More annual reports from OneSpan:
2023 ReportPeers and competitors of OneSpan:
China Index Holdings LimitedUNITED STATES SECURITIES AND EXCHANGE COMMISSION Washington, D.C. 20549 _____________________________________ FORM 10-K FOR ANNUAL AND TRANSITION REPORTS PURSUANT TO SECTIONS 13 OR 15(d) OF THE SECURITIES EXCHANGE ACT OF 1934 (Mark One) x ANNUAL REPORT PURSUANT TO SECTION 13 OR 15(D) OF THE SECURITIES EXCHANGE ACT OF 1934 FOR THE FISCAL YEAR ENDED DECEMBER 31, 2022 or o TRANSITION REPORT PURSUANT TO SECTION 13 OR 15(d) OF THE SECURITIES EXCHANGE ACT OF 1934 FOR THE TRANSITION PERIOD FROM TO Commission file number 000-24389 OneSpan Inc. (Exact Name of Registrant as Specified in Its Charter) DELAWARE (State or Other Jurisdiction of Incorporation or Organization) 36-4169320 (IRS Employer Identification No.) 121 West Wacker Drive, Suite 2050 Chicago, Illinois 60601 (Address of Principal Executive Offices)(Zip Code) Registrant’s telephone number, including area code: 312-766-4001 Securities registered pursuant to Section 12(b) of the Act: Title of each class Common Stock, par value $.001 per share Trading Symbol OSPN Name of exchange on which registered NASDAQ Capital Market Indicate by check mark if the registrant is a well-known seasoned issuer, as defined by Rule 405 of the Securities Act. Yes o No x Indicate by check mark if the registrant is not required to file reports pursuant to Section 13 or 15(d) of the act. Yes o No x Securities registered pursuant to Section 12(g) of the Act: None Indicate by check mark whether the registrant: (1) has filed all reports required to be filed by Section 13 or 15(d) of the Securities Exchange Act of 1934 during the preceding 12 months (or for such shorter period that the registrant was required to file such reports), and (2) has been subject to such filing requirements for the past 90 days. Yes x No o Indicate by check mark whether the registrant has submitted electronically every Interactive Data File required to be submitted pursuant to Rule 405 of Regulation S-T (§232.405 of this chapter) during the preceding 12 months (or for such shorter period that the registrant was required to submit such files). Yes x No o Indicate by check mark if disclosure of delinquent filers pursuant to Item 405 of Regulation S-K is not contained herein, and will not be contained, to the best of registrant’s knowledge, in definitive proxy or information statements incorporated by reference in Part III of this Form 10-K or any amendment to this Form 10-K. o Indicate by check mark whether the registrant is a large accelerated filer, an accelerated filer, a non-accelerated filer, a smaller reporting company, or an emerging growth company. See definition of “large accelerated filer,” “accelerated filer”, “smaller reporting company”, and “emerging growth company” in Rule 12b-2 of the Exchange Act. Large accelerated filer o Accelerated filer ☒ Non-accelerated filer o Smaller reporting company o Emerging growth company o If an emerging growth company, indicate by check mark if the registrant has elected not to use the extended transition period for complying with any new or revised financial accounting standards pursuant to Section 13(a) of the Exchange Act. o Indicate by check mark whether the registrant has filed a report on and attestation to its management’s assessment of the effectiveness of its internal control over financial reporting under Section 404(b) of the Sarbanes-Oxley Act (15 U.S.C. 7262(b)) by the registered public accounting firm that prepared or issued its audit report. x If securities are registered pursuant to Section 12(b) of the Act, indicate by check mark whether the financial statements of the registrant included in the filing reflect the correction of an error to previously issued financial statements. o Indicate by check mark whether any of those error corrections are restatements that required a recovery analysis of incentive-based compensation received by any of the registrant’s executive officers during the relevant recovery period pursuant to §240.10D- 1(b). o Indicate by check mark whether the registrant is a shell company (as defined in Rule 12b-2 of the Exchange Act). Yes o No x As of June 30, 2022, the aggregate market value of voting and non-voting common equity (based upon the last sale price of the common stock as reported on the NASDAQ Capital Market on June 30, 2022) held by non-affiliates of the registrant was $471,211,321 at $11.90 per share. As of February 25, 2023, there were 40,001,325 shares of common stock outstanding. Certain sections of the registrant’s Notice of Annual Meeting of Stockholders and Proxy Statement for its 2023 Annual Meeting of Stockholders are incorporated by reference into Part III of this report. DOCUMENTS INCORPORATED BY REFERENCE Auditor Name: KPMG LLP Auditor Location: Chicago, IL Auditor Firm ID: 185 OneSpan Inc. Annual Report on Form 10-K For the Year Ended December 31, 2022 TABLE OF CONTENTS PART I Item 1. Business Item 1A. Risk Factors Item 1B. Unresolved Staff Comments Item 2. Item 3. Item 4. PART II Item 5. Item 6. Item 7. Properties Legal Proceedings Mine Safety Disclosures Market for Registrant’s Common Equity, Related Stockholder Matters and Issuer Purchases of Equity Securities [Reserved] Management’s Discussion and Analysis of Financial Condition and Results of Operations Item 7A. Quantitative and Qualitative Disclosures About Market Risk Item 8. Item 9. Financial Statements and Supplementary Data Changes in and Disagreements with Accountants on Accounting and Financial Disclosures Item 9A. Controls and Procedures Item 9B. Other Information Item 9C. Disclosure Regarding Foreign Jurisdictions that Prevent Inspection PART III Item 10. Directors, Executive Officers and Corporate Governance Item 11. Executive Compensation Item 12. Security Ownership of Certain Beneficial Owners and Management and Related Stockholder Matters Item 13. Certain Relationships and Related Transactions, and Director Independence Item 14. Principal Accounting Fees and Services PART IV Item 15. Exhibits, Financial Statement Schedules CONSOLIDATED FINANCIAL STATEMENTS AND SCHEDULE PAGE 1 10 30 30 30 31 31 33 33 51 52 52 52 53 54 54 54 55 55 55 55 F-1 Cautionary Note Regarding Forward-Looking Statements This Annual Report on Form 10-K contains forward-looking statements within the meaning of applicable U.S. securities laws, including statements regarding the outcomes we expect from our strategic transformation plan; expected results of the investments we are making in sales, marketing, and product development; our plans for managing our Digital Agreements and Security Solutions segments; expectations regarding our ability to attract new customers and retain existing customers; efficiency, functionality and other expectations for our next-generation transaction-cloud platform; the timing for general availability of new or enhanced products, including Digipass CX; our expectations regarding our use of technology acquired in our ProvenDB acquisition or other acquisitions we may complete in the future; the expectation that software as a service, or SaaS, will constitute an increasingly important part of our business in the future; the potential benefits, performance and functionality of our products and solutions, including future offerings; future plans or trends in sales and marketing, research and development, and general and administrative expenditures; expectations regarding sources and uses of cash; plans to expand our salesforce and distribution channels; the impact of foreign currency exchange rate fluctuations; the impact of inflation; trends in microprocessor or other costs affecting our Digipass business; the effects of supply chain disruptions; plans or expectations for inventory management in our Digipass business; impacts of macroeconomic conditions or geopolitical conflict; trends in hiring or compensation costs or in gender diversity at our company; and our general expectations regarding our operational or financial performance in the future. Forward-looking statements may be identified by words such as "seek", "believe", "plan", "estimate", "anticipate", “expect", "intend", "continue", "outlook", "may", "will", "should", "could", or "might", and other similar expressions. These forward-looking statements involve risks and uncertainties, as well as assumptions that, if they do not fully materialize or prove incorrect, could cause our results to differ materially from those expressed or implied by such forward-looking statements. Factors that could materially affect our business and financial results include, but are not limited to: our ability to execute our strategic transformation plan; our ability to attract new customers and retain and expand sales to existing customers; our ability to effectively develop and expand our sales and marketing capabilities; our ability to hire, train, and retain sales and other employees necessary to implement our strategic transformation plan; our ability to successfully develop and market new product offerings and product enhancements; the loss of one or more large customers; difficulties enhancing and maintaining our brand recognition; competition; lengthy sales cycles; departures of senior management or other key employees; changes in customer requirements; interruptions or delays in the performance of our products and solutions; real or perceived malfunctions or errors in our products; the potential effects of technological changes; economic recession, inflation, and political instability; the impact of the COVID-19 pandemic and actions taken to contain it; our ability to effectively manage third party partnerships, acquisitions, divestitures, alliances, or joint ventures; security breaches or cyber-attacks; claims that we have infringed the intellectual property rights of others; price competitive bidding; changing laws, government regulations or policies; pressures on price levels; component shortages; delays and disruption in global transportation and supply chains; reliance on third parties for certain products and data center services; impairment of goodwill or amortizable intangible assets causing a significant charge to earnings; actions of activist stockholders; and exposure to increased economic and operational uncertainties from operating a global business, as well as other factors described in the “Risk Factors” section of this Form 10-K. Our filings with the Securities and Exchange Commission (the “SEC”) and other important information can be found in the Investor Relations section of our website at investors.onespan.com. We do not have any intent, and disclaim any obligation, to update the forward-looking information to reflect events that occur, circumstances that exist or changes in our expectations after the date of this Form 10-K, except as required by law. Item 1 – Business Overview PART I OneSpan helps organizations accelerate digital transformations by enabling secure, compliant, and refreshingly easy digital customer agreements and transaction experiences. We deliver digital agreement products and services that automate and secure customer-facing and revenue-generating business processes. Our solutions help organizations streamline and secure user experiences, which in turn allows them to drive growth, reduce risk, and unlock their business potential. We are a global leader in providing high-assurance identity and authentication security as well as enterprise-grade electronic signature (e- signature) solutions, for use cases ranging from simple transactions to workflows that are complex or require higher levels of security. Our solutions help our clients ensure the integrity of the people and records associated with digital agreements, transactions, and interactions in industries including banking, financial services, healthcare, and professional services. We are trusted by global blue-chip enterprises, including more than 60% of the world’s largest 100 banks, and process millions of digital agreements and billions of transactions in more than 100 countries annually. Our solutions are powered by a portfolio of products and services across identity verification, authentication, virtual interactions and transactions, and secure digital storage. These products and services can be acquired and embedded individually within enterprise business workflows or assembled into tailored solutions for simple yet secure business-to-business, business-to-employee, and business-to-customer experiences. We offer our solutions through cloud-based and, in select cases, on-premises solutions using both open standards and proprietary technologies. We offer our products primarily through a subscription licensing model. Our solutions are sold worldwide through our direct sales force, as well as through distributors, resellers, systems integrators, and original equipment manufacturers. Business Transformation We are currently in the midst of a business transformation. Our total revenue decreased on a year-over-year basis in 2020 and 2021, and we experienced negative operating income and net losses in both of those years. During 2021 and early 2022, our previous CEO, CFO, and several other senior executives left the company. In late November 2021, our current CEO joined us and has built a new executive team over the course of 2022 to effect the transformation. In May 2022, we announced a three-year strategic transformation plan that began on January 1, 2023. We believe this transformation plan will enable us to build on our strong solution portfolio and market position, enhance our enterprise go-to-market strategy, accelerate revenue growth, and drive efficiencies to support margin expansion and increased profitability. In conjunction with the strategic transformation plan and to enable a more efficient capital deployment model, effective with the quarter ended June 30, 2022, we began reporting under the following two lines of business, which are our reportable operating segments: Digital Agreements and Security Solutions. • Digital Agreements. Digital Agreements consists of solutions that enable our clients to secure and automate business processes associated with their digital agreement and customer transaction lifecycles that require consent, non-repudiation and compliance. These solutions, which are largely cloud-based, include our OneSpan Sign e-signature solution and our recently introduced OneSpan Notary and Virtual Room solutions.. As our transformation plan progresses, we expect to include other cloud-based security modules associated with the secure transaction lifecycle of identity verification, authentication, virtual interaction and transactions, and secure digital storage in the Digital Agreements segment. This segment also includes costs attributable to our transaction-cloud platform. Security Solutions. Security Solutions consist of our broad portfolio of software products and/or software development kits (SDKs) that are used to build applications designed to defend against attacks on digital transactions across online environments, devices and applications. These solutions, which are largely on-premises software products, include identity verification, multi-factor authentication and transaction signing, such as mobile application security, mobile software tokens, and Digipass authenticators that are not cloud connected devices. • 1 We expect to manage Digital Agreements for accelerated growth and market share gains and Security Solutions for cash flows given its more modest growth profile. Across both segments, we plan to build on our strong foundation in both e-signature and cybersecurity by enhancing product features, developing new solutions, and building out our next-generation transaction cloud platform, which we expect will allow us to efficiently deliver security and e-signature solutions to our customers across their entire digital agreement lifecycle. We also plan to enhance our go-to-market strategy by prioritizing growth at large enterprise accounts, expanding our direct sales force, and accessing new routes to market through alliances and partnerships. Our transformation plan involves numerous risks and uncertainties. Please see Item IA, Risk Factors. Industry Background While digital transformation and the shift to cloud-delivered experiences across all industries has helped increase the pace of innovation and business execution, it has also increased security risks for organizations, their customers, and their employees. People and records associated with business interactions, transactions, and agreements have become the biggest attack surface, or point of vulnerability, to cyber-attacks. Today’s cybersecurity bad actors are more sophisticated and well-resourced, which means that enterprises everywhere are confronted with security threats on all fronts, from identity fraud and firewall breaches to nation-state espionage. Without secure and enforceable business processes and outcomes, economies everywhere are vulnerable. However, current security measures are typically at odds with the pressure for organizations to drive growth and support increasing customer expectations for frictionless user experiences. For high-value transactions and agreements that have shifted to digital workflows, these challenges are amplified due to the fragmented legal requirements, regulatory rules, and complexity associated with doing business across state and national borders. In addition to automating and securing these digital workflows, cross-border identity verification, data privacy, and sovereignty regulations vary from one jurisdiction to the next, complicating compliance for organizations operating globally. We believe that these trends will continue to accelerate and evolve, creating a unique opportunity for OneSpan to leverage its global security roots to deliver technology that enables frictionless customer experiences, with security seamlessly interwoven throughout every action and interaction. OneSpan is uniquely positioned to help organizations deliver the simple and intuitive experiences their customers demand today, while preparing them for the security challenges of tomorrow. Our Products and Services Portfolio We offer a portfolio of products and solutions to enable secure, compliant and refreshingly easy customer interactions and transactions. Whereas other companies provide point solutions for either security or digital agreements, we support the entire lifecycle of digital agreements for global enterprises that need to meet the highest levels of assurance, security, and compliance, all while using a human-centric approach that minimizes friction for customers. Our portfolio spans across the stages of the digital agreement process: • Verify – Identity Proofing and Verification: Establish a relationship with your customer, starting with knowing who they are. • Authenticate – User Authentication: Protect yourself and your customer’s identity with strong customer authentication. • • • Interact – Virtual Room: Connect and collaborate with your customers in a secure, virtual environment. Transact – E-Sign: Sign transactions and agreements remotely and securely. Store – Secure Vaulting: Complete the digital agreement process by securely storing transaction records and documentation. Since June 30, 2022, we have reported our financial results under two operating segments: Digital Agreements and Security Solutions. The products and services that currently fall under each segment are shown below; however, as our transformation plan progresses and we deliver more of our products and services through our next-generation transaction- cloud platform, we expect to include other cloud-based security modules across the digital agreements lifecycle in the Digital Agreements segment. 2 Digital Agreements OneSpan Sign supports a broad range of e-signature requirements from simple to complex, and from the occasional agreement to processing tens of thousands of transactions. OneSpan Sign provides multiple deployment options, including public cloud or private cloud, without compromising security or functionality. The solution is also available in a Federal Risk and Authorization Management Program (FedRAMP) SaaS-level compliant cloud, allowing U.S. government agencies to implement e- signatures in the cloud and meet General Services Administration (GSA) security requirements. Customers can configure OneSpan Sign to reinforce their brand for a seamless signing experience. Each step of the digital agreement workflow can be customized, from authentication to e-signing and secure storage. OneSpan Sign also provides comprehensive and secure electronic evidence for strong legal protection by capturing all actions that took place during the agreement process. This reduces the time and cost of gathering evidence and demonstrating legal and regulatory compliance. Electronic signature capabilities can be a critical component of the account opening and onboarding processes, providing a secure and user-friendly way to execute legally binding agreements. Virtual Room is a purpose-built, high-assurance solution that blends the simplicity of a consumer video collaboration app with high-assurance identity and authentication security. OneSpan’s secure Virtual Room cloud service enables organizations to deliver live, high-touch assistance to their customers in a secure virtual environment. This next-generation customer engagement solution gives organizations the ability to combine identity verification, authentication, and e-signature solutions from the broader OneSpan portfolio with a high-assurance virtual experience that removes the friction of entering a branch or meeting in person. In addition, robust audit and compliance controls help manage risk and meet regulatory requirements. OneSpan Notary is the newest addition to the OneSpan product portfolio that spans the entire digital agreements lifecycle from identifying an unknown signer all the way to securely storing an agreement and associated assets. Developed for organizations with in-house notaries, OneSpan Notary includes live electronic signature, two-way secured videoconferencing, and strong identity proofing options, like ID Verification and Knowledge-based Authentication (KBA). It also simplifies the notarization process with guided workflows, the ability to upload eNotary Seal, recording, eJournaling, and audit trail capabilities in a single solution. Digipass CX is OneSpan’s latest family of cloud-connected high-assurance identity verification and authentication devices designed to increase security, minimize fraud, and simplify the user experience. These new devices rely on biometrics rather than one-time passwords which can be stolen via social engineering. Because these devices are connected to the cloud, they can be dynamically provisioned, reprovisioned, and even updated to incorporate new features and applications as they become available in the future. We plan for the first two Digipass CX models to be generally available later in 2023. Secure Storage is a new addition to the OneSpan product portfolio through the first quarter 2023 acquisition of ProvenDB. OneSpan plans to integrate the ProvenDB Compliance Vault technology obtained through the acquisition to add blockchain-backed secure storage initially for the OneSpan Sign product and eventually across the entire portfolio. This new secure storage capability is designed for high-value, high-risk use-cases by providing tamper resistant document storage supported by immutable compliance data, all protected by blockchain technology. Security Solutions OneSpan Identity Verification gives banks and other financial institutions access to a wide range of identity verification services – all through a single API integration. This includes identity document (e.g., driver’s license, passport, etc.) capture and real-time authenticity verification, as well as facial comparison (“selfie”) and liveness detection (the ability to detect whether a digital interaction is with a live human being) to establish that the individual presenting the identity document is the same person whose picture appears on the authenticated identity document. OneSpan Cloud Authentication is a quick-to-deploy, cloud-based multifactor authentication solution that supports a full range of authentication options including biometrics, push notification, visual cryptograms for transaction data security, SMS, and hardware authenticators. This allows customers to solve strong authentication problems across different endpoints to best meet their unique requirements through a single provider rather than integrating multiple modalities together. It eliminates cost associated with managing legacy on-premises authentication technology and 3 provides a seamless upgrade path to more comprehensive capabilities such as Intelligent Adaptive Authentication, which applies a precise level of security for each unique customer interaction using advanced real-time risk analysis and scoring. Mobile Security Suite is a comprehensive software development kit that helps protect mobile transactions from bad actors by allowing organizations to natively integrate security features including geolocation, device identification, jailbreak and root detection, fingerprint and face recognition, one-time password delivery via push notification, and transaction data security, among others. Through a comprehensive library of APIs, application developers can extend and strengthen application security, deliver enhanced convenience to their application users, and streamline application deployment and lifecycle management processes. Mobile Security Suite also includes a Runtime Application Self-Protection module, which can detect and mitigate malicious app activity and potential loss to hacking activities. Authentication Server resides on-premises and incorporates a range of strong authentication utilities and solutions designed to allow organizations to securely authenticate users and transactions. The solution, once integrated, becomes largely transparent to users, minimizing rollout and support issues. Authentication Server encompasses multiple authentication technologies (e.g., passwords, dynamic password technologies, certificates, and biometrics) and allows the use of any combination of those technologies simultaneously. Digipass Authenticators are our family of hardware authenticators, consisting of a wide variety of authentication devices, each of which has its own distinct characteristics to meet the needs of our customers. All models of the Digipass family of authenticators are designed to work together so customers can switch devices without changes to their existing infrastructure. Our models range from one-button devices and smart card readers to devices that include more advanced technologies, such as public key infrastructure (PKI) and visual cryptography. Digipass devices included in the Security Solutions segment are not cloud-connected, in contrast to our cloud-connected Digipass CX device, which we expect to include in the Digital Agreements segment. Intellectual Property and Proprietary Rights and Licenses We rely on a combination of patent, copyright, trademark, design, and trade secret laws, as well as employee and third-party non-disclosure agreements to protect our intellectual property, or IP, and other proprietary rights. In particular, we hold several patents in the U.S. and in other countries, which cover multiple aspects of our technology. These patents expire between 2023 and 2040. In addition to the issued patents, we also have several patent applications pending in the U.S., Europe, and other countries. Many of our issued and pending patents are related to our Digipass product line. In addition to our owned IP, we license software from third parties for integration into our solutions, including open-source software and other software available on commercially reasonable terms. We furthermore have registrations for most of our trademarks in most of the markets where we sell the corresponding products and services, as well as registrations of the designs of many of our hardware products, primarily in the European Union (EU) and China. Protecting IP rights can be difficult, particularly in countries that provide less protection to IP rights and in the absence of harmonized international IP standards. Competitors and others may already have IP rights covering similar products. We may not be able to secure IP rights covering our own products or may have difficulties obtaining IP licenses from other companies on commercially favorable terms. For a discussion of IP-related risks, see Item IA, Risk Factors. Research and Development Our research and development efforts are focused primarily on enhancing our solutions by building new features, functionality, and applications; developing technology to support new products; enhancing our next-generation transaction- cloud platform; and conducting product and quality assurance testing. We employ a team of full-time engineers and, from time to time, also engage independent engineering firms to conduct certain product development efforts on our behalf. For fiscal years ended December 31, 2022, 2021, and 2020, we incurred expenses, net of software capitalization, of $41.7 million, $47.4 million, and $41.2 million, respectively, for research and development. Production Our Digipass authentication devices are manufactured by third-party manufacturers pursuant to purchase orders that we issue. The majority of our Digipass products are manufactured by four independent factories in Southern China and one in Romania. We maintain local teams in China and Romania to conduct quality control and quality assurance 4 procedures. Periodic visits are conducted by our personnel for quality management, assembly process review, and supplier relations. Digipass devices are made primarily from commercially available electronic components, including microprocessors purchased from several suppliers. We purchase microprocessors and arrange for shipment to third parties for assembly and testing in accordance with our design specifications. The microprocessors are the most important components of the devices which are not commodity items readily available on the open market. During 2022, the supply chain for our Digipass devices was impacted by global issues related to the effects of the COVID-19 pandemic, the Russia-Ukraine conflict and the inflationary cost environment, particularly with respect to materials in the semiconductor market, including part shortages, increased freight costs, diminished transportation capacity and labor constraints. This has resulted in disruptions in our supply chain, as well as difficulties and delays in procuring certain microprocessors. Since late 2021, our costs have increased due to elevated lead times and increased material costs, in particular the need to purchase microprocessors from alternative sources. We expect increased costs to procure materials within the semiconductor market to continue in 2023. Further, we anticipate that the broader impact of inflationary pressures, increased material costs, and supply chain disruptions may continue in 2023. In response to these supply chain conditions, in 2022 we focused on improving our supplier network, engineering alternative designs, and working to reduce supply shortages. We are actively managing our inventory in an effort to minimize supply