoyable social events.  We 
have a Mental Health First Aider to provide support where 
required. We have a ‘Balance’ channel on Slack, which is a 
dedicated space to bring interesting articles, blogs, websites 
and general content about Mental Wellbeing. 

Our Mental Wellbeing Policy outlines our provisions to prevent 
and address mental health issues among our employees. 
Mental Health is just as important as physical health. Mental 
ill health may be detrimental to a person as it impacts 
happiness, productivity, and collaboration.

Crossword in the UK has an Employee Assistance Programme 
(EAP) which includes a wealth of resources like confidential 
health assessments, online resources, and telephone support.


Company values 

Flexibility

We adapt to changing needs and empower our employees with the trust and autonomy they 
need to deliver high quality work.

Learning

We promote a continuous learning culture and believe that knowledge and competence drive 
performance and growth of the individual and organisation.

Responsibility

We take the ownership to demonstrate a high standard of work as we are personally 
responsible for the work we deliver.

Openness

We encourage openness between all employees and with clients. We are inclusive, adaptive, 
collaborative and committed to accepting people from diverse backgrounds. 

More reasons to join us 

Leadership support

Asking for help and support is celebrated and highly encouraged at Crossword. The support can be available in the form of Mentoring, knowledge sharing and we also have a ‘Buddy system’ for new starters. The Executive team is committed to their team’s professional development.

Great working environment

We strive to better the employee experience by providing proper work equipment and also through workplace engagement surveys which encourage open communication and feedback. Our offices are modern and equipped with kitchen and shower facilities, coffee machines and breakout spaces.

Inclusivity & Diversity

Our collective strength is in our individual uniqueness and the range of experiences we can bring to the table. When we recruit, we don’t look for a ‘Culture fit’, to fit any specific but rather what the person brings, but our culture is extremely collaborative and adapts to cater to the needs of our biggest asset – our people!

Work-life balance

We are focused on achievements at work, not how long you spend in the office. We believe in being agile and adapt to work around employees’ commitments and working styles. We prioritise our employees’ mental well-being above everything else. All employees are encouraged to take timely breaks to spend time doing what they love and pursue their recreations.

Some of the initiatives which highlight the elements of our culture are as follows:

•  Employee Engagement through our Corporate Social Responsibility initiative drives a common goal and brings employees together for a higher purpose. We have partnered with SPEAR, a local charity in Richmond, to raise funds and help the homeless. Our Krakow office employees carry out philanthropic initiatives every year to help the disadvantaged and needy.
•  We also have other interesting employee engagement events like our company away days, social events, lunch Mondays, etc.
•  Excellent communication channels like Slack, Google Meet, virtual fortnightly coffee mornings allow for an easy flow of communication.
•  Flexible and family-friendly policies which enable an enviable work environment.
•  Open recognition initiatives as well as a 5-year Long Service Award to acknowledge hard work and commitment to the business

Principal Risks & Uncertainties

The Board has overall responsibility for ensuring that risk is appropriately managed throughout the business.

The Board is aware of the need to conduct regular risk 
assessments to identify any deficiencies in the controls 
currently operating over all aspects of the Company. 

Risks to the achievement of strategic objectives are identified 
by the Executive. The degree of risk is evaluated by reference 
to the impact and probability of the risk, considering inherent 
and residual risk. The Executive considers the nature and 
extent of the risks, the threat of such risks becoming reality, 
the ability to reduce the incidence and impact on its business 
if the risk materialises, and the costs and benefits resulting 
from operating relevant controls.

A Risk Register is prepared and regularly reviewed by 
the Executive, and shared with the Audit Committee for 
independent review and robust challenge. The Risk Register 
includes a plan for mitigation of risks above the risk appetite 
of the business.

RISKS RELATING TO THE GROUP AND THE INDUSTRY IN WHICH IT OPERATES

1 INTELLECTUAL PROPERTY ACQUISITION AND DEVELOPMENT

Crossword acquires intellectual property (IP) rights from universities via licensing, IP transfer arrangements and acquisitions, and then develops this IP into commercial products. Failure to secure good quality IP deals, and to quickly and appropriately meet new cyber security challenges, will make it difficult for the Group to generate new products.

The success of this strategy depends on the ability of Crossword to source suitable IP and use its expertise in business management, marketing and product development to build solutions attractive to its potential customer base. Ultimately, Crossword will only succeed if it is able to acquire, design, develop and sell new software solutions in a timely fashion that deliver operational reliability and effectiveness.

2 TECHNOLOGICAL CHANGES

Generally, product markets are exposed to rapid technological change, changes in use, changes to customer requirements and preferences, and services employing new technologies and the emergence of new industry standards and practices. The Group operates in a market with such changes, which have the potential to render the Group’s existing technology and products obsolete or uncompetitive.

To remain competitive, the Group must ensure continued product improvement, and the development of new markets and capabilities to maintain a pace congruent with changing technology.

This added strain may stretch the Company’s capital resources, which may adversely impact the revenues and profitability of the Company. The Company’s success is dependent on the ability to effectively respond and adapt to technological changes and changes to customer preferences. There can be no assurance that the Company will be able to effectively anticipate future technological changes or changes in customer preferences. Furthermore, there is also no assurance that the Company will have sufficient financial resources to effectively respond in a timely manner if such a change is anticipated.

3 REPUTATIONAL RISKS

As a cyber security company, Crossword is very conscious of its external reputation. If the Group is compromised as a result of a cyber incident, it would impact its clients’ confidence. As Crossword expands its products and services, it is holding more client data and intellectual property, increasing the potential impact in the event of a cyber incident.

Crossword has an experienced cyber security expert acting as its Chief Information Security Officer (CISO) and a strong technical team who actively seek to mitigate threats. Nonetheless, should an event take place which adversely affects the reputation of the Group, its future prospects and value could suffer.

4 COMPETITION

There is no guarantee against new entrants or current 
competitors providing superior technologies, products or 
services to the market. There is no certainty that new entrants 
or current competitors will not provide equivalent products for 
a lower price. The Company may be forced to make changes 
to one or more of its products or to its pricing strategy to 
effectively respond to changes in customer preferences in 
order to remain competitive. This may impact negatively on 
the Company’s financial performance.

The Group’s consulting division operates in an environment 
that includes large international accounting firms and 
consultancies and a number of smaller niche players. 

There are very low start-up costs for any new entrant into 
the market and the Group cannot prevent any person or 
organisation from seeking to compete with it. There is a 
risk that an existing competitor or a new entrant may, over 
time, be able to win work from the Group’s existing and 
future customers. In addition, larger competitors may, in the 
future, adopt more aggressive expansion strategies, which 
could include hiring additional experienced consultants and 
changing their business model and service offering to one 
that is directly comparable to that of the Group. This could, in 
theory, result in a material loss of customers from the Group 
to larger competitors and therefore have a material adverse 
impact on the financial performance of the Group.

5 KEY SYSTEM FAILURE, DISRUPTION OR 
INTERRUPTION

The Company’s reliance on technology exposes the Company 
to a significant risk in the event that such technology, or 
the Company’s systems, experience damage, interruption 
or failure in some form. A malfunctioning of the Company’s 
technology and systems, or those of key parties, could 
result in a diminished confidence in the Company’s services, 
resulting in a consequential material adverse effect on the 
Company’s operations and results.

6 DEPENDENCE ON THIRD PARTIES AND 
BUSINESS CONTINUITY

Key components of Crossword’s technology platform may 
be dependent on the continuing availability of a particular 
supplier.

The software development environment or data processing 
platforms may become unavailable for an extended period of 
time thereby disrupting customers’ experience of Crossword’s 
products and services.

Crossword’s business is at risk from disruption of key systems 
and assets on which it depends.

The functioning of the IT systems on which it relies could 
be disrupted for reasons either within or beyond its control, 
including but not limited to: accidental damage; disruption to 
the supply of utilities or services; security breaches; extreme 
weather events; systems failure; or workforce actions. There 
is a risk that such disruption may materially and adversely 
affect Crossword’s ability to offer services to customers 
and therefore materially and adversely affect its reputation, 
performance or financial condition.

7 ABILITY TO RECRUIT AND RETAIN 
SKILLED PERSONNEL

The Company believes that it has the appropriate incentive 
structures and culture to attract and retain the calibre of 
employees and contractors necessary to ensure the efficient 
management and development of the Company. However, any 
difficulties encountered in hiring, and retaining, appropriate 
employees and/or contractors and the failure to do so, or a 
change in market conditions that renders current incentive 
structures unattractive, may have a detrimental effect upon 
the trading performance of the Company. With a recognised 
shortage of skilled technical people, the ability to attract new 
employees and contractors with the appropriate expertise and 
skills cannot be guaranteed.

8 FINANCIAL CONTROLS AND INTERNAL 
REPORTING PROCEDURES

The Company’s future growth and prospects will depend 
on its ability to manage growth and to continue to maintain, 
expand and improve operational, financial and management 
information systems on a timely basis, whilst at the same 
time maintaining effective cost controls. Any damage to, 
failure of or inability to maintain, expand and upgrade effective 
operational, financial and management information systems 
and internal controls in line with the Company’s growth could 
have a material adverse effect on the Company’s business, 
financial condition and results of operations.

GENERAL BUSINESS RISKS

9 TAXATION RISK

The Company is subject to taxation and the application 
of such taxes may change over time due to changes in 
laws, regulations or interpretations by the relevant tax 
authorities. The recent proposed changes to the research and 
development tax incentives may have an adverse effect on the 
Company’s results of operations.

The continuing status of the Ordinary Shares as a qualifying 
holding for VCT and/or EIS purposes will be conditional 
(amongst other things) on the qualifying conditions being 
satisfied throughout the period of ownership. There can be 
no assurance that the Company will continue to conduct its 
activities in a way that will secure or retain qualifying status 
for VCT and/or EIS purposes.

10 COUNTERPARTY CREDIT RISK

There is a risk that parties with whom the Company trades 
or has other business relationships (including partners, 
customers, suppliers, subcontractors and other parties) 
may become insolvent. This may be as a result of general 
economic conditions or factors specific to that company, or 
exceptional circumstances such as COVID-19. In the event that 
a party with whom the Company trades becomes insolvent, 
this could have an adverse impact on the revenues and 
profitability of the Company.

11 LEGAL RISK

Legal risks include the inability to enforce security 
arrangements, an absence of adequate protection for 
intellectual property rights, an inability to enforce foreign 
judgments relating to contracts entered into by the Company 
that are governed by law outside England and Wales, 
absence of a choice of law, and an inability to refer disputes 
to arbitration or to have a limited choice with regard to 
arbitration rules, venue and language.

Mitigation measures for these risks may also be limited.

12 INSURANCE RISK

There can be no certainty that the Group’s insurance cover is 
adequate to protect against every eventuality.

The occurrence of an event for which the Group did not have 
adequate insurance cover could have a materially adverse 
effect on the Group’s business, revenue, financial condition, 
profitability, results, prospects and/or future operations.

13 ECONOMIC CONDITIONS

The Group could be affected by unforeseen events outside its 
control including economic and political events and trends, 
inflation and deflation or currency exchange fluctuations. 
The impact is likely to include interrupted power supply, 
disruption to financial markets and higher inflation. Any 
economic downturn either globally or locally in any area in 
which the Group operates may have an adverse effect on 
the demand for the Group’s products and services. A more 
prolonged economic downturn may lead to an overall decline 
in the volume of the Group’s activities and sales, restricting 
the Group’s ability to realise a profit. The markets in which 
the Group offers its services are directly affected by many 
national and international factors that are beyond the Group’s 
control.

14 CURRENCY EXCHANGE RISK

The Group’s functional currency is Sterling. One subsidiary, 
Crossword Cybersecurity Sp. Z.o.o is based in Poland, and 
another subsidiary, Crossword Cybersecurity LLC, is based in 
Oman. Crossword Cybersecurity Sp. Z.o.o, where the functional 
currency is zloty, accounts for approximately 11 per cent 
of the total costs of the business. Crossword Cybersecurity 
LLC’s functional currency is Omani rials, which is pegged to 
the US Dollar. Exposure to this and other exchange rates may 
affect the Company’s results. The Company may consider 
implementing policies to limit its currency exposure and will 
consider currency hedging instruments when they prove to be 
available and cost-effective.

15 GOING CONCERN RISK

There is a risk that the Group will not be able to raise 
cash when it is required. This could be as a result of poor 
performance within the Group or turmoil within the markets 
following COVID-19, or other economic issues such as the 
Ukraine crisis.

The Strategic Report was approved by the Board of Directors 
on 18 April 2023.

TOM ILUBE 
CEO 
18 April 2023


Governance Report 

The Board

The Directors in office during the year and at the date of this report are as shown below:

Sir Richard Dearlove KCMG OBE

Non-Executive Chair

Appointment Date: 1 September 2016

Skills and Experience:  
Sir Richard brings to the Board extensive 
experience across government, education 
and global business. 

Sir Richard joined MI6 in 1966, undertaking 
various overseas and head office roles 
before being promoted to Chief of the 
Secret Intelligence Service in 1999.  
He retired from the Service in 2004.

External Appointments:  
Sir Richard is presently Chair of Trustees 
of University of London, Chair of Ascot 
Underwriting Limited at Lloyd’s of London 
and a Director of Kosmos Energy, the 
New York Stock Exchange listed oil and 
gas exploration company. Sir Richard is 
also a Director of The Cambridge Security 
Initiative 2017, the Cambridge Arts Theatre 
Trust Limited, Lower Tamar Fishing Club 
Limited and Endsleigh Fishing Club Limited. 
He also holds several advisory roles.

Committee Memberships: None

Tom Ilube CBE

Chief Executive Officer

Appointment Date: 6 March 2014

Skills and Experience:  
Tom is founder and CEO of Crossword. 
Tom served as Chief Information Officer 
of Egg Banking PLC, which at the time 
was a pioneering main market listed 
UK internet bank. Tom chaired the UK 
Government Technology Strategy Board’s 
Network Security Innovation panel. He 
was a member of the High Level Expert 
Group on cyber security at the International 
Telecommunication Union (ITU), a Geneva-
based UN agency. He was awarded a 
Doctor of Science (Honoris Causa) by 
City, University of London, an Honorary 
Doctor of Technology by the University of 
Wolverhampton and was appointed a CBE 
in the 2018 Birthday Honours for services 
to Technology and Philanthropy.

External Appointments:  
Non-Executive Director of WPP plc and 
Chair of the RFU. Director of Iternal 
Limited, Honorary Fellow of St Anne’s 
College, Oxford and of Jesus College, 
Oxford and Chair of the African Gifted 
Foundation.

Committee Memberships: None

Mary Dowd

Chief Financial Officer

Appointment Date: 14 June 2018

Skills and Experience:  
Mary brings over 20 years’ experience of 
working alongside business leaders.

She has demonstrated a track record of 
managing finance teams to ensure timely 
delivery of relevant financial information to 
all stakeholders, providing clear leadership, 
continuous process improvement, and 
excellent communication.

She also brings to Crossword extensive 
experience of working in acquisitive 
businesses and providing transactional 
support.

Mary graduated from University College 
Galway, Ireland and has a postgraduate 
Diploma in Business Studies from the same 
university. She is a Fellow of the Chartered 
Institute of Management Accountants.

External Appointments:  
Trustee at The Groundwork South Trust 
Limited and member of the Audit and Risk 
Committee of the University of Essex.

Committee Memberships: None


Dr Robert Coles

Independent Non-Executive Director

Appointment Date: 25 May 2021

Skills and Experience:  
Robert is a highly experienced IT Risk and 
Cyber Security leader. He has over 30 
years’ commercial experience, including 
Chief Information Security Officer of the 
NHS. Prior to this, Robert worked for GSK, 
National Grid, and Merrill Lynch. He held 
various senior information security roles at 
Royal Bank of Scotland and he was a partner 
in KPMG. 

Robert is a Senior Fellow at the Centre for 
Assurance Research and Engineering at 
George Mason University, Washington DC. 
He is also an Honorary Professor at UCL. 
He was awarded a PhD in psychology by 
the University of Leeds for his work on the 
perceptions of information and IT risk and 
has published and presented on this and 
other topics. He continues to undertake 
research in these areas. He was also 
awarded an MBA from Manchester Business 
School. He has extensive links with major 
industry information security networking 
groups. Robert is Chair of the Group’s 
subsidiary, Crossword Consulting Limited.

External Appointments:  
Director & Chair of Cumberland House 
Consulting Ltd, Director & Chair of Think 
Cyber Security Ltd, Governor/Trustee and 
Audit Committee Member of the University 
of Brighton.

Committee Memberships:  
Audit and Nomination (Member)

Dr David Secher

Independent Non-Executive Director

Appointment Date:  
16 June 2014

Skills and Experience:  
David is an international expert in 
intellectual property, technology transfer 
and research management. His experience 
includes Japan, Jordan, South Africa, 
Brazil, Chile, Australia, Argentina, India, 
Saudi Arabia and Lebanon as well as 
Europe and the USA. David is a Life Fellow 
and until 2018 was Senior Bursar at 
Gonville & Caius College, Cambridge where 
he was responsible for the investment of a 
£210m endowment.

David was co-founder and chair of 
Praxis (now PraxisAuril), the leading UK 
technology transfer training programme, 
of which he is now Patron. He served as 
Director of Research Services, University 
of Cambridge, where he was responsible 
for creating and directing a new division of 
80 staff, for designing and implementing 
an intellectual policy for the university 
and for technology transfer throughout 
the university resulting in £2m licensing 
revenue, 40 new licences and six spin outs 
per year.

David was Chief Executive of N8 Limited, 
a consortium of eight research-intensive 
universities in the North of England, 
securing initial funding of £6m from 
Regional Development Agencies. His earlier 
career was in molecular biology research 
with MRC Laboratory of Molecular Biology, 
Celltech Limited and Cancer Research 
Campaign (now Cancer Research UK).

David held or was named on three 
patents and is the holder of a Lifetime 
Queen’s Award for Enterprise Promotion 
for creating ‘environments that favour 
enterprise, specialising in the practical 
aspects of commercialising the results of 
academic research’.

External Appointments:  
David is a Director of Cambridge KT 
Limited, Trustee of Cambridge United 
Charities, Chair of Fitzwilliam Museum 
(Enterprises) Limited, Trustee of The Trinity 
Challenge, a Governor of Coventry 
University Group and Treasurer of the 
César and Celia Milstein Foundation. 

Committee Memberships:  
Audit (Chair) and Remuneration (Member).


Ruth Anderson

Independent Non-Executive Director

Appointment Date: 1 February 2018

Skills and Experience:  
Ruth has over 15 years’ experience in the 
fields of security, intelligence, cyber crime 
and risk management.

She brings to the Board extensive 
experience across defence and law 
enforcement sectors and within financial 
services, developing and implementing 
cyber risk governance frameworks.

Ruth is currently Chief Operating Officer for 
Technology, Security and Data divisions at 
Lloyds Banking Group. She was previously 
a Director of Cyber in the Financial Services 
Department of KPMG. She served as the 
Head of Specialist Operational Support and 
also as the Head of Intelligence at the Child 
Exploitation and Online Protection Centre, 
where she delivered the first-ever strategic 
threat assessment on child abuse in the 
online environment.

Prior to this, Ruth served in intelligence 
and security in the British Army.

External Appointments:  
Halifax Share Dealing Limited.

Committee Memberships: 
Audit (Member), Remuneration (Member) 
and Nomination (Member).

Tara Cemlyn-Jones

Independent Non-Executive Director

Appointment Date: 25 May 2021

Skills and Experience:  
Tara has over 30 years’ experience in 
financial services namely in capital 
markets, M&A, strategy and digital 
transformation across many sectors, 
including financial services (banking, 
asset & wealth management, and fintech), 
energy & infrastructure and healthcare. 
Tara was head of M&A at Lastminute.com 
and has held senior positions at 
Schroders, Citigroup and Espirito Santo 
Investment Bank.

External Appointments:  
25x25 Limited.

Committee Memberships: None

Andy Gueritz

Independent Non-Executive Director

Appointment Date: 21 September 2015

Skills and Experience:  
Andy is an experienced Senior Advisor with 
a successful track record in helping clients 
improve and transform their business 
by managing technology better and 
creating new technology-based ventures. 
In recent years, Andy has advised clients 
in a broad range of industries on topics 
such as business/technology strategy 
and investment planning; customer data 
analytics; transformation for innovation 
and agility; performance improvement and 
cost optimisation, and other ways of using 
technology to get and deliver better value. 
Before becoming a consultant, he attained 
Board-level responsibility in a successful 
career in software development and 
systems implementation.

Andy is a Chartered Fellow of the BCS 
(FBCS), Chartered IT Professional (CITP), 
Chartered Engineer (C.Eng), Fellow of 
the IET (FIET), and a European Engineer 
registered at FEANI.

He holds a First Class Honours degree 
in Electrical and Electronic Engineering 
with Computer Science from Queen Mary 
University of London.

External Appointments:  
Sixhills Consulting Limited.

Committee Memberships:  
Audit (Member), Remuneration (Chair) and 
Nomination (Chair).


The Executive board

Tom Ilube CBE

Chief Executive Officer

Appointment Date: 6 March 2014

Skills and Experience:  
Tom is founder and CEO of Crossword. 
Tom served as Chief Information Officer 
of Egg Banking PLC, which at the time 
was a pioneering main market listed 
UK internet bank. Tom chaired the UK 
Government Technology Strategy Board’s 
Network Security Innovation panel. He 
was a member of the High Level Expert 
Group on cyber security at the International 
Telecommunication Union (ITU), a Geneva-
based UN agency. He was awarded a 
Doctor of Science (Honoris Causa) by 
City, University of London, an Honorary 
Doctor of Technology by the University of 
Wolverhampton and was appointed a CBE 
in the 2018 Birthday Honours for services 
to Technology and Philanthropy.

External Appointments:  
Non-Executive Director of WPP plc and 
Chair of the RFU. Director of Iternal 
Limited, Honorary Fellow of St Anne’s 
College, Oxford and of Jesus College, 
Oxford and Chair of the African Gifted 
Foundation.

Committee Memberships: None

Mary Dowd

Chief Financial Officer

Appointment Date: 14 June 2018

Skills and Experience:  
Mary brings over 20 years’ experience of 
working alongside business leaders.

She has demonstrated a track record of 
managing finance teams to ensure timely 
delivery of relevant financial information to 
all stakeholders, providing clear leadership, 
continuous process improvement, and 
excellent communication.

She also brings to Crossword extensive 
experience of working in acquisitive 
businesses and providing transactional 
support.

Mary graduated from University College 
Galway, Ireland and has a postgraduate 
Diploma in Business Studies from the same 
university. She is a Fellow of the Chartered 
Institute of Management Accountants.

External Appointments:  
Trustee at The Groundwork South Trust 
Limited and member of the Audit and Risk 
Committee of the University of Essex.

Committee Memberships: None

Jake Holloway

Chief Product Officer

Skills and Experience:  
Jake has over 30 years of experience 
in technology across a wide range of 
industries and roles – including as CTO 
and Head of Product for two well-known 
software houses, and as CEO/Founder of 
an innovative Online Systems House. In 
his two most recent roles before joining 
Crossword, he was advising Worldpay on 
their separation from RBS, and founded 
Xendpay, a Fintech startup, where he was 
COO.

Jake authored books on project 
management in 2015 and 2016.


Stuart Jubb

Group Managing Director

Skills and Experience:  
Stuart joined Crossword from KPMG 
where he was Associate Director, Defence 
& Security. Prior to that, he was Chief 
Operating Officer of a global consulting 
team of over 200 in KPMG Advisory. Stuart 
spent nine years as an officer in HM Forces, 
after Sandhurst, serving in Afghanistan, 
NATO and elsewhere.

Sean Arrowsmith

Group Sales Director

Skills and Experience:  
Sean has over 20 years’ sales experience in 
cyber/information security and technology.

He was previously Group Sales Director 
at IRM Limited, the World Class Centre 
in Cyber Security of Altran Technologies 
SA, the global innovation and engineering 
consulting firm.

Here, Sean was accountable for revenue 
target achievement across all of IRM’s 
business streams including consulting, 
software and training.

Prior to that, Sean was responsible for 
leading consulting sales at Siemens Insight 
Consulting.


The Advisory board

Alison Dyer 

Professor David Stupples

Naina Bhattacharya 

Chair of the Advisory Board

Advisory Board Member

Advisory Board Member

Skills and Experience:  
Naina Bhattacharya is Global Chief 
Information Security Officer at Danone S.A., 
the multinational food product corporation 
with over 100,000 staff in 120 countries. 
She is responsible for delivering the 
cyber security vision and roadmap for the 
company. Prior to Danone, she worked in 
consulting and had the privilege of working 
on complex cyber security and data privacy 
projects across multiple companies in 
several industries. She is passionate about 
diversity and inclusion with a specific 
interest in increasing the representation of 
women in technology. Naina holds a BEng 
in Computer Science from BITS, Pilani, 
India and a post-graduation in management 
from the Indian School of Business in 
Hyderabad.

Skills and Experience:  
Alison Dyer joined ASOS.com in August 
2022 as CISO. Prior to this, Alison was 
CISO at URENCO, a global supplier of 
enrichment services and fuel cycle 
products. Alison was responsible for all 
aspects of their information and cyber 
security, covering both information and 
operational technology.

Alison has also held the position of Director 
of GlaxoSmithKline’s (GSK) global cyber 
security programme, where she led 
multiple strategic delivery workstreams 
including security technology, governance, 
culture, third party management and 
operational technology security. Alison 
holds a BEng in Mechanical Engineering 
from Imperial College, London and an 
MSc in Information Security from Royal 
Holloway University.

Skills and Experience:  
David is currently Director of the Centre 
for Cyber and Security Sciences at City 
University London. In his early career, he 
was employed as an engineer in signals 
intelligence in the Royal Air Force followed 
by a period of intensive research into 
surveillance systems at the Royal Signal 
and Radar Establishment, Malvern. He 
spent three years developing highly secure 
communications for surveillance satellites 
for Hughes Aircraft Corporation in the United 
States of America. Later, he became a senior 
partner with PA Consulting Group where 
he undertook surveillance and intelligence 
systems research for Ministry of Defence 
(Navy) and was responsible for consultancy 
in secure communications and surveillance 
systems for world-wide clients.

Since 2003, David has been researching 
internet security at City University focused 
on cyber terrorism and organized cyber 
crime for both the UK government and 
commercial companies. However, he 
still maintains an active interest in radar 
surveillance research. Professor Stupples is 
a member of the Defence Scientific Advisory 
Council (DSAC), the Defence Procurement 
Agency’s Independent Advisory Board 
on Systems Integration, and he consults 
worldwide in cyber intelligence. 

Corporate Governance Report

CHAIR’S INTRODUCTION 
The Directors acknowledge the importance of high standards 
of corporate governance and have adopted the principles set 
out in the Quoted Companies Alliance Corporate Governance 
Code for Small and Mid-Size Quoted Companies (the ‘QCA 
Code’) 2018, given the Group’s size and the constitution of the 
Board. The QCA Code sets out a standard of minimum best 
practice for small and mid-size quoted companies, particularly 
AIM companies.

The Chair and the Board accept the importance and 
responsibility of setting good corporate culture, values and 
behaviours. The Board also acknowledges its responsibility 
in delivering the long-term success of the Company for the 
benefit of shareholders and other stakeholders.

This Corporate Governance Report describes how the 
Company has applied the principles and standards set out 
in the Code during the year and, to the extent it has not done 
so, any deviations from them. It is the Board’s view that the 
Company has complied with all of the provisions of the Code 
during the year ended 31 December 2022.

1: ESTABLISH A STRATEGY AND 
BUSINESS MODEL WHICH PROMOTE 
LONG-TERM VALUE FOR SHAREHOLDERS

The Company’s Strategic Report is on pages 3 to 30 of this 
report.

Crossword’s vision is to partner with organisations to keep 
them secure in the digital world. The Group reduces cyber 
risks for their clients by providing a portfolio of innovative 
products and services, powered by university and other 
research-driven insights.

Crossword offers a range of cyber security solutions to help 
companies understand and reduce cyber security risk. We 
do this through a combination of people and technology, in 
the form of SaaS and software products, consulting, and 
managed services. Crossword’s areas of emphasis are cyber 
security strategy and risk, supply chain cyber, threat detection 
and response, and digital identity with recurring revenue 
models in these four areas. We work with UK universities and 
our products and services are often powered by academic 
research-driven insights. In the area of cybersecurity strategy 
and risk our consulting services include cyber maturity 
assessments, industry certifications, and virtual chief 
information security officer (vCISO) managed services. 

Crossword’s end-to-end supply chain cyber standard 
operating model (SCC SOM) is supported by our best-selling 
SaaS platform, Rizikon Assurance, along with cost-effective 
cyber audits, security testing services and complete managed 
services for supply chain cyber risk management. Threat 
detection and response services include our Nightingale 
AI-based network monitoring, our Trillion™ and Arc breached 
credentials tracking platforms, and incident response. 
Crossword’s work in digital identity is based on the World 
Wide Web Consortium W3C verifiable credentials standard 
and our current solution, Identiproof, enables secure digital 
verification of individuals to prevent fraud. 

Crossword serves medium and large clients including FTSE 
100, FTSE 250 and S&P listed companies in various sectors, 
such as defence, insurance, investment and retail banks, 
private equity, education, technology and manufacturing and 
has offices in the UK, Poland, Oman and Singapore. Crossword 
is traded on the AIM market of the London Stock Exchange.

Where appropriate, Crossword will transfer the IP to separate 
companies in which it will retain a commercial interest. So far, 
Crossword has been instrumental in the development of two 
such companies, ByzGen Limited and CyberOwl Limited.

2: SEEK TO UNDERSTAND AND 
MEET SHAREHOLDER NEEDS AND 
EXPECTATIONS

Crossword is committed to engaging with its shareholders 
to ensure that its strategy, business model and performance 
are clearly understood. The Company communicates with 
shareholders and potential investors through a variety of 
channels, including webinars, regular financial reporting, 
direct contact with its major shareholders and release of 
regulatory announcements, which are available on its website.

Regulatory announcements include details of the Company’s 
website and the relevant contact at the Company, as well as 
its professional advisors.

The Annual General Meeting (AGM) provides another 
opportunity for dialogue between shareholders and the Board. 
The Chair of the Board and of the Committees, together with 
other Directors, routinely attend the AGM and are available to 
answer questions raised by the shareholders. At the meeting, 
for each vote, the number of proxy votes received for, against and 
withheld is announced.

The results of the AGM are subsequently published on the 
Company’s website and released via a regulatory information 
service provider.

A range of corporate information, including all Company 
announcements, is also available to shareholders, investors 
and the public on the Company’s corporate website,  
www.crosswordcybersecurity.com

3: TAKE INTO ACCOUNT WIDER 
STAKEHOLDER AND SOCIAL 
RESPONSIBILITIES AND THEIR 
IMPLICATIONS FOR LONG-TERM 
SUCCESS

Crossword considers its relationships with internal and 
external stakeholders. Apart from our shareholders, our most 
important stakeholder groups are our employees, our clients 
and partners. The Board is regularly updated on stakeholder 
feedback and their potential impact on our business to enable 
them to understand and consider the feedback in decision-
making. The Board understands that maintaining the support 
of all its stakeholders is paramount for the long-term success 
of the Company.

Employees

Crossword aims to provide an environment which will attract, 
retain and motivate its team. The Company has a growing number 
of permanent staff employed across the UK, Poland, Oman and 
Singapore. Employee engagement with the senior management, 
who pride themselves on their availability and flexibility, is frequent 
through daily discussions and meetings. Staff are encouraged 
to give regular feedback in relation to their needs, interests and 
expectations on away days, general discussions or one-to-one 
meetings with their line managers. These can then be addressed 
at the fortnightly management meeting to all senior members of 
the team where further actions will be discussed. Furthermore, 
the team engages in a bi-weekly call where staff are able to 
communicate with all levels of the team across all jurisdictions.

Crossword reviews its processes and policies, which are guided by 
our values of Responsibility, Openness, Learning and Flexibility, to 
make continuous improvements for its staff. 

The Company has developed its induction programme for new staff, 
engages with employees to maintain its culture and values and 
expected behaviours, performs exit interviews in the event people 
decide to leave the business, and follow-up interviews with new 
employees.

Crossword is supportive of career development of its employees 
and provides training programmes and Masters degree 
opportunities where appropriate.

Crossword’s clients and partners

Crossword develops mutually beneficial commercial relationships 
with companies to support sourcing and commercialising cyber 
security intellectual property originating from university and 
other research projects and evaluating and exploiting routes to 
distributing and reselling its products. Crossword recognises that 
the establishment of a close working relationship with its partners 
is essential for its long-term success.

Crossword maintains its relationship with its partners through 
regular meetings, mutual understanding and aligned objectives. 
Feedback from partners is communicated to the relevant teams 
and the Board as appropriate.

Crossword interacts closely with its clients to understand the 
cyber issues organisations are facing, in order to support clients 
and help them to reduce cyber risks. Crossword provides a 
portfolio of innovative products and services, aimed at addressing 
risks clients have identified.

Social responsibility

Crossword partners with charities in both the UK and Poland. 
Crossword employees propose and vote on which charity they 
would like to support. Previously, work has been undertaken to 
help a charity local to the London office in their efforts to support 
the homeless and lead them to independence and also a national 
mental health charity. In Poland, Crossword is supporting one 
of the largest, most recognisable and effective social schemes 
in Poland which implements and develops a system of smart, 
personalised aid that is unique in the world.

4: EMBED EFFECTIVE RISK 
MANAGEMENT, CONSIDERING BOTH 
OPPORTUNITIES AND THREATS, 
THROUGHOUT THE ORGANISATION

Audit, risk and internal control

Financial controls  
The Group has an established framework of internal financial 
controls, the effectiveness of which is regularly reviewed by  
the Executive Management, the Audit Committee and the Board, 
in light of an ongoing assessment of significant risks facing  
the Group.

•  The Board is ultimately responsible for the effectiveness 
  of the Group’s system of internal controls. Its key strategy 
  has been to establish financial reporting procedures that 
  provide the Board of Directors with a reasonable basis upon 
  which to make judgements as to the financial position and 
  prospects of the Group. Executive Directors and Non-Executive 
  Directors have been appointed by the Board to assist with the 
  implementation of this strategy and report progress to the Board.

•  The Audit Committee has the primary responsibility for 
  monitoring the quality of internal controls to ensure that the 
  financial performance of the Group is properly measured and 
  reported on. It receives and reviews reports from the Group’s 
  management and external auditors relating to the interim 
  and annual accounts and the accounting and internal control 
  systems in use throughout the Group. The Audit Committee 
  meets not less than three times in each financial year and 
  has unrestricted access to the Group’s external auditors.

•  Regular budgeting and forecasting is conducted to monitor 
  the Group’s ongoing cash requirements and cash flow 
  forecasts are circulated to the Board.

•  The Group has a Risk Register which identifies the potential 
  possibility and impact of risks associated with the Group 
  and allocates an owner to mitigate each risk. The Risk 
  Register is updated by the Chief Financial Officer and 
  reviewed by the Executive, the Audit Committee and the 
  Board.

Non-financial controls  
The Board has ultimate responsibility for the Group’s system 
of internal control and for reviewing its effectiveness. 
However, any such system of internal control can provide 
only reasonable, but not absolute, assurance against material 
misstatement or loss. The Board considers that the internal 
controls in place are appropriate for the size, complexity and 
risk profile of the Group. The principal elements of the Group’s 
internal control system include:

•  Close management of the day-to-day activities of the Group 
  by the Executive Directors;

•  An organisational structure with defined levels of 
  responsibility, which promotes entrepreneurial decision-making 
  and rapid implementation whilst minimising risks;

•  Central control over key areas such as capital expenditure 
  authorisation and banking facilities;

•  A comprehensive annual budgeting process producing a 
  detailed integrated profit and loss, balance sheet and cash 
  flow, which is approved by the Board; and

•  Detailed monthly reporting of performance against budget.

The Group continues to review its system of internal control to 
ensure compliance with best practice, whilst also having regard 
to its size and the resources available.

Standards and policies

The Board is committed to maintaining appropriate standards 
for all the Group’s business activities and ensuring that these 
standards are set out in written policies. Key examples of such 
standards and policies include:

•  Anti-bribery and Corruption Policy

•  Information Security Policy

•  Data Protection Policy

•  Share Dealing Code.

All policies are documented and senior managers and Directors are 
responsible for monitoring the compliance with these policies.

Approval process

An approvals matrix exists and is published on the Company’s 
intranet to ensure clear and appropriate levels of authority across 
the business.

5: MAINTAINING THE BOARD AS  
A WELL-FUNCTIONING, BALANCED  
TEAM, LED BY THE CHAIR

Composition, qualification and independence of the board

The Board comprises six Non-Executive and two Executive 
Directors. The names and responsibilities of the current 
Directors, together with their biographical details, are set out on 
pages 32 to 37.

37.5% of the Board are female. 62.5% of the Board are male.

The Board considers each of the Non-Executive Directors 
to be independent in character and judgement. Two of the 
Non-Executive Directors do not meet the strict criteria for 
independence set out in the QCA Code, due to their participation 
in the Company’s share option arrangements, as part of their 
remuneration arrangements.

The Board considers that the ownership of shares and 
participation in the Company’s share options to certain of the 
Non-Executive Directors encourages the alignment of their 
interests with those of the Company’s shareholders and are not 
material enough to compromise their independence, character 
and judgement.

Therefore, the Company considers all Non-Executive Directors 
to be independent for the purposes of the QCA Code.

The Non-Executive Directors provide independent, robust 
and constructive challenge to the Executive Management and 
monitor the performance of the management team in delivering 
the agreed objectives.

All Directors have disclosed their other significant commitments 
and confirmed that they have sufficient time to discharge their 
duties effectively.

Appointment and tenure

The Board makes decisions regarding the appointment and 
removal of Directors and there is a formal, rigorous and 
transparent procedure for appointments, some of which has 
been delegated to the Nomination Committee. Appointments 
are made on merit, taking account of the balance of skills, 
experience and knowledge required.

The Company’s Articles of Association require that all Directors 
retire by rotation at regular intervals and that any new 
Directors appointed during the year must stand for election at 
the AGM immediately following their appointment. 

6: ENSURE THAT, BETWEEN THEM, THE 
DIRECTORS HAVE THE NECESSARY 
UP-TO-DATE EXPERIENCE, SKILLS AND 
CAPABILITIES

The Board believes that its composition brings a desirable 
range of skills and experience to address the Group’s 
challenges and opportunities, while at the same time ensuring 
that no individuals or a small group of individuals can dominate 
the Board’s decision-making.

The current Board, although considered to have a sufficient 
level of skills in all areas of the business, is always looking 
to improve and further its knowledge of the industry. All 
Directors receive regular and timely information on the Group’s 
operational and financial performance and on technical issues.

An Advisory Board exists to advise and support the main 
Board. The Advisory Board is not a formal Committee of the 
Company’s Board. The Advisory Board considers specific cyber 
security projects that the Company is interested in and shares its 
views on them, ranging from technical innovation, engineering 
complexity, business viability, attractiveness to partners and 
investors and any other observations that the Advisory Board 
has. It also considers and shares thoughts on major trends in 
cyber security that the Company may want to engage in and 
shares its views on the trends that the Company believes are 
important.

Induction

Upon appointment, all Directors are provided with training 
in respect of their legal, regulatory and governance 
responsibilities and obligations, in accordance with the UK 
regulatory regime.

The induction includes face-to-face meetings with Executive 
Management and site visits to orientate and familiarise the new 
Directors with the Company’s industry, organisation, business, 
strategy, commercial objectives and key risks.

The Board is kept up to date on legal, regulatory and 
governance matters at Board meetings. Additional training is 
available on request, where appropriate, so that Directors can 
update their skills and knowledge as applicable.

Independent advice

All Directors are able to take independent professional advice 
in the furtherance of their duties, if necessary, at the Company’s 
expense. In addition, the Directors have direct access to the 
advice and services of the Company Secretary and Chief 
Financial Officer.

7: EVALUATE BOARD PERFORMANCE 
BASED ON CLEAR AND RELEVANT 
OBJECTIVES, SEEKING CONTINUOUS 
IMPROVEMENT

Board effectiveness review

The Board undertook a further evaluation of its performance 
during the financial year and has continued throughout 
the year to measure progress against the recommendations 
resulting from the Board evaluation and will continue to assess 
its effectiveness in implementing new processes to achieve 
the recommendations. Furthermore, the Board conducted an 
evaluation in January 2023 to assess current performance 
and the progress made against the key focus areas. The 
Nomination Committee and Board were satisfied that previous 
recommendations and focus areas had been implemented and 
were being continually assessed.

The Nomination Committee will regularly review the structure, 
size and composition (including the skills, knowledge, 
independence, experience and diversity) of the Board and make 
recommendations concerning plans for succession for both 
Executive and Non-Executive Directors and in particular for the 
key roles of Chair and Chief Executive Officer.

8: PROMOTE A CORPORATE CULTURE 
THAT IS BASED ON ETHICAL VALUES AND 
BEHAVIOURS

The Board is committed to promoting a strong ethical and 
values-driven culture throughout the Company and has a 
people-oriented ethos where hard work and commitment 
are recognised. The Company has articulated its values as 
Responsibility, Openness, Learning and Flexibility, and develops 
its values and expected behaviours on an ongoing basis.

Crossword also recognises that employees will have interests 
outside work and consequently supports flexibility around these 
interests.

Further details on how the board monitors and assesses the 
state of the corporate culture are included in the Directors’ 
Report.

9: MAINTAIN GOVERNANCE STRUCTURES 
AND PROCESSES THAT ARE FIT FOR 
PURPOSE AND SUPPORT GOOD 
DECISION-MAKING BY THE BOARD

The role of the Board

The Board is responsible for the long-term success and 
strategic leadership of the Group. It is responsible for reviewing, 
formulating and approving the strategy of the Group and its 
subsidiaries, corporate actions and overseeing the Group’s 
progress towards its goals. In addition, it also approves the 
annual and interim results and monitors the exposure to key 
business risks. The Board’s full responsibilities are set out in a 
schedule of matters reserved for the Board.

The matters reserved for the attention of the Board include:

•  The approval of interim and annual financial statements, 
  dividends and significant changes in accounting practices;

•  Review of bi-monthly financial statements;

•  Board membership, reviewed by NOMAD, and powers 
  including the appointment and removal of Board members, 
  determining the terms of reference of the Board and 
  establishing the overall control framework;

•  AIM-related issues including the approval of communications 
to the London Stock Exchange and communications with 
  shareholders will be dealt with by the Market Disclosure 
  Committee and reviewed by the NOMAD, or delegated by the 
  Board to the Executive Directors;

•  Senior management, remuneration, contracts, and the 
  grant of share options will be addressed by the 
  Remuneration Committee;

•  Key commercial matters where the financial commitment is 
  in excess of £50,000 per annum;

•  Taking of loans or other credit;

•  Financial matters including the approval of the budget 
  and financial plans and performance against such plans and 
  budgets;

•  Approval of the appointment of the current period auditor, 
  year-end audited statutory accounts and audit-related 
  queries addressed by the Audit Committee;

•  Risk management review;

•  Changes to the Company’s capital structure, its business 
  strategy, acquisitions and disposals of businesses, and  
  capital expenditures outside of budget approval; and

•  Other matters including, but not limited to, health and safety 
  policy, insurance and legal compliance.

Role of the Chair and Chief Executive Officer

There is a clear division of responsibility at the head of the 
Company. The Chair is responsible for running the business 
of the Board and for ensuring appropriate strategic focus and 
direction, whilst the Chief Executive Officer is responsible for 
proposing the strategic focus to the Board, implementing it once 
approved, and overseeing the management of the Company 
through the Executive Management. The Chief Executive Officer 
is also responsible for communicating with shareholders, 
assisted by the Chief Financial Officer. This separation of 
responsibilities is clearly defined and agreed by the Board.

Board and Committee meetings

The Board meets at least six times each year, in accordance 
with its scheduled meeting calendar (these may be 
supplemented by additional meetings as and when required) to 
review, formulate and approve the Group’s strategy, budgets, 
corporate actions and oversee the Group’s progress towards 
its goals. At each meeting, the Board considers a number of 
matters, which include technical, operational, financial, risk and 
corporate governance reports, in addition to an update from its 
Committees, where applicable.

Any Director can challenge proposals, and decisions are taken 
democratically after discussion. Any Director who feels that any 
concern remains unresolved after discussion may ask for that 
concern to be noted in the minutes of the meeting, which are 
then circulated to all Directors. Specific actions arising from 
such meetings are agreed by the Board or relevant committee 
and then followed up by Management.

The Group has established an Audit Committee, a Remuneration 
Committee, and a Nomination Committee, each with formally 
delegated duties and responsibilities outlined within terms of 
reference reviewed and approved by the Board on an annual 
basis.

From time to time, separate committees may be set up by the 
Board to consider specific issues when the need arises.

The Board and its Committees are supported by the Company 
Secretary, who ensures that the Board receives regular and 
timely information ahead of each meeting. A formal agenda 
is produced for each meeting and the Company Secretary 
distributes papers several days before meetings take place to 
provide the Board with sufficient time to consider the matters 
to be discussed. Each Committee has access to such resources, 
information and advice as it deems necessary, at the cost of the 
Company, to enable it to discharge its duties.

The table below sets out the attendance record of individual 
Directors at the scheduled and unscheduled Board meetings 
held during the year:

| Name | Board Meetings | Audit | Nomination | Remuneration |
|---|---|---|---|---|
| Richard Dearlove | 5/6 | – | – | – |
| Tom Ilube | 6/6 | – | – | – |
| Andy Gueritz | 6/6 | 2/2 | 2/2 | 2/3 |
| Ruth Anderson | 6/6 | 1/2 | 2/2 | 3/3 |
| David Secher | 6/6 | 2/2 | – | 3/3 |
| Mary Dowd | 6/6 | – | – | – |
| Tara Cemlyn Jones | 5/6 | – | – | – |
| Robert Coles* | 6/6 | 1/1 | 2/2 | – |

*  Robert Coles was appointed to the Audit Committee during the year.

PRINCIPLE 10: COMMUNICATE HOW THE COMPANY IS GOVERNED AND IS 
PERFORMING BY MAINTAINING A DIALOGUE WITH SHAREHOLDERS AND OTHER 
RELEVANT STAKEHOLDERS

The Board attaches considerable importance to the maintenance of constructive relationships with shareholders and its other 
stakeholders.

As mentioned above, the Company communicates with shareholders through the Annual Report and accounts, full-year and half-
year results announcements, the AGM and one-to-one meetings with large existing or potential new shareholders. The Company 
regularly releases regulatory and other announcements covering operational and corporate matters.

A range of corporate information (including all Company announcements) is also available to shareholders, investors and the public 
on the Company’s corporate website, www.crosswordcybersecurity.com including:

•  Our Articles of Association and admission document;

•  A detailed account of how we have applied the principles  
  of the QCA Code;

•  Latest Crossword Cybersecurity news and press releases; 
  and

•  Annual and Interim Reports.

The Board receives regular updates on the views of shareholders through briefings from the Chief Executive Officer, Chief Financial 
Officer and the Company’s brokers.

SIR RICHARD DEARLOVE KCMG OBE 
Chair 

18 April 2023

AUDIT COMMITTEE REPORT

I am pleased to present the Committee’s report for the year 
ended 31 December 2022. The following pages provide an 
insight into how the Committee discharged its responsibilities 
during the year and the key topics that it considered in doing so.

The role of the Audit Committee is to monitor the integrity of the 
Group’s Financial Statements, including its annual and half-
yearly reports and any other formal statements relating to its 
financial performance. It monitors and reviews the effectiveness 
of the Group’s system of internal financial control systems that 
identify, assess, manage and monitor financial risks, and other 
internal control and risk management systems.

Committee membership and governance

The Audit Committee is comprised of four independent Non-
Executive Directors, currently David Secher, Ruth Anderson, 
Andrew Gueritz and Robert Coles. David Secher, Chair of the 
Committee, is considered by the Board to have recent and 
relevant financial experience and the Committee as a whole 
has competence relevant to the sector in which the Company 
operates. At the request of the Chair of the Committee, the Chief 
Executive Officer, Chief Financial Officer and other members 
of the senior management team may also be invited to attend 
meetings as guests.

The Audit Committee aims to meet twice in each financial year 
and has unrestricted access to the Group’s external Auditor. 
The Committee works to a planned programme of activities 
focused on key events in the annual financial reporting cycle 
and standing items that it considers regularly under its Terms of 
Reference.

Principal activities during the year

The Committee held two meetings during the year under review 
and considered the following:

•  The external Auditor’s 2021 year-end audit report and opinion;

•  The Company’s Report for the financial year ended  
  31 December 2021 and the related results announcements 
  and the Half-Yearly Report to 30 June 2022;

•  Evaluation of the performance of the external Auditor 
  including their independence, objectivity and the effectiveness 
  of the audit process;

•  The re-appointment of MHA MacIntyre Hudson as the external 
  Auditor for the Company;

•  The Committee’s Terms of Reference; and

•  The Company’s Risk Register as well as the internal controls  
  and risk management systems in place.

The Committee is planning the following activities 
during 2023:

•  Review the Company’s procedures, systems and controls for 
  the prevention of bribery or fraud;

•  Review the adequacy and security of the Company’s 
  arrangements for its employees to raise concerns, in 
  confidence, about possible wrongdoing in financial 
  reporting or other matters. The Committee shall ensure 
  that these arrangements allow proportionate and 
  independent investigation of such matters and appropriate 
  follow-up action;

•  Review and approve the FY23 external Auditor’s plan, 
  including the proposed materiality threshold, the scope of 
  the audit, the significant audit risks and fees;

•  Review the Committee’s internal audit role, in the absence of 
  an external provider of an internal audit service; and

•  Risk – review and challenge the Risk Register, and consider 
  the risk appetite of the business.

The Committee members’ attendance at meetings during the 
year is set out on page 43.

External Auditor

MHA MacIntyre Hudson has been the external Auditor of 
the Group since 2014. The continued appointment of MHA 
MacIntyre Hudson is reviewed by the Committee each year, 
taking into account the relevant legislation, guidance and best 
practice appropriate for a Company of Crossword’s size, nature 
and stage of development.

The Committee considers a number of areas when reviewing 
the external Auditor appointment, namely its performance 
in discharging the audit, the scope of the audit and terms 
of engagement, its independence and objectivity, and its 
reappointment and remuneration.

The breakdown of fees between audit and non-audit services 
paid to MHA MacIntyre Hudson during the financial year 
is set out in Note 10 to the Group’s Consolidated Financial 
Statements. The non-audit fees relate to tax advice. Following 
implementation of the Revised Ethical Standard by MHA 
MacIntyre Hudson, non-audit services have ceased.

Internal audit

The Audit Committee presently considers it appropriate that 
the Group uses the audit committee to undertake the internal 
audit function. This is due to the effectiveness of the Group’s 
internal financial control systems that identify, assess, manage 
and monitor financial risks, and other internal control and 
risk management systems, and the close involvement of the 
Executive Directors and senior management on a day-to-day 
operational basis. However, the need for an internal audit 
function will be kept under review by the Audit Committee on 
behalf of the Board.

DAVID SECHER 
Chair, Audit Committee 

18 April 2023

NOMINATION COMMITTEE REPORT

The Nomination Committee is responsible for reviewing 
the composition of the Board taking into account the skills, 
experience and diversity of the Directors in light of the 
challenges and opportunities facing the Company and makes 
recommendations for the appointment and reappointment of 
Board members.

Committee membership and governance

The Nomination Committee is chaired by Andrew Gueritz and 
its other members are Ruth Anderson and Robert Coles. Under 
the Committee’s Terms of Reference, the Committee is required 
to meet at least twice in each financial year and must comprise 
of at least three members, two of whom must be independent 
Non-Executive Directors. The Committee held two meetings 
during the year.

The Committee members’ attendance at meetings during 2022 
is set out on page 43.

Board effectiveness review

In compliance with the QCA Code, the Board undertook an 
evaluation of its performance in January 2022. The evaluation 
was conducted by way of a questionnaire designed to assess 
the effectiveness of the Board, the Directors and the Chair, 
as well as the Board’s Committees and identify any areas for 
improvement.

The results of the evaluation were presented to the Board for 
review in early April 2022 and revealed no significant concerns 
amongst Directors about the effectiveness of the Board.
Actions arising from recommendations to further improve 
the effectiveness of the Board are being implemented and 
include the review of succession plans for key members of 
management and Board members.

Diversity

The Company has not adopted a formal policy on diversity 
and, therefore, has no measurable objectives to disclose. 
Appointments, including appointments to the Board and senior 
management positions, are made on merit, taking account of 
the balance of skills and experience required.

Key areas of focus for 2023:

•  Review the time committed to the development of individual 
  Directors and the Board as a whole;

•  Review succession plans for both Executive and  
  Non-Executive Directors and, in particular, for the key roles 
  of Chair and Chief Executive Officer; and

•  Conduct a further internal evaluation of the Board, its 
  Committees and individual Directors, to assess 

improvements in the key focus areas, using questionnaires.

ANDREW GUERITZ 
Chair, Nomination Committee

18 April 2023

REMUNERATION COMMITTEE REPORT

The Remuneration Committee is responsible for determining 
and agreeing with the Board the framework or broad policy 
for the remuneration of all Executive Directors, the Chair of 
the Board, including pension rights and any compensation 
payments, and such other members of the senior management 
as it is designated to consider. In addition, the Committee makes 
recommendations to the Board on proposals for the granting 
of share options and other equity incentives, pursuant to any 
employee share option scheme or equity incentive plans in 
operation from time to time.

Committee membership and governance

The Remuneration Committee is a formal committee of the 
Board and has powers delegated to it under the Articles of 
Association. Its remit is set out in Terms of Reference formally 
adopted by the Board, which are reviewed annually.

The Remuneration Committee is currently comprised of Andrew 
Gueritz (as Chair), David Secher and Ruth Anderson. The 
Committee meets at least once in each financial year and held 
three meetings during the year.

The Committee members’ attendance at meetings during the 
year is set out on page 43.

Letters of appointment, service contracts and termination

Tom Ilube (Chief Executive Officer)

Tom Ilube is appointed as Chief Executive Officer under an 
Executive service contract dated 1 April 2014 (as amended). 
The employment commenced on 1 April 2014 and will continue 
unless terminated by either party giving 12 months’ written 
notice. The Company may terminate the contract without notice 
(or with payment in lieu of notice) if, inter alia, Tom is guilty of 
gross misconduct, commits a serious breach of the employment 
contract, commits a criminal offence, is declared bankrupt or 
becomes of unsound mind. The Company may, after giving or 
receiving notice of termination, immediately end the employee’s 
employment and make payment in lieu of salary with no other 
benefit for the remaining period of notice.

Mary Dowd (Chief Financial Officer)

Mary Dowd is employed as Chief Financial Officer under an 
employee service contract dated 10 May 2018.

The employment commenced on 16 May 2018 and will continue 
unless terminated by either party giving six months’ written 
notice. The Company may terminate the contract on shorter 
notice if the employee is absent from work for an extended 
period through sickness or injury and may terminate without 
notice (or with payment in lieu of notice) if, inter alia, Mary is 
guilty of gross misconduct, commits a serious breach of the 
employment contract, commits a criminal offence, is declared 
bankrupt or becomes of unsound mind. The Company may, after 
giving or receiving notice of termination, 
immediately end the employee’s employment and make 
payment in lieu of salary with no other benefit for the remaining 
period of notice. Following termination of employment, Mary 
is subject to certain restrictions for a period of six months, 
including a restriction on dealing with the Company’s 
customers and suppliers and from working for a competing 
business.

Non-Executive Directors

All Non-Executive Directors, including the Chair, serve on the 
basis of letters of appointment which are terminable by three 
months’ written notice and are available for inspection at the 
Company’s registered office. Subject to continued satisfactory 
performance, the Board does not think it appropriate at this 
time to limit the term of appointment of the Non-Executive 
Directors.

The Executive Directors’ service contracts are also available for 
inspection at the Company’s registered office.

The remuneration of the Directors who served in the current 
year was as follows:


| | Basic Salary and Fees £ | Bonus £ | Taxable Benefits £ | Employer’s Pension Contribution £ | Total £ |
|---|---|---|---|---|---|
| Executive Directors | | | | | |
| Tom Ilube* | 130,000 | – | 3,926 | 1,321 | 135,247 |
| Mary Dowd | 140,000 | 10,000 | 2,216 | 10,000 | 162,216 |
| Non-Executive Directors | | | | | |
| Sir Richard Dearlove | 25,000 | – | 25,000 | – | 50,000 |
| Ruth Anderson | 12,000 | – | – | – | 12,000 |
| Andy Gueritz | 16,000 | – | – | – | 16,000 |
| Dr David Secher | 16,000 | – | – | – | 16,000 |
| Robert Coles | 12,000 | – | – | – | 12,000 |
| Tara Cemlyn-Jones | 12,000 | – | – | – | 12,000 |
| Total | 362,999 | 10,000 | 31,142 | 11,321 | 415,462 |

Directors’ shareholdings and share interests
The table below sets out the Directors’ interests in the ordinary shares of the Company as at 31 December 2022. There have been no 
changes in the current Directors’ interests in shares or options granted by the Company between the end of the financial year and 
18 April 2023.

| Name | Number of Issued Ordinary Shares | % of Issued Shares |
|---|---|---|
| Tom Ilube* | 14,560,250 | 15.76% |
| Dr David Secher | 263,650 | 0.29% |

*  Tom Ilube’s shareholding is made up of 12,255,810 shares held by him personally and 1,304,440 held by Share Nominees Limited on his behalf. 


SHARE OPTION AND INCENTIVISATION ARRANGEMENTS

The Board considers employee share ownership to be an important part of its strategy for employee incentivisation and retention. 
The Group has established share option programmes that entitle certain employees to purchase shares in the Company. These 
were issued in July 2014, November 2014, July 2015, December 2015, January 2016, June 2016, September 2016, June 2017, 
January 2018, May 2018, July 2018, October 2018, June 2019, November 2019, June 2020, October 2020, August 2021, 
November 2021 and March 2022. There are no performance conditions attaching to these options, other than for awards made under
the Long-Term Incentive Plan issued in November 2021.

The Directors hold the following shares under option:

| Name | Number of Ordinary Shares under option | Exercise Price | Date of grant | Vesting Conditions | Expiry Date |
| --- | --- | --- | --- | --- | --- |
| Sir Richard Dearlove | 131,580 | 19p | 03/10/2016 | 1 | 03/10/2026 |
| Sir Richard Dearlove | 67,570 | 37p | 25/05/2018 | 1 | 25/05/2028 |
| Sir Richard Dearlove | 45,870 | 54.5p | 04/06/2019 | 1 | 04/06/2029 |
| Sir Richard Dearlove | 52,080 | 48p | 28/11/2019 | 1 | 28/11/2029 |
| Sir Richard Dearlove | 94,340 | 26.5p | 16/10/2020 | 1 | 16/10/2030 |
| Sir Richard Dearlove | 70,423 | 35.5p | 10/08/2021 | 1 | 10/08/2031 |
| Dr David Secher | 150,000 | 5.4p | 18/07/2014 | 1 | 17/07/2024 |
| Mary Dowd | 79,360 | 31.5p | 24/10/2018 | 1 | 24/10/2028 |
| Mary Dowd | 100,000 | 54.5p | 04/06/2019 | 1 | 04/06/2029 |
| Mary Dowd | 25,000 | 30.5p | 18/06/2020 | 1 | 18/06/2030 |

(1) Option Shares to vest in three equal tranches on the first, second and third anniversary of the date of grant.

In addition, the Company has issued 1,036,790 options to members of staff and up to 3,000,000 share options to Executives.

EMI SHARE OPTION PLAN

The Company has established an enterprise management incentive share option plan under scheme rules dated 21 May 2014 (‘EMI 
Option Plan’) for the purposes of recruiting and retaining its staff. The Company may grant an Option intended to be a qualifying option 
under the Income Tax (Earnings and Pensions) Act 2003 (‘ITEPA 2003’) (‘EMI Option’) to any eligible employee it chooses, subject to 
the limitations and conditions of the EMI Option Plan. EMI Options may not be granted where prohibited by law or any corporate 
governance code which applies to the Company or after the tenth anniversary of the date of the EMI Option Plan.

Long-Term Incentive Plan

During 2021, the Company implemented a Long-Term Incentive Plan (LTIP) whereby awards were made to the following Executives
– Mary Dowd, Stuart Jubb, Jake Holloway and Sean Arrowsmith. Each award is of nominal cost (0.5p) options to acquire up to 750,000
Crossword ordinary shares of 0.5p each which vest at the average mid-market price of the Ordinary Shares over the 20 trading days 
preceding the end of the performance period which ends on 30 September 2024. 25% of the options will vest if the Award Price is 50p, 
and 100% will vest if the Award Price is equal to or greater than 100p, with straight-line vesting between 50p and 100p. 

ANDREW GUERITZ 
Chair, Remuneration Committee 
18 April 2023

Directors’ Report & Statement of 
Directors’ Responsibilities 

DIRECTORS’ REPORT

This Directors’ Report includes the information required 
to be included under the Companies Act 2006 or, where 
provided elsewhere, an appropriate cross-reference is given. 
The Corporate Governance Report approved by the Board is 
provided on pages 32 to 53 and incorporated by reference into 
this Directors’ Report.

Principal activity, review of the business and future 
developments

Crossword Cybersecurity PLC (08927013) is a public company, 
limited by shares, incorporated in the United Kingdom under 
the Companies Act, with operations in the UK, Poland, Oman 
and Singapore. Its shares are traded on AIM, a sub-market of 
the London Stock Exchange (‘AIM’).

Crossword offers a range of cyber security solutions to help 
companies understand and reduce cyber security risk. We 
do this through a combination of people and technology, in 
the form of SaaS and software products, consulting, and 
managed services. Crossword’s areas of emphasis are 
cyber security strategy and risk, supply chain cyber, threat 
detection and response, and digital identity and the aim is to 
build up a portfolio of cyber security products and services 
with recurring revenue models in these four areas. We work 
with UK universities and our products and services are often 
powered by academic research-driven insights. In the area 
of cybersecurity strategy and risk our consulting services 
include cyber maturity assessments, industry certifications, 
and virtual chief information security officer (vCISO) managed 
services. 

Crossword’s end-to-end supply chain cyber standard 
operating model (SCC SOM) is supported by our best-selling 
SaaS platform, Rizikon Assurance, along with cost-effective 
cyber audits, security testing services and complete managed 
services for supply chain cyber risk management. Threat 
detection and response services include our Nightingale AI-
based network monitoring, Nixer to protect against application 
layer DDoS attacks, our Trillion™ and Arc breached 
credentials tracking platforms, and incident response. 
Crossword’s work in digital identity is based on the World 
Wide Web Consortium W3C verifiable credentials standard 
and our current solution, Identiproof, enables secure digital 
verification of individuals to prevent fraud. 

Crossword serves medium and large clients including FTSE
100, FTSE 250 and S&P listed companies in various sectors,
such as defence, insurance, investment and retail banks,
private equity, education, technology and manufacturing and
has offices in the UK, Poland, Oman and Singapore. Crossword
is traded on the AIM market of the London Stock Exchange.

More details on the strategy, nature of the Group’s operations 
and future developments are set out in the Strategic Report 
on page 3.

Share capital and rights attaching to the shares

The number of shares in issue as at the date of publication 
of this report was 93,717,641 (31 December 2021: 74,957,150 
ordinary shares of 0.5 pence) ordinary shares of 0.5 pence, 
each with one vote.

In accordance with applicable laws and the Company’s 
Articles of Association, holders of ordinary shares are entitled 
to:

•  Receive shareholder documentation including the notice  
  of any general meeting;

•  Attend, speak and exercise voting rights at general 
  meetings, either in person or by proxy; and

•  A dividend, where declared and paid out of profits available 
for such purposes. On a return of capital on a winding up, 
  holders of ordinary shares are entitled to participate in such 
  a return.

Articles of Association

The Company’s Articles of Association can only be amended 
by special resolution and are available at  
www.crosswordcybersecurity.com

Engagement with employees

Crossword aims to provide an environment which will attract, 
retain and motivate its team. The Company has a growing 
number of permanent staff employed across the UK, Poland, 
Oman and Singapore. Employee engagement with the senior 
management, who pride themselves on their availability and 
flexibility, is frequent through daily discussions and meetings. 
Staff are encouraged to give regular feedback in relation to 
their needs, interests and expectations on away days, general 
discussions or one-to-one meetings with their line managers. 
These can then be addressed at the fortnightly management 
meeting to all senior members of the team where further 
actions will be discussed. Furthermore, the team engages in 
a bi-weekly call where staff are able to communicate with all 
levels of the team across all jurisdictions.

Crossword reviews its processes and policies, which are 
guided by our values of Responsibility, Openness, Learning 
and Flexibility, to make continuous improvements for its staff. 


The Company has developed its induction programme for 
new staff, engages with employees to maintain its culture and 
values and expected behaviours, performs exit interviews in 
the event people decide to leave the business, and follow-up 
interviews with new employees.

Crossword is supportive of career development of its 
employees and provides training programmes and Masters 
degree opportunities where appropriate. 

With the continuing growth in staff numbers, the Directors 
recognise the need to ensure excellence in engagement 
with employees. Regular staff away days take place and
engagement surveys are undertaken, with feedback from staff
forming a prioritised action plan.

Included was an action to ensure that the Company’s culture 
is maintained during its growth. To this effect, a project to 
define the Company’s culture was started. At the end of this 
project, the Company was in a position to state its values and 
expected behaviours. The values were shared with all staff at 
an away day in February 2020.

Engagement with charities was an action from an away day.
Crossword partners with charities both in the UK and Poland.
Crossword employees propose and vote on which charity they
would like to support. Previously, work has been undertaken
to help a charity local to the London office in their efforts to
support the homeless and lead them to independence and
also a national mental health charity. In Poland, Crossword is
supporting one of the largest, most recognisable and effective
social schemes in Poland which implements and develops a
system of smart, personalised aid that is unique in the world.

More details are available on page 26.

Sustainability and climate change

The Group is not required to disclose climate-
related financial information and does not need to comply
with SECR. However, the Directors take their responsibilities 
relating to the environment seriously and aim to minimise the 
impact of the Company’s activities on the environment.

The key points of their strategy to achieve this are:

•  Minimise waste by evaluating operations and ensuring they
  are as efficient as possible;

•  Minimise toxic emissions through the selection and use of
  its power requirement;

•  Actively promote recycling;

•  Source and promote a product range to minimise the
  environmental impact of both production and distribution;
  and

•  Meet or exceed all the environmental legislation that relates
  to the Company.

Powers of Directors

The Directors may exercise powers subject to applicable
legislation and regulations and the Company’s Articles of
Association. The Directors in office at the date of this Annual
Report are shown on pages 32 to 34.

Directors’ conflict of interest

The Board may authorise, to the fullest extent permitted by
law, any matter which, if not so authorised, would or may
result in a Director infringing their duty to avoid a situation in
which they can have a direct or indirect interest that conflicts,
or possibly may conflict, with the interests of the Company
and which may reasonably be regarded as likely to give rise to
a conflict of interest.

The Company has effective procedures in place to monitor and
deal with conflicts of interest. The Board is aware of the other
commitments and interests of its Directors, and changes to
these commitments and interests are reported to and, where
appropriate, agreed with the rest of the Board.

Directors’ insurance and indemnity

The Group maintains Directors’ and Officers’ liability insurance
which gives appropriate cover for any legal action brought
against its Directors. In accordance with Section 234 of
the Companies Act 2006, qualifying third-party indemnity
provisions are in place for the Directors in respect of liabilities
incurred as a result of their office to the extent permitted by
law.

Purchase of own shares

The Company has not acquired any of its own shares in the
period to 31 December 2022, nor in the period up to the date
of approval of this Annual Report.

Subsequent events

There are no events after the reporting date to be disclosed.

Dividend

The Directors do not intend that the Company will declare a
dividend in the near term, but instead channel the available
cash resources into funding the expansion of the Group. The
Board intends to commence the payment of dividends only
when it becomes commercially prudent to do so, having
regard to the Group’s earnings, financial position, cash
requirements and availability of distributable profits, as well
as the provisions of relevant laws and/or generally accepted
accounting principles from time to time.

Political donations

No political donations have been made during this financial
year.

Principal shareholder

Tom Ilube is the Company’s principal shareholder, holding a 
total of 14,560,250 ordinary shares, representing 15.76% of 
the voting rights attached to the current issued share capital 
of the Company. Of the 14,560,250 shares held, 12,255,810
shares are held by Tom Ilube and 1,304,440 are held by Share
Nominees Limited.

Annual General Meeting

The Annual General Meeting of the Company will be held on 
11 May 2023 at 3.00 pm at the offices of Shakespeare
Martineau LLP, 6th Floor, 60 Gracechurch Street, London EC3V 
0HR. The Notice of Meeting will be available to view on the 
Company’s website in advance of that meeting.

Approval of Directors’ Report

This Directors’ Report, including the Corporate Governance 
Statement and Strategic Report, was approved for and on 
behalf of the Board on 18 April 2023.

STATEMENT OF DIRECTORS’ 
RESPONSIBILITIES IN RESPECT OF THE 
ANNUAL REPORT AND THE FINANCIAL 
STATEMENTS

The Directors are responsible for preparing the Annual Report 
and the financial statements in accordance with applicable law 
and regulations.

Company law requires the Directors to prepare financial 
statements for each financial year. Under that law, the 
Directors have elected to prepare the consolidated and parent 
company financial statements in accordance with International 
Accounting Standards as adopted in the United Kingdom (“UK 
adopted IFRS”). Under Company law, the Directors must not 
approve the financial statements unless they are satisfied that 
they give a true and fair view of the state of affairs and profit 
or loss of the Group and parent company for that period. In 
preparing the financial statements, the Directors are required 
to:

•  Select suitable accounting policies and then apply them 
  consistently;

•  Make judgements and accounting estimates that are
  reasonable and prudent;

•  State whether applicable UK adopted IFRS has been
  followed, subject to any material departures disclosed and
  explained in the financial statements; and

•  Prepare the financial statements on the going concern
  basis, unless it is inappropriate to presume that the Group
  and parent company will continue in business.

The Directors are responsible for keeping adequate
accounting records that are sufficient to show and explain the
Group and parent company’s transactions and disclose with
reasonable accuracy at any time the financial position of the
Group and parent company and enable them to ensure that
the financial statements and the Directors’ Remuneration
Report comply with the Companies Act 2006. They are also
responsible for safeguarding the assets of the Group and
parent company and, hence, for taking reasonable steps for
the prevention and detection of fraud and other irregularities.

The Directors are responsible for the maintenance and
integrity of the parent company’s website. Legislation in the
United Kingdom governing the preparation and dissemination
of financial statements may differ from legislation in other
jurisdictions.

Responsibility Statement of the Directors in respect of
the Annual Report and Accounts

The Directors consider that the Annual Report and accounts,
taken as a whole, is fair, balanced and understandable and
provides the information necessary for shareholders to assess
the Group and parent company’s position, performance,
business model and strategy.

Each of the Directors, whose names and functions are listed in
the Corporate Governance Section confirm to the best of our
knowledge, that:

•  The parent company and Group financial statements,
  prepared in accordance with International Financial
  Reporting Standards in conformity with the requirements
  of the Companies Act 2006, give a true and fair view of the
  assets, liabilities, financial position and profit or loss of the
  Company and the undertakings included in the
  consolidation as a whole;

•  The Annual Report includes a fair review of the
  development and performance of the business and the
  position of the Company and the undertakings included in
  the consolidation taken as a whole, together with a
  description of the principal risks and uncertainties that they
  face;

•  The Annual Report and accounts, taken as a whole, is fair,
  balanced and understandable and provides the information
  necessary for the shareholders to assess the Group and
  parent company’s position, performance, business model
  and strategy; and

•  The Strategic Report includes a fair review of the
  development and performance of the business and the
  position of the Group and parent company, together with
  a description of the principal risks and uncertainties that it
  faces.

DISCLOSURE OF INFORMATION TO THE
AUDITOR

We, the Directors of the Company who held office at the date
of approval of these financial statements as set out above,
each confirm, so far as we are aware, that:

•  There is no relevant audit information of which the
  Company’s Auditor is unaware; and

•  We have taken all the steps that we ought to have taken as
  Directors in order to make ourselves aware of any relevant
  audit information and to establish that the Company’s
  Auditor is aware of that information.

This Statement of Responsibilities and the Directors’ Report
were approved by the Board on 18 April 2023.

TOM ILUBE
Chief Executive Officer
18 April 2023

Crossword Cybersecurity PLC
60 Gracechurch Street,
London EC3V 0HR

e: info@crosswordcybersecurity.com
twitter: @crosswordcyber

t: +44 (0)333 090 2587

Financial Statements  


Independent auditor’s report

to the members of Crossword Cybersecurity plc

For the purpose of this report, the terms “we” and “our” denote MHA MacIntyre Hudson in relation to UK legal, professional and 
regulatory responsibilities and reporting obligations to the members of Crossword Cybersecurity plc. For the purposes of the table on 
pages 58 to 59 that sets out the key audit matters and how our audit addressed the key audit matters, the terms “we” and “our” refer 
to MHA MacIntyre Hudson. The Group financial statements, as defined below, consolidate the accounts of Crossword Cybersecurity plc 
and its subsidiaries (the “Group”). The “Parent Company” is defined as Crossword Cybersecurity plc, as an individual entity. The relevant 
legislation governing the Company is the United Kingdom Companies Act 2006 (“Companies Act 2006”).

Opinion 

We have audited the financial statements of Crossword Cybersecurity plc for the year ended 31 December 2022. 

The financial statements that we have audited comprise:

•  the Consolidated Statement of Comprehensive Income;

•  the Statements of Financial Position;

•  the Statements of Changes in Equity;

•  the Statements of Cash Flows; and

•  Notes 1 to 32 to the financial statements, including significant accounting policies.

The financial reporting framework that has been applied in the preparation of the Group and Parent Company’s financial statements is 
applicable law and UK adopted International Financial Reporting Standards (“UK adopted IFRS”).

In our opinion, the financial statements: 

•  give a true and fair view of the state of the Group’s and of the Parent Company’s affairs as at 31 December 2022 and of the Group’s
  loss for the year then ended;

•  have been properly prepared in accordance with UK adopted International Financial Reporting Standards (“UK adopted IFRS”); and

•  have been prepared in accordance with the requirements of the Companies Act 2006.

Our opinion is consistent with our reporting to the Audit Committee.

Basis for opinion

We conducted our audit in accordance with International Standards on Auditing (UK) (ISAs (UK)) and applicable law. Our responsibilities 
under those standards are further described in the Auditor’s Responsibilities for the Audit of the Financial Statements section of our 
report. We are independent of the Group in accordance with the ethical requirements that are relevant to our audit of the financial 
statements in the UK, including the FRC’s Ethical Standard as applied to listed entities, and we have fulfilled our ethical responsibilities 
in accordance with those requirements. We believe that the audit evidence we have obtained is sufficient and appropriate to provide a 
basis for our opinion.

Material uncertainty relating to going concern 

We draw your attention to note 1.3 of the financial statements which indicates that, for the Group and Parent to continue as a going concern,
they will require fundraising in 2023 to support the cash flow requirement of the Group’s business model and aims for growth. As stated
in note 1.3, these events or conditions, along with the other matters as set forth in note 1.3 indicate that a material uncertainty exists 
that may cast significant doubt on the Group and Parent Company’s ability to continue as a going concern. Our opinion is not modified in 
respect of this matter. 

In auditing the financial statements, we have concluded that the Directors’ use of the going concern basis of accounting in the preparation of the
financial statements is appropriate.


Our evaluation of the Directors’ assessment of the Group’s and the Parent Company’s ability to continue to adopt the going concern 
basis of accounting included:

•  The consideration of inherent risks to the Group’s and the Parent Company’s operations and specifically their business model;

•  The evaluation of how those risks might impact on the available financial resources; 

•  Where additional resources may be required, the reasonableness and practicality of the assumptions made by the Directors when
  assessing the probability and likelihood of those resources becoming available;

•  Liquidity considerations including examination of cash flow projections at Group and Parent Company level; and

•  The evaluation of the base case scenarios and stress scenarios, in respect of the Group and the Parent Company, and the respective
  sensitivities and rationale.

Our responsibilities and the responsibilities of the directors with respect to going concern are described in the relevant sections of this 
report.

Overview of our audit approach

Materiality

|  | 2022 | 2021 | Basis |
| --- | --- | --- | --- |
| Group | £150,000 | £100,000 | 2% (2021: 2%) of aggregate of cost of sales and administrative expenses. |
| Parent company | £87,250 | £99,000 | 2% (2021: 2%) of aggregate of cost of sales and administrative expenses. |

Key Audit Matters
In addition to the matters described in the basis for qualified opinion and in the material uncertainty about going concern sections, we
have determined the matters described below to be key audit matters to be communicated in our report.

Recurring

•  Valuation of investment and non-current loans to its subsidiaries.

Recurring Parent

•  Impairment of goodwill and intangible assets.

The scope of our audit 

Our audit was scoped by obtaining an understanding of the Company and its environment, including the Company’s system of internal 
control, and assessing the risks of material misstatement in the financial statements.  We also addressed the risk of management 
override of internal controls, including assessing whether there was evidence of bias by the directors that may have represented a risk 
of material misstatement.


Key Audit Matters 

Key Audit Matters are those matters that, in our professional judgement, were of most significance in our audit of the financial 
statements of the current period and include the most significant assessed risks of material misstatement (whether or not due to fraud) 
that we identified. These matters included those matters which had the greatest effect on: the overall audit strategy; the allocation of 
resources in the audit; and directing the efforts of the engagement team. These matters were addressed in the context of our audit of 
the financial statements as a whole, and in forming our opinion thereon, and we do not provide a separate opinion on these matters.

Valuation of investment and non-current loans to its subsidiaries

Key audit matter description

The Parent Company makes non-interest-bearing loans available to its subsidiaries Crossword Consulting
Limited and Stega UK Limited through a mix of debt finance and loans. The investment and loans owed to
the Parent Company have been subject to an impairment review to determine whether an expected credit
loss provision is required. As no interest is charged on these loans then a notional interest is assumed to be
embedded in the principal amount of the loan which is computed and treated as a further capital contribution
by the Parent Company in its subsidiaries.

How the scope of our audit responded to the key audit matter

Our audit work included, but was not restricted to the following:

•  Challenged management’s allocation of the financing arrangement between a capital contribution and
  loans in the subsidiaries.

•  Challenged management’s assessment of expected credit losses.

•  Benchmarked the discount rate used in management’s assessment.

•  Reviewed and checked management’s amortised cost calculations.

•  Considered management’s assessment of the strategy options which the Parent Company would pursue
  in recovering the amounts due from the subsidiaries.

•  Reviewed management’s assessment as to the impairment of the Parent Company’s investment in its
  subsidiaries.

•  Ensured that the disclosures in the financial statements are adequate.

Key observations

We concluded that the financing arrangement at Parent Company level was correctly classified between
capital contribution and loans due from its subsidiaries and that the carrying amounts exceeded the
recoverable amounts and no impairment was required of these non-current assets at the Parent Company
level.


Valuation of intangibles and goodwill

Key audit matter description

There is a risk that the fair value of goodwill arising on investments made by the Group, or intangible assets
exceed their recoverable amount and may therefore need to be impaired.

Management prepares a detailed impairment assessment, taking into consideration:

•  current year developments relating to each intangible;

•  expected useful lives of the intangible;

•  completion of forecasts for all subsidiaries taking into account growth and discount rates.

We draw attention to note x to the financial statements which describes the judgements and estimates used
by management to estimate the recoverable amount of the Group’s Cash Generating Units. Our opinion is
not modified in respect of this matter.

How the scope of our audit responded to the key audit matter

Our audit work included, but was not restricted to the following:

•  Reviewed the mathematical accuracy of the value in use calculation to identify any computational errors
  that may have fed into the forecasts;

•  Reviewed and challenged the calculations to ensure pre-tax weighted average cost of capital and pre-tax
  cash flows had been used in accordance with IAS 36;

•  We have reviewed, with the help of our internal valuation expert, the determination of the discount
  rate applied in the value in use calculation and considered whether it is reasonable in the Group’s
  circumstances;

•  Reviewed the growth assumptions used by management and compared them to actual results in 2022
  and previous forecasts prepared by management in the past;

•  Performed sensitivity analysis to understand which of the key judgements were resulting in the most
  significant change to the calculations;

•  Challenged management whether the inputs into the impairment assessment are reasonable and
  accurate based on supporting evidence;

•  Assessed any evidence of management bias in selecting key assumptions and assessed the impact of
  changes in the model vs. the assumptions used in previous periods.

Key observations

Based on the audit procedures performed, we noted that the recoverability of the intangible assets and
goodwill is heavily reliant upon future growth to be sustained for several years. Based upon the growth
achieved in the 12 months to 31 December 2022 this does not appear unreasonable but this is a key
judgement. We concluded that based upon the evidence received there is enough supporting evidence to
conclude that the growth plans appear reasonable and no impairment is required in respect of the intangible
assets and goodwill as at 31 December 2022.

Our application of materiality

Our definition of materiality considers the value of error or omission on the financial statements that, individually or in aggregate, would 
change or influence the economic decision of a reasonably knowledgeable user of those financial statements.  Misstatements below 
these levels will not necessarily be evaluated as immaterial as we also take account of the nature of identified misstatements, and the 
particular circumstances of their occurrence, when evaluating their effect on the financial statements as a whole. Materiality is used in 
planning the scope of our work, executing that work and evaluating the results. 

Overall Materiality

Group: £150,000 (2021: £100,000)
Parent Company: £87,250 (2021: £99,000)

Basis of determining overall materiality

Group:
We determined materiality based on 2% (2021: 2%) of the Group’s aggregate cost of sales and
administrative expenses.
We have considered the primary users of the financial statements to be shareholders, loan note
holders, management, and banks.
This was deemed to be the most appropriate metric for materiality as this is primarily what the users of
the financial statements are concerned with.

Parent Company:
We determined materiality based on 2% (2021: 2%) of the Company’s aggregate cost of sales and
administrative expenses.
We have considered the primary users of the financial statements to be shareholders, loan note
holders, management, and banks.
This was deemed to be the most appropriate metric for materiality as this is primarily what the users of
the financial statements are concerned with.

Performance materiality

Group: £105,000 (2021: £85,000)
Parent Company: £61,075 (2021: £84,150)

Basis of determining overall performance materiality

Group:
We set performance materiality based on 70% (2021: 85%) of overall materiality.
Performance materiality is the application of materiality at the individual account or balance level,
set at an amount to reduce, to an appropriately low level, the probability that the aggregate of
uncorrected and undetected misstatements exceeds materiality for the financial statements as a whole.
The determination of performance materiality reflects our assessment of the risk of undetected errors
existing, the nature of the systems and controls and the level of misstatements arising in previous audits.

Parent Company:
We set performance materiality based on 70% (2021: 85%) of overall materiality.
Performance materiality is the application of materiality at the individual account or balance level,
set at an amount to reduce, to an appropriately low level, the probability that the aggregate of
uncorrected and undetected misstatements exceeds materiality for the financial statements as a whole.
The determination of performance materiality reflects our assessment of the risk of undetected errors
existing, the nature of the systems and controls and the level of misstatements arising in previous audits.

Error reporting threshold

Group:
We agreed to report any corrected or uncorrected adjustments exceeding £7,500 (2021: £5,000) to the
Audit Committee as well as differences below this threshold that in our view warranted reporting on
qualitative grounds.

Parent Company:
We agreed to report any corrected or uncorrected adjustments exceeding £4,363 (2021: £4,950) to the
Audit Committee as well as differences below this threshold that in our view warranted reporting on
qualitative grounds.


How we tailored the audit scope

Our assessment of audit risk, evaluation of materiality and our determination of performance materiality sets our audit scope for 
each company within the Group. Taken together, this enables us to form an opinion on the consolidated financial statements. This 
assessment takes into account the size, risk profile, organisation / distribution and effectiveness of group-wide controls, changes in the 
business environment and other factors such as recent internal audit results when assessing the level of work to be performed at each 
component.

In assessing the risk of material misstatement to the consolidated financial statements, and to ensure we had adequate quantitative and 
qualitative coverage of significant accounts in the consolidated financial statements, we scoped the 7 reporting components of the group as follows:

Full scope audits – 3 entities were subject to a full scope audit. These entities were selected based upon their size or risk 
characteristics.

Specified audit procedures – 3 entities were subject to specified audit procedures. These procedures have been determined based on 
the size and nature of the balances.

1 entity remains dormant during the year.

Our audit scoping coverage for the key balances is summarised in the charts below:

[Charts: audit scoping coverage by key balance. Legend: Full scope; Specified audit procedures]
Cost of sales administrative costs: 8.9%, 91.1%
Loss before tax: -5.6%, 105.6%
Gross assets: 8.6%, 91.4%


The control environment

We evaluated the design and implementation of those internal controls of the Group, including the Parent Company, which are relevant 
to our audit, such as those relating to the financial reporting cycle. We performed control testing over the purchase and payroll cycles. 

Reporting on other information 

The other information comprises the information included in the annual report other than the financial statements and our auditor’s 
report thereon. The directors are responsible for the other information contained within the annual report. Our opinion on the financial 
statements does not cover the other information and, except to the extent otherwise explicitly stated in our report, we do not express 
any form of assurance conclusion thereon. Our responsibility is to read the other information and, in doing so, consider whether the 
other information is materially inconsistent with the financial statements or our knowledge obtained in the course of the audit, or 
otherwise appears to be materially misstated. If we identify such material inconsistencies or apparent material misstatements, we are 
required to determine whether this gives rise to a material misstatement in the financial statements themselves. If, based on the work 
we have performed, we conclude that there is a material misstatement of this other information, we are required to report that fact.  We 
have nothing to report in this regard.

Strategic report and directors’ report 

In our opinion, based on the work undertaken in the course of the audit: 

•  the information given in the strategic report and the directors’ report for the financial year for which the financial statements are 
prepared is consistent with the financial statements; and 

•  the strategic report and the directors’ report have been prepared in accordance with applicable legal requirements. 

In the light of the knowledge and understanding of the Group and the Parent Company and their environment obtained in the course of 
the audit, we have not identified material misstatements in the strategic report or the directors’ report. 

Matters on which we are required to report by exception

We have nothing to report in respect of the following matters in relation to which the Companies Act 2006 requires us to report to you if, 
in our opinion: 

•  adequate accounting records have not been kept by the Parent Company, or returns adequate for our audit have not been received 
by branches not visited by us; or 

•  the Parent Company financial statements are not in agreement with the accounting records and returns; or 

•  certain disclosures of directors’ remuneration specified by law are not made; or

•  we have not received all the information and explanations we require for our audit.

Responsibilities of directors  

As explained more fully in the directors’ responsibilities statement, the directors are responsible for the preparation of the financial 
statements and for being satisfied that they give a true and fair view, and for such internal control as the directors determine is 
necessary to enable the preparation of financial statements that are free from material misstatement, whether due to fraud or error.  

In preparing the financial statements, the directors are responsible for assessing the Group’s and the Parent Company’s ability to 
continue as a going concern, disclosing, as applicable, matters related to going concern and using the going concern basis of accounting 
unless the directors either intend to liquidate the Group or Parent Company or to cease operations, or have no realistic alternative but 
to do so.  


Auditor responsibilities for the audit of the financial statements 

Our objectives are to obtain reasonable assurance about whether the financial statements as a whole are free from material 
misstatement, whether due to fraud or error, and to issue an auditor’s report that includes our opinion. Reasonable assurance is a 
high level of assurance but is not a guarantee that an audit conducted in accordance with ISAs (UK) will always detect a material 
misstatement when it exists.

Misstatements can arise from fraud or error and are considered material if, individually or in aggregate, they could reasonably be 
expected to influence the economic decisions of users taken on the basis of these financial statements. 

A further description of our responsibilities for the financial statements is located on the FRC’s website at:  
www.frc.org.uk/auditorsresponsibilities. This description forms part of our auditor’s report.  

Extent to which the audit was considered capable of detecting irregularities, including fraud

Irregularities, including fraud, are instances of non-compliance with laws and regulations. We design procedures in line with our 
responsibilities, outlined above, to detect material misstatements in respect of irregularities, including fraud.

These audit procedures were designed to provide reasonable assurance that the financial statements were free from fraud or error. The 
risk of not detecting a material misstatement due to fraud is higher than the risk of not detecting one resulting from error and detecting 
irregularities that result from fraud is inherently more difficult than detecting those that result from error, as fraud may involve 
collusion, deliberate concealment, forgery or intentional misrepresentations. Also, the further removed non-compliance with laws and 
regulations is from events and transactions reflected in the financial statements, the less likely we would become aware of it.

Identifying and assessing potential risks arising from irregularities, including fraud

The extent of the procedures undertaken to identify and assess the risks of material misstatement in respect of irregularities, including 
fraud, included the following:


•  We considered the nature of the industry and sector, the control environment, business performance including remuneration 
policies and the Group’s, including the Parent Company’s, own risk assessment that irregularities might occur as a result of fraud 
or error. From our sector experience and through discussion with the directors, we obtained an understanding of the legal and 
regulatory frameworks applicable to the Group focusing on laws and regulations that could reasonably be expected to have a direct 
material effect on the financial statements, such as provisions of the Companies Act 2006, UK tax legislation or those that had a 
fundamental effect on the operations of the Group including the regulatory and supervisory requirements of the AIM regulations.

•  We enquired of the directors and management including the audit committee concerning the Group’s and the Parent Company’s 
policies and procedures relating to:

-  identifying, evaluating and complying with the laws and regulations and whether they were aware of any instances of 
non-compliance;

-  detecting and responding to the risks of fraud and whether they had any knowledge of actual or suspected fraud; and

-  the internal controls established to mitigate risks related to fraud or non-compliance with laws and regulations.

•  We assessed the susceptibility of the financial statements to material misstatement, including how fraud might occur by evaluating 
management’s incentives and opportunities for manipulation of the financial statements. This included utilising the spectrum of 
inherent risk and an evaluation of the risk of management override of controls. We determined that the principal risks were related 
to posting inappropriate journal entries to increase revenue or reduce costs, creating fictitious transactions to hide losses or to 
improve financial performance, and management bias in accounting estimates. 

Audit response to risks identified

In respect of the above procedures:

•  we corroborated the results of our enquiries through our review of the minutes of the Group’s and the Parent Company’s board 
meetings; 

•  audit procedures performed by the engagement team in connection with the risks identified included:

-  reviewing financial statement disclosures and testing to supporting documentation to assess compliance with applicable laws 
and regulations expected to have a direct impact on the financial statements.

-  testing journal entries, including those processed late for financial statements preparation, those posted by infrequent or 
unexpected users, those posted to unusual account combinations;

-  evaluating the business rationale of significant transactions outside the normal course of business, and reviewing accounting 
estimates for bias;

-  enquiry of management around actual and potential litigation and claims.

-  challenging the assumptions and judgements made by management in its significant accounting estimates, and 

-  obtaining confirmations from third parties to confirm existence of a sample of balances. 

•  we communicated relevant laws and regulations and potential fraud risks to all engagement team members, including experts, and 
remained alert to any indications of fraud or non-compliance with laws and regulations throughout the audit.

Use of our report 

This report is made solely to the Parent Company’s members, as a body, in accordance with Chapter 3 of Part 16 of the Companies Act 
2006. Our audit work has been undertaken so that we might state to the Parent Company’s members those matters we are required 
to state to them in an auditor’s report and for no other purpose. To the fullest extent permitted by law, we do not accept or assume 
responsibility to anyone other than the Parent Company and the Parent Company’s members as a body, for our audit work, for this 
report, or for the opinions we have formed. 

Andrew Moyser FCA FCCA 
(Senior Statutory Auditor) 
for and on behalf of MHA MacIntyre Hudson, Statutory Auditor  
London, United Kingdom 
18 April 2023

Consolidated Financial Statements

for Crossword Cybersecurity PLC company number 08927013

CONSOLIDATED STATEMENT OF COMPREHENSIVE INCOME

| | Notes | 12 Months ended 31 December 2022 £ | 12 Months ended 31 December 2021* £ |
| Revenue | 2 | 3,648,000 | 2,171,137 |
| Cost of Sales | 3 | (2,755,662) | (1,631,384) |
| Other income | 6 | 39,814 | 152,347 |
| Gross Profit | | 932,152 | 692,100 |
| Administrative expenses | 3,4 | (4,967,499) | (3,481,809) |
| Other operating expense | 7 | (304,457) | (104,124) |
| Finance income-bank interest income and foreign exchange | | (1,569) | 4,956 |
| Finance costs-other interest expense | 8 | (395,762) | (220,545) |
| Gain on remeasurement of financial assets and liabilities | 9 | 170,283 | 456,803 |
| Loss for the year before taxation | | (4,566,852) | (2,652,619) |
| Tax credit / (expense) | 11 | 1,144,302 | 378,995 |
| Loss for the Year | | (3,422,550) | (2,273,624) |
| Other Comprehensive Income | | | |
| Items that may be reclassified to profit or loss: | | | |
| Foreign exchange translation Gain / (Loss) | | 1,782 | (13,220) |
| Total Other Comprehensive Income | | 1,782 | (13,220) |
| Total Comprehensive Loss | | (3,420,768) | (2,286,844) |
| Loss for the period attributable to: | | | |
| Owners of the parent | | (3,408,149) | (2,229,296) |
| Non-controlling interests | | (14,401) | (44,328) |
| Total Loss for the Year | | (3,422,550) | (2,273,624) |
| Total comprehensive loss for the period attributable to: | | | |
| Owners of the parent | | (3,406,367) | (2,242,516) |
| Non-controlling interests | | (14,401) | (44,328) |
| Total Comprehensive Loss | | (3,420,768) | (2,286,844) |
| Loss Per Share (basic) | 23 | (0.04) | (0.03) |
| Loss Per Share (diluted) | | (0.04) | (0.03) |

All results are derived from continuing operations

* Restated (as per note 1.2)


STATEMENT OF FINANCIAL POSITION AS AT 31 DECEMBER

| | Group 2022 £ | Group 2021 £ | Company 2022 £ | Company 2021 £ |
| Non-Current Assets | | | | |
| Intangible assets | 2,708,423 | 1,103,679 | 2,197,206 | 521,603 |
| Tangible assets | 45,039 | 5,460 | - | - |
| Goodwill | 875,277 | 875,277 | - | - |
| Unlisted investment | 456,834 | 456,834 | 456,834 | 456,834 |
| Investments in subsidiaries | - | - | 1,649,145 | 1,637,518 |
| Intercompany receivable greater than one year | - | - | 1,067,185 | 918,206 |
| Total non-current assets | 4,085,573 | 2,441,250 | 5,370,370 | 3,534,161 |
| Current Assets | | | | |
| Trade and other receivables | 2,078,050 | 1,066,076 | 1,918,525 | 838,622 |
| Current tax receivable | 398,511 | - | 368,393 | - |
| Cash and cash equivalents | 2,077,771 | 3,373,062 | 1,746,530 | 3,106,817 |
| Total current assets | 4,554,332 | 4,439,138 | 4,033,448 | 3,945,439 |
| Total Assets | 8,639,905 | 6,880,388 | 9,403,818 | 7,479,600 |
| EQUITY | | | | |
| Attributable to the owners of the Company | | | | |
| Share Capital | 462,019 | 374,786 | 462,019 | 374,786 |
| Share premium account | 18,534,372 | 14,971,221 | 18,534,372 | 14,971,221 |
| Convertible debt reserve | 195,685 | - | 195,685 | - |
| Equity reserve | 370,762 | 240,310 | 370,762 | 240,310 |
| Retained earnings | (15,235,500) | (11,827,351) | (14,127,624) | (10,800,700) |
| Translation of foreign operations | (13,210) | (14,992) | - | - |
| Attributable to owners of the parent | 4,314,128 | 3,743,974 | 5,435,214 | 4,785,617 |
| Non-controlling interests | (153,527) | (139,127) | - | - |
| Total equity | 4,160,601 | 3,604,847 | 5,435,214 | 4,785,617 |
| LIABILITIES | | | | |
| Current Liabilities | | | | |
| Trade and other payables | 2,456,783 | 1,413,658 | 2,146,775 | 1,049,960 |
| Other current liabilities | 17,000 | 1,368,638 | - | 1,351,471 |
| Total current liabilities | 2,473,783 | 2,782,296 | 2,146,775 | 2,401,431 |
| Long Term Liabilities | | | | |
| Convertible loan notes | 1,329,678 | - | 1,329,678 | - |
| Bank loans | 51,000 | 68,000 | - | - |
| Other non-current liabilities | 624,843 | 425,245 | 492,151 | 292,552 |
| Total long term liabilities | 2,005,521 | 493,245 | 1,821,829 | 292,552 |
| Total Liabilities | 4,479,304 | 3,275,541 | 3,968,604 | 2,693,983 |
| Total Equity & Liabilities | 8,639,905 | 6,880,388 | 9,403,818 | 7,479,600 |

Notes referenced (in statement order): 13, 14, 15, 16, 17; 18; 22, 22; 24; 19, 20; 30; 21

The company’s loss for the year was £3,326,925 (2021: £1,964,825).

The financial statements were approved by the Board and authorised for issue on 18 April 2023. They were signed on its behalf by


STATEMENT OF CHANGES IN EQUITY

Group 2022 (£)

| | Share Capital | Share Premium | Convertible Debt Reserve | Equity Reserve | Retained Earnings | Translation Reserve | Attributable to owners of the parent | Non-controlling interests | Total |
| At 1st January | 374,786 | 14,971,221 | - | 240,310 | (11,827,351) | (14,992) | 3,743,974 | (139,126) | 3,604,848 |
| Issue of shares | 87,233 | 3,750,012 | - | - | - | - | 3,837,245 | - | 3,837,245 |
| Transaction costs | - | (186,861) | - | - | - | - | (186,861) | - | (186,861) |
| Issue of convertible debt | - | - | 195,685 | - | - | - | 195,685 | - | 195,685 |
| Employee share schemes - value of employee services | - | - | - | 130,452 | - | - | 130,452 | - | 130,452 |
| Loss for the period | - | - | - | - | (3,408,149) | - | (3,408,149) | (14,401) | (3,422,550) |
| Other comprehensive loss for the period | - | - | - | - | - | 1,782 | 1,782 | - | 1,782 |
| At 31st December | 462,019 | 18,534,372 | 195,685 | 370,762 | (15,235,500) | (13,210) | 4,314,128 | (153,527) | 4,160,601 |

Group 2021

| | Share Capital | Share Premium | Convertible Debt Reserve | Equity Reserve | Retained Earnings | Translation Reserve | Attributable to owners of the parent | Non-controlling interests | Total |
| At 1st January | 256,605 | 8,518,391 | - | 181,618 | (9,598,056) | (1,772) | (643,214) | (94,799) | (738,013) |
| Issue of shares | 118,181 | 6,770,954 | - | - | - | - | 6,889,135 | - | 6,889,135 |
| Transaction costs | - | (318,124) | - | - | - | - | (318,124) | - | (318,124) |
| Employee share schemes - value of employee services | - | - | - | 58,692 | - | - | 58,692 | - | 58,692 |
| Loss for the period | - | - | - | - | (2,229,296) | - | (2,229,296) | (44,328) | (2,273,624) |
| Other comprehensive loss for the period | - | - | - | - | - | (13,220) | (13,220) | - | (13,220) |
| At 31st December | 374,786 | 14,971,221 | - | 240,310 | (11,827,351) | (14,992) | 3,743,974 | (139,126) | 3,604,847 |

Company 2022 (£)

| | Share Capital | Share Premium | Convertible Debt Reserve | Equity Reserve | Retained Earnings | Translation Reserve | Attributable to owners of the parent | Non-controlling interests | Total |
| At 1st January | 374,786 | 14,971,221 | - | 240,310 | (10,800,699) | - | - | - | 4,785,617 |
| Issue of shares | 87,233 | 3,750,012 | - | - | - | - | - | - | 3,837,245 |
| Transaction costs | - | (186,861) | - | - | - | - | - | - | (186,861) |
| Issue of convertible debt | - | - | 195,685 | - | - | - | - | - | 195,685 |
| Employee share schemes - value of employee services | - | - | - | 130,452 | - | - | - | - | 130,452 |
| Loss for the period | - | - | - | - | (3,326,925) | - | - | - | (3,326,925) |
| At 31st December | 462,019 | 18,534,372 | 195,685 | 370,762 | (14,127,624) | - | - | - | £5,435,214 |

Company 2021

| | Share Capital | Share Premium | Convertible Debt Reserve | Equity Reserve | Retained Earnings | Translation Reserve | Attributable to owners of the parent | Non-controlling interests | Total |
| At 1st January | 256,605 | 8,518,391 | - | 181,618 | (8,835,874) | - | - | - | 120,740 |
| Issue of shares | 118,181 | 6,770,954 | - | - | - | - | - | - | 6,889,135 |
| Transaction costs | - | (318,124) | - | - | - | - | - | - | (318,124) |
| Employee share schemes - value of employee services | - | - | - | 58,692 | - | - | - | - | 58,692 |
| Loss for the period | - | - | - | - | (1,964,825) | - | - | - | (1,964,825) |
| At 31st December | 374,786 | 14,971,221 | - | 240,310 | (10,800,699) | - | - | - | 4,785,617 |


STATEMENT OF CASHFLOWS

| Years | Notes | 12 Months ended 31st December Group 2022 £ | 12 Months ended 31st December Group 2021* £ | 12 Months ended 31st December Company 2022 £ | 12 Months ended 31st December Company 2021* £ |
| Cashflows From Operating Activities | | | | | |
| Loss for the year | | (3,422,550) | (2,273,624) | (3,326,924) | (1,964,825) |
| Movement in trade and other receivables | | (786,642) | (412,005) | (1,649,101) | (837,873) |
| Movement in trade and other payables | | 381,130 | 86,231 | 646,965 | 40,374 |
| Depreciation | 3 | 11,287 | 66,243 | - | 38,392 |
| Amortisation | 3 | 293,170 | 37,881 | 222,310 | 9,931 |
| Finance costs | 8 | 395,762 | 220,545 | 468,084 | 138,742 |
| Gain on remeasurement of financial assets and liabilities | | (170,283) | (456,803) | (365,968) | (456,803) |
| Employee share schemes | 4 | 130,452 | 58,692 | 130,452 | 58,692 |
| Tax (credit) / expense | 11 | (1,144,302) | (378,995) | (423,572) | (206,380) |
| Tax received / (paid) | | 348,662 | 200,984 | 295,763 | 206,380 |
| Net Cashflow from Operating Activities | | (3,963,314) | (2,850,851) | (4,001,990) | (2,973,370) |
| Cashflow From Investing Activities | | | | | |
| Investment in intangible assets | 13 | (203,627) | (183,796) | (203,627) | (183,796) |
| Purchase of tangible assets | 14 | (48,971) | - | - | - |
| Acquisition of subsidiaries, net of cash acquired | | (625,408) | (645,390) | (715,415) | (700,000) |
| Net Cashflow from Investing Activities | | (878,006) | (829,186) | (919,042) | (883,796) |
| Cashflows From Financing Activities | | | | | |
| Proceeds from issue of ordinary shares | | 3,837,245 | 6,639,135 | 3,837,245 | 6,639,135 |
| Share issuance costs | | (186,861) | (318,124) | (186,861) | (318,124) |
| Proceeds from issue of convertible loan notes | | 800,000 | - | 800,000 | - |
| Repayment of convertible loan notes | | (700,000) | - | (700,000) | - |
| Interest paid on convertible loan notes | | (189,640) | (168,000) | (189,640) | (168,000) |
| Other interest paid | | (16,495) | (1,638) | - | (186) |
| Payments for right of use assets | | - | (43,734) | - | (13,507) |
| Net Cash Inflow from Financing Activities | | 3,544,249 | 6,107,639 | 3,560,744 | 6,139,319 |
| Net Increase in Cash & Cash Equivalents | | (1,297,071) | 2,427,602 | (1,360,288) | 2,282,151 |
| Foreign Currency Translation Difference | | 1,780 | (12,881) | - | - |
| Cash and Cash Equivalent at the beginning of the period | | 3,373,062 | 958,341 | 3,106,818 | 824,667 |
| Cash and Cash Equivalent at the end of the period | | 2,077,771 | 3,373,062 | 1,746,530 | 3,106,818 |

* Restated as per Note 1.2

TOM ILUBE
Chief Executive Officer


NOTES TO THE FINANCIAL INFORMATION

1. ACCOUNTING POLICIES
1.1 The Group and its operations
Crossword Cybersecurity plc (the “Company”) is a Company 
incorporated on 6 March 2014 in England and Wales under the 
Companies Act 2006. The Company is the parent company of the 
Crossword Group of Companies focusing on the cybersecurity 
sector. Crossword offers a range of cyber security solutions to 
help companies understand and reduce cyber security risk. We 
do this through a combination of people and technology, in the 
form of SaaS and software products, consulting, and managed 
services.

The financial information includes the results of the Company 
and its subsidiaries (together referred to as the “Group” and 
individually as “Group entities”).

The principal accounting policies applied in the preparation of 
the financial information are set out below. These policies have 
been consistently applied to all the periods presented, unless 
otherwise stated.

1.2 Basis of preparation of financial information
The financial information has been prepared in accordance with 
the requirements of the London Stock Exchange plc AIM Rules 
for Companies and in accordance with International Financial 
Reporting Standards as adopted in the United Kingdom (“UK 
adopted IFRS”) and those parts of the Companies Act 2006 
applicable to companies reporting in accordance with UK adopted 
IFRS.

The financial information has been prepared on the historical 
cost basis. The preparation of financial information in conformity 
with UK adopted IFRS requires the use of certain critical 
accounting estimates. It also requires management to exercise 
its judgement in the process of applying the Group’s accounting 
policies. Changes in assumptions may have a significant impact 
on the financial information in the year the assumptions changed. 
Management believes that the underlying assumptions are 
appropriate. The areas involving a higher degree of judgement 
or complexity, or areas where assumptions and estimates are 
significant to the financial information are disclosed in note 1.22.

Changes in accounting policy and disclosures

During the year the Group has reviewed presentation of 
Gross Margin in the Income Statement to align with general 
principles adopted by Software-as-a-Service industry. The 
costs to be included in Costs of Sales are primarily application 
hosting expenses, customer success and customer service 
costs. Research and Development expenses, which were 
previously included in Costs of Sales, have been reclassified to 
Administrative expenses.

Furthermore, Amortisation and Depreciation have been separated 
from Administrative expenses into Other operating expense 
category. Prior period has been reclassified. 

The Group has revised the treatment of Research and 
development tax credits from the approach where these get 
recorded following the receipt of tax relief to being recognised in 
the period they relate to. Prior year has not been restated.

During the period the Group has changed presentation of 
Research and development tax credits from Other operating 
income to Income tax to reflect the fact that most of the credit 
relates to tax relief for small and medium-sized enterprises.

The following table demonstrates re-classification of 2021 
Consolidated Income Statement:

Consolidated Statement of Comprehensive Income

| 12 Months ended 31 December 2021 | As previously reported £ | Change in Gross Margin calculation £ | Other Operating Expense separate from Admin costs £ | Research and development Tax Credits £ | Restated £ |
| Revenue | 2,171,137 | - | - | - | 2,171,137 |
| Cost of Sales | (1,957,178) | 325,794 | - | - | (1,631,384) |
| Other income | - | 152,347 | | | 152,347 |
| Gross Profit | 213,959 | 478,141 | - | - | 692,100 |
| Administrative expenses | (3,260,139) | (325,794) | 104,124 | - | (3,481,809) |
| Other operating income | 358,727 | (152,347) | - | (206,380) | - |
| Other operating expense | - | - | (104,124) | - | (104,124) |
| Finance income | 4,956 | - | - | - | 4,956 |
| Finance costs-other interest expense | (220,545) | - | - | - | (220,545) |
| Gain on revaluation of financial assets | 456,803 | - | - | - | 456,803 |
| Loss for the year before taxation | (2,446,239) | - | - | (206,380) | (2,652,619) |
| Tax credit / (expense) | 172,615 | - | - | 206,380 | 378,995 |
| Loss for the Year | (2,273,624) | - | - | - | (2,273,624) |

At the year end, the following standards and interpretations which 
have not been applied in these financial statements were in issue 
but not yet effective. The Group is considering their impact but does 
not expect a material effect on the future results of the Group.

New standards, interpretations and amendments effective in 
current period

None of the new standards and amendments to the existing 
standards effective in the current period have been applicable to 
the Group’s consolidated financial statements.

New standards, interpretations and amendments not yet 
effective

The Group adopt early the following amendments to standards 
which are not yet mandatory.

IFRS 17 Insurance Contracts (including the June 2020 
Amendments to IFRS 17, effective from 1 January 2023)

Amendments to IAS 8 Accounting Policies, Changes in 
Accounting Estimates and Errors - Definition of Accounting 
Estimates (effective 1 January 2023).

Amendments to IAS 1 Presentation of Financial Statements and 
IFRS Practice Statement 2: Disclosure of Accounting policies 
(effective 1 January 2023).

Amendments to IAS 12 Income Taxes - Deferred Tax related to 
Assets and Liabilities arising from a Single Transaction (effective 
1 January 2023).

Amendments to IAS 1 Presentation of Financial Statements - 
Classification of Liabilities as Current or Non-current (effective 1 
January 2023).

1.3 Going Concern
The financial information has been prepared on a going concern 
basis. The Group’s business model has been enhanced following 
the two acquisitions in 2021 and a further acquisition in early 
2022. The Group’s operations have incurred a loss in the financial 
year whilst the Group’s products and services continue to be 
enhanced, developed and brought to market. The Directors’ 
forecast in 2023 shows a trading loss with net cash outflows as 
the business continues to develop and enhance its products and 
services and grows revenue. In 2022, the Group’s operations have 
been supported by cash inflows from customers and from the 
issue of £3.6m equity gross during 2022. 

The Directors have considered the Group’s future and forecast 
business and cash requirements. Following the completion of a 
successful fundraise in 2022, the Directors have determined that 
the group wants to continue to expand, while having a clear and 
determined focus on a path to profitability, which is expected to 
require a successful additional fundraise.

On 12 July 2022 holders of £700,000 of loan notes extended 
their loan notes to be repayable 30 June 2025 and two loan note 
holders loaned a further £150,000 to the Company on the above 
terms. In both cases the conversion price was amended to 25.2p.


On 15 July 2022 a further £550,000 of loan notes were issued 
repayable on 14 July 2025, otherwise on the same terms as above 
save that the conversion price is 26.1p.

Currently, £1.5 million of loan notes remain outstanding.

The Directors have concluded that these circumstances could 
give rise to a material uncertainty arising from events or 
conditions that may cast significant doubt on the entity’s ability 
to continue as a going concern if a further fund raise was 
unsuccessful. However, considering recent successful fund raises 
the Directors are confident that they can continue to adopt the 
going concern basis in preparing the financial statements. 

The financial statements do not include any adjustment that may 
arise in the event that the Group is unable to raise finance, realise 
its assets and discharge its liabilities in the normal course of 
business.

1.4 Basis of consolidation
Subsidiaries are fully consolidated from the date on which 
control is transferred to the Group. Control exists when the 
Group has:

•  the power over the investee;

•  exposure, or rights, to variable returns from its involvement 
with the investee;

•  the ability to use its power over the investee to affect the 
amount of the investor’s returns.

All intra-Group transactions, balances, income and expenses are 
eliminated on consolidation. Uniform accounting policies are 
applied by the Group entities to ensure consistency.

1.5 Revenue
Revenue comprises the fair value of consideration received or 
receivable for licence income and the rendering of services in the 
ordinary course of the Group’s activities. Revenue is shown net 
of value added tax and trade discounts. Income is reported as 
follows:

(a)  Licence Income

Technology and product licensing revenue represents 
amounts earned for licenses granted under licensing 
agreements and recognised over time. Revenues relating to 
up-front payments are recognised when the obligations 
related to the revenues have been completed.

Revenues for maintenance and support services are 
recognised in the accounting periods in which the services  
are rendered.

(b)  Rendering of Services

Services relate to implementation and deployment fees for 
the technology and products licensed to customers. Revenue 
is recognised in the accounting periods in which the services 
are rendered.

(c)  Consulting

Consulting revenue is recognised when the performance 
obligation is met, primarily at a point of time.  Contracts are 
structured to support the revenue recognition process by 
stating what the objectives and deliverables are for each part 
of the project, and the revenue attributable to each 
deliverable. 

(d)  Software Engineering Services

Revenues for software engineering services are recognised in 
the accounting periods in which the services are rendered.

Contract balances

Contract related balances comprise contract assets and 
contract liabilities.

Contract assets – are recognised when services are transferred 
to customers before consideration is received or before the 
Group has an unconditional right to payment for performance 
completed to date. Contract assets are subsequently transferred 
to receivables when the right of payment becomes unconditional. 

Contract liabilities – are recognised when amounts are received 
from customers in advance of transfer of goods or services. 
Contract liabilities are subsequently recognised in revenue as or 
when the Group performs under contracts. 

1.6 Functional and presentation currency
The presentation currency of the Group is pounds sterling (GBP). 
The functional currency of the Company is pounds sterling. The 
functional currency of the Company’s Polish subsidiary is Polish 
Zloty (PLN).

1.7 Business combinations
The acquisition of subsidiaries is accounted for using the 
acquisition method. The cost of the acquisition is measured as 
the aggregate of the fair values, at the date of exchange, of assets 
given, liabilities incurred or assumed, and equity instruments 
issued by the Group in exchange for control of the acquiree. 
Acquisition related costs are recognised in the income statement 
as incurred.

Any contingent consideration to be transferred by the Group 
is recognised at fair value at the acquisition date. Subsequent 
changes to the fair value of the contingent consideration 
that is deemed to be an asset or liability are recognised in the 
consolidated income statement. Contingent consideration that 
is classified as equity is not remeasured, and its subsequent 
settlement is accounted for within equity.

Goodwill arising on acquisition is recognised as an asset and 
initially measured at cost, being the excess of the cost of the 
business combination over the Group’s interest in the net fair 
value of the identifiable assets, liabilities and contingent liabilities 
recognised. For the purpose of impairment testing, goodwill 
acquired in a business combination is, from the acquisition date, 
allocated to the cash generating unit (“CGU”) that is expected 
to benefit from the synergies of the combination. The CGU to which 
goodwill has been allocated is tested for impairment annually, 
or more frequently when there is an indication that the unit may 
be impaired. Any impairment loss is recognised directly in the 
income statement.

1.8 Foreign operations
The assets and liabilities of foreign operations are translated into 
Pound sterling using the exchange rates at the reporting date. 
The revenues and expenses of foreign operations are translated 
into Pound sterling using the average exchange rates, which 
approximate the rates at the dates of the transactions, for the 
period. 

All resulting foreign exchange differences are recognised in other 
comprehensive income through the foreign currency reserve in 
equity.

On disposal of a foreign operation, the cumulative exchange 
differences recognised in the foreign exchange reserve relating 
to that operation up to the date of disposal are transferred to the 
consolidated statement of comprehensive income as part of the 
profit or loss on disposal. 

1.9 Intangible assets – research and development
Expenditure on research is written off in the period in which it is 
incurred. 

Computer software development expenditure recognised as 
assets is amortised on a straight-line basis over their estimated 
useful lives, which does not exceed 5 years.

Development expenditure incurred on specific projects is 
capitalised where the management is satisfied that the following 
criteria have been met:

•  it is technically feasible to complete the software product so 
that it will be available for use;

•  management intends to complete the software product and 
use or sell it;

•  there is an ability to use or sell the software product;

•  it can be demonstrated how the software product will 
generate probable future economic benefits;

•  adequate technical, financial and other resources to complete 
the development and to use or sell the software product are 
available; and

•  the expenditure attributable to the software product during its 
development can be reliably measured.

Directly attributable costs that are capitalised as part of the 
software product include the software development employee 
costs and an appropriate portion of relevant overheads.

Other development expenditure that does not meet these criteria 
is recognised as an expense as incurred. 

1.10 Property, plant and equipment
Property, plant and equipment is stated at purchase price less 
accumulated depreciation and impairment losses. The cost 
includes all expenses directly related to the purchase of a 
relevant asset.

All other repair and maintenance costs are charged to the income 
statement for the period during the reporting period in which they 
are incurred.

1.11 Depreciation and amortisation
Each item of property, plant and equipment is depreciated using 
the straight-line method over the estimated useful life and 
depreciation charge is included in the income statement for the 
period.

The depreciation is charged to the income statement for the 
period and determined using the straight-line method over the 
estimated useful life of the item of property, plant and equipment.

The expected useful lives of property, plant and equipment in the 
reporting and comparative periods are as follows: 

|  | Useful lives in years |
| --- | --- |
| Computers | 3.33 |
| Furniture & fittings | 3.33 |

1.12 Impairment of non-financial assets
The residual value of an asset is the estimated amount that the 
Group would currently obtain from disposal of the asset less the 
estimated costs of disposal, if the asset was already of the age 
and in the condition expected at the end of its physical life.

The assets’ residual values and useful lives are reviewed, and 
adjusted if appropriate, at each reporting date. 

At the end of each reporting period management assesses 
whether the indicators of impairment of property, plant and 
equipment exist.

The carrying amounts of property, plant and equipment and all 
other non-financial assets are reviewed for impairment if there is 
any indication that the carrying amount may not be recoverable.

For the purpose of impairment testing the recoverable amount 
is measured by reference to the higher of value in use (being 
the net present value of expected future cashflows of a relevant 
cash generating unit) and fair value less costs to sell (the amount 
obtainable from the sale of an asset or cash generating unit in an 
arm’s length transaction between knowledgeable, willing parties 
who are independent from each other less the costs of disposal).

Where there is no binding sale agreement or active market, fair 
value less costs to sell is based on the best information available 
to reflect the amount the Group would receive for the cash 
generating unit.

A cash generating unit is the smallest identifiable group of assets 
that generates cash inflows that are largely independent of the 
cash inflows from other assets or groups of assets.

If the carrying amount of the asset exceeds its recoverable 
amount, the asset is impaired and an impairment loss is charged 
to the income statement so as to reduce the carrying amount in 
the statement of financial position to its recoverable amount.

A previously recognised impairment loss is reversed if the 
recoverable amount increases as a result of a reversal of the 
conditions that originally resulted in the impairment.

This reversal is recognised in profit or loss for the period and is 
limited to the carrying amount that would have been determined, 
net of depreciation, had no impairment loss been recognised in 
prior years.

1.13 Financial Instruments
Financial assets and financial liabilities are recognised when the 
Company becomes a party to the contractual provisions of the 
instrument.

Financial assets and financial liabilities are initially measured at 
fair value. Transaction costs that are directly attributable to the 
acquisition or issue of financial assets and financial liabilities 
(other than financial assets and financial liabilities at fair value 
through profit or loss) are added to or deducted from the fair 
value of the financial assets or financial liabilities, as appropriate, 
on initial recognition. Transaction costs directly attributable to the 
acquisition of financial assets or financial liabilities at fair value 
through profit or loss are recognised immediately in profit or 
loss.

All financial instruments are classified in accordance with the 
principles of IFRS 9 Financial Instruments.

1.13 a Financial assets 
Classification of financial assets

Debt instruments that meet the following conditions are 
subsequently measured at amortised cost:

•  the financial asset is held within a business model whose 
objective is to hold financial assets in order to collect 
contractual cash flows; and

•  the contractual terms of the financial asset give rise on 
specified dates to cash flows that are solely payments of 
principal and interest on the principal amount outstanding.

Debt instruments that meet the following conditions are 
subsequently measured at FVTOCI:

•  the financial asset is held within a business model whose 
objective is achieved by both collecting contractual cash flows 
and selling the financial assets; and

•  the contractual terms of the financial asset give rise on 
specified dates to cash flows that are solely payments of 
principal and interest on the principal amount outstanding.

By default, all other financial assets are subsequently measured 
at FVTPL.

Amortised cost and effective interest method

The effective interest method is a method of calculating the 
amortised cost of a debt instrument and of allocating interest 
income over the relevant period.

For financial instruments other than purchased or originated 
credit-impaired financial assets, the effective interest rate is 
the rate that exactly discounts estimated future cash receipts 
(including all fees and points paid or received that form an 
integral part of the effective interest rate, transaction costs and 
other premiums or discounts) excluding expected credit losses, 
through the expected life of the debt instrument, or, where 
appropriate, a shorter period to the gross carrying amount of the 
debt instrument on initial recognition. For purchased or originated 
credit-impaired financial assets, a credit-adjusted effective 
interest rate is calculated by discounting the estimated future 
cash flows, including expected credit losses, to the amortised cost 
of the debt instrument on initial recognition.

The amortised cost of a financial asset is the amount at which 
the financial asset is measured at initial recognition minus the 
principal repayments, plus the cumulative amortisation using the 
effective interest method of any difference between that initial 
amount and the maturity amount, adjusted for any loss allowance. 
On the other hand, the gross carrying amount of a financial asset 
is the amortised cost of a financial asset before adjusting for any 
loss allowance.

Impairment of financial assets

The Company recognises a loss allowance for expected credit 
losses on financial assets that are measured at amortised cost. 
The amount of expected credit losses is updated at each reporting 
date to reflect changes in credit risk since initial recognition of the 
respective financial instrument.

Expected credit loss measurement

The consolidated entity has applied the simplified approach to 
measuring expected credit losses, which uses a lifetime expected 
loss allowance. To measure the expected credit losses, trade 
receivables have been grouped based on days overdue.

1.13 b Financial liabilities and equity

Debt and equity instruments are classified as either financial 
liabilities or as equity in accordance with the substance of the 
contractual arrangement.

Equity instruments

An equity instrument is any contract that evidences a residual 
interest in the assets of an entity after deducting all of its 
liabilities. Equity instruments issued by the Company entity are 
recognised at the proceeds received, net of direct issue costs.

Financial liabilities

All financial liabilities are subsequently measured at amortised 
cost using the effective interest method or at “Fair Value Through 
Profit or Loss” (“FVTPL”).

Financial liabilities at FVTPL

Financial liabilities are classified as at FVTPL when the financial 
liability is contingent consideration of an acquirer in a business 
combination to which IFRS 3 applies, or it is designated as at 
FVTPL.

Financial liabilities subsequently measured at amortised cost

Financial liabilities that are not 1) contingent consideration of 
an acquirer in a business combination, 2) held-for-trading, or 3) 
designated as at FVTPL, are subsequently measured at amortised 
cost using the effective interest method.

The effective interest method is a method of calculating the 
amortised cost of a financial liability and of allocating interest 
expense over the relevant period. The effective interest rate is 
the rate that exactly discounts estimated future cash payments 
(including all fees and points paid or received that form an 
integral part of the effective interest rate, transaction costs and 
other premiums or discounts) through the expected life of the 
financial liability, or (where appropriate) a shorter period, to the 
amortised cost of a financial liability.

Derecognition of financial liabilities

The Company derecognises financial liabilities when, and only 
when, the Company’s obligations are discharged, cancelled or 
they expire. The difference between the carrying amount of the 
financial liability derecognised and the consideration paid and 
payable, including any non-cash assets transferred or liabilities 
assumed, is recognised in the statement of comprehensive 
income.

1.14 Leases
The Company assesses whether a contract is or contains a lease, 
at inception of the contract. The Company recognises a right-of-
use asset and a corresponding lease liability with respect to all 
lease arrangements in which it is the lessee, except for short-
term leases (defined as leases with a lease term of 12 months 
or less) and leases of low value assets. For these leases, the 
Company recognises the lease payments as an administrative 
expense on a straight-line basis over the term of the lease.

1.15 Taxes
Current tax is calculated using rates and laws enacted or 
substantively enacted at the reporting date. Current tax is 
recognised in profit or loss unless it relates to an item of other 
comprehensive income or equity whereby it is recognised in other 
comprehensive income or equity respectively.

Deferred income tax is calculated using rates and laws enacted 
or substantively enacted at the reporting date that are expected 
to apply on reversal of the related temporary difference, and is 
determined in accordance with the expected manner of recovery 
of the related asset.

Deferred income tax is recognised in profit or loss unless it 
relates to an item of other comprehensive income or equity 
whereby it is recognised in other comprehensive income or equity 
respectively.

1.16 Share Based Payments
On occasion, the Company has made share-based payments to 
certain Directors and employees by way of issue of share options. 
The fair value of these payments is calculated by the Company 
using the binomial option valuation model and Monte Carlo 
simulation model.

The expense, where material, is recognised on a straight-line 
basis over the period from the date of award to the date of 
vesting, based on the Company’s best estimate of the number of 
shares that will eventually vest.


1.17 Investments
Shares in subsidiary undertakings are stated at cost less 
provision for impairment.  Unlisted investments are measured at 
fair value through profit or loss.

1.18 Intercompany Financing arrangements
The amortised cost methodology is applied to the financing 
arrangement between the Company and subsidiary Crossword 
Consulting Limited. An assessment is undertaken to determine 
the market rate of interest for a similar loan given the credit 
rating of the subsidiary to apply discounting with the principal 
conceptually including a financing element.

1.19 Pension Obligations
The Group operates a defined contribution pension scheme for 
employees in the United Kingdom. A defined contribution scheme 
is a pension plan under which the Group pays fixed contributions 
into a separate entity.

Contributions payable to the Group’s pension scheme are charged 
to the income statement in the year to which they relate. The 
Group has no further payment obligations once the contributions 
have been paid.

In Poland, the Group pays the statutory employer’s contribution 
into the public pension scheme for each employee, but does 
not operate any pension schemes.  The Group implemented 
the Employee Capital Plans (PPK) programme which involved 
employee consultation and selection of a financial institution.

1.20 Cash and Cash Equivalents
Cash comprises cash-in-hand and demand deposits.  Cash 
equivalents are short-term, highly liquid investments that are 
readily convertible to known amounts of cash, and which are 
subject to an insignificant risk of change in value. 

1.21 Accounting for Government Grants
Government grants are not recognised until there is reasonable 
assurance that the Group will comply with the conditions attached 
to them and that the grants will be received.

Government grants are recognised as income over the periods 
necessary to match them with the costs for which they are 
intended to compensate, on a systematic basis. Government 
grants that are receivable as compensation for expenses or 
losses already incurred or for the purpose of giving immediate 
financial support to the Group with no future related costs are 
recognised in the income statement in the period in which they 
become receivable.

1.22 Critical accounting estimates and judgements and 
key sources of estimation uncertainty
Estimates and judgements are continually evaluated and are 
based on experience and other factors, including expectations 
of future events that are believed to be reasonable under the 
circumstances.

The following are the key estimates that the directors have made 
in the process of applying the Group’s accounting policies and 
have the most significant effect on the amounts recognised in 
the financial information. There are no further critical accounting 
judgements.

Fair value of options granted to employees

The Group uses the Binomial model and Monte Carlo simulation 
model in determining the fair value of options granted to 
employees under the Group’s various share schemes. The 
determination of the fair value of options requires a number of 
assumptions. The alteration of these assumptions may impact 
charges to the income statement over the vesting period of the 
award. Details of the assumptions used are shown in note 4.

Convertible Loans

The Group has given consideration to the measurement and 
presentation of the convertible loans.

On legal execution of the loans the financial liability is initially 
measured at its fair value which is the face value of the loans.  
Immediately after recognition, at fair value, the financial liability is 
measured at amortised cost, using a reasonable estimate of the 
Group’s cost of capital. The difference between the fair value and 
the amortised cost is taken to the P&L account.

Impairment

An impairment assessment of the carrying value in the Company 
of the investment in subsidiaries is undertaken using an NPV 
model over the projected cash flows, with a discount rate based 
on the assessment of weighted average cost of capital.

Business combinations

The recognition of business combinations requires management 
to make estimates in order to determine fair value of 
consideration payable on acquisition as well as fair value 
of identifiable assets, particularly intangibles, and liabilities 
acquired. These estimates are based on all available information 
and in some cases assumptions with respect to the timing and 
amount of future revenues and expenses associated with an 
asset. 

Deferred tax

Deferred tax assets are recognised for unused tax losses to the 
extent that it is probable that taxable profit will be available 
against which the losses can be utilised. Significant management 
judgement is required to determine the amount of deferred 
tax assets that can be recognised, based upon the likely timing 
and the level of future taxable profits, together with future 
tax planning strategies. The company has taxable temporary 
differences that partly support the recognition of the losses 
as deferred tax assets based on the above. The company has 
determined that it cannot recognise deferred tax assets on all 
of the tax losses carried forward, however, based on the likely 
characteristics, timing and level of future taxable profits, together 
with future tax planning strategies. Further details on taxes are 
disclosed in note 11.

2 REVENUE AND SEGMENTAL INFORMATION

An analysis of the Group’s revenue for each period for its continuing operations, is as follows:

| £ | Group 2022 | Group 2021 |
| --- | --- | --- |
| Revenue from the sale of goods/licences | 479,849 | 189,252 |
| Revenue from the rendering of services | 64,667 | 183,855 |
| Revenue from consulting services | 3,013,884 | 1,660,207 |
| Software engineering revenue | 89,600 | 137,823 |
| Total Revenue | 3,648,000 | 2,171,137 |

IFRS 8 Operating Segments requires the Group to determine its operating segments based on information which is provided 
internally. Based on the internal reporting information and management structures within the Group, it has been determined that there 
are two operating segments, established according to differences in the products and services provided: Software product and services 
and Cybersecurity consulting.

These operating segments are based on the internal reports that are reviewed and used by the Board of Directors (who are identified 
as the Chief Operating Decision Makers (‘CODM’)) in assessing performance and in determining the allocation of resources. There is no 
aggregation of operating segments.

The CODM reviews EBITDA (earnings before interest, tax, depreciation and amortisation). The accounting policies adopted for internal 
reporting to the CODM are consistent with those adopted in the financial statements.  The information regarding the Group’s reportable 
segments is presented below:


2022

| £ | Software product and services | Cybersecurity consulting | Eliminations | Total |
| --- | --- | --- | --- | --- |
| Revenue | 634,116 | 3,131,103 | (117,219) | 3,648,000 |
| Cost of Sales | (136,287) | (2,619,375) | - | (2,755,662) |
| Other income | 39,814 | - | - | 39,814 |
| Gross Profit | 537,643 | 511,728 | (117,219) | 932,152 |
| Administrative expenses | (4,561,425) | (523,292) | 117,218 | (4,967,499) |
| Other operating expense | (226,447) | (78,010) | - | (304,457) |
| Financial income and expenses | (29,958) | (197,090) | - | (227,048) |
| Loss for the year before taxation | (4,280,186) | (286,666) | - | (4,566,852) |
| Tax credit / (expense) | 1,144,302 | - | - | 1,144,302 |
| Loss for the Year | (3,135,884) | (286,666) | - | (3,422,550) |
| Total Comprehensive Loss | (3,134,102) | (286,666) | - | (3,420,768) |
| Segment assets | 10,413,274 | 1,594,370 | (3,367,738) | 8,639,905 |
| Segment liabilities | 4,234,893 | 2,649,280 | (2,404,869) | 4,479,304 |
| EBITDA | (4,023,782) | (11,565) | - | (4,035,347) |

2021*

| £ | Software product and services | Cybersecurity consulting | Eliminations | Total |
| --- | --- | --- | --- | --- |
| Revenue | 462,108 | 1,784,309 | (75,280) | 2,171,137 |
| Cost of Sales | (32,539) | (1,598,845) | - | (1,631,384) |
| Other income | 152,347 | - | - | 152,347 |
| Gross Profit | 581,917 | 185,464 | (75,280) | 692,100 |
| Administrative expenses | (2,956,758) | (600,331) | 75,280 | (3,481,809) |
| Other operating expense | (72,045) | (32,079) | - | (104,124) |
| Financial income and expenses | 323,725 | (82,512) | - | 241,214 |
| Loss for the year before taxation | (2,123,161) | (529,458) | - | (2,652,619) |
| Tax credit / (expense) | 378,995 | - | - | 378,995 |
| Loss for the Year | (1,744,166) | (529,458) | - | (2,273,624) |
| Total Comprehensive Loss | (1,757,386) | (529,458) | - | (2,286,844) |
| Segment assets | 8,178,282 | 1,029,509 | (2,327,403) | 6,880,388 |
| Segment liabilities | 2,924,439 | 1,762,053 | (1,410,951) | 3,275,541 |
| EBITDA | (2,168,462) | (414,866) | - | (2,583,328) |

* Restated (as per note 1.2)


During the year ended 31 December 2022 approximately 14% (2021: 17%) of the consolidated entity’s external revenue was derived 
from sales to a major United Kingdom client in the Cybersecurity consulting segment. No other clients accounted for more than 10% of the 
consolidated entity’s external revenue.  

No analysis of net assets by geographic segment is provided as the net assets are principally all within the UK. 

3 EXPENSES BY NATURE

| £ | Group 2022 | Group 2021 |
| --- | --- | --- |
| Staff and related costs | 4,914,076 | 3,305,430 |
| Consultancy and related costs | 854,972 | 450,028 |
| Professional fees | 808,910 | 616,791 |
| Property related costs | 201,590 | 172,823 |
| Depreciation | 11,287 | 66,243 |
| Amortisation | 293,170 | 37,881 |
| Capitalised costs | (162,680) | (138,067) |
| Other expenses | 1,106,293 | 706,188 |
| Total cost of sales, administrative and other operating expenses | 8,027,618 | 5,217,317 |

Included in Cost of Sales

| £ | Group 2022 | Group 2021 |
| --- | --- | --- |
| Staff and related costs | 1,874,960 | 1,133,519 |
| Consultancy and related costs | 854,972 | 450,028 |
| Other expenses | 25,730 | 47,837 |
| Total cost of sales | 2,755,662 | 1,631,384 |

Included in Administrative expenses

| £ | Group 2022 | Group 2021 |
| --- | --- | --- |
| Staff and related costs | 3,039,116 | 2,171,911 |
| Professional fees | 808,910 | 616,791 |
| Property related costs | 201,590 | 172,823 |
| Capitalised costs | (162,680) | (138,067) |
| Other expenses | 1,080,563 | 658,351 |
| Total administrative expenses | 4,968,499 | 3,481,809 |

Expenses by geographic segment

| £ | Group 2022 | Group 2021 |
| --- | --- | --- |
| UK | 7,355,231 | 4,695,737 |
| Poland | 672,387 | 521,580 |
| Total cost of sales, administrative and other operating expenses | 8,027,618 | 5,217,317 |

Administrative expenses include short-term lease expense of £188,643 (2021: £171,714).


4 STAFF COSTS

Staff costs, including directors’ remuneration, were as follows:

| £ | Group 2022 | Group 2021 | Company 2022 | Company 2021 |
| --- | --- | --- | --- | --- |
| Wages and salaries: |  |  |  |  |
| - Administrative | 2,342,943 | 1,420,624 | 2,066,066 | 1,321,393 |
| - Consulting | 1,719,588 | 1,226,231 | - | - |
| - Research and development | 348,910 | 277,503 | - | - |
| Social security costs | 432,124 | 327,012 | 231,583 | 142,103 |
| Other pension costs | 70,511 | 54,061 | 47,838 | 37,003 |
| Total | 4,914,076 | 3,305,430 | 2,345,487 | 1,500,499 |

The average monthly number of employees, including the directors, during the period was as follows:

|  | Group 2022 | Group 2021 | Company 2022 | Company 2021 |
| --- | --- | --- | --- | --- |
| Staff | 52 | 42 | 30 | 17 |
| Directors | 11 | 9 | 8 | 8 |
| Total | 63 | 51 | 38 | 25 |

Share based payments

The amount recognised in respect of share-based payments was £130,452 (2021: £58,692).

The Group has established share option programmes that entitle certain employees to purchase shares in the Group.

There are no performance conditions attaching to these options. No options were exercised in 2022 (5,840 in 2021).

Total options issued as at 31 December 2022 amount to 2,278,653 (2021: 2,348,653).

The share options have been valued using a binomial model applying the following inputs:

•  Exercise price – equal to the share price at grant date;

•  Vesting date – all options vest in three tranches, on the first, second and third anniversary from the grant date;

•  Expiry/Exercise date – 10 years from the grant date;

•  Volatility (sigma) – 40%. This has been calculated based on the historic volatility of the Company’s share price;

•  Risk free rate – yield on a zero coupon government security at each grant date with a life congruent with the expected option life;

•  Dividend yield – 0%;

•  Future staff turnover – 0%. We have however adjusted the P+L charge for the current year (and future years) to account for lapsed options due to Leavers; and

•  Performance conditions – none


Reconciliation of share options – Company

|  | 2022 | Weighted average exercise price 2022 | 2021 | Weighted average exercise price 2021 |
| --- | --- | --- | --- | --- |
| 1st January | 2,348,653 | 0.36 | 2,065,730 | 0.36 |
| Granted during the period | 10,000 | 0.33 | 352,923 | 0.36 |
| Lapsed during the period | (85,000) | 0.34 | (64,160) | 0.36 |
| Exercised during the period | - | - | (5,840) | 0.28 |
| End of the period | 2,273,653 | 0.36 | 2,348,653 | 0.36 |

The weighted average share price at the exercise date was £0.36.

The range of exercise prices is from £0.05 to £0.55.

The weighted average remaining life of the options was 6.5 years (2021: 6.5 years).

5 DIRECTORS’ REMUNERATION

The remuneration of the Directors who served in the current year was as follows:

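2022

|  | Basic Salary and Fees £ | Bonus £ | Taxable Benefits £ | Employer’s Pension Contribution £ | Total £ |
| --- | --- | --- | --- | --- | --- |
| Executive Directors |  |  |  |  |  |
| Tom Ilube | 130,000 |  | 3,926 | 1,321 | 135,247 |
| Mary Dowd* | 140,000 | 10,000 | 2,216 | 10,000 | 162,216 |
| Non-Executive Directors |  |  |  |  |  |
| Sir Richard Dearlove | 25,000 |  | 25,000 |  | 50,000 |
| Ruth Anderson | 12,000 |  |  |  | 12,000 |
| Andy Gueritz | 16,000 |  |  |  | 16,000 |
| Dr David Secher | 16,000 |  |  |  | 16,000 |
| Robert Coles | 12,000 |  |  |  | 12,000 |
| Tara Cemlyn-Jones | 12,000 |  |  |  | 12,000 |
| Total | 363,000 | 10,000 | 31,142 | 11,321 | 415,463 |

2021

|  | Basic Salary and Fees £ | Bonus £ | Taxable Benefits £ | Employer’s Pension Contribution £ | Total £ |
| --- | --- | --- | --- | --- | --- |
| Executive Directors |  |  |  |  |  |
| Tom Ilube | 128,311 |  | 3,942 | 1,318 | 133,572 |
| Mary Dowd* | 130,000 |  |  | 10,000 | 140,000 |
| Non-Executive Directors |  |  |  |  |  |
| Sir Richard Dearlove | 25,000 |  | 25,000 |  | 50,000 |
| Ruth Anderson | 12,000 |  |  |  | 12,000 |
| Andy Gueritz | 16,000 |  |  |  | 16,000 |
| Gordon Matthew | 6,000 |  |  |  | 6,000 |
| Dr David Secher | 16,000 |  |  |  | 16,000 |
| Prof David Stupples | 4,750 |  |  |  | 4,750 |
| Robert Coles | 7,250 |  |  |  | 7,250 |
| Tara Cemlyn-Jones | 7,231 |  |  |  | 7,231 |
| Total | 352,541 | - | 28,942 | 11,318 | 392,801 |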

* Denotes highest paid director.

In the year ended 31 December 2022, certain of the directors received remuneration (which is included in the amounts 
above) through payments by the Group to third parties as follows: £12,000 was paid to Cumberland House Consulting Ltd 
for the services of R Coles (2021: £7,250); £12,000 was paid to Caprica Nelson Ltd for the services of R Anderson (2021: 
£12,000); £16,000 was paid to Cambridge KT Ltd for the services of D Secher (2021: £16,000).


Share Options issued

| | Year | Share Options | Exercise Price | Total Value |
|---|---|---|---|---|
| Mary Dowd | 2020 | 25,000 | £0.31 | £2,903 |
| Sir Richard Dearlove | 2020 | 94,340 | £0.27 | £9,496 |
| Sir Richard Dearlove | 2021 | 70,423 | £0.36 | £25,000 |

In 2021 the Company implemented a Long Term Incentive Plan (LTIP) under which awards have been made to the following executives: 
Mary Dowd, Stuart Jubb, Jake Holloway and Sean Arrowsmith. Each award is of nominal cost (£0.005) options to acquire up to 750,000 
Crossword ordinary shares of 0.5p each, which vest at the average mid-market price of the Ordinary Shares over the 20 trading days 
preceding the end of the performance period, which ends on 30 September 2024. 25% of the options will vest if the Award Price is 50p, 
and 100% will vest if the Award Price is equal to or greater than 100p, with straight line vesting between 50p and 100p.

6 OTHER OPERATING INCOME

| | Group 2022 £ | Group 2021 £ |
|---|---|---|
| Grant income | 39,814 | 152,347 |
| | 39,814 | 152,347 |

7 OTHER OPERATING EXPENSE

| | Group 2022 £ | Group 2021 £ |
|---|---|---|
| Amortisation of intangible assets | 293,170 | 37,881 |
| Depreciation of property, plant and equipment | 11,287 | 8,072 |
| Depreciation of right-of-use assets | - | 58,171 |
| | 304,457 | 104,124 |

8 FINANCE COSTS

| | Group 2022 £ | Group 2021 £ |
|---|---|---|
| Finance cost of loan notes | 272,400 | 184,149 |
| Interest on deferred consideration | 115,766 | 34,978 |
| Right to use assets Interest | - | 187 |
| Other interest expense | 7,596 | 1,231 |
| | 395,762 | 220,545 |

9 GAIN ON REMEASUREMENT OF FINANCIAL ASSETS AND LIABILITIES

| £ | Group 2022 £ | Group 2021 £ |
|---|---|---|
| Gain on remeasurement of contingent consideration | 170,283 | - |
| Gain on revaluation of investment in Cyberowl | - | 456,803 |
| | 170,283 | 456,803 |


10 AUDITOR’S REMUNERATION

The expenses for services rendered by the Group auditor present themselves as follows:

| £ | Group 2022 £ | Group 2021 £ |
|---|---|---|
| Fees for the parent company individual and consolidated financial statements | 41,400 | 46,000 |
| Fees for legal audit of subsidiary financial information | 24,050 | 17,000 |
| | 65,450 | 63,000 |

11 TAX

| £ | Group 2022 | Group 2021* |
|---|---|---|
| Corporation tax on profits for the period | 6,115 | 5,396 |
| R&D tax credit | (753,288) | (206,380) |
| Deferred tax credit | (397,129) | (178,011) |
| Total tax (credit) / expense | (1,144,302) | (378,995) |

* Restated (as per note 1.2)

There is no tax charge in respect of other comprehensive income.

The deferred tax liability arising on fair value revaluation on acquisitions of Verifiable Credentials Ltd, Stega UK Ltd (both in 2021) and 
Threat Status Ltd (in 2022), as reflected in note 12, has been offset with a deferred tax asset recognised in respect of losses brought 
forward from prior periods, resulting in deferred tax credit to the statement of comprehensive income.

There is a deferred tax liability of £114,201 arising on the fair value uplift of £456,803 of the unlisted investment in CyberOwl Limited. 
This deferred tax liability has been offset by trading losses of the group.

Corporation tax losses carried forward for offset against future year’s trading profits amount to approximately £8.5m (2021: £4.8m).


| £ | Group 2022 | Group 2021* |
|---|---|---|
| Loss before taxation | 4,566,852 | 2,652,619 |
| Average rate of corporation tax | 19.00% | 19.00% |
| Tax on loss | (867,702) | (503,998) |
| Effects of: | | |
| Expenses not deductible for tax purposes | 116,084 | 24,578 |
| Additional deduction for R&D expenditure | (164,009) | (167,168) |
| Adjustments in respect of prior period | (354,777) | - |
| Tax rate changes / adjustments | (12,199) | 104,124 |
| Deferred tax not recognised | 138,301 | 163,468 |
| Total tax charge | (1,144,302) | (378,995) |

* Restated (as per note 1.2)

Factors that may affect future tax changes

On 24 May 2021 the Finance Bill was substantively enacted with the consequence that the main rate of corporation tax will increase 
from 19% to the rate of 25%, with effect from 1 April 2023, with a corresponding effect on deferred tax balances after that date. 

Polish Corporation Tax was 19% until 1 January 2017, when Crossword started to benefit from the new small companies reduced 
rate of 15% adopted by the Parliament Act amendment to Polish CIT Law.


12 BUSINESS COMBINATIONS

On 11 March 2022 the Group acquired 100% of the issued share capital of Threat Status Ltd (“TSL”), the threat intelligence company and 
provider of Trillion, the cloud-based software as a service platform for enterprise-level credential breach intelligence.

The net consideration used in the acquisition of TSL and the provisional fair value of assets acquired and liabilities assumed on the 
acquisition date are detailed below:

| | Book value | Adjustment | Fair value |
|---|---|---|---|
| Intangible assets | - | 1,694,287 | 1,694,287 |
| Tangible assets | 1,208 | - | 1,208 |
| Deferred tax asset | 26,854 | - | 26,854 |
| Non-current assets | 28,062 | 1,694,287 | 1,722,349 |
| Trade and other receivables | 10,420 | - | 10,420 |
| Cash and cash equivalents | 90,007 | - | 90,007 |
| Current assets | 100,427 | - | 100,427 |
| Deferred tax liability | - | 423,572 | 423,572 |
| Non-current liabilities | - | 423,572 | 423,572 |
| Trade and other payables | 57,784 | - | 57,784 |
| Current liabilities | 57,784 | - | 57,784 |
| Total fair value of net assets acquired | 70,706 | 1,270,715 | 1,341,420 |

| Fair value of consideration | |
|---|---|
| Cash on completion | 500,915 |
| Deferred consideration in cash | 343,339 |
| Deferred consideration in shares | 497,166 |
| Total consideration | 1,341,420 |

Acquisition costs of £16,894 relating to this transaction have been recognised as part of administrative expenses in the statement of 
comprehensive income.

Since the acquisition date, TSL has contributed £177,223 to group revenues and £127,483 to group result. If the acquisition had occurred 
on 1 January 2022, group revenue would have been £3,703,829 and group loss for the period would have been £3,229,407.

The acquisitions help to implement the Group’s strategy to create a portfolio of subscription-based, enterprise-class products and 
services for its clients.


13 INTANGIBLE ASSETS
Software Development

| £ | Group 2022 | Group 2021 | Company 2022 | Company 2021 |
|---|---|---|---|---|
| Cost b/f | 1,141,560 | - | 531,534 | - |
| Acquired through business combinations | 1,694,287 | 957,764 | 1,694,287 | - |
| Additions | 203,627 | 183,796 | 203,627 | 531,534 |
| | 3,039,473 | 1,141,560 | 2,429,447 | 531,534 |
| Accumulated Depreciation | | | | |
| B/F | 37,881 | - | 9,931 | - |
| Charge for the period | 293,170 | 37,881 | 222,310 | 9,931 |
| C/d | 331,051 | 37,881 | 232,241 | 9,931 |
| Net Book Value | 2,708,422 | 1,103,679 | 2,197,206 | 521,603 |

Intangible assets comprise 5 different software development projects, each with a remaining useful life of approximately between 5 and 10 
years, and with carrying amounts of £1,173,512, £810,244, £344,206, £255,491 and £124,970. 

The intangible assets have been evaluated to determine whether there are any indicators of impairment. Assessment of the recoverable 
value for Identiproof software has been based on calculating the net present value of the future cash flows. The cash flow projections 
are based on the most recent 3 year forecast extrapolated to 5 years with a growth rate for revenue of 20% and costs of 10%. The pre-
tax discount rate used in the calculation was 24%.

Please refer to note 15 for matters relating to the impairment assessment for the Nightingale product.


14 TANGIBLE ASSETS
Computers

| £ | Group 2022 | Group 2021 | Company 2022 | Company 2021 |
|---|---|---|---|---|
| Cost b/f | 31,845 | 24,675 | | |
| Additions | 48,971 | - | | |
| Acquired through business combinations | 1,207 | 7,170 | | |
| | 82,023 | 31,845 | - | - |
| Accumulated Depreciation | | | | |
| B/F | 26,385 | 21,124 | | |
| Charge for the period | 11,287 | 4,924 | | |
| Translation adjustments | (688) | 337 | | |
| C/d | 36,984 | 26,385 | - | - |
| Net Book Value | 45,039 | 5,460 | - | - |

Furniture and Fittings

| £ | Group 2022 | Group 2021 | Company 2022 | Company 2021 |
|---|---|---|---|---|
| Cost b/f | 15,157 | 15,157 | 15,157 | 15,157 |
| Additions | | | | |
| | 15,157 | 15,157 | 15,157 | 15,157 |
| Accumulated Depreciation | | | | |
| B/F | 15,157 | 12,009 | 15,157 | 12,009 |
| Charge for the period | - | 3,148 | - | 3,148 |
| C/d | 15,157 | 15,157 | 15,157 | 15,157 |
| Net Book Value | - | - | - | - |


Right of Use Assets

| £ | Group 2022 | Group 2021 | Company 2022 | Company 2021 |
|---|---|---|---|---|
| Cost b/f | - | 344,058 | - | 231,935 |
| Disposals | - | (344,058) | - | (231,935) |
| | - | - | - | - |
| Accumulated Depreciation | | | | |
| B/F | - | 280,694 | - | 196,687 |
| Charge for the period | - | 58,171 | - | 35,248 |
| Translation adjustments | - | 5,193 | - | - |
| Disposals | - | (344,058) | - | (231,935) |
| C/d | - | - | - | - |
| Net Book Value | - | - | - | - |

Total

| £ | Group 2022 | Group 2021 | Company 2022 | Company 2021 |
|---|---|---|---|---|
| Cost b/f | 47,002 | 383,890 | 15,157 | 247,092 |
| Additions/(disposals) | 48,971 | (344,058) | - | (231,935) |
| Acquired through business combinations | 1,207 | 7,170 | - | - |
| | 97,180 | 47,002 | 15,157 | 15,157 |
| Accumulated Depreciation | | | | |
| B/F | 41,542 | 313,826 | 15,157 | 208,696 |
| Charge for the period | 11,287 | 66,243 | - | 38,396 |
| Translation adjustments | (688) | 5,530 | - | - |
| Disposals | - | (344,058) | - | (231,935) |
| C/d | 52,141 | 41,542 | 15,157 | 15,157 |
| Net Book Value | 45,039 | 5,460 | - | - |


15 GOODWILL

The goodwill arises on the acquisition of Stega UK Ltd in 2021 and forms part of the Nightingale cash generating unit. The goodwill has been 
tested for impairment alongside the intangible asset with an NBV of £255,491 allocated to the same unit. The recoverable amount has been 
determined by a value in use calculation. The cash flow projections are based on the most recent 3 year forecast extrapolated to 5 years 
with a growth rate for revenue of 25% and costs between 10% and 15%; these are based primarily on past experience. The growth rate 
beyond the 5 year period is assumed as a perpetuity at 10%. The pre-tax discount rate used in the calculation was 24%.

| £ | Group 2022 | Group 2021 |
|---|---|---|
| Goodwill | | |
| B/F | 875,277 | - |
| Additions in the period | - | 875,277 |
| C/F | 875,277 | 875,277 |

16 UNLISTED INVESTMENTS

| £ | Group 2022 | Group 2021 | Company 2022 | Company 2021 |
|---|---|---|---|---|
| Fair value at 1 January and 31 December | 456,834 | 456,834 | 456,834 | 456,834 |

The above Group investment represents Crossword Cybersecurity Plc’s 3.1% (2021: 4.4%) holding in CyberOwl Limited, which 
was purchased on 18 April 2016.

The investment value has not changed during the period and has been based on the values from the latest fundraise by CyberOwl in 
August 2022.

17 INVESTMENT IN SUBSIDIARIES

| £ | Company 2022 | Company 2021 |
|---|---|---|
| Cost b/f 1 January | 1,637,518 | 458,164 |
| Acquired during the year | 1,341,420 | 1,088,740 |
| Transfer to intangibles on hive up | (1,270,715) | - |
| Reversal of contingent consideration | (170,283) | - |
| Capital contribution | 111,205 | 90,614 |
| Cost c/f 31 December | 1,649,145 | 1,637,518 |

The group’s subsidiary undertakings are listed below, including name, country of incorporation, and proportion of ownership interest: 

| Name | Registered office | Principal activity | 2022 % | 2021 % |
|---|---|---|---|---|
| Crossword Consulting Limited | 6th Floor, 60 Gracechurch Street, London EC3N 0HR United Kingdom | Cybersecurity services | 90 | 90 |
| Crossword Cybersecurity SP Z.o.o. | ul. Wiejska 12a, 00-490 Warszawa, Poland | Cybersecurity services | 100 | 100 |
| Stega UK Ltd | 6th Floor, 60 Gracechurch Street, London EC3N 0HR United Kingdom | Cybersecurity services | 100 | 100 |
| Verifiable Credentials Ltd | 6th Floor, 60 Gracechurch Street, London EC3N 0HR United Kingdom | Cybersecurity services | 100 | 100 |
| Crossword Cybersecurity LLC | PO Box 808, Alwattayah / Muttrah / Muscat Governorate, Postcode: 100, Oman | Cybersecurity services | 90 | 90 |
| Threat Status Ltd | 6th Floor, 60 Gracechurch Street, London EC3N 0HR United Kingdom | Cybersecurity services | 100 | – |


Verifiable Credentials Ltd, a company incorporated in England and Wales, registered No 11923813 and Threat Status Ltd, a company 
incorporated in England and Wales, registered No 10877044, are exempt from the requirements of the UK Companies Act relating to 
the audit of individual accounts by virtue of s479A of the Act.


18 TRADE AND OTHER RECEIVABLES

| £ | Group 2022 | Group 2021 | Company 2022 | Company 2021 |
|---|---|---|---|---|
| Trade receivables | 1,110,697 | 509,576 | 505,451 | 192,975 |
| Other receivables | 524,721 | 254,451 | 445,603 | 247,274 |
| Prepayments | 239,066 | 149,309 | 183,160 | 105,101 |
| Accrued income | 133,883 | 140,708 | 23,383 | 131,025 |
| VAT Refund | 69,683 | 12,033 | 46,421 | - |
| Intercompany receivables within one year | - | - | 714,507 | 162,247 |
| | 2,078,050 | 1,066,076 | 1,918,525 | 838,622 |

All of the above amounts are considered to be due within one year.   

The maximum exposure to credit risk at the reporting date is the carrying value as above and the cash and cash equivalents and none 
are either past or impaired.    

Of the above amounts held within the Group, £32,735 is denominated in Polish Zloty with the remainder in GBP (2021: £18,419).

Foreign exchange risk is currently minimal as balances in Polish Zloty are between the parent and its wholly owned subsidiary.

19 TRADE AND OTHER PAYABLES

| £ | Group 2022 | Group 2021 | Company 2022 | Company 2021 |
|---|---|---|---|---|
| Trade payables | 659,282 | 331,043 | 1,025,828 | 459,753 |
| Employment taxes and VAT payable | 306,168 | 242,642 | 69,300 | 56,790 |
| Accruals | 434,705 | 226,623 | 187,197 | 164,284 |
| Deferred income | 460,853 | 331,198 | 279,125 | 94,333 |
| Deferred consideration | 568,146 | 261,606 | 568,146 | 261,606 |
| Other payables | 27,629 | 20,546 | 17,179 | 13,194 |
| | 2,456,783 | 1,413,658 | 2,146,775 | 1,049,960 |

All of the above amounts are considered to be due within one year.

The deferred income relates to contract liabilities arising from contracts with customers.

Of the Trade and Other Payables amounts held within the Group, £83,965 (2021: £57,836) is denominated in Polish Zloty with the 
remainder in GBP.

20 OTHER CURRENT LIABILITIES

| £ | Group 2022 | Group 2021 | Company 2022 | Company 2021 |
|---|---|---|---|---|
| Convertible loan notes | - | 1,351,471 | - | 1,351,471 |
| Bank loan | 17,000 | 17,167 | - | - |
| | 17,000 | 1,368,638 | - | 1,351,471 |

21 OTHER NON-CURRENT LIABILITIES

| £ | Group 2022 | Group 2021 | Company 2022 | Company 2021 |
|---|---|---|---|---|
| Deferred consideration | 492,151 | 111,900 | 492,151 | 111,900 |
| Contingent consideration | - | 180,652 | - | 180,652 |
| Deferred grant income | 132,692 | 132,693 | - | - |
| | 624,843 | 425,245 | 492,151 | 292,552 |

22 SHARE CAPITAL
Allotted called up and fully paid

| Number of shares (all ordinary shares £0.005 each) | 2022 | 2021 |
|---|---|---|
| B/f | 74,957,150 | 51,320,900 |
| Shares Issued in period | 17,446,565 | 23,636,250 |
| C/d | 92,403,715 | 74,957,150 |

The shares issued in the period were ordinary shares of £0.005 at a premium of £3,563,151 (2021: £6,452,830). 
All shares carry the same voting and capital distribution rights.

| £ | 2022 | 2021 |
|---|---|---|
| Share Capital | | |
| Cost b/f | 374,786 | 256,605 |
| Shares Issued in period | 87,233 | 118,181 |
| | 462,019 | 374,786 |
| Share Premium | | |
| B/F | 14,971,221 | 8,518,391 |
| Shares Issued in period | 3,563,151 | 6,452,830 |
| C/d | 18,534,372 | 14,971,221 |

23 LOSS PER SHARE

Earnings per share is calculated by dividing the loss for the period attributable to ordinary equity shareholders of the parent by the 
weighted average number of ordinary shares outstanding during the year. 

During the year the calculation for basic loss per share was based on the loss for the year attributable to owners of the parent of 
£3,408,149 (2021:  £2,229,296) divided by the weighted average number of ordinary shares of 80,022,937 (2021: 64,491,462).

24 RESERVES

The following describes the nature and purpose of each reserve within owners’ equity:

| Reserve | Description and purpose |
|---|---|
| Share capital | This represents the nominal value of shares issued |
| Share premium | Amount subscribed for share capital less any issue costs more than nominal value |
| Convertible debt reserve | The residual amount after deducting from the fair value of the convertible loan notes the liability component |
| Equity reserve | Represents amounts charged on share options that have been granted to employees |
| Retained earnings | Cumulative net gains and losses recognised in the consolidated statement of comprehensive income |
| Translation of foreign operations | Is the difference that arises due to consolidation of foreign subsidiaries using an average rate during the period and a closing rate for the period end statement of financial position |


25 FINANCIAL INSTRUMENTS

| £ | Group 2022 | Group 2021 | Company 2022 | Company 2021 |
|---|---|---|---|---|
| Current Financial Assets | | | | |
| Financial assets measured at amortised cost | | | | |
| Trade and other receivables | 1,769,301 | 904,735 | 1,688,943 | 733,521 |
| Cash and cash equivalents | 2,077,771 | 3,373,062 | 1,746,530 | 3,106,817 |
| Non-Current Financial Assets | | | | |
| Financial assets measured at amortised cost | | | | |
| Loan to subsidiary | - | - | 1,067,185 | 918,206 |
| Financial assets measured at fair value through profit or loss | | | | |
| Financial investments | 456,834 | 456,834 | 456,834 | 456,834 |
| | 4,303,906 | 4,734,631 | 4,959,493 | 5,215,378 |

The financial investments comprise the investment in CyberOwl Ltd, which has been valued on the basis of the valuation per share as at 
March 2022 during the investment round, multiplied by the number of shares the Company owns in it. This methodology of determining 
a fair value equates to a level 2 assessment based on observed transactions of share price in recent transactions in the entity’s equity.

| £ | Group 2022 | Group 2021 | Company 2022 | Company 2021 |
|---|---|---|---|---|
| Current Financial Liabilities | | | | |
| Financial liabilities measured at amortised cost | | | | |
| Trade and other payables | 1,689,761 | 839,818 | 1,798,351 | 898,836 |
| Loans | 17,000 | 17,167 | - | - |
| Convertible loan notes | - | 1,351,471 | - | 1,351,471 |
| Non-Current Financial Liabilities | | | | |
| Financial liabilities measured at amortised cost | | | | |
| Loans | 51,000 | 68,000 | - | - |
| Convertible loan notes | 1,329,678 | - | 1,329,678 | - |
| Non-current deferred consideration | 492,151 | 111,900 | 492,151 | 111,900 |
| Financial liabilities measured at fair value through profit or loss | | | | |
| Non-current contingent consideration | - | 180,652 | - | 180,652 |
| | 3,579,590 | 2,569,008 | 3,620,180 | 2,542,858 |

In relation to the loan there was a fair value revaluation of £195,685 (2021: £nil) recorded in Convertible debt reserve arising from the 
loan notes being initially measured at fair value and subsequently measured at amortised cost.

During the year, the management changed its estimate that Stega would achieve its revenue target for the period between 12 and 18 
months from the date of acquisition and concluded that this will be very unlikely. Therefore, contingent consideration, recorded as part 
of acquisition accounting for Stega, has been reversed via Income Statement in full.

Reconciliation of Level 3 fair value measurements of financial liabilities: 

| £ | Contingent consideration |
|---|---|
| B/f | 180,652 |
| Unwinding of discount | (10,369) |
| Reversed | (170,283) |
| C/d | - |

26 FINANCIAL INSTRUMENTS – RISK

The Group could be exposed to risks that arise from its use of financial instruments. Risks in relation to financial assets include:

Market risk

Market risk covers foreign exchange risk, price risk and interest rate risk. 

As the majority of the Group’s transactions are either in Sterling or in Polish Zloty the Group considers its exposure to foreign exchange 
risk to be minimal.   

There are no derivatives and hedging instruments. 

The Group is not exposed to price risk given that no securities are held under financial assets. 

The Group is not exposed to interest rate or cash flow risk due to the fact that the Group has no borrowing or complex financial 
instruments.

Credit risk

Credit risk is considered to be the risk of financial loss incurred by the Group in the event that a customer or counterparty to an asset 
fails to meet contractual obligations. The Group has adopted a policy of only dealing with credit worthy counterparties.  

The Group’s maximum credit exposure at the reporting date is represented by the carrying value of its financial assets. The Group’s 
financial instruments do not represent a concentration of credit risk since the Group deals with a variety of counterparties.

Financial Assets

| £ | Group 2022 | Group 2021 | Company 2022 | Company 2021 |
|---|---|---|---|---|
| Cash and cash equivalents | 2,077,771 | 3,373,062 | 1,746,530 | 3,106,817 |
| Trade and other receivables | 1,769,301 | 904,735 | 1,688,943 | 733,521 |
| Loan to subsidiary | - | - | 1,067,185 | 918,206 |
| Financial investments | 456,834 | 456,834 | 456,834 | 456,834 |
| Total | 4,303,906 | 4,734,631 | 4,959,492 | 5,215,378 |

Liquidity risk

| £ | 2022 due <1 year | 2022 due 1–2 years | 2021 due <1 year | 2021 due 1–2 years |
|---|---|---|---|---|
| Trade payables | 659,282 | - | 331,043 | - |
| Accruals | 434,705 | - | 226,623 | - |
| Deferred consideration | 568,146 | 492,151 | 261,606 | 111,900 |
| Contingent consideration | - | - | - | 180,652 |
| Other Payables | 27,629 | - | 20,546 | - |
| Loans | 17,000 | 51,000 | 17,167 | 68,000 |
| Convertible loan notes | - | 1,329,678 | 1,351,471 | - |
| Total | 1,706,762 | 543,150 | 2,208,456 | 360,552 |


27 CAPITAL MANAGEMENT

The Group considers its capital to comprise its equity share capital, share premium, foreign exchange reserve, share options reserve 
and capital redemption reserve, less its accumulated losses. Quantitative detail is shown in the consolidated statement of changes in 
equity. 

The directors’ objective when managing capital is to safeguard the Group’s ability to continue as a going concern in order to provide 
returns for the shareholder and benefits for other stakeholders and to maintain an optimal capital structure to reduce the cost of 
capital. 

The directors monitor a number of KPIs at both the Group and individual subsidiary level on a monthly basis. As part of the budgetary 
process, targets are set with respect to operating expenses in order to effectively manage the activities of the Group. Performance is 
reviewed on a regular basis and appropriate actions are taken as required. These internal measures indicate the performance of the 
business against budget/forecast and confirm that the Group has adequate resources to meet its working capital requirements.

28 PENSIONS

Employer contributions to the Group defined contribution pension scheme for employees in the United Kingdom were £70,695 (2021: 
£46,509).  A defined contribution scheme is a pension plan under which the Group pays fixed contributions into a separate entity.

Contributions payable to the Group’s pension scheme are charged to the income statement in the year to which they relate. The Group 
has no further payment obligations once the contributions have been paid. 

In Poland, the Group pays the statutory employer’s contribution into the public pension scheme for each employee, but does not operate 
any pension schemes.

29 RELATED PARTY TRANSACTIONS

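| 2022 | Crossword Consulting Limited | Crossword Cybersecurity SP Z.o.o | Stega UK Limited | Cumberland House Consulting Limited | Verifiable Credentials Limited |
|---|---|---|---|---|---|
| Services received from £ | 102,877 | 746,355 | 42,000 | - | - |
| Services supplied to £ | - | - | - | 318,800 | - |
| Balance trade payable to £ | - | 284,420 | - | - | - |
| Balance trade receivable from £ | 143,779 | - | 156,870 | 54,235 | 1,385 |
| Intercompany loan receivable from £ | 1,178,367 | - | 88,818 | - | - |

| 2021 | Crossword Consulting Limited | Crossword Cybersecurity SP Z.o.o | Stega UK Limited | Cumberland House Consulting Limited | Verifiable Credentials Limited |
|---|---|---|---|---|---|
| Services received from £ | 274,099 | 580,704 | 7,000 | - | - |
| Services supplied to £ | - | - | - | - | - |
| Balance trade payable to £ | 150,311 | 102,067 | 4,200 | - | - |
| Balance trade receivable from £ | 165,757 | - | - | - | 10,736 |
| Intercompany loan receivable from £ | 918,207 | - | - | | - |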

Tom Ilube, CEO, had made a loan of £250,000 to the Company on the same terms as the other Lenders as described in note 30. This loan 
was repaid in December 2022.

The Company has a related party relationship with its key management who are the Executives: Tom Ilube, Mary Dowd, Jake Holloway, 
Sean Arrowsmith and Stuart Jubb, whose total compensation amounted to £796,444 (2021: £793,233). 

30 CONVERTIBLE LOAN NOTES

The following table explains movements in the undiscounted Convertible Loan Notes in the year:

| £ | Convertible Loan Notes |
|---|---|
| B/f 2022 | 1,400,000 |
| Expired in the period | (1,400,000) |
| Extended loans | 700,000 |
| Increased loan amounts | 150,000 |
| Additional loans issued in the period | 650,000 |
| C/d 2022 | 1,500,000 |

The discounted amount of the Convertible Loan Notes at the year end was £1,329,678. 

The equity component of the Convertible Loan Notes at the date of issue was £195,685.  

Repayment of the loan notes is at the end of the term, in cash, save that each lender may opt to convert part or all of their loan into 
Ordinary Shares at £0.252.  On repayment of the loans in cash, each lender will be issued warrants valid for three months to subscribe 
for Ordinary Shares representing 10% of the value of the loan at £0.252.

The loan from Tom Ilube, CEO, for an amount of £250,000 was repaid in December 2022.

31 CONTROLLING PARTY

The Company does not have a controlling party.  

32 SUBSEQUENT EVENTS

There are no events after the reporting date to be disclosed.

Notice of AGM

Notice is hereby given that the Annual General Meeting of Crossword Cybersecurity plc (the “Company”) will be held at the offices of 
Shakespeare Martineau LLP, 6th Floor, 60 Gracechurch Street, London EC3V 0HR on Monday 22nd May 2023 at 11.00 am to consider, 
and if thought fit, to pass the following resolutions, of which 1 to 5 will be proposed as Ordinary Resolutions and resolution 6 will be 
proposed as a Special Resolution:

Ordinary Business

1. To receive and adopt the report of the directors and the financial statements for the year ended 31 December 2022 and the report of the 
  auditors thereon.

2. To re-elect, as a director of the Company, Sir Richard Dearlove who retires in accordance with Article 93.2 of the Company’s Articles of 
  Association and offers himself for re-election.

3. To re-elect, as a director of the Company, Dr David Secher who retires in accordance with Article 93.2 of the Company’s Articles of 
  Association and offers himself for re-election.

4. To re-appoint MHA MacIntyre Hudson LLP as auditors of the Company and to authorise the directors to determine the auditor’s 
  remuneration.

Special Business

5. THAT the Directors be and they are hereby generally and unconditionally authorised pursuant to Section 551 of the Companies Act 2006 
  (“the Act”), in substitution for all previous powers granted to them, to exercise all the powers of the Company to allot and make offers 
  to allot relevant securities (within the meaning of the Act) up to an aggregate nominal amount of £46,858.82 such authority shall, unless 
  previously revoked or varied by the Company in general meeting, expire on the conclusion of the Annual General Meeting of the 
  Company to be held in 2024 provided that the Company may, at any time before such expiry, make an offer or enter into an agreement 
  which would or might require relevant securities to be allotted after such expiry and the Directors may allot relevant securities pursuant 
  to any such offer or agreement as if the authority conferred hereby had not expired.

6. THAT, subject to and conditional upon the passing of Resolution 5 the Directors be and they are hereby authorised pursuant to 
  Section 570 of the Act to allot equity securities (as defined in Section 560 of the Act) for cash pursuant to the authority conferred by 
  resolution 5 above as if Section 561(1) of the Act did not apply to any such allotment, provided that this power shall be limited to:

(a) the allotment of equity securities in connection with an issue in favour of shareholders where the equity securities respectively 
  attributable to the interests of all such shareholders are proportionate (or as nearly as may be practicable) to the respective number 
  of Ordinary Shares in the capital of the Company held by them on the record date for such allotment, but subject to such exclusions 
  or other arrangements as the Directors may deem necessary or expedient in relation to fractional entitlements or legal or practical 
  problems under the laws of, or the requirements of, any recognised regulatory body or any stock exchange, in any territory;

(b) the allotment of equity securities arising from the exercise of options or the conversion of any other convertible securities 
  outstanding at the date of this resolution; and

(c) the allotment (otherwise than pursuant to sub-paragraph (a) and (b) above) of further equity securities up to an aggregate nominal 
  amount of £46,858.82 provided that this power shall, unless previously revoked or varied by special resolution of the Company in 
  general meeting, expire at the conclusion of the Annual General Meeting of the Company to be held in 2024. The Company may, before 
  such expiry, make offers or agreements which would or might require equity securities to be allotted after such expiry and the 
  Directors are hereby empowered to allot equity securities in pursuance of such offers or agreements as if the power conferred 
  hereby had not expired.

BY ORDER OF THE BOARD

B HARBER 
Company Secretary 
18 April 2023

Notes

1. Members are entitled to appoint a proxy to exercise all or any of their rights to attend and to speak and vote on their behalf at the 
  meeting. A proxy need not be a shareholder of the Company. You can register your vote(s) for the Annual General Meeting either:

• by logging on to www.shareregistrars.uk.com, clicking on the “Proxy Vote” button and then following the on-screen instructions;

• by post or by hand to Share Registrars Limited, 3 The Millennium Centre, Crosby Way, Farnham, Surrey GU9 7XX using the proxy form 
  accompanying this notice;

• in the case of CREST members, by utilising the CREST electronic proxy appointment service in accordance with the procedures set out 
  in note 5 below.

2. In order for a proxy appointment to be valid the proxy must be received by Share Registrars Limited by Thursday 18th May 2023  
  at 11am.

3. Any member entitled to attend and vote at the meeting may appoint one or more proxies to attend and, on a poll, vote instead of him. 
  A proxy need not also be a member.

4. The completion and return of a form of proxy will not preclude a member from attending in person at the meeting and voting should 
  he wish to do so.

5. CREST members may appoint a proxy through CREST by using the procedures described in the CREST Manual (available via 
  www.euroclear.com/CREST). CREST personal members or other CREST sponsored members and those CREST members who 
  have appointed a voting service provider should refer to their CREST sponsor or voting service provider, who will be able to take the 
  appropriate action on their behalf. In order for a proxy appointment or instruction made using the CREST service to be valid, the 
  appropriate CREST message (“a CREST proxy instruction”) must be properly authenticated in accordance with Euroclear UK & 
  Ireland Limited’s specifications and must contain the information required for such instructions, as described in the CREST Manual. 
  All messages relating to the appointment of a proxy or an instruction to a previously appointed proxy must be transmitted so that 
  they are received by Share Registrars Limited (ID 7RA36) by Thursday 18th May 2023 at 11am (or, if the meeting is adjourned, the 
  time that is 48 hours (excluding non-working days) before the time fixed for the adjourned meeting). For this purpose, the time of 
  receipt will be taken to be the time (as determined by the time stamp applied to the message by the CREST Applications Host) from 
  which the issuer’s agent is able to retrieve the message by enquiry to CREST in the manner prescribed by CREST. Any change of 
  instructions to proxies appointed through CREST should be communicated to the appointee through other means. CREST members 
  and, where applicable, their CREST sponsors or voting service providers should note that Euroclear UK & Ireland Limited does 
  not make available special procedures in CREST for any particular message. Normal system timings and limitations will, therefore, 
  apply in relation to the input of CREST proxy instructions. It is therefore the responsibility of the CREST member concerned to take 
  (or procure the taking of) such action as shall be necessary to ensure that a message is transmitted by means of the CREST system 
  by any particular time. In this connection, CREST members and, where applicable, their CREST sponsors or voting service providers 
  are referred, in particular, to those sections of the CREST Manual concerning practical limitations of the CREST system and timings. 
  The Company may treat a CREST Proxy Instruction as invalid in the circumstances set out in Regulation 35(5)(a) of the Uncertificated 
  Securities Regulations 2001.

6. The Company has specified that only those members entered on the register of members at 11am on Thursday 18th May 2023 shall 
  be entitled to vote at the meeting in respect of the number of ordinary shares of £0.05 each in the capital of the Company held in their 
  name at that time. Changes to the register after Thursday 18th May 2023 at 11am shall be disregarded in determining the rights of 
  any person to attend and vote at the meeting.

7. Resolutions 2 and 3 – Article 93.2 of the Company’s Articles of Association requires that a director of the Company who held office at 
  the time of the two preceding annual general meetings and who did not retire at either of them must offer themselves for re-election 
  at the next Annual General Meeting. This year Sir Richard Dearlove and Dr David Secher are offering themselves for re-election.

8. Resolution 5 – As required by the Act, this resolution, to be proposed as an Ordinary Resolution, relates to the grant to the Directors 
  of authority to allot unissued Ordinary Shares until the conclusion of the Annual General Meeting to be held in 2024, unless the 
  authority is renewed or revoked prior to such time. If approved, this authority is limited to a maximum of 9,371,764 Ordinary Shares. 
  This represents one-third of the issued share capital of the Company.

9. Resolution 6 – The Act requires that if the Directors decide to allot unissued Ordinary Shares in the Company the shares proposed to 
  be issued be first offered to existing shareholders in proportion to their existing holdings. This is known as shareholders’ pre-emption 
  rights. However, to act in the best interests of the Company the Directors may require flexibility to allot shares for cash without 
  regard to the provisions of Section 561(1) of the Act. Therefore this resolution, to be proposed as a Special Resolution, seeks authority 
  to enable the Directors to allot equity securities up to a maximum of 9,371,764 Ordinary Shares. This authority expires at the 
  conclusion of the Annual General Meeting to be held in 2024 and represents 10% of the issued share capital.

Company Information

DIRECTORS
Sir Richard Dearlove (Chair) 
T Ilube (CEO)
Dr D Secher 
A Gueritz
R Anderson 
M Dowd
Dr R Coles
T Cemlyn Jones

REGISTERED NUMBER
08927013

REGISTERED OFFICE
60 Gracechurch Street  
London 
EC3V 0HR

INDEPENDENT AUDITOR
MHA MacIntyre Hudson 
Chartered Accountants & Statutory Auditors 
6th Floor 
2 London Wall Place  
London 
EC2Y 5AU

NOMAD
Grant Thornton LLP 
30 Finsbury Square  
London 
EC2P 2YU

CORPORATE BROKER
Hybridan LLP 
1 Poultry 
London  
EC2R 8EJ

PUBLIC RELATIONS ADVISER 
Kinlan Communications  
2-4 Exmoor Street  
London 
W10 6BD

Crossword Cybersecurity plc

60 Gracechurch Street,  
London EC3V 0HR

e: info@crosswordcybersecurity.com 
twitter: @crosswordcyber 
t: +44 (0) 203 953 8466