chain disruptions and enable continuity of supply and services to our customers, and we may maintain elevated levels of inventory for certain of our products until supply constraints have been remediated. We are also considering alternative manufacturing and supply arrangements, including moving more of our manufacturing from China to Romania or other locations, to mitigate supply chain risks in the future. Our software solutions are produced in-house or developed by third parties and sold under license. Competition The market for digital solutions for identity, authentication, and secure digital agreements is very competitive and, like most technology-driven markets, is subject to rapid change and constantly evolving solutions and services. Our identity verification and authentication products are designed to allow authorized users access to digital business processes and properties, in some cases using patented technology, as a replacement for or supplement to a static password. Our main competitors in our identity verification and authentication markets are Gemalto, a subsidiary of Thales Group, and RSA Security. There are also many other companies, such as Transmit Security, Symantec, and Duo Security, that offer competing services. In addition to these companies, we face competition from many small authentication solution providers, many of whom offer new technologies and niche solutions such as biometric or risk and behavioral analysis. We believe that competition in this market is likely to intensify as a result of increasing demand for security products. Our primary competitors for electronic signature solutions are DocuSign and Adobe Systems. Both companies are significantly larger than us. In addition to these companies, there are numerous smaller and regional or niche providers of electronic signing solutions. We believe that the principal competitive factors affecting the market for digital solutions for identity, security, and electronic signatures include the strength and effectiveness of the solution, technical features, ease of use, quality and reliability, customer service and support, brand recognition, customer base, distribution channels, and the total cost of ownership of the solution. Although we believe that our products currently compete favorably with respect to most of these factors, we may not be able to maintain our competitive position against current and potential competitors. Some of our present and potential competitors have significantly greater financial, technical, marketing, purchasing, and other resources. As a result, they may be able to respond more quickly to new or emerging technologies and changes in customer requirements, or to devote greater resources to the development, promotion and sale of products, or to deliver competitive products at a lower end-user price. Please see Item IA, Risk Factors. Sales and Marketing Our solutions are sold worldwide through our direct sales force as well as through distributors, resellers, systems integrators, and original equipment manufacturers. Our sales staff coordinates sales activity through both our sales channels 5 and those of our partners, making direct sales calls either alone or with the sales personnel of our partners. Our sales staff also provides product education seminars to sales and technical personnel of resellers and distributors, with whom we have working relationships, and to potential end users of our products. As part of our three-year strategic plan, we are enhancing our go-to-market strategy in several ways, including: shifting to a unified sales force that sells across our full solution portfolio (rather than separate sales forces for e-signature and security solutions); prioritizing growth at large enterprise accounts; expanding our direct sales force; and accessing new routes to market through alliances and partnerships. Our expanded selling effort also includes identifying additional applications for our solutions, cross-selling our products to existing enterprise customers, and selling our full portfolio into new market segments and additional geographic markets. Customers and Markets The majority of our revenue is derived from financial institutions, which include traditional banks, credit unions, and online-only banks. We also sell to the enterprise market segment, government, healthcare, and insurance industries in select regions around the globe. We believe there are substantial opportunities for future growth, both within the market segments we currently serve and in new market segments, as we expand our product portfolio and go-to-market strategy. Our top 10 customers contributed 23%, 22%, and 21% in 2022, 2021, and 2020, respectively, of our total worldwide revenue. Because a significant portion of our sales is denominated in foreign currencies, changes in exchange rates impact results of operations. To mitigate exposure to risks associated with fluctuations in currency exchange rates, we attempt to denominate an amount of billings in a currency such that it would provide a hedge against operating expenses being incurred in that currency. For additional information regarding how currency fluctuations can affect our business, please refer to Item 7, Management’s Discussion and Analysis of Financial Condition and Results of Operations. We also experience seasonality or variation across the year in our markets. These trends can include lower sales during the summer months, particularly in Europe. Financial Information Relating to Foreign and Domestic Operations For financial information regarding OneSpan, see our consolidated financial statements and the related notes, which are included in Part IV of this Annual Report on Form 10-K. See Note 17, Geographic, Customer and Supplier Information in the notes to consolidated financial statements for a breakdown of revenue, gross profit and long-lived assets between the U.S. and other regions. Government Regulation As a global cybersecurity company, we are subject to complex and evolving global regulations in the various jurisdictions in which our products and services are used. Also, because banking and financial services is our largest industry target market, the government regulations affecting our customers in this area have a significant indirect effect on our business. Similar regulatory dynamics occur in the other primary markets where we have customers, such as healthcare and government. Additional proposed or new legislation and regulations could also significantly affect our business. See Item IA, Risk Factors, for additional information about the laws and regulations we are subject to and the risks to our business associated with those laws and regulations. Human Capital OneSpan is powered by a team of approximately 790 employees that spans the globe, consisting of approximately 300 employees in Canada, 292 in Europe, 27 in the Middle East and Latin America, 134 in the United States, and 37 in the Asia Pacific Region. As of December 31, 2022, approximately 309 of our employees were in research and development, 338 in sales and marketing, and 143 in general and administrative. We are currently in the early stages of a business transformation that we believe will disrupt our industry by securing the digital agreements process while taking a human-centric approach to end-user experience. We understand that 6 achieving this ambitious goal will depend primarily on the skills, creativity, and determination of our people, and we believe that people do their best work in an environment built on a compelling shared purpose, openness, trust, mutual accountability, and the opportunity to make a meaningful impact. To that end, our human capital objectives are built on the following five pillars, which we refer to as our “People Promise”: • Now is the time. With a bold vision and an ambitious market opportunity, we are ready to seize the moment. There’s never been a better time to join the team and play a part in the OneSpan story. • • Start from openness. We lead with transparency, engage with open minds, and promote diversity in our thinking and in our culture. That’s why we encourage each of our people to bring their whole self to work and be open to different ideas, new challenges, and new possibilities. Build it on trust. Real connections and true collaboration are built on trust. We trust each other and have no time for internal politics. We trust our people to always to bring their best. We trust ourselves to take chances and to build something bigger – together. • Own it. We believe in empowerment through freedom: giving our people flexibility and enabling them to carve their path, their way. We don’t just ask our team to embrace change; we ask them to own it. • Make a global impact. We challenge the now by thinking ahead, speaking up, and working together to constantly improve. Everyone is an integral part of the work we do with an equal opportunity to participate and make a global impact. The goal of our People Promise is to create an environment that will attract, retain and develop talented people who are motivated to find opportunities and create new possibilities for our customers, for themselves and their teams, and for OneSpan. To achieve this goal, we focus on the areas described below. Competitive Compensation and Benefits. We seek to provide our employees with competitive and fair compensation and benefit offerings, and use market benchmarks to ensure external competitiveness while maintaining equity within the organization. We tie incentive compensation to both business and individual performance and provide a range of health, wellness, family leave, savings, retirement, and time-off benefits for our employees, which vary based on local regulations and norms. ngagement. We regularly request input from employees, including through a broad employee engagement survey conducted annually and through more frequent, “pulse” surveys. These surveys are intended to measure our progress in promoting an environment where employees are engaged, productive, and have a strong sense of belonging. As part of our commitment to acting on employee input, we also use survey results to identify areas where we can do better and expect our managers to actively work to improve those areas. Hybrid Workplace Policy. For our employees who live near one of our offices, we have adopted a hybrid work model whereby employees generally come to the office in person once a week, on a day designated by local office leadership. For the rest of the week, employees may work either remotely or from their local office. We believe this approach maintains the flexibility of remote work while also providing a regular opportunity for in- person interactions to collaborate, innovate, and build relationships with colleagues. Diversity and Inclusion. With approximately 790 employees around the world and customers in more than 100 countries, we understand the importance of diversity in perspectives, experience, backgrounds and cultures. As part of our efforts to encourage diversity and inclusion, all employees take an annual diversity and inclusion training and an unconscious bias training. We also work with diversity focused job sites and candidate application platforms to increase access to diverse talent. In addition, we have an active employee resource group, Women at OneSpan, focused on providing support, mentoring and other resources for our female employees, and are beginning the process of making other employee resource groups available to interested employees. We monitor the gender diversity of our workforce regularly. We measure gender diversity overall, by job level, and by job category. As of December 31, 2022, approximately 31% of our employees identified as female, up from 27% at the end of 2021. The percentage of women in all job levels and categories also improved year over year. Although our gender diversity metrics may fluctuate from period to period, over the longer term, we hope and expect to see continued improvement in the representation of women across the company. 7 We are also proud of the strides we have made during 2022 in the diversity of our executive leadership team. As a result of new management hires during 2022, more than half of our 13-person executive team identifies as female, LGBTQ, and/or a person of color, which represents significant progress as compared to the prior year. Training and Talent Development. We promote and support employee development, compliance and organizational effectiveness by providing compliance training and professional development programs. All of our employees take a required annual training on the following topics: our code of conduct and ethics; cybersecurity; diversity and inclusion; and preventing sexual harassment. In addition, in 2022, we added a training on psychological safety at work, which covers ways managers and employees can promote an open, trusting and non-judgmental environment that promotes creativity and the free exchange of ideas. Feedback and Coaching. We believe regular feedback is an integral component of employee development, and that creating a culture of ongoing performance coaching is critical to our success. To that end, we conduct quarterly coaching sessions, where each employee is evaluated by their personal manager. Employee performance is assessed in significant part based on the achievement of goals set collaboratively by the employee and their manager. We also encourage managers to provide ongoing feedback and performance coaching to their direct reports, and to solicit their teams’ feedback on their own performance. Employee Recognition. We regularly recognize our employees for driving business results and exemplifying our company values. We believe that these recognition programs help drive strong employee performance. Employees also have access to an internal communications channel to recognize their peers for their contributions to the company. Community Outreach and Support. We believe it is important to promote community outreach through corporate giving and employee volunteerism in the communities where we live and work. We provide each employee with one paid day off each year to participate in volunteer activities of their choice. Beginning in mid-2023, we plan to launch a global social impact platform that will help our employees to find volunteer opportunities and collaborate with colleagues on social impact efforts. Monitoring our Progress We monitor our progress toward the goal of our People Promise by tracking the following metrics: • • Employee Survey Results. As discussed above under “Engagement”, we conduct a comprehensive employee engagement survey annually, and compare results for each survey question from year to year. Employee Turnover. We monitor attrition, voluntary turnover, and total turnover, as a whole and by tenure, region, and by job family. Attrition captures all reasons employees leave, including voluntary turnover and involuntary turnover due to job eliminations or performance reasons, whereas voluntary turnover is limited to elective departures by employees. Total turnover is the sum of attrition plus voluntary turnover. Our voluntary turnover across our global employee base in 2022 was 16%, which we believe compares favorably with global turnover rates in the technology industry. • Diversity. As discussed above under “Diversity and Inclusion”, we measure gender diversity at least annually overall, by geography, by job role, and by job level. We also monitor the racial and ethnic diversity of our U.S.-based employees, to the extent that our employees disclose their race and ethnicity to us. Corporate Information Our predecessor company, VASCO Corp., entered the data security business in 1991 through the acquisition of a controlling interest in ThumbScan, Inc., which we renamed VASCO Data Security, Inc. In 1997, VASCO Data Security International, Inc. was incorporated and in 1998, we completed a registered exchange offer with the holders of the outstanding securities of VASCO Corp., thereby becoming a publicly traded company. In May 2018, VASCO Data Security International, Inc., our publicly traded parent company, changed its name to OneSpan Inc. Including our predecessor companies, we have completed 17 acquisitions and two dispositions since our inception, including the 2013 acquisition of Cronto Limited, a provider of secure visual transaction authentication solutions 8 for online banking, and the 2015 acquisition of Silanis Technology Inc., a provider of e-signature and digital transaction solutions which we now market and sell under the OneSpan Sign name. Our principal executive offices are located at 121 West Wacker Drive, Suite 2050, Chicago, IL 60601. “OneSpan” and other trademarks, trade names or service marks of OneSpan Inc. or its subsidiaries appearing in this Annual Report on Form 10-K are the property of OneSpan Inc. or its appliable subsidiary. This Annual Report on Form 10-K may contain additional trade names, trademarks and service marks of others, which are the property of their respective owners. Solely for convenience, trademarks and trade names referred to in this Annual Report on Form 10-K may appear without the ® or ™ symbols. Available Information We maintain an Internet website at www.onespan.com. The information on, or that can be accessed through, our website is not incorporated by reference into this Annual Report on Form 10-K and should not be considered to be a part of this Annual Report on Form 10-K. Our website address is included in this Annual Report on Form 10-K as inactive textual reference only. Our reports filed or furnished pursuant to Section 13(a) or 15(d) of the Securities Exchange Act of 1934, as amended (Exchange Act), including our Annual Reports on Form 10-K, our Quarterly Reports on Form 10-Q and our Current Reports on Form 8-K, and amendments to those reports, are accessible through our website, free of charge, as soon as reasonably practicable after these reports are filed electronically with, or otherwise furnished to, the Securities and Exchange Commission, or the SEC. We also make available on our website the charters of our audit committee, compensation committee and nominating and corporate governance committee, as well as our corporate governance guidelines and our code of business conduct and ethics. In addition, we intend to disclose on our website any amendments to, or waivers from, our code of business conduct and ethics that are required to be disclosed pursuant to SEC rules. Information about our Executive Officers The following sets forth certain information with regard to each of our executive officers. There are no family relationships between any of the executive officers, and there is no arrangement or understanding between any executive officer and any other person pursuant to which the executive officer was selected. MATTHEW P. MOYNAHAN — Mr. Moynahan has served as OneSpan’s President and Chief Executive Officer since November 2021 and as a director since June 2022. Before OneSpan, he was the Chief Executive Officer of Forcepoint LLC, a global provider of commercial and government cybersecurity solutions and a subsidiary of Raytheon Technologies Corporation, from May 2016 until its acquisition by Francisco Partners in January 2021. Prior to that, Mr. Moynahan served as President of Arbor Networks, a network security and monitoring software company and a subsidiary of Danaher Corporation, from January 2012 through May 2016, where he was responsible for building a large commercial cloud DDoS platform and network-based advanced threat protection systems, and as President and Chief Executive Officer of Veracode, Inc., a SaaS pioneer of cloud-based software security testing platforms, from April 2006 through May 2011. Earlier in his career, he served as Vice President of Symantec’s enterprise product management group, as well as Vice President and General Manager of its consumer division. Mr. Moynahan is 52 years old. JORGE MARTELL— Mr. Martell has served as OneSpan’s Chief Financial Officer since September 2022. From July 2016 to September 2022, he served as Chief Financial Officer and Treasurer and from April 2015 to July 2016 as Vice President of Finance, Corporate Controller, at Extreme Reach Inc., a private-equity owned omnichannel creative logistics company for brand advertising, where he played an integral role in optimizing the company’s balance sheet and in executing the company’s growth strategy through global M&A, prior to its acquisition by another private equity firm. From September 2012 to March 2015, Mr. Martell was Treasurer and Assistant Corporate Controller at Sapient Corporation, a technology company, where he led its global revenue organization, execution of its M&A financial strategy, and global treasury organization prior to its acquisition by Publicis Groupe. Earlier in his career, Mr. Martell held leadership roles at ABM Industries, Inc., a provider of facilities management solutions, and at KPMG LLP, a public accounting firm. Mr. Martell is 44 years old. LARA MATAAC — Ms. Mataac has served as OneSpan’s General Counsel, Chief Compliance Officer and Secretary since June 2022. From April 2021 to June 2022, Ms. Mataac was General Counsel at Constant Contact, Inc., a provider of cloud-based online marketing solutions, where she led the legal and compliance team during a period of transition after the company’s spinout from Endurance International Group (EIG) in February 2021. Before Constant Contact, Ms. Mataac was at EIG, a provider of cloud-based web presence and online marketing solutions, from February 9 2013 through March 2021, most recently as Deputy General Counsel. Before EIG, Ms. Mataac was corporate legal director at Bottomline Technologies, a software company. Earlier in her career, Ms. Mataac practiced corporate law at the firms Wilmer Cutler Pickering Hale & Dorr LLP and Fenwick & West LLP. Ms. Mataac is 46 years old. Item 1A - Risk Factors Risk Factors Summary Our business is subject to numerous risks and uncertainties, including those highlighted in the section titled “Risk Factors” immediately following this Risk Factors Summary. These summary risks provide an overview of many of the risks we are exposed to in the normal course of our business, some of which have manifested and any of which may occur in the future. As a result, the following summary risks do not contain all of the information that may be important to you, and you should read them together with the more detailed discussion of risks set forth following this section under the heading “Risk Factors,” and with the other information in this Annual Report on Form 10-K. Additional risks beyond those summary risks discussed below, in “Risk Factors” or elsewhere in this Annual Report on Form 10-K, could have an adverse effect on our business, results of operations, financial condition or prospects, and could cause the trading price of our common stock to decline. Our business, results of operations, financial condition or prospects could also be harmed by risks and uncertainties not currently known to us or that we currently do not believe are material. Consistent with the foregoing, we are exposed to a variety of risks, including the following significant risks: • Our strategic transformation plan involves numerous risks and may not achieve the results we expect. • • If we are unable to attract new customers and retain and expand sales to existing customers, we will be unable to grow our business. Failure to effectively develop and expand our sales and marketing capabilities, and particularly our ability to hire, train, and retain sales personnel, may have a material adverse effect on our ability to grow our business. If our new product offerings and product enhancements do not keep pace with the needs of our customers or do not achieve sufficient customer acceptance, our competitive position and financial results will be negatively impacted. • • A significant portion of our sales are to a limited number of customers. The loss of substantial sales to any one of them could have an adverse • • effect on revenues and profits. If we are not able to enhance our brand recognition and maintain our brand reputation, our business may be adversely affected. The market we serve is highly competitive, which may negatively affect our ability to add new customers, retain existing customers and grow our business. • Our Digipass authenticator business is dependent on a limited number of suppliers, and the loss of their manufacturing capability, components and • • • • technology could materially impact our operations. Our Digipass business may also experience inventory-related losses. The sales cycle for our products is often long, and we may incur substantial expenses for sales that do not occur when anticipated or at all. If we are unable to successfully hire, train, and retain qualified personnel, we may be unable to achieve our business objectives. In addition, we are dependent on the continued services and performance of our senior management and other key employees, the loss of whom could adversely affect our business, operating results and financial condition. Security breaches or cyberattacks could expose us to significant liability, cause our business and reputation to suffer, and harm our competitive position. Real or perceived malfunctions and errors in our products could result in warranty and product liability risks and economic and reputational damages. • We depend on third party hosting providers and other technology vendors, as well as our own infrastructure, to provide our products and solutions to our customers in a timely manner. Interruptions or delays in performance of our products and solutions could result in customer dissatisfaction, damage to our reputation, loss of customers, and a reduction in revenue. • Our success depends in part on establishing and maintaining relationships with other companies to distribute our technology and products or to incorporate their technology into our products and services, or vice versa. • We have operated at a loss for each of the past three years, and we may not be profitable in the future. • Our financial results may fluctuate from period to period, making it difficult to project future results. If we fail to meet the expectations of securities analysts or investors, the price of our common stock could decline. • We face a number of risks associated with our international operations, any or all of which could result in a disruption in our business and a decrease in our revenue. 10 • Acquisitions or other strategic transactions may not achieve the intended benefits or may disrupt our current plans and operations. • We may be subject to legal proceedings for a variety of claims, including intellectual property disputes, labor and employment issues, commercial disagreements, securities law violations and other matters. These proceedings may be costly, subject us to significant liability, limit our ability to use certain technologies, increase our costs of doing business or otherwise adversely affect our business and operating results. • We are subject to numerous laws and regulations and customer requirements governing the production, distribution, sale and use of our products. Any failure to comply with these laws, regulations and requirements could result in unanticipated costs and could have a materially adverse effect on our business, results of operations and financial condition. Risk Factors Our business involves significant risks, some of which are described below. You should carefully consider the following risks, some of which have manifested and any of which may occur in the future, together with all of the other information in this Annual Report on Form 10-K, including in the preceding Risk Factors Summary, and our consolidated financial statements and the related notes included elsewhere in this Annual Report on Form 10-K before making an investment decision with respect to any of our securities. . Risks Related to our Business and Industry Our strategic transformation plan involves numerous risks and may not achieve the results we expect. In May 2022, we announced a three-year strategic transformation plan that began on January 1, 2023. Although we believe that this plan will enable to us accelerate revenue growth and increase profitability, we may not be successful in executing the plan on our expected timeframe or at all, or the plan may not achieve the results we expect, for a number of reasons, including the following: • The assumptions we used in developing the plan, including assumptions regarding customer acquisition, customer retention, market needs, market opportunity size, and the impact of our marketing initiatives, may prove incorrect; • We may experience challenges or delays in growing our salesforce and marketing programs to support our growth plans or in training and incentivizing our salespeople to execute our new go-to-market approach; • We may have difficulties in hiring and retaining employees in general due to the challenging hiring environment; • It may be more difficult, time consuming, or expensive than we anticipate to build a robust sales pipeline, increase our brand awareness, or enhance our product distribution channels; • We may encounter difficulties and delays in platform and product-related initiatives to support our growth, including delays in the availability of new product offerings or the buildout of our next-generation transaction- cloud platform due to staffing and other resource constraints; • Ongoing component shortages and shipping delays affecting our Digipass authenticator devices could negatively impact revenue and cash flow for • our Security Solutions segment, which we are relying upon to help fund growth in our Digital Agreements segment; and Economic slowdown or recession, heightened inflation, capital markets volatility, political instability or conflict, and changes in interest rates and foreign exchange rates may negatively affect our financial and operating results. If we are unable to attract new customers and retain and expand sales to existing customers, we will be unable to grow our business. Our success will depend significantly on our ability to attract new customers, particularly enterprise customers. We have experienced, and expect to continue to experience in the near term, challenges in adding new customers, in part because we are in the early stages of scaling our sales and marketing capabilities to support our strategic transformation plan. If we are unable to adequately enhance our sales and marketing organizations in the timeframe we expect, we may not be able to attract sufficient new enterprise customers to achieve the growth objectives in our strategic transformation plan, which would have an adverse effect on our business. The achievement of our growth objectives also depends on our ability to retain and expand sales to existing customers. Our renewal and expansion rates may be below our expectations, decline or fluctuate as a result of a number of factors, including customer budgets, decreases in the number of users at our customers, changes in the type and size of our customers, pricing, competitive conditions, customer attrition and general economic and global market conditions. If our 11 efforts to expand sales to our existing customers are not successful or if our customers do not renew their subscriptions at the rates we expect, our business will be negatively impacted. Failure to effectively develop and expand our sales and marketing capabilities, and particularly our ability to hire, train, and retain sales personnel, may have a material adverse effect on our ability to grow our business. Our ability to increase our customer base and achieve broader market acceptance of our products and solutions depends to a significant extent on our ability to effectively develop and expand our sales and marketing operations. As part of our three-year strategic transformation plan, we are making significant investments in and changes to our sales operations. We are in the process of implementing a unified go-to-market approach across our entire business rather than having separate salespeople for Digital Agreements and Security Solutions. This initiative involves intensive training to enable our sales force to sell across our full product portfolio. We are also shifting our sales model to target high-potential enterprise sales prospects using an account- based engagement model. This buildout of our salesforce involves, among other things, hiring of additional salespeople to support our growth plans. To achieve this, we must locate and hire a significant number of qualified individuals with the experience and skills necessary to sell our full product portfolio, and competition for such individuals is intense. Once a new salesperson is hired, we must invest considerable time and resources into training before the person is able to achieve full productivity. If we are unable to retain the individual for a sufficiently long period of time, we may never recoup this investment. We are also dedicating significant resources to demand generation and marketing efforts, and doing more outbound targeted marketing than we have historically. Since our investment in marketing has been relatively limited in the past and because we have limited brand awareness in many of our markets, it may take time and substantial expense to generate demand and a robust and consistent sales pipeline. If we cannot train or expand our sales force or successfully generate demand for our products through our marketing efforts in the timeframe contemplated by our strategic transformation plan, we may not be able to achieve the goals of the plan on time or at all, which may have a material adverse effect on our business. If our new product offerings and product enhancements do not keep pace with the needs of our customers or do not achieve sufficient customer acceptance, our competitive position and financial results will be negatively impacted. Technological changes occur rapidly in our industry and our development of new products and features is critical to maintain and grow our revenue. Our future growth will depend in part upon our ability to enhance our current products and develop innovative new solutions to distinguish us from the competition and to meet customers’ changing needs. Product developments and technology innovations by others may adversely affect our competitive position and we may not successfully anticipate or adapt to changing technology, industry standards or customer requirements on a timely basis. The introduction by our competitors of products embodying new technologies and the emergence of new industry standards could render our existing products obsolete and unmarketable. We spend substantial amounts of time and money to research and develop new offerings and enhanced versions of our existing offerings in order to meet our customers’ rapidly evolving needs. When we develop a new offering or an enhanced version of an existing offering, we typically incur expenses and expend resources upfront to market, promote and sell the new offering. Therefore, when we develop or acquire new or enhanced offerings, their introduction must achieve high levels of market acceptance in order to justify the amount of our investment in developing and bringing them to market. For example, if our recent new product offerings, such as our Digipass CX and OneSpan Notary products, do not garner widespread customer adoption and implementation, our business may be adversely affected. Any such adverse effect may be particularly acute because of the significant research, development, marketing, sales and other expenses we will have incurred in connection with the new offerings or enhancements. A significant portion of our sales are to a limited number of customers. The loss of substantial sales to any one of them could have an adverse effect on revenues and profits. We derive a substantial portion of our revenue from a limited number of customers. The loss of substantial sales to any one of them could adversely affect our operations and results. In 2022, 2021, and 2020, our top 10 largest customers contributed 23%, 22%, and 21%, respectively, of our total worldwide revenue. If we are not able to enhance our brand recognition and maintain our brand reputation, our business may be adversely affected. 12 We believe that enhancing our brand recognition is important to our efforts to attract new customers and channel partners. If we do not build awareness of our brand, we could be at a competitive disadvantage to companies whose brands are, or become, more recognizable than ours. Our brand recognition and reputation are dependent upon numerous factors including: • • • • • • • • our marketing efforts; our ability to continue to offer high quality, innovative and reliable products; our ability to maintain customer satisfaction with our products; our ability to be responsive to customer concerns and provide high quality customer support, training and professional services; any misuse or perceived misuse of our products; positive or negative publicity, including through reviews by industry analysts; our ability to prevent or quickly react to any cyberattack on our information technology systems or security breach of or related to our software; and litigation or regulatory-related developments. Improving our brand recognition is likely to require significant additional expenditures and may not be successful or yield increased revenues. If we do not successfully enhance our brand and maintain our reputation, we may have reduced pricing power relative to competitors with stronger brands and we could lose customers or renewals, which would adversely affect our business. The market we serve is highly competitive, which may negatively affect our ability to add new customers, retain existing customers and grow our business. The market for digital solutions for identity, authentication, and secure digital agreements is very competitive and, like most technology-driven markets, is subject to rapid change and constantly evolving solutions and services. Our identity verification and authentication products are designed to allow authorized users access to digital business processes and properties, in some cases using patented technology, as a replacement for or supplement to a static password. Our main competitors in our identity verification and authentication markets are Gemalto, a subsidiary of Thales Group, and RSA Security. There are also many other companies, such as Transmit Security, Symantec, and Duo Security, that offer competing services. In addition to these companies, we face competition from many small authentication solution providers, many of whom offer new technologies and niche solutions such as biometric or risk and behavioral analysis. We believe that competition in this market is likely to intensify as a result of increasing demand for security products. Our primary competitors for electronic signature solutions are DocuSign and Adobe Systems. Both companies are significantly larger than us. In addition to these companies, there are numerous smaller and regional or niche providers of electronic signing solutions. Some of our present and potential competitors have significantly greater financial, technical, marketing, purchasing, and other resources than we do. As a result, they may be able to respond more quickly to new or emerging technologies and changes in customer requirements, devote greater resources to the development, promotion and sale of products, or deliver competitive products at a lower end-user price than we do. Any of these factors would make it difficult for us to compete successfully, which would negatively affect our business. Our Digipass authenticator business is dependent on a limited number of suppliers, and the loss of their manufacturing capability, components and technology could materially impact our operations. Our Digipass business may also experience inventory-related losses. In the event that the supply of components or finished products for our Digipass authenticator business is interrupted or relations with any of our principal vendors is terminated, there could be increased costs and considerable delay in finding suitable replacement sources to manufacture our hardware products. Our hardware Digipass authentication devices are assembled at facilities located in mainland China and Romania. The importation of these products from China and Romania exposes us to the possibility of product supply disruption and increased costs in the event of changes in the policies of the Chinese government, political unrest or unstable economic conditions in China, or developments in the U.S. or EU that are adverse to trade, including enactment of protectionist legislation. We experienced supply chain disruption in 2022 as a result of the impact on our Chinese contract manufacturers of China’s implementation and subsequent reversal of 13 its “Zero COVID” policy. To mitigate the risks associated with our China-based contract manufacturing facilities, we are considering alternative manufacturing and supply arrangements, such as moving some of the Digipass manufacturing currently done in China to Romania or to other locations. It is possible that this transition may cause a disruption in our Digipass manufacturing operations. Product supply disruptions or related cost increases could have a material adverse impact on our business. Under some circumstances, we purchase multiple years’ supply of parts for our Digipass authenticator devices based on internal forecasts of demand, anticipated supply chain constraints, or other reasons. To meet customers’ demands for accelerated delivery of product, we sometimes produce finished product for existing customers before we receive the executed order from the customer. Should our forecasts of future demand be inaccurate or if we produce product that is never ordered, we could incur substantial losses related to the realization of our inventory. The sales cycle for our products is often long, and we may incur substantial expenses for sales that do not occur when anticipated or at all. The sales cycle for our products, which is the period of time between the identification of a potential customer and completion of the sale, is typically lengthy and subject to a number of significant risks over which we have little control. A typical sales cycle in the financial services market is often nine to 18 months long. We often need to spend significant time and resources to better educate and familiarize these potential customers with the value proposition of our products and solutions. Purchasing decisions for our products and services may be subject to delays due to a number of factors, many of which are outside of our control, such as: • • • • • • • • Time required for a prospective customer to recognize the need for our products; Effectiveness of our salesforce; Changes to regulatory requirements; The complexity of contracts with certain large business customers; The significant expense of some of our products and systems; Customer budgeting and procurement processes; Economic and other factors impacting customer budgets; and Customer evaluation, testing and approval process. The timing of sales with our enterprise customers and related revenue recognition is difficult to predict because of the length and unpredictability of the sales cycle for these customers. As our operating expenses are based on anticipated revenue levels, a small fluctuation in the timing of sales can cause our operating results to vary significantly between periods. In addition, during the sales cycle, we expend significant time and money on sales and marketing and contract negotiation activities, which may not result in a sale. If we are unable to successfully hire, train, and retain qualified personnel, we may be unable to achieve our business objectives. Our ability to successfully pursue our three-year strategic transformation plan will depend significantly on our ability to attract, motivate and retain employees, especially those in sales. We face intense competition for these employees from numerous technology, software and other companies, many of whom have greater resources than we do. In 2022, we incurred higher compensation-related expenses in order to remain competitive in a tight labor market, particularly in light of wage inflation, and we expect to continue to experience this type of cost pressure. Even with an increase in the compensation we offer, we may not be able to attract, motivate and/or retain sufficient qualified employees. Difficulties attracting and retaining personnel could have an adverse effect on our ability to achieve our sales, operational, or other business objectives and, as a result, our ability to compete could decrease and our financial results could be adversely affected. In addition, even if we are able to identify and recruit a sufficient number of new hires, these new hires will require significant training before they achieve full productivity, particularly in the case of sales employees. We are dependent on the continued services and performance of our senior management and other key employees, the loss of any of whom could adversely affect our business, operating results and financial condition. Our future performance depends on the continued services and contributions of our senior management, particularly Matthew Moynahan, our Chief Executive Officer, and other key sales and technical employees. Our senior management and key employees are employed on an at-will basis, which means that they could terminate their employment 14 with us at any time. The temporary or permanent loss of the services of our senior management or other key employees for any reason could significantly delay or prevent the achievement of our objectives and harm our business, financial condition and results of operations. Further, such a loss could be negatively perceived in the capital markets, which could reduce the market value of our securities. Security breaches or cyberattacks could expose us to significant liability and cause our business and reputation to suffer and harm our competitive position. Our corporate infrastructure stores and processes our sensitive, proprietary and other confidential information (including as related to financial, technology, employees, marketing, sales, etc.) which is used on a daily basis in our operations. In addition, our software involves transmission and processing of our customers' confidential, proprietary and sensitive information. We have legal and contractual obligations to protect the confidentiality and appropriate use of customer data. Because we are a cybersecurity company, and because the majority of our customers are banks and other financial institutions, which are frequent targets of cyberattacks, we may be an attractive target for cyber attackers or other data thieves. High-profile cyberattacks and security breaches have increased in recent years, with the potential for such acts heightened as a result of the number of employees working remotely due to the COVID-19 pandemic. Security industry experts and government officials have warned about the risks of hackers and cyberattacks targeting IT products and enterprise infrastructure. Because techniques used to obtain unauthorized access or to sabotage systems change frequently and often are not recognized until launched against a specific target, we may be unable to anticipate these techniques or to implement adequate preventative measures. As we seek to increase our client base and expand awareness of our brand, we may become more of a target for third parties seeking to compromise our security systems and we anticipate that hacking attempts and cyberattacks will increase in the future. We have experienced several security incidents in the past. None have been material to date, but it is possible that we will experience a material event in the future. Even though we have established teams, processes and strategies to protect our assets, we may not always be successful in preventing or repelling unauthorized access to our systems. We also may face delays in our ability to identify or otherwise respond to any cybersecurity incident or any other breach. Additionally, we use third-party service providers to provide some services to us that involve the storage or transmission of data, such as software as a service (SaaS), cloud computing, and internet infrastructure and bandwidth, and they face various cybersecurity threats and also may suffer cybersecurity incidents or other security breaches. Despite our security measures, our IT and infrastructure may be vulnerable to attacks. Threats to IT security can take a variety of forms. Individual and groups of hackers and sophisticated organizations, including state-sponsored organizations or nation- states, continuously undertake attacks that pose threats to our customers and our IT. These actors may use a wide variety of methods, which may include developing and deploying malicious software or exploiting vulnerabilities in hardware, software, or other infrastructure in order to attack our products and services or gain access to our networks, using social engineering techniques to induce our employees, users, partners, or customers to disclose passwords or other sensitive information or take other actions to gain access to our data or our users’ or customers’ data, or acting in a coordinated manner to launch distributed denial of service or other coordinated attacks. Inadequate account security practices may also result in unauthorized access to confidential and/or sensitive data. Security risks, including, but not limited to, unauthorized use or disclosure of customer data, theft of proprietary information, theft of intellectual property, theft of internal employees' personally identifiable information, theft of financial data and financial reports, loss or corruption of customer data and computer hacking attacks or other cyberattacks, could require us to expend significant capital and other resources to alleviate the problem and to improve technologies, may impair our ability to provide services to our customers and protect the privacy of their data, may result in product development delays, may compromise confidential or technical business information, may harm our competitive position, may result in theft or misuse of our intellectual property or other assets and could expose us to substantial litigation expenses and damages, indemnity and other contractual obligations, government fines and penalties, mitigation expenses, costs for remediation and incentives offered to affected parties, including customers, other business partners and employees, in an effort to maintain business relationships after a breach or other incident, and other liabilities. We are continuously working to improve our IT systems, together with creating security boundaries around our critical and sensitive assets. We provide advanced security awareness training to our employees and contractors that focuses on various aspects of cybersecurity. All of these steps are taken in order to mitigate the risk of attack and to ensure our readiness to responsibly handle any security violation or attack. However, because techniques used to obtain unauthorized access or to sabotage systems change frequently and generally are not recognized until successfully launched against a target, we may be unable to anticipate these techniques or to implement adequate preventative measures. If an actual or perceived breach 15 of our security occurs, the market perception of the effectiveness of our security measures and our products could be harmed, we could lose potential sales and existing customers, our ability to operate our business could be impaired, we may incur significant liabilities, we could suffer harm to our reputation and competitive position, and our business and financial condition could be negatively impacted. Real or perceived malfunctions and errors in our products could result in warranty and product liability risks and economic and reputational damages. Our products are inherently complex and may malfunction or contain undetected errors or defects when first introduced or as new versions are released. We have experienced these malfunctions and errors or defects in connection with new products and product upgrades, and we expect that these malfunctions, errors and defects will continue to be found from time to time in new or enhanced products. Malfunctions and defects may make our products vulnerable to attacks, prevent vulnerability detection, or temporarily impact our customer’s environments. These problems may result in a breach of a legal obligation or may cause physical harm or damage which could result in tort or warranty claims against us. We seek to reduce the risk of these losses by using qualified engineers in the design, manufacturing and testing of our hardware products, proper development, testing, and scanning of our software solutions (including SaaS), attempting to negotiate warranty disclaimers and liability limitation clauses in our sales agreements, and maintaining customary insurance coverage. However, these measures may ultimately prove ineffective in limiting our liability for damages. In addition to any monetary liability for the failure of our products, a publicly known defect or perceived defect in our products could lead to customers delaying or withholding payments, divert the attention of our key personnel, adversely affect the market’s perception of us and our products, and have an adverse effect on our reputation and the demand for our products. Our financial results may fluctuate from period to period, making it difficult to project future results. If we fail to meet the expectations of securities analysts or investors, the price of our common stock could decline. Our revenue and results of operations have historically varied from period to period, and we expect that they will continue to do so as a result of a number of factors, many of which are outside of our control, including: • • The size, timing, and payment terms of significant orders, and any unexpected delay or cancelation of such orders; The variability of revenue realized from individual customers, as their buying patterns can vary significantly from period to period and are affected by the individual solutions purchased and the structure of the contract; Larger customers delaying renewal of their subscriptions or failing to renew at all; Changes in customer budgets; The effectiveness of our sales and marketing programs, including our ability to hire, train and retain our sales personnel; Changes in pricing by competitors; • • • • • New product announcements or introductions by competitors; • • Our ability to develop, introduce and market new products and product enhancements on a timely basis; • Market and customer acceptance of any new products and product enhancements that we introduce; • With respect to our Digipass business, component costs and availability; • Network outages, security breaches, technical difficulties or interruptions affecting our products; • • • General economic and political conditions, as well as economic conditions specifically affecting industries in which our customers operate; and • Other events or factors, including those resulting from pandemics, war, natural disasters, incidents of terrorism or responses to these events. Technological changes in the market for our products, including the adoption of new technologies and standards; Seasonality in our business; Changes in foreign currency exchange rates; Any one of these or other factors discussed elsewhere in this Annual Report on Form 10-K, or the cumulative effect of a combination of these factors, may result in fluctuations in our financial results, which may cause us to miss our guidance and analyst expectations and cause the price of our common stock to decline. We have operated at a loss for each of the past three fiscal years, and we may not be profitable in the future. 16 Over our approximately 30-year operating history, we have operated at a loss for many of those years, including for the years ended December 31, 2022, 2021 and 2020, for which we reported a net loss of $14.4 million, $30.6 million, and $5.5 million, respectively. We will need to generate and sustain increased revenue levels and manage our expenses in future periods to become profitable and, even if we do, we may not be able to maintain or increase our level of profitability. We intend to continue to incur significant expenses to support growth, further develop and enhance our products and solutions, expand our infrastructure and technology, increase our sales headcount and marketing activities, and grow our customer base. Our efforts to grow our business may be costlier than we expect, and we may not be able to increase our revenue enough to offset our increased operating expenses. We may incur significant losses in the future for a number of reasons, including the other risks described herein, and experience unforeseen expenses, difficulties, complications and delays and other unknown events. If we are unable to achieve and sustain profitability, the value of our business and common stock may significantly decrease. Our business, operations and financial performance may be negatively affected by adverse changes in the evolving COVID-19 pandemic. The COVID-19 pandemic is continuing to evolve, and significant adverse changes in the spread or severity of COVID-19 infections and the resulting economic impact could have a material adverse effect on our business, operations and financial performance. In our Digipass authenticator device business, we are exposed to specific risks related to manufacturing, supply chain, shipping and distribution, all of which have been impacted by the COVID-19 pandemic. As a result of COVID-19, we have experienced, and may continue to experience, delays and increased costs related to fulfilling our device orders. Although we have managed these issues to date, ongoing disruptions in global transportation may continue to delay fulfillment, which may in turn delay our recognition of revenue from customer orders, or even prevent us from satisfying certain customer orders for our products in the future if orders substantially increase and/or further supply chain problems emerge. In order to meet our customers’ needs, we have and may continue to incur increased freight and other costs related to our Digipass devices, which would reduce our margins. We experienced some increased sales for our e-signature solution and products used to facilitate remote employee access in 2020 that we attribute in part to the COVID-19 pandemic; however, since that time, customer buying patterns have generally returned to more typical pre-pandemic levels. A resurgence or similar development in the COVID-19 pandemic would likely create additional economic uncertainty and have a number of adverse effects, including: a negative impact on our customers’ ability or willingness to attend our sales and marketing events or to purchase our offerings; a delay in prospective customers’ purchasing decisions; our inability to provide on-site sales meetings or professional services to our customers; delays in the provisioning of our products; longer customer payment terms; lower value or shorter duration of customer contracts; lower margins, especially in our Digipass business; or an increase in customer attrition rates, all of which could adversely affect our future sales, operating results and overall financial performance. We depend on third-party hosting providers and other technology vendors, as well as our own infrastructure, to provide our products and solutions to our customers in a timely manner. Interruptions or delays in performance of our products and solutions could result in customer dissatisfaction, damage to our reputation, loss of customers, and reduction in revenue. We outsource portions of our cloud infrastructure to third-party hosting providers, principally Amazon Web Services, or AWS. We also outsource components of our services to third-party technology vendors who host their products in the cloud. Customers of our products need to be able to access our platform at any time, without interruption or degradation of performance. AWS and other third-party hosting providers run their own platforms that we access, and we are therefore vulnerable to service interruptions on these third-party platforms, as well as to service interruptions affecting our third-party technology vendors. We have experienced interruptions, delays and outages in service and availability from time to time due to a variety of factors impacting our third-party hosting providers or other vendors, and we expect to experience these types of incidents in the future. If our products or platform are unavailable or our users are otherwise unable to use our products within a reasonable amount of time or at all, then our business, results of operations and financial condition could be adversely affected. In some instances, we may not be able to identify the cause or causes of these performance problems within a period of time acceptable to our customers. It may become increasingly difficult to maintain and improve our platform 17 performance, especially during peak usage times, as our products become more complex and the usage of our products increases. We have in the past and may in the future experience capacity constraints that affect our product performance and cause us to miss our service level agreements with our customers. These capacity constraints can be due to a number of causes, including technical failures, natural disasters, fraud or security attacks. To the extent that we do not effectively address capacity constraints, either through our current providers or alternative providers of cloud infrastructure, our business, results of operations and financial condition may be adversely affected. In addition, any changes in service levels from our third-party hosting providers or other cloud-based technology vendors may adversely affect our ability to meet our customers' requirements. Our third-party hosting providers have no obligations to renew their agreements with us on commercially reasonable terms or at all, and the agreements governing these relationships can generally be terminated by either party with limited notice. Access to hosting services may also be restricted by the provider at any time, with no or limited notice. Although we expect that we could receive similar services from other third parties, if any of our arrangements with AWS or other third-party hosting providers are terminated, we could experience interruptions on our platform and in our ability to make our platform available to customers, as well as downtime, delays and additional expenses in arranging alternative cloud infrastructure services. It is also possible that our customers and potential customers would hold us accountable for any breach of security affecting infrastructure of our third-party hosting providers. We may incur significant liability from those customers and from third parties with respect to any such breach, and we may not be able to recover a material portion of our liabilities to our customers and third parties from our hosting providers in the event of any breach affecting their systems. Any of the above circumstances or events may harm our reputation, cause customers to stop using our products, impair our ability to increase revenue from existing customers, impair our ability to grow our customer base, subject us to financial penalties and liabilities under our service level agreements and otherwise harm our business, results of operations and financial condition. Our success depends in part on establishing and maintaining relationships with other companies to distribute our technology and products or to incorporate their technology into our products and services, or vice versa. Part of our business strategy is to enter into partnerships and other cooperative arrangements with third parties. We are regularly involved in cooperative efforts with respect to the incorporation of our products into products of others and vice versa, research and development efforts, and marketing, distributor and reseller arrangements. These relationships are generally non-exclusive, and some of our partners also have cooperative relationships with certain of our competitors or offer some products and services that are competitive with ours. If we lose third-party relationships, if these relationships are not commercially successful, or if we are unable to enter into third-party relationships on commercially reasonable terms in the future, our business could be negatively impacted. SaaS offerings, which involve various risks, constitute an important part of our business. We expect that our SaaS offerings will constitute an increasingly important part of our business. As a result, we will need to continue to evolve our processes to meet a number of regulatory, intellectual property, contractual, service, and security compliance challenges. These challenges include compliance with licenses for open-source and third-party software embedded in our SaaS offerings, maintaining compliance with export control and privacy regulations (including the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the General Data Protection Regulation (GDPR)), protecting our products from external threats, maintaining continuous service levels and data security practices expected by our customers, preventing inappropriate use of our products, and incurring significant up-front costs where desired higher margins are dependent on achieving significant sales volume and adapting our go-to-market efforts. In addition to using our internal resources, we also utilize third-party resources to deliver SaaS offerings, such as third-party data hosting vendors. The failure of a third-party provider to prevent service disruptions, data losses or security breaches may require us to issue credits or refunds or to indemnify or otherwise be liable to customers or third parties for damages that may occur. Additionally, if these third-party providers fail to deliver on their obligations, our reputation could be damaged, and our customers could lose confidence in us and our ability to maintain and expand our SaaS offerings. Finally, our SaaS offerings need to be designed to operate at significant transaction volumes. When combined with third-party software and hosting infrastructure, our SaaS offerings may not perform as designed, which could lead to service disruptions and associated damages. Failure to maintain high-quality customer support could have a material adverse effect on our business. 18 Our business relies on our customers’ satisfaction with the technical and customer support and professional services we provide to support our products. If we fail to provide customer and technical support services that are high-quality, responsive, and able to promptly resolve issues that our customers encounter with our products and services, then they may elect not to purchase or renew subscription licenses or may otherwise reduce or discontinue their business relationship with us. This would likely result in loss of revenue and damage to our reputation, which could have an adverse effect on our business. Failure to effectively manage our product and service lifecycles could harm our business. As part of the natural lifecycle of our products and services, we periodically inform customers that products or services have reached their end of life or end of availability and will no longer be supported or receive updates and security patches. Failure to effectively manage our product and service lifecycles could lead to customer dissatisfaction and contractual liabilities, which could adversely affect our business and operating results. In addition, the failure to generate new revenue to replace and/or expand the revenue realized from discontinued products or services could adversely affect our business and operating results. We are subject to foreign currency exchange rate fluctuations, which could adversely affect our financial condition and results of operations. Because a significant number of our principal customers are located outside the United States, we expect that international sales will continue to generate a significant portion of our total revenue. We are subject to foreign exchange fluctuations and risks because the majority of our product costs are denominated in U.S. Dollars, whereas a significant portion of the sales and expenses of our foreign operating subsidiaries are denominated in various foreign currencies. A decrease in the value of any of these foreign currencies relative to the U.S. Dollar could adversely affect our revenue and profitability in U.S. Dollars of our products sold in these markets. Furthermore, a strengthening of the U.S. dollar could increase the cost in local currency of our products and services to customers outside the United States, which could adversely affect our business, results of operations, financial condition and cash flows. The exchange rate between the U.S. Dollar and foreign currencies has fluctuated in recent years and may fluctuate substantially in the future. As discussed in Management’s Discussion and Analysis of Financial Condition and Results of Operations, the U.S. Dollar’s strength during foreign currencies, particularly the Euro, during 2022 had a significant impact on our 2022 financial results and may continue to adversely affect our results in the future. We do not currently use forward contracts or other hedging strategies such as options or foreign exchange swaps to mitigate our exposure to foreign currency fluctuations. We face a number of risks associated with our international operations, any or all of which could result in a disruption in our business and a decrease in our revenue. In 2022, approximately 83% of our revenue and approximately 66% of our operating expenses were generated/incurred outside of the U.S, In 2021, approximately 86% of our revenue and approximately 68% of our operating expenses were generated/incurred outside of the U.S. In 2020, approximately 88% of our revenue and approximately 73% of our operating expenses were generated/incurred outside of the U.S. A severe economic decline in any of our major foreign markets could adversely affect our results of operations and financial condition. In addition to exposures to changes in the economic conditions of our major foreign markets, we are subject to a number of risks related to our international operations, any or all of which could result in a disruption in our business and a decrease in our revenue. These include: • • • increased management, infrastructure and legal costs associated with having international operations; costs of compliance with foreign legal and regulatory requirements, including, but not limited to data privacy, data protection and data security regulations, and the risks and costs of non-compliance; costs of compliance with U.S. laws and regulations for foreign operations, including the U.S. Foreign Corrupt Practices Act, import and export control laws, tariffs, trade barriers, economic sanctions and other regulatory or contractual limitations on our ability to sell or provide our solutions in certain foreign markets, and the risks and costs of non-compliance; 19 • • • • • • • heightened risks of unfair or corrupt business practices in certain geographies and of improper or fraudulent sales arrangements that may impact financial results and result in restatements of, and irregularities in, financial statements; costs of compliance with multiple and possibly overlapping tax structures, and related potential adverse tax impacts; risks of reliance on channel partners for sales in some countries; differing technology standards in certain international markets; the uncertainty and limitation of protection for intellectual property rights in some countries; greater difficulty in enforcing contracts, accounts receivable collection and longer collection periods; difficulties and costs of staffing and managing international operations, including maintaining internal controls and challenges in closing or restructuring such operations; difficulty in providing support and training to customers in certain international locations; • • management communication and integration problems resulting from cultural and linguistic differences and geographic dispersion; • • • foreign currency exchange rate fluctuations; adverse tax burdens and foreign exchange controls that could make it difficult to repatriate earnings and cash; increased exposure to climate change, natural disasters, acts of war, terrorism, epidemics, or pandemics and other health crises, including the ongoing COVID-19 pandemic; and economic or political instability in foreign markets, including instability related to the United Kingdom’s recent exit from the EU, China’s “zero COVID” policies, and the impact of geopolitical tensions between China and the U.S. over Taiwan, Hong Kong, tariffs and other matters. • Our business, including the sales of our products and professional services by us and our channel partners, may be subject to foreign governmental regulations, which vary substantially from country to country and change from time to time. Our failure, or the failure by our channel partners, to comply with these regulations could adversely affect our business. Further, in some foreign countries, it may be more common for others to engage in business practices that are prohibited by our internal policies and procedures or U.S. regulations applicable to us. Violations of laws or internal policies by our employees, contractors, channel partners or agents could result in delays in revenue recognition, financial reporting misstatements, fines, penalties or the prohibition of the importation or exportation of our products and could have a material adverse effect on our business and results of operations. If we are unable to successfully manage the challenges of international expansion and operations, our business and operating results could be adversely affected. If our goodwill or intangible assets become impaired, we may be required to record a significant charge to earnings. We review our goodwill and intangible assets for impairment when events or changes in circumstances indicate the carrying value may not be recoverable. Goodwill is required to be tested for impairment at least annually. At December 31, 2022, we had goodwill and intangible assets with a net book value of $103.0 million primarily related to our acquisitions. An adverse change in market conditions, particularly if such change has the effect of changing one of our critical assumptions or estimates, could result in a change to the estimation of fair value that could result in an impairment charge to our goodwill or intangible assets. Any such charges may have a material negative impact on our operating results. Because we recognize revenue from subscription-based software licenses over the term of the relevant contract, downturns or upturns in sales contracts are not immediately reflected in full in our operating results. In addition, our reported revenue may fluctuate widely due to the interpretation or application of accounting rules. Approximately 41% of our total revenue for the year ended December 31, 2022 was attributable to subscription license contracts. We recognize subscription revenue over the term of each of our subscription contracts,which are typically one year in length but may be up to three years or longer. As a result, much of our revenue is generated from the recognition of contract liabilities from contracts entered into during previous periods. Consequently, a shortfall in demand for our products or a decline in new or renewed contracts in any one quarter may not significantly reduce our revenue for that quarter but could negatively affect our revenue in future quarters. Our revenue recognition model also makes it difficult for us to rapidly increase our revenue through additional sales contracts in any period, as revenue from new customers is recognized over the applicable term of their contracts. In addition, our sales arrangements often include multiple elements, including hardware, services, software, maintenance and support. We have sold software related arrangements in multiple forms, including perpetual licenses, term-based licenses and SaaS subscriptions, each of which may be treated differently under accounting rules. The accounting rules for such arrangements are complex and subject to change from time to time. The nature of the 20 arrangement can create variations in the timing of revenue recognition. If applicable accounting standards or practices change, or if the judgments or estimates we use when applying existing standards prove to be incorrect, our financial results may be adversely affected. We could be subject to additional tax liabilities, and our ability to use our net operating losses may be limited. We are subject to U.S. federal, state, local and sales taxes in the United States and foreign income taxes, withholding taxes and transaction taxes in numerous foreign jurisdictions. Significant judgment is required in evaluating our tax positions and our worldwide provision for taxes. During the ordinary course of business, there are many activities and transactions for which the ultimate tax determination is uncertain and the relevant taxing authorities may disagree with our determinations as to the income and expenses attributable to specific jurisdictions. In addition, our tax obligations and effective tax rates could be adversely affected by changes in the relevant tax, accounting and other laws, regulations, principles and interpretations by recognizing tax losses or lower than anticipated earnings in jurisdictions where we have lower statutory rates and higher than anticipated earnings in jurisdictions where we have higher statutory rates, by changes to our operating structure (including a currently in-process revenue of our intellectual property structure), by changes in foreign currency exchange rates, or by changes in the valuation of our deferred tax assets and liabilities. We may be audited in various jurisdictions, and such jurisdictions may assess additional taxes, sales taxes and value-added taxes against us. Although we believe our tax estimates are reasonable, the final determination of any tax audits or litigation could be materially different from our historical tax provisions and accruals, which could have a material adverse effect on our operating results or cash flows in the period for which a determination is made. At December 31, 2022 we had U.S. federal, state and foreign net operating losses (NOLs), of $18.0 million, $27.7 million, and $80.1 million, respectively, available to offset future taxable income, some of which begin to expire in 2023. Federal NOLs incurred in taxable years beginning after December 31, 2017 can be carried forward indefinitely, but the deductibility of federal NOLs in taxable years beginning after December 31, 2021, is subject to certain limitations. A lack of future taxable income would adversely affect our ability to utilize these NOLs before they expire. In addition, under the provisions of the Internal Revenue Code of 1986, as amended, or the Internal Revenue Code, substantial changes in our ownership may limit the amount of pre-change NOLs that can be utilized annually in the future to offset taxable income. Section 382 of the Internal Revenue Code imposes limitations on a company’s ability to use its NOLs if one or more stockholders or groups of stockholders that own at least 5% of the company’s stock increase their ownership by more than 50 percentage points over their lowest ownership percentage within a rolling three-year period. Similar rules may apply under state tax laws. Based upon an analysis as of December 31, 2021, we determined that we do not expect these limitations to materially impair our ability to use our NOLs prior to expiration. However, if changes in our ownership occurred after such date, or occur in the future, our ability to use our NOLs may be further limited. Subsequent statutory or regulatory changes in respect of the utilization of NOLs for federal or state purposes, such as suspensions on the use of NOLs or limitations on the deductibility of NOLs carried forward, or other unforeseen reasons, may result in our existing NOLs expiring or otherwise being unavailable to offset future income tax liabilities. For these reasons, we may not be able to utilize a material portion of the NOLs, even if we achieve profitability. Acquisitions or other strategic transactions may not achieve the intended benefits or may disrupt our current plans and operations. In order to remain competitive, we have in the past and may in the future seek to acquire additional businesses, products or technologies or to make investments in, or enter into joint ventures or similar transactions with, third parties. These transactions involve numerous risks, including the following: • Difficulties or delays in integrating the acquired businesses, which could prevent us from realizing the anticipated benefits of acquisitions; • Delays or reductions in customer purchases for both us and the company we acquired due to customer uncertainty about continuity and • effectiveness of service from either company; Challenges in successfully cross-selling acquired products to our existing customer base, or in cross-selling our products to the acquired company’s customer base; • Difficulties in supporting and migrating acquired customers, if any, to our platforms, which could cause customer churn, unanticipated costs, and damage to our reputation; • Disruption of our ongoing business and diversion of management and other resources from existing operations; • Constraints on our liquidity and in the event that we use cash or incur debt to fund an acquisition, or dilution to existing stockholders in the event we issue equity securities as part of the consideration for the acquisition; 21 • Our use of cash to pay for acquisitions would limit other potential uses for our cash and affect our liquidity; • Assumption of debt or other actual or contingent liabilities of the acquired company, including litigation risk; • Differences in in corporate culture, compliance protocols, and risk management practices between us and acquired companies; • • • • Unforeseen or undisclosed liabilities or challenges associated with the companies, businesses, or technologies we acquire; • Adverse tax consequences, including exposure of our entire business to taxation in additional jurisdictions; and • Accounting effects, including potential impairment charges and requirements that we record acquired deferred revenue at fair value. Potential loss of the key employees of an acquired business; Potential loss of the customers or partners of an acquired business due to the actual or perceived impact of the acquisition; Difficulties associated with governance, management, and control matters in majority or minority investments or joint ventures; Any of these risks could result in acquisitions or other strategic transactions disrupting our business and/or failing to achieve their intended objectives. We also review our product portfolio from time to time for contributions to our objectives and alignment with our strategy, and we may pursue divestiture activities as a result of these reviews. However, we may not be successful in separating any underperforming or non-strategic assets, and gains or losses on any divestiture of, or lost operating income from, such assets may adversely affect our results of operations. Divestitures could also expose us to unanticipated liabilities or result in ongoing obligations, including transition service obligations and indemnity obligations. Provisions in various agreements potentially expose us to substantial liability for intellectual property infringement and other losses. Our agreements with customers, solution partners and channel partners generally include provisions under which we agree to indemnify them for losses suffered or incurred as a result of claims of intellectual property infringement and, in some cases, for damages caused by us to property or persons or for other damages. In the past, we worked with a customer at our expense to resolve a claim brought against the customer related to our technology, and it is likely that we will need to indemnify our customers for similar claims in the future. The expense of defending these types claims may adversely affect our financial results and may not be covered by any insurance policies we maintain. In addition, any such disputes and litigation could divert management attention and harm our reputation in the market. We also make certain representations and warranties and incur obligations under our contracts in the ordinary course of business, including for items related to data security and potential data privacy breaches. Although we normally contractually limit our liability with respect to such representations, warranties and other contractual obligations, we may still incur substantial liability related to them. Not all of our potential losses under our contracts are covered by insurance policies, which could increase the impact of any such loss should it occur. Large indemnity payments or damages resulting from our contractual obligations could harm our business, operating results and financial condition. Any failure to protect our proprietary technology and intellectual property rights could substantially harm our business and operating results. Our success is dependent, in part, upon protecting our proprietary technology. We rely on a combination of patents, copyrights, trademarks, service marks, trade secret laws and contractual provisions in an effort to establish and protect our proprietary rights. However, the steps we take to protect our intellectual property may be inadequate. While we have been issued patents in the U.S. and other countries and have additional patent applications pending, we may be unable to obtain patent protection for the technology covered in our patent applications. In addition, any patents issued in the future may not provide us with competitive advantages or may be successfully challenged by third parties. Any of our patents, trademarks or other intellectual property rights may be challenged or circumvented by others or invalidated through administrative process or litigation. There can be no guarantee that others will not independently develop similar products, duplicate any of our products or design around our patents. Furthermore, legal standards relating to the validity, enforceability and scope of protection of intellectual property rights are uncertain. Despite our precautions, it may be possible for unauthorized third parties to copy our products and use information that we regard as proprietary to create products and solutions that compete with ours. Some license provisions protecting against unauthorized use, copying, transfer and disclosure of our products may be unenforceable under the laws of jurisdictions outside the U.S. To the extent 22 we expand our international activities, our exposure to unauthorized copying and use of our products and proprietary information may increase. We enter into confidentiality and invention assignment agreements with our employees and consultants and enter into confidentiality agreements with the parties with whom we have strategic relationships and business alliances. These agreements may not be effective in controlling access to and distribution of our products and proprietary information. Further, these agreements do not prevent our competitors or partners from independently developing technologies that are substantially equivalent or superior to our products and solutions. In order to protect our intellectual property rights, we may be required to spend significant resources to monitor and protect and enforce these rights, including through litigation. Litigation brought to protect and enforce our intellectual property rights could be costly, time consuming and distracting to management and could result in the impairment or loss of portions of our intellectual property. Furthermore, our efforts to enforce our intellectual property rights may be met with defenses, counterclaims and countersuits attacking the validity and enforceability of our intellectual property rights. Our inability to protect our proprietary technology against unauthorized copying or use, as well as any costly litigation or diversion of our management’s attention and resources, could delay further sales or the implementation of our products and solutions, impair the functionality of our products and solutions, delay introductions of new solutions, result in our substituting inferior or more costly technologies into our products and solutions or injure our reputation. We will not be able to protect our intellectual property if we are unable to enforce our rights or if we do not detect unauthorized use of our intellectual property. Moreover, policing unauthorized use of our technologies, trade secrets and intellectual property may be difficult, expensive and time- consuming, particularly in foreign countries where the laws may not be as protective of intellectual property rights as those in the U.S. and where mechanisms for enforcement of intellectual property rights may be weak. If we fail to adequately protect our intellectual property and proprietary rights, our business, operating results and financial condition could be adversely affected. We may be subject to legal proceedings for a variety of claims, including intellectual property disputes, labor and employment issues, commercial disagreements, securities law violations and other matters. These proceedings may be costly, subject us to significant liability, limit our ability to use certain technologies, increase our costs of doing business or otherwise adversely affect our business and operating results. From time to time, we are involved as a party or an indemnitor in disputes or regulatory inquiries. These may include alleged claims, lawsuits and proceedings regarding intellectual property disputes, labor and employment issues, commercial disagreements, securities law violations and other matters. In particular, companies in the software industry are often required to defend against litigation or claims based on allegations of infringement or other violations of intellectual property rights. In certain instances, we receive claims that we have infringed the intellectual property rights of others, including claims regarding patents, copyrights, and trademarks. Because of constant technological change in the markets in which we compete, the extensive patent coverage of existing technologies, and the rapid rate of issuance of new patents, it is possible that the number of these claims may grow. Such claims sometimes involve patent holding companies or other adverse patent owners that have no relevant product revenue and against which our own patents may therefore provide little or no deterrence. In addition, former employers of our former, current, or future employees may assert claims that such employees have improperly disclosed to us the confidential or proprietary information of these former employers. If we are not successful in defending such claims, we could be required to stop selling our products, delay shipments, redesign our products, pay monetary amounts as damages, enter into royalty or licensing arrangements (which may not be available to us on commercially reasonable terms), or satisfy indemnification obligations to our customers, any of which could have a material adverse effect on our business. Regardless of the merits or ultimate outcome of any claims that have been or may be brought against us or that we may bring against others, lawsuits are time-consuming and expensive to resolve, divert management’s time and attention, and could harm our reputation. Although we carry general liability and other forms of insurance, our insurance may not cover potential claims that arise or may not be adequate to indemnify us for all liability that may be imposed. We may also determine that the most cost-effective way to resolve a dispute is to enter into a settlement agreement. Litigation is inherently unpredictable and we cannot predict the timing, nature, controversy or outcome of lawsuits, and it is possible that litigation could have an adverse effect on our business, operating results or financial condition. We use open-source software in our products, which could subject us to litigation or other actions. We use open-source software in our products and solutions. Any use of open-source software may expose us to greater risks than the use of commercial software because open-source licensors generally do not provide warranties or 23 controls on the functionality or origin of the software. Any use of open-source software may involve security risks, making it easier for hackers and other third parties to determine how to compromise our platform. From time to time, there have been claims challenging the ownership of open-source software against companies that incorporate open-source software into their products. As a result, we could be subject to lawsuits by parties claiming ownership of what we believe to be open-source software. Litigation could be costly for us to defend, have a negative effect on our operating results and financial condition or require us to devote additional research and development resources to change our products. In addition, if we were to combine our proprietary software products with open-source software in a certain manner, we could, under certain of the open-source licenses, be required to release the source code of our proprietary software products. If we inappropriately use or incorporate open-source software subject to certain types of open-source licenses that challenge the proprietary nature of our software products, we may be required to re-engineer our products, discontinue the sale of our products and solutions or take other remedial actions. There is significant government regulation of technology imports and exports. If we cannot meet the requirements of the regulations we may be prohibited from exporting some of our products, which could negatively impact our revenue. Our international sales and operations are subject to risks such as the imposition of government controls, new or changed export license requirements, restrictions on the export of critical technology, trade restrictions and changes in tariffs. If we are unable to obtain regulatory approvals on a timely basis, our business may be impacted. Certain of our products are subject to export controls under U.S. law including the U.S. Export Administration Regulations, U.S. Customs regulations, and various economic and trade sanctions administered by the U.S. Treasury Department’s Office of Foreign Assets Control. The list of products and countries for which export approval is required, and the regulatory policies with respect thereto, may be revised from time to time and our inability to obtain required approvals under these regulations could materially and adversely affect our ability to make international sales. Additionally, we may be negatively affected if our third-party technology partners fail to obtain proper licenses and permits for the import and export of their products. We maintain trade control compliance requirements for our partners; however, we cannot guarantee that our partners will comply with these requirements. Violations of export control and international trade laws could result in penalties, fines, adverse reputational consequences, and other materially adverse consequences. In the past, we voluntarily disclosed a trade control matter to the U.S. government. Although this matter was closed during 2019 with no fines, penalties, or finding of wrongdoing, similar issues could arise in the future. In addition, future changes in government regulation technology imports and exports could negatively affect our business. We employ cryptographic technology in our authentication products. If the codes used in our cryptographic technology are eventually broken or become subject to additional government regulation, our technology and products may become less effective, which would have a material adverse effect on our business. A portion of our products are based on cryptographic technology. With cryptographic technology, a user is given a key that is required to encrypt and decode messages. The security afforded by this technology depends on the integrity of a user’s key and in part on the application of algorithms, which are advanced mathematical factoring equations. These codes may eventually be broken or become subject to government regulation regarding their use, which would render our technology and products less effective. The occurrence of any one of the following could result in a decline in demand for our technology and products, which would have a material adverse effect on our business: • Any significant advance in techniques for attacking cryptographic systems, including the development of an easy factoring method or faster, more powerful computers, such as quantum computing; • • Publicity of the successful decoding of cryptographic messages or the misappropriation of keys; and Increased government regulation limiting the use, scope or strength of cryptography. International and domestic regulatory environments regarding privacy and data protection regulations could have a material adverse impact on our results of operations. We collect, transmit, store, and otherwise process (on our systems and on our third-party partners’ systems) our customers’ and our employees’ data that includes personally identifiable information that is subject to international and domestic privacy and data protection regulations. For example, in Europe, we are subject to the European Union's General Data Protection Regulation, (EU) 2016/679, commonly known as the GDPR, and laws implemented by EU member states. The GDPR and member state laws impose restrictions on the collection and use of personal data that are generally more stringent, and impose more significant burdens on subject businesses, than current privacy standards in the United States. 24 They establish several obligations that organizations must follow with respect to use of personal data, including a prohibition on the transfer of personal information from the EU to other countries whose laws do not protect personal data to an adequate level of privacy or security. We continue to adapt our compliance with GDPR through the use of standard contractual clauses and other methods; however, it is difficult to be certain that compliance has been achieved. We have expended significant resources to comply, but those methods may be subject to scrutiny by data protection authorities in EU member states. Moreover, the decision of the United Kingdom, or UK to leave the EU has created uncertainty with regard to data protection regulations in the UK, particularly because the UK government has recently announced that it intends to revise aspects of its data protection regime to move further away from the EU approach. This may result in substantively different compliance obligations with respect to transfers of personal data out of the UK and the EU. Compliance with a newly adopted UK data privacy regime may result in substantial operational costs and require us to modify our data handling practices. The costs of compliance with GDPR and new UK data privacy laws, and other burdens imposed by such laws, regulations and policies that are applicable to us may limit our use of personal data and solutions and could have a material adverse impact on our results of operations. Additionally, we may face audits or investigations by one or more foreign government agencies relating to our compliance with GDPR and new UK data privacy laws that could result in the imposition of penalties or fines. In the United States the federal and state governments have also enacted privacy and data protection regulations that impact us, our customers, and partners. For example, in June 2018, California enacted the California Consumer Privacy Act, or CCPA, which took effect January 1, 2020, and imposed many requirements on businesses that process the personal information of California residents. Many of the CCPA’s requirements are similar to those found in the GDPR, including requiring businesses to provide notice to data subjects regarding the information collected about them and how such information is used and shared, and providing data subjects the right to request access to such personal information and, in certain cases, request the erasure of such personal information. The CCPA also affords California residents the right to opt-out of “sales” of their personal information. The CCPA contains significant penalties for companies that violate its requirements. In November 2020 California voters passed a ballot initiative for the California Privacy Rights Act of 2020, or CPRA, which went into effect on January 1, 2023, and significantly expanded the CCPA to incorporate additional GDPR-like provisions including requiring that the use, retention, and sharing of personal information of California residents be reasonably necessary and proportionate to the purposes of collection or processing, granting additional protections for sensitive personal information, and requiring greater disclosures related to notice to residents regarding retention of information. The CPRA also created a new enforcement agency – the California Privacy Protection Agency – whose sole responsibility is to enforce the CPRA, which will further increase compliance risk. The provisions in the CPRA may apply to some of our business activities. In addition, other states, including Virginia, Colorado, Utah, and Connecticut, already have passed state privacy laws. Virginia’s privacy law also went into effect on January 1, 2023, and the laws in the other three states will go into effect later in the year. Other states will be considering these laws in the future, and Congress has also been debating passing a federal privacy law. These laws may impact our business activities, including our identification of research subjects, relationships with business partners and ultimately the marketing and distribution of our products. We work to comply with all applicable international and domestic privacy and data protection regulations; however, these laws vary greatly from jurisdiction to jurisdiction, change rapidly, and are subject to interpretation, all of which leads to uncertainty in their applicability. Preparation and compliance with these regulations may require that we implement new processes and policies, or change our existing processes and policies or features of our systems, which may require substantial financial and other resources and which otherwise may be difficult to undertake. Any failure or perceived failure by us (or our third-party partners) to comply with these privacy and data protection regulations, our processes and policies, contractual provisions, or an actual, perceived or suspected data protection or information security incident could result in serious consequences for us. These consequences may include enforcement actions, investigations, prosecutions, fines, penalties, debarment, litigation, claims for damages by customers and other affected individuals, reputational loss, and financial and business losses. We must comply with the requirements of being a public company, including developing and maintaining proper and effective disclosure controls and procedures and internal control over financial reporting. Any failure to comply with these requirements may adversely affect investor confidence in our company and, as a result, the value of our common stock. As a public company, we are subject to the reporting requirements of the Exchange Act, the Sarbanes-Oxley Act, the Dodd-Frank Wall Street Reform and Consumer Protection Act, the listing requirements of Nasdaq and other applicable securities rules and regulations that impose various requirements on public companies. Our management and other 25 personnel devote a substantial amount of time to compliance with these requirements and such compliance has increased, and may continue to increase, our legal, accounting and financial costs. The Sarbanes-Oxley Act requires that we maintain effective disclosure controls and procedures and internal control over financial reporting and furnish a report by management on, among other things, the effectiveness of our internal control over financial reporting on an annual basis. This assessment includes disclosure of any material weaknesses identified by our management in our internal control over financial reporting. We are also required to have our independent registered public accounting firm issue an opinion annually on the effectiveness of our internal control over financial reporting. During the evaluation and testing process, if we identify one or more material weaknesses in our internal control over financial reporting, we will be unable to assert that our internal control over financial reporting is effective. We identified a material weakness in our internal control over financial reporting as of December 31, 2019. Although we remediated that material weakness, it is possible that additional material weaknesses, or significant deficiencies, in our internal controls will be identified in the future. Failure to maintain effective controls or implement new or improved controls could result in significant deficiencies or material weaknesses, affect management evaluations and auditor attestations regarding the effectiveness of our internal controls, failure to meet periodic reporting obligations, and material misstatements in our financial statements. Any material misstatement of our financial statements may result in a restatement, loss of investor and customer confidence, a decline in the market price of our common stock, and potential sanctions or investigations by Nasdaq, the SEC or other regulatory authorities. Failure to remedy any material weakness in our internal control over financial reporting, or to implement or maintain other effective control systems required of public companies, could also restrict our future access to the capital markets. Our business in countries with a history of corruption and transactions with foreign governments increase the risks associated with our international activities. We are subject to anti-corruption laws in the jurisdictions in which we operate, including the U.S. Foreign Corrupt Practices Act (FCPA), the U.K. Bribery Act, and other similar laws that prohibit improper payments or offers of payments to foreign governments and their officials and political parties by U.S. and other business entities for the purpose of obtaining or retaining business. We have operations, deal with and make sales to governmental or quasi- governmental customers in countries known to experience corruption, particularly certain countries in the Middle East, Africa, East Asia and South and Central America, and further expansion of our international selling efforts may involve additional regions. Our activities in these countries create the risk of unauthorized payments or offers of payments by one of our employees, consultants, sales agents or channel partners that could be in violation of various laws, including the FCPA and the U.K. Bribery Act, even though these parties are not always subject to our control. While we have implemented policies and training that mandate compliance with these anti-corruption laws, we cannot guarantee that these policies and procedures will prevent reckless or criminal acts committed by our employees, consultants, sales agents or channel partners. Violations of these laws may result in materially significant diversion of management’s resources as well as significant investigation and outside counsel expense. Violations of these laws may also result in severe criminal or civil sanctions, including suspension or debarment from government contracting, and we may be subject to other liabilities which could disrupt our business and result in materially adverse effect on our reputation, business, results of operations, and financial condition. We are subject to numerous laws, regulations and customer requirements governing the production, distribution, sale and use of our products. Any failure to comply with these laws, regulations and requirements could result in unanticipated costs and could have a materially adverse effect on our business, results of operation, and financial condition. We are subject to global legal, regulatory, and customer compliance requirements that span many different areas. For example, we are subject to the Restriction on the Use of Hazardous Substances Directive 2002/95/EC (also known as the RoHS Directive) and the Waste Electrical and Electronic Equipment Directive (also known as the WEEE Directive), which restrict the distribution of products containing certain substances, including lead, within applicable geographies and require a manufacturer or importer to recycle products containing those substances. These directives affect the worldwide electronics and electronics components industries as a whole. If we or our customers fail to comply with such laws and regulations, we could incur liabilities and fines and our operations could be suspended. In addition, like many electronic devices, our hardware products contain certain minerals and derivatives that are subject to SEC disclosure and reporting requirements, or (Conflict Minerals). Compliance with these rules also requires due diligence including country of origin inquiries to determine the sources of Conflict Minerals used in our products. We may incur continued costs associated with complying with these disclosure requirements. These requirements may affect 26 pricing, sourcing and availability of Conflict Minerals used to produce our devices. We may be unable to verify the origin of all Conflict Minerals in our products. We may encounter challenges with customers and stakeholders if we are unable to certify that our products are conflict free. Environmental compliance and management of environmental factors has produced significant regulatory and legislative efforts on a global basis, a trend we expect to continue. New laws and regulations intended to curb environmental impacts such as climate change and pollution may result in added compliance requirements and increased costs of energy for the Company and our suppliers which could result in a significant negative impact on our ability to operate or operate profitably. In addition, disclosures we may be required to make with respect to climate change may damage our reputation and have an adverse impact on our business. We sell products and services to U.S. federal, state and local, as well as foreign government entities. Risks associated with selling our products and services to government entities include compliance with complex procurement regulations and government-specific contractual requirements that may vary from our standard terms and conditions, longer sales cycles that are not easy to predict, and varying government funding and budgeting processes. Selling to these entities is expensive and time-consuming and often requires significant up-front resource effort and expense. We have certain policies and processes in place to aid in compliance with applicable government contracting requirements; however, it is difficult to be certain that compliance has been achieved. Non-compliance with government entity requirements may result in significant material risk to the Company including debarment, reputational loss, and financial and business losses. New laws and regulations and changes to current laws and regulations are always possible and, in some jurisdictions they may be introduced with little or no time to bring related products into compliance. Furthermore, our products are used by customers to assist with achieving compliance with laws and regulations that apply to their industry. Our failure to comply with laws and regulations and to adapt to our customers’ needs may prevent us from selling our products in a certain country or to a particular customer. In addition, these laws, regulations, and requirements may increase our cost of supplying the products by forcing us to redesign existing products, change manufacturing practices, or to use more expensive designs or components. In these cases, we may experience unexpected disruptions in our ability to supply customers with products, or we may incur unexpected costs or operational complexities to bring products into compliance, and we may experience lowered customer demand. This could have an adverse effect on our revenues, gross profit margins and results of operations and increase the volatility of our financial results. We may require additional capital to support business growth, and this capital might not be available on acceptable terms, if at all. We expect that our existing cash and cash equivalents will be sufficient to meet our anticipated cash needs for working capital and capital expenditures for at least the next 12 months. Our estimate as to how long we expect our cash and cash equivalents to be able to fund our operations is based on assumptions that may prove to be wrong, and we could use our available capital resources sooner than we currently expect. Further, changing circumstances, some of which may be beyond our control, could cause us to consume capital significantly faster than we currently anticipate, and we may need to seek additional funds sooner than planned. We intend to continue to make investments to support our business growth and may require additional funds to achieve our objectives and respond to business challenges, including the need to develop new features or enhance our products, improve our operating infrastructure or acquire complementary businesses and technologies. Accordingly, we may need to engage in equity or debt financings to secure additional funds. If we raise additional funds through future issuances of equity or convertible debt securities, our existing stockholders could suffer significant dilution, and any new equity securities we issue could have rights, preferences and privileges superior to those of holders of our common stock. General economic conditions both inside and outside the U.S., as well as the COVID-19 pandemic and geopolitical events, have recently resulted in a significant disruption of global financial markets. If the disruption persists and deepens, we could experience an inability to access additional capital, which could in the future negatively affect our capacity for certain corporate development transactions or our ability to make other important, opportunistic investments. In addition, market volatility, high levels of inflation and interest rate fluctuations may increase our cost of financing or restrict our access to potential sources of future liquidity. Adequate additional financing may not be available to us on acceptable terms, or at all. If we are unable to obtain adequate financing or financing on terms satisfactory to us when we require it, our ability to continue to support our business growth and to respond to business challenges could be significantly impaired, and our business may be adversely affected. Our stock price has been and will likely continue to be volatile. Risks Related to Ownership of Our Common Stock 27 The market price of our common stock has been and may continue to be highly volatile and may fluctuate substantially as a result of a variety of factors, including those described in this “Risk Factors” section, many of which are beyond our control and may not be related to our operating performance. Factors that could cause fluctuations in the market price of our common stock include the following: • Actual or anticipated fluctuations in our quarterly or annual operating results; • Variance in our financial performance from our own financial guidance or from expectations of securities analysts; • • The trading volume of our common stock; Failure of securities analysts to maintain coverage of our company or changes in financial estimates by any securities analysts who follow our company; Changes in market valuations of other technology companies; • • Announcements by us or our competitors of significant technical innovations, contracts, acquisitions, strategic partnerships, joint ventures or capital commitments; Sales of large blocks of our common stock, including sales by our executive officers, directors and significant stockholders; Repurchases pursuant to Board-authorized share repurchase programs, or announcements of the inception or discontinuation of any such program; Short sales, hedging and other derivative transactions involving our capital stock; • Our involvement in any litigation or investigations by regulators; • Our sale of our common stock or other securities in the future; • • • • Additions or departures of any of our key personnel; • • • Changing legal or regulatory developments; The inclusion or exclusion of our stock in ETFs, indices and other benchmarks, and changes made to related methodologies; Reactions by investors to uncertainties in the world economy and financial markets. In recent years, the stock markets have experienced price and volume fluctuations that have affected and continue to affect the market prices of equity securities of many companies due to, among other factors, the actions of market participants or other actions outside of our control, including general market volatility caused by geopolitical events, developments in the COVID-19 pandemic, and general economic developments. These fluctuations have often been unrelated or disproportionate to the operating performance of those companies. Broad market and industry fluctuations, as well as general economic, political, regulatory and market conditions, may negatively impact the market price of our common stock. In the past, companies that have experienced volatility in the market price of their securities have been subject to securities class action litigation. We have been the target of this type of litigation in the past, and may be targeted again the future, which could result in substantial costs and divert our management’s attention. A small group of shareholders control a substantial amount of our common stock and could promote, delay or prevent a change of control. A small number of shareholders control a significant amount of our outstanding common stock, as follows: Blackrock, Inc. holds approximately 16.3% of our outstanding common stock; Legion Partners Asset Management holds approximately 8.8%; Mr. T. Kendall Hunt, our founder and former Chairman of the Board, holds approximately 8.6%; Vanguard Group Holdings holds approximately 6.8%; Altai Capital Management L.P. holds approximately 5.8%; and Legal & General Investment Management Limited holds approximately 5.3% This concentration of ownership may have the effect of a small number of investors promoting, discouraging, delaying or preventing a change in control and may also have an adverse effect on the market price of our common stock. Certain provisions of our charter and of Delaware law make a takeover of our Company more difficult. Our corporate charter and Delaware law contain provisions, such as a class of authorized but unissued preferred stock which may be issued by our Board without stockholder approval that might enable our management to resist a takeover of our Company. Delaware law also limits business combinations with interested stockholders. These provisions might discourage, delay or prevent a change in control or a change in our management. These provisions could also discourage proxy contests and make it more difficult for stockholders to elect directors and take other corporate actions. The existence of these provisions could limit the price that investors might be willing to pay in the future for shares of our common stock. 28 Future issuances of blank check preferred stock may reduce voting power of common stock and may have anti-takeover effects that could prevent a change in control. Our corporate charter authorizes the issuance of up to 500,000 shares of preferred stock with such designations, rights, powers and preferences as may be determined from time to time by our Board of Directors, including such dividend, liquidation, conversion, voting or other rights, powers and preferences as may be determined from time to time by the Board of Directors without further stockholder approval. The issuance of preferred stock could adversely affect the voting power or other rights of the holders of common stock. In addition, the authorized shares of preferred stock and common stock could be utilized, under certain circumstances, as a method of discouraging, delaying or preventing a change in control. U.S. investors may have difficulties in making claims for any breach of their rights as holders of shares because some of our assets and key employees are not located in the United States. Several of our key employees are full-time or part-time residents of foreign countries, and a substantial portion of our assets and those of some of our key employees are located in foreign countries. As a result, it may not be possible for investors to effect service of process on those persons located in foreign countries, or to enforce judgments against some of our key employees based upon the securities or other laws of jurisdictions in those foreign countries. Our business could be adversely affected as a result of actions of activist stockholders. Although we strive to maintain constructive, ongoing communications with all of our stockholders, and welcome their views and opinions with the goal of enhancing value for all of our stockholders, our stockholders have in the past, and may from time to time in the future, engage in proxy solicitations, advance stockholder proposals or otherwise attempt to effect changes or acquire control of the Company. Campaigns by stockholders to effect changes at publicly traded companies are sometimes led by investors seeking to increase short-term stockholder value through actions such as stock repurchases or sales of assets or the entire company. Responding to proxy contests and other actions by activist stockholders can be costly and time- consuming and could divert the attention of our Board of Directors and senior management from the management of our operations and the pursuit of our business strategy. We cannot predict whether additional proxy contests or related matters will occur in the future and the time and cost associated with such matters. Any perceived uncertainties as to our future direction and control, our ability to execute on our strategy or changes to the composition of our Board of Directors or senior management team arising from proposals by activist stockholders or a proxy contest could lead to the perception of a change in the direction of our business or instability that may be exploited by our competitors and/or other activist stockholders, result in the loss of potential business opportunities, result in the loss of our employees and business partners and make it more difficult to pursue our strategic initiatives or attract and retain qualified personnel and business partners, any of which could have an adverse effect on our business, financial condition and operating results. Economic uncertainties or downturns could materially adversely affect our business. General Risks Negative economic conditions, including conditions resulting from changes in foreign currency rates, changes in interest rates, gross domestic product growth, financial and credit market fluctuations, inflation, political turmoil, geopolitical tensions, natural catastrophes, regional and global conflicts, natural disasters, and terrorist attacks, could cause a decrease in business investments, including spending on information technology, and negatively affect the growth of our business. If global or regional economic and financial market conditions remain uncertain and/or weak for an extended period of time, any of the following factors, among others, could have a material adverse effect on our financial condition and results of operations: • • slower consumer or business spending may result in reduced demand for our products and services, reduced orders from customers, order cancellations, lower revenues, increased inventories, and lower gross margins; continued volatility in the global markets and fluctuations in exchange rates for foreign currencies could negatively impact our reported financial results and condition; 29 • • • • • continued volatility in the prices for materials we use in our products could have a material adverse effect on our costs, gross margins, and profitability; restructurings, reorganizations, consolidations and other corporate events could affect our customers’ budgets and buying cycles, particularly in the banking and financial services industry; if our customers experience declining revenues, or experience difficulty obtaining financing in the capital and credit markets to purchase our products and services, this could result in reduced orders, longer sales cycles, order cancellations, inability of customers to timely meet their payment obligations to us, extended payment terms, higher accounts receivable, reduced cash flows, greater expense associated with collection efforts and increased bad debt expense; a severe financial difficulty experienced by our customers may cause them to become insolvent or cease business operations, which could reduce sales, cash collections and revenue streams; and any difficulty or inability on the part of manufacturers of our products or other participants in our supply chain in obtaining sufficient financing to purchase raw materials or to finance general working capital needs may result in delays or non-delivery of shipments of our products. Furthermore, in an adverse economic environment there is a risk that customers may delay their orders until the economic conditions improve. If a significant number of orders are delayed for an indefinite period of time, our revenue and cash receipts may not be sufficient to meet the operating needs of the business. If this is the case, we may need to significantly reduce our workforce, sell certain of our assets, enter into strategic relationships or business combinations, discontinue some or all of our operations, or take other similar restructuring actions. While we expect that these actions would result in a reduction of recurring costs, they also may result in a reduction of recurring revenue and cash receipts. It is also likely that we would incur substantial non- recurring costs to implement one or more of these restructuring actions. Catastrophic events may disrupt our business. Our business operations are subject to interruption by natural disasters, including those related to the effects of climate change, and other catastrophic events such as fire, floods, power loss, telecommunications failure, cyberattack, war or terrorist attack, or epidemic or pandemic, such as the COVID-19 pandemic. To the extent such events impact our facilities or off-premises infrastructure, we may be unable to continue our operations and may endure system interruptions, reputational harm, delays in our software development, lengthy interruptions in our services, breaches of data security and loss of critical data, all of which could have an adverse effect on our future operating results. Item 1B - Unresolved Staff Comments None. Item 2 - Properties OneSpan has operations in Austria, Australia, Belgium, Canada, China, France, Japan, The Netherlands, Singapore, Switzerland, the United Arab Emirates, the United Kingdom, and the United States of America. Our corporate headquarters is in Chicago, Illinois; our European operational headquarters is in Brussels, Belgium; our primary global research and development center is in Montreal, Canada; and our Digipass authenticator logistics facility is located in Mollem, Belgium. We conduct sales and marketing, customer support, and general and administrative activities from various locations around the world. Each of our properties support the operations of our two lines of business, which are our reportable operating segments: Digital Agreements and Security Solutions. All of our properties are leased. We believe that our facilities are adequate for our current needs and that suitable additional or substitute space will be available as needed to accommodate expansion of our operations. Item 3 - Legal Proceedings We are subject to certain legal proceedings and claims incidental to the operations of our business. We are also subject to certain other legal proceedings and claims that have arisen in the ordinary course of business that have not been fully adjudicated. We currently do not anticipate that these matters, if resolved against us, will have a material adverse impact on our financial results or financial condition. 30 For further information regarding our legal proceedings and claims, see Note 18, Commitments and Contingencies, included in the notes to consolidated financial statements in Part IV of this Annual Report on Form 10-K. Item 4 - Mine Safety Disclosures Not applicable. Item 5 - Market for Registrant’s Common Equity, Related Stockholder Matters and Issuer Purchases of Equity Securities Our common stock, par value $0.001 per share, trades on the NASDAQ Capital Market under the symbol OSPN. PART II The following table sets forth, for the periods indicated, the range of high and low daily closing prices of our common stock on the NASDAQ Capital Market. 2022 Fourth quarter Third quarter Second quarter First quarter 2021 Fourth quarter Third quarter Second quarter First quarter High Low 14.12 $ 12.40 15.87 17.42 High Low 21.30 $ 25.55 $ 28.97 $ 26.77 $ 8.36 8.58 11.01 12.34 15.86 17.86 24.33 21.43 $ $ $ $ $ $ $ $ On February 18, 2023, there were 120 registered holders and approximately 10,799 street name holders of our common stock. Dividends We have not paid any dividends on our common stock since incorporation. The declaration and payment of dividends will be at the sole discretion of the Board of Directors and subject to certain limitations under the General Corporation Law of the State of Delaware. The timing, amount and form of dividends, if any, will depend, among other things, on our results of operations, financial condition, cash requirements, plans for expansion and other factors deemed relevant by the Board of Directors. We intend to retain any future earnings for use in our business and therefore do not anticipate paying any cash dividends in the foreseeable future. Recent Sales of Unregistered Securities None Issuer Purchases of Equity Securities On May 12, 2022, the Board of Directors terminated the stock repurchase program it adopted on September 10, 2020 and adopted a new stock repurchase program under which we are authorized to repurchase up to $50.0 million of our issued and outstanding shares of common stock. Share purchases under the program will take place in open market transactions or in privately negotiated transactions and may be made from time to time depending on market conditions, share price, trading volume, and other factors. The timing of the repurchases and the amount of stock repurchased in each transaction is subject to our sole discretion and will depend upon market and business conditions, applicable legal and credit requirements and other corporate considerations. The authorization is effective until May 11, 2024 unless the total 31 amount has been used or the authorization has been cancelled. During the year ended December 31, 2022, we repurchased 0.4 million shares of our stock for $5.7 million in the aggregate at an average cost of $12.83 per share under our repurchase program. An additional 0.1 million shares of our common stock were withheld to satisfy the mandatory tax withholding requirements upon vesting of restricted stock and restricted stock units issued to employees under our equity incentive plan. There were no shares of stock repurchased during the fourth quarter of 2022. Stock Performance Graph The Stock Performance Graph below compares the cumulative total return through December 31, 2022 assuming reinvestment of dividends, by an investor who invested $100.00 on December 31, 2017, in each of (i) our common stock, (ii) the Nasdaq Computer Index, (iii) the Russell 2000 Index, (iv) the Standard Industrial Code Index 3577 – Computer Peripheral Equipment, NEC and (v) a comparable industry index selected by the company (the peer group). The peer group for this purpose consists of: American Software, Inc., Appian Corporation, BlackLine, Inc., CPI Card Group, Inc., Mandiant, Inc., ProofPoint, Inc., PROS Holdings, Inc., Q2 Holdings, Inc., QAD, Inc., Qualys, Inc., Rapid7, Inc., Seachange, Inc., SecureWorks Corp., Varonis Systems, Inc. Of these peer group companies, three (Mandiant, ProofPoint, and QAD) were sold prior to December 31, 2022, and are therefore included in the graph only through their last trading day prior to the closing of their respective acquisitions. The stock price performance shown on the graph below is not necessarily indicative of future price performance. This graph shall not be deemed "soliciting material" or be deemed "filed" for purposes of Section 18 of the Exchange Act or otherwise subject to the liabilities under that Section, and shall not be deemed to be incorporated by reference into any of our filings under the Securities Act of 1933, as amended (the Securities Act), whether made before or after the date hereof and irrespective of any general incorporation language in any such filing. 32 12/31/2017 12/31/2018 12/31/2019 12/31/2020 12/31/2021 12/31/2022 OneSpan Inc. NASDAQ Computer Index Russell 2000 Index 3577 - Computer Peripheral Equipment, NEC Peer Group $ $ $ $ $ 100.00 $ 100.00 $ 100.00 $ 100.00 $ 100.00 $ 93.17 $ 96.32 $ 88.99 $ 116.39 $ 114.57 $ 123.17 $ 144.80 $ 111.70 $ 163.74 $ 156.68 $ 148.78 $ 217.17 $ 134.00 $ 235.43 $ 270.83 $ 121.80 $ 299.39 $ 153.85 $ 373.68 $ 232.95 $ 80.49 192.28 122.41 264.54 140.54 Item 6. [Reserved] Item 7 - Management’s Discussion and Analysis of Financial Condition and Results of Operations (in thousands, except head count, ratios, time periods and percentages) The following discussion and analysis of our financial condition and results of operations should be read in conjunction with our financial statements and related notes appearing elsewhere in this Annual Report on Form 10-K. In addition to historical financial information, the following discussion may contain predictions, estimates and other forward-looking statements that involve a number of risks and uncertainties, including those discussed under Item 1A, Risk Factors and elsewhere in this Form 10-K. These risks could cause our actual results to differ materially from any future performance suggested below. Please see “Cautionary Note Regarding Forward Looking Statements” at the beginning of this Form 10-K. For a comparison of our results of operations for the fiscal years ended December 31, 2021 and 2020, see “Part II, Item 7, Management’s Discussion and Analysis of Financial Condition and Results of Operations” of our Annual Report on Form 10-K for the year ended December 31, 2021, filed on February 22, 2022. Overview OneSpan helps organizations accelerate digital transformations by enabling secure, compliant, and refreshingly easy digital customer agreements and transaction experiences. We deliver digital agreement products and services that automate and secure customer-facing and revenue-generating business processes. Our solutions help organizations streamline and secure user experiences, which in turn allows them to drive growth, reduce risk, and unlock their business potential. We are a global leader in providing high-assurance identity and authentication security as well as enterprise-grade electronic signature (e- signature) solutions, for use cases ranging from simple transactions to workflows that are complex or require higher levels of security. Our solutions help our clients ensure the integrity of the people and records associated with digital agreements, transactions, and interactions in industries including banking, financial services, healthcare, digital services and others. We are trusted by global blue-chip enterprises, including more than 60% of the world’s largest 100 banks, and process millions of digital agreements and billions of transactions in more than 100 countries annually. Our solutions are powered by a portfolio of products and services across identity verification, authentication, virtual interactions and transactions, and secure digital storage. These products and services can be acquired and embedded individually within enterprise business workflows or assembled into tailored solutions for simple yet secure business-to-business, business-to-employee, and business-to-customer experiences. We offer our solutions through cloud-based and on-premises solutions using both open standards and proprietary technologies. We offer our products primarily through a subscription licensing model. Our solutions are sold worldwide through our direct sales force, as well as through distributors, resellers, systems integrators, and original equipment manufacturers. Business Transformation We are currently in the midst of a business transition and transformation. Our total revenue decreased on a year-over-year basis in 2020, and 2021, and we experienced negative operating income and net losses in both of those years. During 2021 and early 2022, our previous CEO, CFO, and several other senior executives left the company. In late 33 November 2021, our current CEO joined us and has built a new executive team over the course of 2022 to affect the transformation. In May 2022, we announced a three-year strategic transformation plan that began on January 1, 2023. We believe this transformation plan will enable us to build on our strong solution portfolio and market position, enhance our enterprise go-to-market strategy, accelerate revenue growth, and drive efficiencies to support margin expansion and increased profitability. In conjunction with the strategic transformation plan and to enable a more efficient capital deployment model, effective with the quarter ended June 30, 2022, we began reporting under the following two lines of business, which are our reportable operating segments: Digital Agreements and Security Solutions. • Digital Agreements. Digital Agreements consists of solutions that enable our clients to secure and automate business processes associated with their digital agreement and customer transaction lifecycles that require consent, non-repudiation and compliance. These solutions, which are largely cloud-based, include our OneSpan Sign e-signature solution and our recently introduced OneSpan Notary and Virtual Room solutions. As our transformation plan progresses, we expect to include other cloud-based security modules associated with the secure transaction lifecycle of identity verification, authentication, virtual interactions and transactions, and secure digital storage in the Digital Agreements segment. This segment also includes costs attributable to our transaction- cloud platform. • Security Solutions. Security Solutions consists of our broad portfolio of software products and/or software development kits (SDKs) that are used to build applications designed to defend against attacks on digital transactions across online environments, devices and applications. These solutions, which are largely on-premises software products, include identity verification, multi-factor authentication and transaction signing, such as mobile application security, mobile software tokens, and Digipass authenticators that are not cloud-connected devices. We expect to manage Digital Agreements for accelerated growth and market share gains and Security Solutions for cash flows given its more modest growth profile. Across both segments, we are building on our strong foundation in both e-signature and cybersecurity by enhancing product features, developing new solutions, and building out our next-generation transaction cloud platform, which we expect will allow us to efficiently deliver security and e-signature solutions to our customers across their entire digital agreement lifecycle. We also plan to enhance our go-to-market strategy by prioritizing growth at large enterprise accounts, expanding our direct sales force, and accessing new routes to market through alliances and partnerships. Our transformation plan involves numerous risks and uncertainties. Please see Item IA, Risk Factors. Restructuring Plan In December 2021, our Board approved a restructuring plan designed to advance our operating model, streamline our business, improve efficiency, and enhance our capital resources. The first phase of this restructuring plan began and was substantially completed during the three months ended March 31, 2022. In May 2022, our Board approved additional actions related to the restructuring plan through the year ending December 31, 2025. The additional actions consist primarily of headcount-related reductions designed to continue to advance the same objectives as the first phase of the plan. As part of the restructuring plan, we reduced headcount by eliminating approximately 100 positions. We incurred severance and related benefits costs, recorded in “Restructuring and other related charges” in the consolidated statement of operations for the year ended December 31, 2022. Macroeconomic Events Macroeconomic events impacting our business are discussed below. Throughout 2022, we operated under uncertain market conditions, influenced by events such as the Russia-Ukraine conflict, the continuing impact of the COVID-19 pandemic, disruption to our supply chain and the inflationary cost environment. For a more complete discussion of the risks we encounter in our business, please see Item 1A, Risk Factors. Russia-Ukraine Conflict While we do not anticipate that the current posture of the Russia-Ukraine conflict will materially and adversely affect our results of operations, the conflict is still ongoing and future impacts are difficult to estimate. An escalation of the conflict’s current scope or expansion of the conflict’s economic disruption could materially and adversely affect our 34 company and its operations. The conflict has and may continue to have a significant impact on the global macroeconomic and geopolitical environments, including increased volatility in capital and commodity markets, rapid changes to regulatory conditions (including the use of sanctions), supply chain and operational challenges for multinational corporations, inflationary pressures and an increased risk of cybersecurity incidents. COVID-19, Supply Chain Disruption and Inflationary Cost Environment During 2022, the supply chain for our Digipass devices was impacted by global issues related to the effects of the COVID-19 pandemic, the Russia- Ukraine conflict and the inflationary cost environment, particularly with respect to materials in the semiconductor market, including part shortages, increased freight costs, diminished transportation capacity and labor constraints. This has resulted in disruptions in our supply chain, as well as difficulties and delays in procuring certain semiconductor components. Since late 2021, our costs have increased due to elevated lead times and increased material costs, in particular the need to purchase semiconductor components from alternative sources. We expect increased costs to procure materials within the semiconductor market to continue in 2023. Further, we anticipate the broader impact of inflationary pressures and increased material and supply chain costs and disruptions will continue in 2023. In response to these supply chain conditions, in 2022 we focused on improving our supplier network, engineering alternative designs and working to reduce supply shortages. We are actively managing our inventory in an effort to minimize supply chain disruptions and enable continuity of supply and services to our customers, and we expect to maintain elevated levels of inventory for certain of our products until supply constraints have been remediated. We are also considering alternative manufacturing and supply arrangements, including moving more of our manufacturing from China to Romania or other locations, to mitigate these supply chain risks in the future. In order to combat rising inflation in the U.S., the Federal Reserve has raised interest rates multiple times since the beginning of 2022. The increase in U.S. dollar interest rates and overall market conditions led to significant strengthening of the U.S. dollar against other global currencies in 2022. The strong U.S. dollar reduced the impact of cash generated from our foreign operations during 2022, driven by revenues and costs that are denominated in foreign currencies, which impacted our revenue, operating cash flows and net income throughout 2022. We expect these impacts to continue into 2023. Although the macroeconomic environment presented challenges in 2022 and may continue to do so in 2023, we are encouraged by customer demand for our products and services, particularly in our e-signature solution in the Digital Agreements segment and our mobile, security, authentication server and Digipass solutions in our Security Solutions segment. We believe our existing balances of cash and cash equivalents, along with our short-term investments, will continue to be sufficient to satisfy our liquidity requirements associated with our existing operations. Components of Operating Results Revenue We generate revenue from the sale of our subscriptions, maintenance and support, professional services, and Digipass hardware products. We believe comparison of revenues between periods is heavily influenced by the timing of orders and shipments reflecting the transactional nature of significant parts of our business. • • Product and license revenue. Product and license revenue includes Digipass hardware products and software licenses, which are provided on a perpetual or term basis subscription model. Service and other revenue. Service and other revenue includes solutions that are provided on a cloud-based subscription model, maintenance and support, and professional services. Cost of Goods Sold Our total cost of goods sold consists of cost of product and license revenue and cost of service and other revenue. We expect our cost of goods sold to increase in absolute dollars as our business grows, although it may fluctuate as a percentage of total revenue from period to period. • Cost of product and license revenue. Cost of product and license revenue primarily consists of direct product and license costs, including personnel costs, production costs, and freight. 35 • Cost of service and other revenue. Cost of service and other revenue primarily consists of costs related to cloud subscription solutions, including personnel and equipment costs, and personnel costs of employees providing professional services and maintenance and support. Gross Profit Gross profit is revenue net of the cost of goods sold. Gross profit as a percentage of total revenue, or gross margin, has been and will continue to be affected by a variety of factors, including our average selling price, manufacturing costs, the mix of products sold, and the mix of revenue among products, subscriptions and services. We expect our gross margins to fluctuate over time depending on these factors. Operating Expenses Our operating expenses are generally based on anticipated revenue levels and fixed over short periods of time. As a result, small variations in revenue may cause significant variations in the period-to-period comparisons of operating income or operating income as a percentage of revenue. Generally, the most significant factor driving our operating expenses is headcount. Direct compensation and benefit plan expenses generally represent between 50% and 60% of our operating expenses. In addition, a number of other expense categories are directly related to headcount. We attempt to manage our headcount within the context of the economic environments in which we operate and the investments we believe we need to make for our infrastructure to support future growth and for our products to remain competitive. Historically, operating expenses have been impacted by changes in foreign exchange rates. We estimate the change in currency rates in 2022 compared to 2021 resulted in a decrease in operating expenses of approximately $7.5 million in 2022. The comparison of operating expenses can also be impacted significantly by costs related to our stock-based and long-term incentive plans. In 2022, 2021, and 2020, operating expenses included $8.8 million, $5.2 million, and $6.0 million, respectively, of expenses related to stock-based and long-term incentive plans. Stock-based compensation expense during 2022 included a significant number of new grants to our newly hired executives, as well as an overall expansion of the equity incentive program put in place for the long-term retention of our employees. Long-term incentive plan compensation expense includes both cash and stock-based incentives. • • Sales and marketing. Sales and marketing expenses consist primarily of personnel costs, commissions and bonuses, trade shows, marketing programs and other marketing activities, travel, outside consulting costs, and long-term incentive compensation. We expect sales and marketing expenses to increase in absolute dollars as we expand our salesforce and marketing activities to support our strategic transformation plan, although our sales and marketing expenses may fluctuate as a percentage of total revenue. Research and development. Research and development expenses consist primarily of personnel costs and long-term incentive compensation. We expect research and development costs to increase in absolute dollars as we continue to enhance and expand our product offerings and cloud platform. However, our research and development expenses may fluctuate as a percentage of total revenue due to expected growth of our team and continued capitalization of certain costs related to the expansion of our cloud product portfolio. • General and administrative. General and administrative expenses consist primarily of personnel costs, legal, consulting and other professional fees, and long-term incentive compensation. We expect general and administrative expenses to increase in absolute dollars to support the anticipated growth of our business, although our general and administrative expenses may fluctuate as a percentage of total revenue. Impairment of intangible assets. Impairment of intangible assets are incurred when we determine that the carrying value of an asset exceeds its fair value. We test annually, or when triggering events arise. • During the year ended December 31, 2022, we performed an impairment review of the customer relationships intangible assets obtained in our 2018 acquisition of Dealflo Limited (“Dealflo”). The impairment review was triggered by our July 2022 notification to customers regarding our intent to gradually sunset our Dealflo solution in the months leading up to December 31, 2023. The results of the impairment review indicated that the carrying value of the Dealflo customer relationships exceeded the fair value, and we recorded a $3.8 36 million impairment charge on the entire remaining value of the asset during the year ended December 31, 2022. • • Amortization of intangible assets. Acquired intangible assets are amortized over their respective amortization periods and are periodically evaluated for impairment. Restructuring and related charges. Restructuring and other related charges consists of severance and related benefits incurred from headcount reductions as part of our restructuring plan. We plan to incrementally incur additional restructuring costs through December 31, 2025, when the plan terminates. Segment Results Segment operating income (loss) consists of the revenue generated by a segment, less the direct costs of revenue, sales and marketing, research and development, and general and administrative expenses, amortization and impairment charges that are incurred directly by a segment. Unallocated corporate costs include companywide costs that are not attributable to a particular segment. Financial results by operating segment are included below under Results of Operations. Interest Income (Expense), Net Interest income (expense), net, consists of income earned on our cash equivalents and short-term investments. Our cash equivalents and short-term investments are invested in short-term instruments at current market rates. Other Income (Expense), Net Other income (expense), net, primarily includes exchange gains (losses) on transactions that are denominated in currencies other than our subsidiaries’ functional currencies, subsidies received from foreign governments in support of our research and development in those countries and other miscellaneous non-operational expenses. Income Taxes Our effective tax rate reflects our global structure related to the ownership of our intellectual property (“IP”). The majority of our IP in our Security Solutions business is owned by two subsidiaries, one in the U.S. and one in Switzerland. The IP in our Digital Agreements business is owned by a subsidiary in Canada. These subsidiaries have entered into agreements with most of the other OneSpan entities under which those other entities provide services to the IP owners on either a percentage of revenue or on a cost-plus basis or both. In addition, many of our OneSpan entities operate as distributors for all of our OneSpan products. Under this structure, the earnings of our service provider subsidiaries are relatively constant. These service provider companies tend to be in jurisdictions with higher effective tax rates. Fluctuations in earnings flow to the IP owners. As the majority of our revenues are generated outside of the U.S., our consolidated effective tax rate is influenced by the effective tax rate of our foreign operations. Changes in the effective rate related to foreign operations reflect changes in the geographic mix of earnings and the tax rates in each of the countries in which it is earned. The statutory tax rate for the primary foreign tax jurisdictions ranges from 11% to 35%. The Company recorded changes in valuation allowance of $4.4 million and $15.0 million, as of December 31, 2022 and 2021, respectively, against deferred tax assets that, based on management’s assessment are considered not to be more likely than not to be realized. The increase in the valuation allowance in 2022 reflects Net Operating Losses (“NOLs”), other deduction carryforwards, and credits for which the realization is not more likely than not. The change in valuation allowance also reflects other factors including, but not limited to, changes in management’s assessment of the ability to use existing deferred tax assets, including NOLs and other deduction carryforwards. Management assesses the need for a valuation allowance on a regular basis, weighing all positive and negative evidence to determine whether a deferred tax asset will be fully or partially realized. In evaluating the realizability of deferred tax assets, significant pieces of negative evidence such as 3- year cumulative losses are considered. Management also reviewed reversal patterns of temporary differences to determine if the Company would have sufficient taxable income due to the reversal of temporary differences to support the realization of deferred tax assets. In 2022, Management made the decision to establish a valuation allowance against certain deferred tax assets in jurisdictions that were not previously valued as the deferred tax assets were no longer more likely than not to be realized. Management continues to maintain a valuation allowance against certain deferred tax assets in other jurisdictions where assets had been previously valued. For 37 all other remaining deferred tax assets, management believes it is still more likely than not that the results of future operations will generate sufficient taxable income to realize the deferred tax assets. Impact of Currency Fluctuations In 2022 and 2021, respectively, we generated approximately 83% and 86% of our revenues and incurred approximately 66% and 68% of our operating expenses outside of the U.S. As a result, changes in currency exchange rates, especially the Euro exchange rate and the Canadian Dollar exchange rate, can have a significant impact on our revenue and operating expenses. While the majority of our revenue is generated outside of the U.S., a significant amount of our revenue earned during the year ended December 31, 2022 was denominated in U.S. Dollars. In 2022, approximately 54% of our revenue was denominated in U.S. Dollars, 42% was denominated in Euros and 4% was denominated in other currencies. In 2021, approximately 51% of our revenue was denominated in U.S. Dollars, 44% was denominated in Euros and 5% was denominated in other currencies. In general, to minimize the net impact of currency fluctuations on operating income, we attempt to denominate an amount of billings in a currency such that it would provide a hedge against the operating expenses being incurred in that currency. We expect that changes in currency rates may impact our future results if we are unable to match amounts of revenue with our operating expenses in the same currency. If the amount of our revenue in Europe denominated in Euros continues as it is now or declines, we may not be able to balance fully the exposures of currency exchange rates on revenue and operating expenses. The financial position and the results of operations of our foreign subsidiaries, with the exception of our subsidiaries in Switzerland, Singapore and Canada, are measured using the local currency as the functional currency. Accordingly, assets and liabilities are translated into U.S. Dollars using current exchange rates as of the balance sheet date. Revenues and expenses are translated at average exchange rates prevailing during the year. Translation adjustments arising from differences in exchange rates generated comprehensive loss of $7.2 million in 2022 and $3.0 million in 2021. These amounts are included as a separate component of stockholders’ equity. The functional currency for our subsidiaries in Switzerland, Singapore and Canada is the U.S. Dollar. Gains and losses resulting from foreign currency transactions are included in the consolidated statements of operations in other income (expense). Foreign exchange transaction losses aggregated $1.8 million and foreign exchange transaction gains aggregated less than $0.1 million for the years ended December 31, 2022 and 2021, respectively. 38 Results of Operations In conjunction with our strategic transformation plan, effective with the quarter ended June 30, 2022, we began reporting under the following two lines of business, which are our reportable operating segments: Digital Agreements and Security Solutions. The following table sets forth, for the periods indicated, selected segment and consolidated operating results. (In thousands, except percentages) Years Ended December 31, 2022 2021 Digital Agreements Revenue Gross profit Gross margin Operating income Security Revenue Gross profit Gross margin Operating income Total Company: Revenue Gross profit Gross margin Statements of operations reconciliation: Segment operating income Corporate operating expenses not allocated at the segment level Operating loss $ $ $ $ $ $ $ $ $ $ 48,401 37,488 77 % 5,348 170,605 111,082 65 % 32,051 219,006 148,570 68 % 37,399 64,514 (27,115) $ $ $ $ $ $ $ $ $ $ 40,551 29,557 73 % (1,612) 173,930 113,378 65 % 35,395 214,481 142,935 67 % 33,783 59,911 (26,128) Revenue Revenue by products and services allocated to the segments for the years ended December 31, 2022 and 2021 is as follows: 39 Years Ended December 31, 2022 2021 Digital Agreements Security Solutions Digital Agreements Security Solutions (In thousands) Subscription (1) Maintenance and support Professional services and other (2) Hardware products Total Revenue $ $ 42,029 $ 47,124 $ 33,283 $ 5,451 921 — 42,894 7,087 73,500 5,709 1,494 65 48,401 $ 170,605 $ 40,551 $ 35,224 45,567 13,703 79,436 173,930 (1) Subscription includes cloud and on-premises subscription revenue, previously referred to as "subscription" and "term-based software licenses", respectively. (2) Professional services and other includes perpetual software licenses revenue, which was approximately 2% of total revenue for the year ended December 31, 2022 and approximately 5% of revenue for the year ended December 31, 2021. For the year ended December 31, 2022, total revenue increased by $4.5 million, or 2%, compared to the year ended December 31, 2021. Changes in foreign exchange rates as compared to the same period in 2021 negatively impacted total revenue by approximately $12.2 million. Additional information on our revenue by segment follows. • Digital Agreements revenue increased $7.9 million, or 19%, during the year ended December 31, 2022 compared to the year ended December 31, 2021. The increase in Digital Agreements revenue was driven by new customer revenue and existing customer expansion, partially offset by the non-renewal of certain contracts and contraction. We saw the conversion of some of our large existing on-premises Digital Agreements customers convert to our cloud subscription model, contributing to the growth. Changes in foreign exchange rates as compared to the same period in 2021 negatively impacted Digital Agreements revenue by $0.4 million. • Security Solutions revenue decreased $3.3 million, or approximately 2%, during the year ended December 31, 2022 compared to the year ended December 31, 2021. This decrease was driven by lower hardware revenues as a result of delayed production deliveries due to global supply chain disruptions. In addition, we experienced lower volume hardware purchases from existing customers. Both maintenance and professional services and other revenue decreased while subscription revenue increased in conjunction with the transition from perpetual license to term license deals. Changes in foreign exchange rates compared to the same period in 2021 negatively impacted Security Solutions revenue by $11.8 million, driven largely by the US Dollar strengthening versus the Euro. Revenue by Geographic Regions: We classify our sales by customer location in three geographic regions: 1) EMEA, which includes Europe, Middle East and Africa; 2) the Americas, which includes sales in North, Central, and 40 South America; and 3) Asia Pacific (APAC), which also includes Australia, New Zealand, and India. The breakdown of revenue in each of our major geographic areas was as follows: (In thousands, except percentages) Revenue EMEA Americas APAC Total revenue % of Total Revenue EMEA Americas APAC Years Ended December 31, 2022 2021 $ Change % Change $ $ 100,298 $ 77,740 40,968 219,006 $ 104,878 68,646 40,957 214,481 ($4,580) 9,094 11 $4,525 (4)% 13 % — % 2 % 46 % 35 % 19 % 49 % 32 % 19 % For the year ended December 31, 2022, revenue generated in EMEA was $4.6 million or 4% lower than the same period in 2021, driven largely by the strengthening of the U.S. Dollar compared to the Euro, as well as lower hardware sales. For the year ended December 31, 2022, revenue generated in the Americas was $9.1 million or 13% higher than the same period in 2021, driven primarily by higher cloud subscription revenue as a result of both new customers and expansion of services to existing customers as a result of higher usage of our products. For the year ended December 31, 2022, revenue generated in the Asia Pacific region (APAC) was less than $0.1 million or less than 1% higher than the same period in 2021. Cost of Goods Sold and Gross Margin (In thousands, except percentages) Cost of goods sold Product and license Services and other Total cost of goods sold Gross profit Gross margin Product and license Services and other Total gross margin Years Ended December 31, 2022 2021 $ Change % Change $ $ $ 45,106 25,330 70,436 $ $ 46,196 25,350 71,546 $ $ 148,570 142,935 (1,090) (20) (1,110) 5,635 (2)% — % (2)% 4 % 63 % 74 % 68 % 62 % 73 % 67 % The cost of product and license revenue decreased $1.1 million or 2% for the year ended December 31, 2022 compared to the year ended December 31, 2021. The decrease in cost of product and license was driven by lower hardware sales, partially offset by higher third-party software licensing costs in conjunction with higher software license sales, as well as price increases for our hardware components, and higher shipping costs for certain hardware products. 41 The cost of services and other revenue decreased by less than $0.1 million, or less than 1% during the year ended December 31, 2022, compared to the year ended December 31, 2021. Gross profit increased $5.6 million, or 4% for the year ended December 31, 2022 compared to the year ended December 31, 2021. Total gross margin was 68% for the year ended December 31, 2022, compared to 67% for the year ended December 31, 2021. The improvement in total gross margin was primarily due to product mix and certain cloud cost incentives received, partially offset by foreign currency impact. Subscription revenue increased 30% year-over-year, while hardware revenue decreased 7%. The majority of our inventory purchases are denominated in U.S. Dollars. Our sales are denominated in various currencies, including the Euro. The impact of changes in currency rates are estimated to have had a favorable impact on overall cost of goods sold of approximately $1.0 million for the year ended December 31, 2022. Had currency rates in 2022 been equal to rates in the comparable period of 2021, the gross profit margin would have been approximately 1 percentage points higher for the year ended December 31, 2022. Additional information on our gross profit by segment follows. • Digital Agreements gross profit increased $7.9 million, or 27%, for the year ended December 31, 2022 compared to the prior year. The increase in gross profit was driven by higher revenues and lower outside services costs for operating our cloud platform due to higher usage tier discounts, including a one-time incentive credit. Digital Agreements gross margin for the years ended December 31, 2022 and 2021 was 77% and 73%, respectively. • Security Solutions Security Solutions gross profit decreased $2.3 million, or approximately 2%, for the year ended December 31, 2022 compared to the prior year. The decrease in profitability was primarily driven by higher hardware materials and logistics costs relative to the average selling price of the units. Security Solutions gross margin was 65% for each of the years ended December 31, 2022 and 2021 . Operating Expenses For the year ended December 31, 2022, operating expenses increased by $6.6 million, or 4%, compared to the year ended December 31, 2021. Changes in foreign exchange rates favorably impacted operating expenses by approximately $7.5 million as compared to the year ended December 31, 2021. The following table presents the breakout of operating expenses by category as of December 31, 2022 and 2021: (In thousands, except percentages) Operating costs Sales and marketing Research and development General and administrative Impairment of intangible assets Restructuring and other related charges Amortization of intangible assets Total operating costs Sales and Marketing Expenses Years Ended December 31, 2022 2021 $ Change % Change $ $ 60,949 41,735 55,552 3,828 9,482 4,139 62,730 $ 47,414 53,031 — — 5,888 175,685 $ 169,063 $ (1,781) (5,679) 2,521 3,828 9,482 (1,749) 6,622 (3)% (12)% 5 % NM NM (30)% 4 % Sales and marketing expenses decreased $1.8 million, or 3%, for the year ended December 31, 2022 compared to the year ended December 31, 2021. The decrease was primarily related to lower headcount and associated payroll related expenses during the year ended December 31, 2022 compared to the prior year. Average full-time sales and marketing employee headcount for year ended December 31, 2022 was 344, compared to 368 for year ended December 31, 2021. Average headcount in 2022 was 7% lower than in 2021. 42 In future periods, we expect sales and marketing spend to increase as we enhance our enterprise go-to-market strategy. We are focused on new logo growth through building brand awareness, as well as expanding offerings to our existing customers. We expect to expand our sales force and add new distribution channels. Research and Development Expenses Research and development expenses decreased $5.7 million, or 12%, for the year ended December 31, 2022 compared to the year ended December 31, 2021. The decrease in expense was driven primarily by the capitalization of expanded research and development costs of $4.0 million to enhance our transaction-cloud platform and our Digital Agreements product offerings. Personnel costs were also lower for the year ended December 31, 2022 compared to the prior year as a result of restructuring actions that reduced headcount. Average full-time research and development employee headcount for year ended December 31, 2022 was 340, compared to 363 for year ended December 31, 2021. Average headcount in 2022 was 6% lower than in 2021. General and Administrative Expenses General and administrative expenses increased $2.5 million, or 5%, for the year ended December 31, 2022 compared to the year ended December 31, 2021. This increase in expense was due to higher average compensation per employee, higher stock-based compensation expense, and higher travel costs. The increases were partially offset by lower outside services costs. Average full-time general and administrative employee headcount for year ended December 31, 2022 was 139, compared to 135 for the year ended December 31, 2021. Average general and administrative headcount in 2022 was 3% higher than in 2021. Impairment of Intangible Assets For the year ended December 31, 2022, we recorded $3.8 million of impairment of intangible assets charges. The impaired intangible assets were customer relationships associated with our Dealflo product, which was purchased in connection with a prior year acquisition. Restructuring and Other Related Charges Restructuring and other related charges were $9.5 million for the year ended December 31, 2022. The charges include severance, retention pay, and related benefit costs incurred in conjunction with our restructuring plans. Amortization of Intangible Assets Amortization of intangible assets for the year ended December 31, 2021 was $4.1 million, compared to $5.9 million for the year ended December 31, 2021, a decrease of $1.7 million or 30%. The decrease was driven by certain intangible assets acquired in the prior years becoming fully amortized. Segment Operating Income (Loss) Information on our operating income (loss) by segment follows. • Digital Agreements Operating income for the year ended December 31, 2022 was $5.4 million, compared to operating loss of $1.6 million for the the prior year. The operating income increase reflects our strategic transformation plan to accelerate growth in this operating segment, which drove higher revenues. The increase in operating income was also driven by the capitalization of research and development costs for internal-use software incurred to grow the Digital Agreements product offerings. A one-time incentive credit from our cloud services provider also contributed to the increase, as well as lower payroll related expenses due to lower headcount, partially offset by the impact of foreign currency fluctuations. 43 • Security Solutions For the year ended December 31, 2022, Security Solutions operating income was $32.1 million, which was $3.3 million, or 10%, lower than the prior year. This decrease was driven by the intangible assets impairment, an increase in material and freight costs, and the impact of foreign currency fluctuations. Interest Income (expense), net (In thousands, except percentages) Interest income (expense), net Years Ended December 31, 2022 2021 $ Change % Change $ 595 (1) $ 596 NM Interest income (expense), net, was $0.6 million for the year ended December 31, 2022, compared to less than $(0.1) million for the year ended December 31, 2021. The increase in interest income is related to higher interest rates favorably impacting our invested cash balances during 2022. Other Income (Expense), Net (In thousands, except percentages) Other income (expense), net Years Ended December 31, 2022 2021 $ Change % Change $ 14,827 (14) $ 14,841 NM Other income (expense), net, includes subsidies received from foreign governments in support of our research and development in those countries, exchange gains (losses) on transactions that are denominated in currencies other than our subsidiaries’ functional currencies, and other miscellaneous non- operational, non-recurring income and expenses. For the year ended December 31, 2022, other income (expense), net was $14.8 million, compared to less than $(0.1) million for the year ended December 31, 2021. The fluctuation was primarily driven by the $14.8 million gain on sale of our equity-method investment in Promon AS. Provision for income taxes (In thousands, except percentages) Provision for income taxes Years Ended December 31, 2022 2021 $ Change % Change $ 2,741 4,441 $ (1,700) (38)% We recorded Provision for income taxes for the year ended December 31, 2022 of $2.7 million compared to $4.4 million for the year ended December 31, 2021. The decrease in expense recorded for the year ended December 31, 2022 was primarily attributable to the jurisdictional mix of profit before taxes, and a lower valuation allowance recorded in 2022 compared to 2021. Loss Carryforwards Available At December 31, 2022, we have gross deferred tax assets of $46.8 million resulting from U.S. federal, foreign and state NOL carryforwards of $125.7 million and other foreign deductible carryforwards of $124.2 million. At December 31, 2022, we have a valuation allowance of $37.7 million against deferred tax assets related to certain carryforwards. Key Business Metrics and Non-GAAP Financial Measures In our quarterly earnings press releases and conference calls, we discuss the below key metrics and financial measures that are not calculated according to generally accepted accounting principles (“GAAP”). These metrics and non-GAAP financial measures help us monitor and evaluate the effectiveness of our operations and evaluate period-to-period comparisons. Management believes that these metrics and non-GAAP financial measures help illustrate underlying trends 44 in our business. We use these metrics and non-GAAP financial measures to establish budgets and operational goals (communicated internally and externally), manage our business and evaluate our performance. We also believe that both management and investors benefit from referring to these metrics and non-GAAP financial measures as supplemental information in assessing our performance and when planning, forecasting, and analyzing future periods. We believe these metrics and non-GAAP financial measures are useful to investors both because they allow for greater transparency with respect to financial measures used by management in their financial and operational decision-making and also because they are used by investors and the analyst community to help evaluate the health of our business. Annual Recurring Revenue We use annual recurring revenue, or ARR, as an approximate measure to monitor the revenue growth of our recurring business. ARR represents the annualized value of the active portion of SaaS, term-based license, maintenance and support contracts, and other subscription services at the end of the reporting period. ARR is calculated as the approximate annualized value of our customer recurring contracts as of the measurement date. These include subscription, term-based license, and maintenance contracts and exclude one-time fees. To the extent that we are negotiating a renewal with a customer after the expiration of a recurring contract, we continue to include that revenue in ARR if we are actively in discussions with the customer for a new recurring contract or renewal, or until such customer notifies us that it is not renewing its recurring contract. ARR does not have any standardized meaning and is therefore unlikely to be comparable to similarly titled measures presented by other companies. ARR should be viewed independently of revenue and deferred revenue as ARR is an operating metric and is not intended to be combined with or replace these items. ARR is not a forecast of future revenue, which can be impacted by contract start and end dates and renewal rates, and does not include revenue from perpetual licenses, purchases of Digipass authenticators that are not cloud-connected devices, training, professional services or other sources of revenue that are not deemed to be recurring in nature. At December 31, 2022, we reported ARR of $138.7 million, which was 12% higher than 2021 ARR of $124.1 million. Changes in foreign exchange rates during the year ended December 31, 2022 as compared to the prior year negatively impacted ARR by approximately $3.9 million. ARR growth was primarily driven by an increase in subscription contracts. Net Retention Rate Net Retention Rate, or NRR, is defined as the approximate year-over-year percentage growth in ARR from the same set of customers at the end of the prior year period. It measures the Company’s ability to increase revenue across our existing customer base through expanded use of our platform, offset by customers whose subscription contracts with us are not renewed or renew at a lower amount. The company’s ability to drive growth and generate incremental revenue depends, in part, on our ability to maintain and grow our relationships with customers. NRR is an important way in which we track our performance in this area. We previously referred to NRR as Dollar-Based Net Expansion (DBNE). There is no change in how we define or calculate NRR as compared to DBNE. We reported NRR of 107% and 115% at December 31, 2022 and 2021, respectively. Year-over-year, NRR was impacted by foreign currency exchange impacts, longer sales cycles in certain international regions, timing related to contract renewals, and contraction. Adjusted EBITDA We define Adjusted EBITDA as net income before interest, taxes, depreciation, amortization, long-term incentive compensation, and certain non- recurring items, including acquisition related costs, lease exit costs, rebranding costs, and non-routine shareholder matters. We use Adjusted EBITDA as a simplified measure of performance for use in communicating our performance to investors and analysts and for comparisons to other companies within our industry. As a performance measure, we believe that Adjusted EBITDA presents a view of our operating results that is most closely related to serving our customers. By excluding interest, taxes, depreciation, amortization, long-term incentive compensation, impairment of intangible assets, restructuring costs, and certain other non-recurring items, we are able to 45 evaluate performance without considering decisions that, in most cases, are not directly related to meeting our customers’ requirements and were either made in prior periods (e.g., depreciation, amortization, long-term incentive compensation, non-routine shareholder matters), deal with the structure or financing of the business (e.g., interest, one-time strategic action costs, restructuring costs, impairment charges) or reflect the application of regulations that are outside of the control of our management team (e.g., taxes). In addition, removing the impact of these items helps us compare our core business performance with that of our competitors. Non-GAAP financial metrics such as Adjusted EBITDA are not measures of performance under GAAP and should not be considered in isolation or as alternatives or substitutes for the most directly comparable financial measures calculated in accordance with GAAP, but, rather, should be considered together with our consolidated financial statements, which are prepared in accordance with GAAP and included in Part IV, Item 15, Exhibits and Financial Statement Schedules. The following table reconciles net income as reported on our consolidated statements of operations to non-GAAP Adjusted EBITDA: (In thousands) Net loss Interest (expense) income, net Provision for income taxes Depreciation and amortization of intangible assets Long-term incentive compensation Impairment of intangible assets Restructuring and other related charges Other non-recurring items (1) Adjusted EBITDA Years Ended December 31, 2022 2021 $ (14,434) $ (30,584) (595) 2,741 7,066 8,813 3,828 9,482 (10,505) 6,396 $ $ 1 4,441 8,926 5,202 — — 6,951 (5,063) (1) For the year ended December 31, 2022, non-recurring items consist of $4.3 million of outside services related to our strategic action plan, and a $(14.8) million non-operating gain on the sale of our equity-method investment in Promon AS. For the year ended December 31, 2021, non-recurring items consist of $3.5 million of outside service costs related to our strategic action plan, $2.8 million of outside service costs related to the proxy contest that took place in 2021 and the related $0.7 million settlement with Legion Partners. Adjusted EBITDA increased during the year ended December 31, 2022 compared to 2021, primarily due to higher Net income (loss) as well as increases in certain expenses excluded from Adjusted EBITDA. Long-term incentive compensation, Impairment of intangible assets, and Restructuring and other related charges were offset by a $14.8 million net gain from the sale of our equity-method investment in Promon. Please see further discussion in Item 7, Management's Discussion and Analysis of Financial Condition and Results of Operations for an analysis of what comprises Net loss in the consolidated statements of operations for the years ended December 31, 2022 and 2021, and additional detail around items excluded from Adjusted EBITDA. Liquidity and Capital Resources As of December 31, 2022, we had net cash balances (total cash and cash equivalents) of $96.5 million and short-term investments of $2.3 million. At December 31, 2022, short-term investments consist of corporate notes and bonds. At December 31, 2021, we had net cash balances of $63.4 million and short-term investments of $35.1 million. Short-term investments at December 31, 2021 consisted of U.S. treasury bills and notes, government agency notes, corporate notes and bonds, and high-quality commercial paper with maturities at acquisition of more than three months and less than twelve months. 46 We are party to lease agreements that require letters of credit to secure the obligations. The restricted cash related to these letters of credit is recorded in "Other non-current assets" on the consolidated balance sheets in the amounts of $0.8 million at December 31, 2022 and 2021. As of December 31, 2022, we held $58.9 million of cash and cash equivalents in subsidiaries outside of the United States. Of that amount, $58.0 million is not subject to repatriation restrictions, but may be subject to taxes upon repatriation. We expect that our existing cash and cash equivalents will be sufficient to meet our anticipated cash needs for working capital and capital expenditures for at least the next 12 months. Our cash flows are as follows: (In thousands) Cash provided by (used in): Operating activities Investing activities Financing activities Effect of foreign exchange rate changes on cash and cash equivalents Operating Activities Years Ended December 31, 2022 2021 (5,786) 46,587 (7,308) (372) (2,745) (10,980) (10,394) (895) Cash used in operating activities is primarily comprised of net income (loss), as adjusted for non-cash items, and changes in operating assets and liabilities. Non-cash adjustments consist primarily of amortization and impairment of intangible assets, deferred taxes, depreciation of property and equipment, and stock-based compensation. We expect cash inflows from operating activities to be affected by increases or decreases in sales and timing of collections and payment of expenditures. Our primary uses of cash from operating activities have been for personnel costs. We expect cash outflows from operating activities to be affected by increases in personnel cost as we grow our business. For the year ended December 31, 2022, $5.8 million of cash was used in operating activities. This was primarily driven by severance payments, offset by changes in accounts receivable, inventories, accounts payable, and deferred revenue. For the year ended December 31, 2021, $2.7 million of cash was used in operating activities. Our working capital at December 31, 2022 was $86.7 million, a decrease of $11.3 million, or 12%, from $98.0 million at December 31, 2021. The decrease was due to a lower operating income driven by restructuring and other related charges as well as lower capital needs as we better manage the timing of cash collections and vendor payments. Investing Activities The changes in cash flows from investing activities primarily relate to timing of purchases, maturities and sales of investments, purchases of property and equipment, and activity in connection with acquisitions. We expect to continue to purchase property and equipment to support the continued growth of our business as well to continue to invest in our infrastructure and activity in connection with acquisitions. For the year ended December 31, 2022 cash of $46.6 million was provided by investing activities, compared to cash of $11.0 million used in investing activities during the year ended December 31, 2021. The cash provided for the year ended December 31, 2022 was primarily attributable to the proceeds received from the sale of our equity investment in Promon AS and the sale of certain of our short-term investments. Financing Activities The changes in cash flows from financing activities primarily relate to the purchases of common stock under our share repurchase program and tax payments for restricted stock issuances. 47 For the year ended December 31, 2022, net cash used in financing activities was $7.3 million, which consisted of $5.7 million of common stock repurchased and $1.6 million of tax payments for restricted stock issuances. For the year ended December 31, 2021, net cash used in financing activities was $10.4 million, which consisted of $7.5 million of common stock repurchased and $2.9 million of tax payments for restricted stock issuances. Off-Balance Sheet Arrangements The Company has no off-balance sheet arrangements. Contractual Obligations and Commitments We have purchase obligations of $24.6 million, including $5.3 million of inventory purchase obligations which are expected to be consummated in the next 12 months, $17.4 million of committed hosting arrangements which we expect will be used in the next one to two years, and $2.0 million for other software agreements related to the administration of our business which range from one to three years. We have operating lease obligations of $10.7 million which will expire in the next one to seven years. The operating lease obligations do not include common area maintenance charges or real estate taxes under our operating leases, for which the Company is also obligated. These charges are generally not fixed and can fluctuate from year to year. We have taxes payable of $4.5 million due within the next one to three years, which primarily represent deemed repatriation tax from 2017. The Company had $0.0 million and $0.5 million of unrecognized tax benefits as of December 31, 2022 and 2021, respectively. Critical Accounting Policies and Estimates Management’s Discussion and Analysis of Financial Condition and Results of Operations discusses our consolidated financial statements, which have been prepared in accordance with accounting principles generally accepted in the U.S. The preparation of these financial statements requires management to make estimates and assumptions that affect the reported amounts of assets and liabilities and the disclosure of contingent assets and liabilities at the date of the consolidated financial statements and the reported amounts of revenue and expenses during the reporting period. On an on-going basis, management evaluates its estimates and judgments, including those related to bad debts, net realizable value of inventory and intangible assets. Management bases its estimates and judgments on historical experience and on various other factors that are believed to be reasonable under the circumstances, the results of which form the basis for making judgments about the carrying values of assets and liabilities that are not readily apparent from other sources. Actual results may differ from these estimates under different assumptions or conditions. Management believes the following critical accounting policies affect significant judgments and estimates used in the preparation of its consolidated financial statements. Revenue Recognition We record revenue in accordance with ASC Topic 606 "Revenue from Contracts with Customers". We determine revenue recognition through the following steps: • • Identification of the contract, or contracts, with a customer; Identification of the performance obligations in the contract; • Determination of the transaction price; • Allocation of the transaction price to the performance obligations in the contract; and • Recognition of revenue when, or as, we satisfy a performance obligation. Revenues are recognized when control of the promised goods or services is transferred to our customers, in an amount that reflects the consideration we expect to be entitled to in exchange for those products or services, which excludes any sales incentives and amounts collected on behalf of third parties. Taxes assessed by a governmental authority that are both imposed on and concurrent with a specific revenue-producing transaction, that are collected by us from a 48 customer, are excluded from revenue. Shipping and handling costs associated with outbound freight before control over a product has transferred to a customer are accounted for as a fulfillment cost and are included in "Cost of goods sold". Nature of Goods and Services We derive our revenues primarily from product and license revenue, which includes hardware products and on-premises subscription revenue, and services and other, which is inclusive of cloud subscription revenue, maintenance and support, and professional services. Subscription: Subscription includes cloud and on-premises subscription revenue, previously referred to as “subscription” and “term-based software licenses”, respectively. We generate cloud subscription revenues from our Digital Agreements and Security Solutions cloud service offerings. Our standard customer arrangements do not provide the customer with the right to take possession of the software supporting the cloud-based application service at any time. As such, these arrangements are considered service contracts and revenue is recognized ratably over the service period of the contract. Customer payments are normally in advance for annual service. Revenue from the sale of on-premises subscription revenue is recorded upon delivery which is the latter of when the customer receives the ability to access the software or when they are legally allowed to use the software. No significant obligations or contingencies exist with regard to delivery, customer acceptance or rights of return at the time revenue is recognized. We offer term licenses for on-premises subscription revenue ranging from one to five years in length. For term licenses, payments are either on installment or in advance. In limited circumstances, we integrate third-party software solutions into our software products. We have determined that, consistent with our conclusion under prior revenue recognition rules, generally we act as the principal with respect to the satisfaction of the related performance obligation and record the corresponding revenue on a gross basis from these transactions. For transactions in which we do not act as the principal, we recognize revenue on a net basis. The fees owed to the third parties are recognized as a component of cost of goods sold when the revenue is recognized. Maintenance and support: Maintenance and support agreements generally call for us to provide software updates and technical support, respectively, to customers. The annual fee for maintenance and technical support is recognized ratably over the term of the maintenance and support agreement as this is the period the services are delivered. Customer payments are normally in advance for annual service. Professional Services and other Revenue: Professional services revenues are primarily comprised of implementing, automating and extending business processes, technology infrastructure, and software applications. Professional services revenues are recognized over time as services are rendered, usually over a period of time that is generally less than a few months. Most projects are performed on a time and materials basis while a portion of revenues is derived from projects performed on a fixed fee. For time and material contracts, revenues are generally recognized and invoiced by multiplying the number of hours expended in the performance of the contract by the contractual hourly rates. For fixed fee contracts, revenues are generally recognized using an input method based on the ratio of hours expended to total estimated hours to complete the services. Customer payments normally correspond with delivery. Professional services and other revenue includes perpetual licenses revenue which was less than 3% of revenue for the year ended December 31, 2022 and less than 6% for the year ended December 31, 2021. Perpetual licenses grant the customer unlimited access to the software. Hardware products: Revenue from the sale of security hardware is recorded upon shipment, which is the point at which control of the goods are transferred and the completion of the performance obligations, unless there are specific terms that would suggest control is transferred at a later date (e.g. delivery). No significant obligations or contingencies typically exist with regard to delivery, customer acceptance or rights of return at the time revenue is recognized. Customer invoices and subsequent payments normally correspond with delivery. The Company also enters into separate service agreements with certain hardware customers to perform distribution services. In these situations, revenue is recognized prior to physical delivery of a good (i.e. “bill-and-hold arrangements). The Company evaluates bill-and-hold arrangement, and records revenue accordingly when the following criteria is met: • The reason for the bill-and-hold arrangement is substantive; 49 • • The product is identified separately as belonging to the customer; The product currently is ready for physical transfer to the customer; and • OneSpan does not have the ability to use the product or to direct it to another customer. Multiple-Element Arrangements In our typical multiple-element arrangement, the primary deliverables include: 1. A client component (i.e. an item that is used by the person being authenticated in the form of either a new standalone hardware device or software that is downloaded onto a device that the customer already owns); 2. Server system software that is installed on the customer’s systems (i.e., software on the server system that verifies the identity of the person being authenticated) or licenses for additional users on the server system software if the server system software had been installed previously; and 3. Post contract support (PCS) in the form of maintenance on the server system software or support. Our multiple-element arrangements may also include other items that are usually delivered prior to the recognition of any revenue and are incidental to the overall transaction such as initialization of the hardware device, customization of the hardware device itself or the packaging in which it is delivered, deployment services where we deliver the device to our customer’s end-use customer or employee and, in some limited cases, professional services to assist with the initial implementation of a new customer. Significant Judgments We enter into contracts to deliver a combination of hardware devices, software licenses, subscriptions, maintenance and support and, in some situations, professional services. The Company evaluates the nature of the goods or services promised in these arrangements to identify the distinct performance obligations. Determining whether products and services are considered distinct performance obligations that should be accounted for separately versus together may require significant judgment depending on the terms and conditions of the respective customer arrangement. When a hardware client device and licenses to server software are sold in a contract, they are treated as a single performance obligation because the software license is deemed to be a component of the hardware that is integral to the functionality of the hardware that is used by our customers for identity authentication. When a software client device is sold in a contract server software, the licenses are considered a single performance obligation to deliver the authentication solution to the customer. In either of these types of arrangements, maintenance and support and professional services are typically distinct separate performance obligations from the hardware or software solutions. Our contracts to deliver subscription services typically do not include multiple performance obligations; however, in certain limited cases customers may purchase professional services that are distinct performance obligations. For contracts that contain multiple performance obligations, the transaction price is allocated to the separate performance obligations based on their estimated relative standalone selling price. Judgment is required to determine the stand-alone selling price (“SSP”) of each distinct performance obligation. We determine SSP for maintenance and support and professional services based on observable inputs; specifically, the range of prices charged to customers to renew annual maintenance and support contracts and the range of hourly rates we charge our customers in standalone professional services contracts. In instances where SSP is not directly observable, and when we sell at a highly variable price range, such as for transactions involving software licenses or subscriptions, we determine the SSP for those performance obligations using the residual approach. Credit Losses In accordance with Accounting Standards Update (ASU) No. 2016-13, the Company evaluates its allowance based on expected losses rather than incurred losses, which is known as the current expected credit loss (CECL) model. The allowance is determined using the loss rate approach and is measured on a collective (pool) basis when similar risk characteristics exist. Where financial instruments do not share risk characteristics, they are evaluated on an individual 50 basis. The allowance is based on relevant available information, from internal and external sources, relating to past events, current conditions, and reasonable and supportable forecasts. Income Taxes As a global company, we calculate and provide for income taxes in each tax jurisdiction in which we operate. The provision for income taxes includes the amounts payable or refundable for the current year, the effect of deferred taxes and impacts from uncertain tax positions. Our provision for income taxes is significantly affected by shifts in the geographic mix of our pre-tax earnings across tax jurisdictions, changes in tax laws and regulations, and tax planning opportunities available in each tax jurisdiction. Deferred tax assets and liabilities are recognized for the expected future tax consequences of temporary differences between the financial statement and tax bases of our assets and liabilities and for operating losses and tax credit carryforwards. Deferred tax assets and liabilities are measured using enacted tax rates that will apply to taxable income in the years in which those differences are expected to be recovered or settled. Valuation allowances are established for deferred tax assets when it is more likely than not that a tax benefit will not be realized. We recognize the effect of a change in tax rates on deferred tax assets and liabilities and in income in the period that includes the enactment date. We recognize tax benefits for tax positions that are more likely than not to be sustained upon examination by tax authorities. The amount recognized is measured as the largest amount of benefit that is greater than 50 percent likely to be realized upon ultimate settlement. Unrecognized tax benefits are tax benefits claimed in our income tax returns that do not meet these recognition and measurement standards. Assumptions, judgments, and the use of estimates are required in determining whether the “more-likely-than-not” standard has been met when developing the provision for income taxes. We recognize the tax impact of including certain foreign earnings in U.S. taxable income as a period cost. We have recognized deferred income taxes for local country income and withholding taxes that could be incurred on distributions of non-U.S. earnings because we do not plan to indefinitely reinvest such earnings. We monitor for changes in tax laws and reflect the impacts of tax law changes in the period of enactment. Recently Issued Accounting Pronouncements For information regarding our new accounting pronouncements, see Note 2, Summary of Significant Accounting Policies, in the notes to consolidated financial statements included in Part IV, Item 15, Exhibits and Financial Statements Schedules. Item 7A - Quantitative and Qualitative Disclosures about Market Risk (In thousands) Foreign Currency Exchange Risk – In 2022, approximately 83% of our business was conducted outside the United States, primarily in Europe, Latin America and Asia Pacific. A significant portion of our business operations is transacted in foreign currencies. As a result, we have exposure to foreign exchange fluctuations. We are affected by both foreign currency translation and transaction adjustments. Translation adjustments result from the conversion of the foreign subsidiaries’ balance sheets and income statements to U.S. Dollars at year-end exchange rates and weighted average exchange rates, respectively. Translation adjustments resulting from this process are recorded directly into stockholders’ equity. Transaction adjustments result from currency exchange movements when one of our companies transacts business in a currency that differs from its local currency. These adjustments are recorded as gains or losses in our consolidated statements of operations. Our business transactions are spread across numerous countries and currencies. As noted in Management’s Discussion and Analysis above, we attempt to minimize the net impact of currency on operating earnings by denominating an amount of billings in a currency such that it would provide a hedge against the operating expenses being incurred in that currency. Interest Rate Risk – We have minimal interest rate risk. We had no debt outstanding at December 31, 2022. Our cash, cash equivalents, and short- term investments are invested in short-term instruments at current market rates. If rates were to increase or decrease by one percentage point, our interest income would increase or decrease by less than $0.1 million annually. 51 Item 8 - Financial Statements and Supplementary Data The information in response to this item is included in our consolidated financial statements, together with the report thereon of KPMG LLP, in Item 15, Exhibits and Financial Statement Schedules, and in Item 7, Management’s Discussion and Analysis of Financial Condition and Results of Operations. Item 9 - Changes in and Disagreements with Accountants on Accounting and Financial Disclosure None. Item 9A - Controls and Procedures Evaluation of Disclosure Controls and Procedures Our management, with the participation of our Chief Executive Officer (our principal executive officer) and Chief Financial Officer (our principal financial officer), has evaluated the effectiveness of our disclosure controls and procedures (as defined in Rules 13a-15(e) and 15d-15(e) under Exchange Act as of December 31, 2022. Based upon that evaluation, our Chief Executive Officer and Chief Financial Officer have concluded that our disclosure controls and procedures were effective as of December 31, 2022, to provide reasonable assurance that the information required to be disclosed by us in reports filed under the Exchange Act, is recorded, processed, summarized and reported within the time period specified in the rules and forms of the SEC, and is accumulated and communicated to management, including our principal executive officer and principal financial officer, as appropriate, to allow timely decisions regarding required disclosure. Management’s Annual Report on Internal Control over Financial Reporting The management of OneSpan Inc. is responsible for establishing and maintaining adequate internal control over financial reporting (as defined in Rule 13a-15(f) and 15d-15(f) promulgated under the Exchange Act ). Management, led by our Chief Executive Officer and Chief Financial Officer, assessed the effectiveness of our internal control over financial reporting based upon the criteria set forth in the Internal Control Integrated Framework issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) in Internal Control—Integrated Framework (2013). Management has concluded that its internal control over financial reporting was effective as of December 31, 2022 to provide reasonable assurance regarding the reliability of our financial reporting and the preparation of financial statements in accordance with U.S. GAAP. KPMG LLP, an independent registered public accounting firm, has audited the effectiveness of our internal control over financial reporting as of December 31, 2022, included on page F-2 of this Annual Report on Form 10-K. Changes in Internal Control over Financial Reporting There were no changes in our internal control over financial reporting (as that term is defined in Rule 13a-15(f) and 15d-15(f) under the Exchange Act) during the quarter ended December 31, 2022, that have materially affected, or are reasonably likely to materially affect, our internal control over financial reporting Limitations on the Effectiveness of Controls Management believes that our disclosure controls and procedures and internal control over financial reporting are designed to provide reasonable assurance of achieving their objectives and are effective at the reasonable assurance level. However, our management does not expect that our disclosure controls and procedures or our internal control over financial reporting will prevent all errors and all fraud. A control system, no matter how well designed and operated, can provide only reasonable, not absolute, assurance that the objectives of the control system are met. Because of the inherent limitations in all control systems, no evaluation of controls can provide absolute assurance that all control issues and instances of fraud, if any, have been detected. Additionally, controls can be circumvented by the individual acts of some persons, by collusion of two or more people or by management override of the controls. Also, projections of any evaluation of effectiveness to future periods are subject to the risk that controls may become inadequate because of changes in conditions, or that the degree of compliance with the policies and procedures may deteriorate. 52 Item 9B - Other Information On February 23, 2022, the Compensation Committee of our Board of Directors (the “Compensation Committee”) adopted the 2023 Management Incentive Plan (the “2023 MIP”), a cash-based incentive compensation plan pursuant to which eligible employees of OneSpan Inc. and its subsidiaries, including named executive officers, are eligible for an annual bonus. Participants in the 2023 MIP are eligible to receive a cash bonus (“Bonus”) based upon a combination of (1) our achievement against targets for designated performance metrics (“Company Performance Factors”) and (2) their individual performance (the “Individual Performance Factor”). The Company Performance Factors are weighted to account for a total of 90% of the potential Bonus amount and the Individual Performance Factor is weighted to account for 10% of the potential Bonus amount. The weighted Company Performance Factors and Individual Performance Factor are added together to create a Combined Performance Factor, which is used to calculate the amount of the Bonus. The two Company Performance Factors are Revenue and Adjusted EBITDA. “Revenue” refers to our publicly reported revenue, and Adjusted EBITDA is defined in Item 7, Management’s Discussion and Analysis of Financial Condition and Results of Operations. The Revenue factor is weighted at 70% and the Adjusted EBITDA factor is weighted at 20% (for a total Company Performance Factor weighting of 90%). Different levels of achievement against the Revenue and Adjusted EBITDA targets will correspond to different Bonus payout levels, as follows: • Revenue: The Company must achieve a minimum of 97.9% of the Revenue target in order for the Revenue factor to contribute to the Bonus payout calculation. For the Revenue factor, a 97.9% achievement level would correspond to the minimum payout level of 50%; a 100% achievement level would correspond to the target payout level of 100%; and a 105.3% or greater achievement level would correspond to the maximum payout level of 150%. • Adjusted EBITDA: The Company must achieve a minimum of 66.7% of the Adjusted EBITDA target in order for the Adjusted EBITDA factor to contribute to the Bonus payout calculation. For the Adjusted EBITDA factor, a 66.7% achievement level would correspond to the minimum payout level of 50%; a 100% achievement level would correspond to the target payout level of 100%; and a 133.3% or greater achievement level would correspond to the maximum payout level of 125%. For achievement levels that fall between the maximum, target, and minimum Revenue and Adjusted EBITDA achievement levels, the corresponding payout levels will be calculated using linear interpolation. 10% of the potential Bonus amount is calculated based on a participant’s performance against individual performance objectives set by their manager. Performance that meets expectations will correspond to a 100% payout level for the Individual Performance Factor, and performance that is below or above expectations will be adjusted accordingly. In addition to the Company Performance Factors and the Individual Performance Factor, the potential Bonus under the 2023 MIP depends on a participant’s eligible target Bonus amount, which may be expressed either as a fixed dollar amount or as a percentage of the participant's base salary. Achievement against the Company Performance Factors is based on the Company's 2023 financial performance and is subject to approval by the Board of Directors or the Compensation Committee. The Board of Directors or the Compensation Committee may make adjustments to the targets for the Company Performance Factors to address the impact of any mergers, acquisitions or other unexpected activities, developments, trends or events. In addition, achievement of the targets for the Company Performance Factors may, in the Board of Directors' or Compensation Committee’s discretion, include or exclude the impact of any of the following events that occur during 2023: any reorganization or restructuring transactions; extraordinary nonrecurring items; and significant acquisitions or divestitures. OneSpan reserves the right to unilaterally alter or discontinue the 2023 MIP at its complete discretion, unless specifically prohibited under local law. The foregoing summary of the terms of the 2023 MIP is qualified in its entirety by reference to the 2023 MIP, which the Company expects to file as an exhibit to its Quarterly Report on Form 10-Q for the quarter ending March 31, 2023. 53 Also on February 23, 2022, the Compensation Committee approved, and on February 27, 2022 OneSpan entered into, the following two amendments to agreements with our CEO, Matthew Moynahan: Amendment and Restatement of 2022 PSU Agreement. The original 2022 performance-based restricted stock unit (PSU) agreement between Mr. Moynahan and the Company dated June 23, 2022 provided that one-third of the PSUs granted under the agreement would be earned and vest based on the Company’s performance against 2022 targets for Subscription and Term Revenue and Adjusted EBITDA; one-third would be earned and vest based on performance metrics to be established by the Compensation Committee for 2023; and one-third would be earned and vest based on performance metrics to be established by the Compensation Committee for 2024. The amendment and restatement of the 2022 PSU Agreement (the “Amended PSU Agreement”) provides that the PSUs granted under the Amended PSU Agreement are earned based entirely on the Company’s performance against 2022 targets for Subscription and Term Revenue and Adjusted EBITDA, and once earned, vest as to one-third of the earned shares on December 31 of each of 2022, 2023, and 2024, provided that Mr. Moynahan is still employed with the Company as of the applicable vesting date. In the event Mr. Moynahan is terminated without cause or resigns his employment within 18 months following a change in control of the Company, all earned shares will vest in full. The definitions of the terms “cause”, “good reason”, and “change in control” are set forth in the Amended PSU Agreement. The purpose of the Amended PSU Agreement was to effectuate the Compensation Committee’s original intent with respect to this 2022 grant to Mr. Moynahan, which was to incentivize and reward 2022 performance. Amendment and Restatement of Employment Agreement. This amendment and restatement (the “Amended Employment Agreement”) of Mr. Moynahan’s employment agreement with the Company dated November 29, 2021 makes a variety of changes to the original agreement in order to conform Mr. Moynahan’s agreement to certain of the Company’s practices for more recently hired executives, including: providing that Mr. Moynahan will receive the severance pay specified in the agreement if he is terminated without cause or resigns for good reason within 18 months (rather than 12 months) following a change in control of the Company; providing that in the event he is terminated without cause or leaves for good reason (whether or not in connection with a change in control), the Company will pay his full COBRA premiums rather than the employer portion only; requiring Mr. Moynahan to execute the Company’s standard executive non-disclosure and invention assignment agreement and standard non-competition and non-solicitation agreement for Massachusetts-based executives, the latter of which contemplates a one-year non-compete and non-solicit period; clarifying certain timing requirements and logistics in the event of Mr. Moynahan’s resignation for good reason; clarifying separation and release requirements in the event of a separation from the Company; and making certain other administrative, clarifying and conforming changes. The definitions of the terms “cause”, “good reason”, and “change in control” are set forth in the Amended Employment Agreement. The Amended Employment Agreement also increases Mr. Moynahan's base salary to $600,000 per year, effective in the next reasonably practicable pay period following the effective date of the Amended Employment Agreement. The foregoing summaries of the terms of the Amended PSU Agreement and the Amended Employment Agreement are qualified in their entirety by reference to the full respective agreements, which the Company expects to file as exhibits to its Quarterly Report on Form 10-Q for the quarter ending March 31, 2023. Item 9C - Disclosure Regarding Foreign Jurisdictions that Prevent Inspection Not applicable. Item 10 - Directors, Executive Officers and Corporate Governance PART III All information in response to this Item, other than the required information on executive officers, is incorporated by reference to the “Information regarding our Board of Directors” and “Delinquent Section 16(a) Reports” sections of OneSpan’s Proxy Statement to be filed with the SEC for the 2023 Annual Meeting of Stockholders. The required information on executive officers is set forth in Part I of this Form 10-K under "Information about our Executive Officers." Item 11 - Executive Compensation The information in response to this Item is incorporated by reference to the “Executive Compensation” and "Director Compensation" sections of OneSpan’s Proxy Statement (except for the section titled "Executive Compensation - Pay versus Performance) to be filed with the SEC for the 2023 Annual Meeting of Stockholders. 54 Item 12 - Security Ownership of Certain Beneficial Owners and Management and Related Stockholder Matters The information in response to this Item is incorporated by reference to the “Security Ownership of Certain Beneficial Owners, Directors and Management” section of OneSpan’s Proxy Statement to be filed with the SEC for the 2023 Annual Meeting of Stockholders. Item 13 - Certain Relationships and Related Transactions, and Director Independence The information in response to this Item is incorporated by reference to the “Directors and Executive Officers” and “Transactions with Related Persons” sections of OneSpan’s Proxy Statement to be filed with the SEC for the 2023 Annual Meeting of Stockholders. Item 14 - Principal Accounting Fees and Services The information in response to this Item is incorporated by reference to the “Fees Paid to Independent Registered Public Accounting Firm for 2022 and 2021” section of OneSpan’s Proxy Statement to be filed with the SEC for the 2023 Annual Meeting of Stockholders. Item 15 - Exhibits and Financial Statement Schedules (a) The following documents are filed as part of this Annual Report on Form 10-K. PART IV (1) The following consolidated financial statements and notes thereto, and the related independent auditors’ report, are included on pages F-1 through F-39 of this Annual Report on Form 10-K: Report of Independent Registered Public Accounting Firm Consolidated Balance Sheets as of December 31, 2022 and 2021 Consolidated Statements of Operations for the Years Ended December 31, 2022, 2021 and 2020 Consolidated Statements of Comprehensive Income (Loss) for the Years Ended December 31, 2022, 2021 and 2020 Consolidated Statements of Stockholders’ Equity for the Years Ended December 31, 2022, 2021 and 2020 Consolidated Statements of Cash Flows for the Years Ended December 31, 2022, 2021 and 2020 Notes to Consolidated Financial Statements (2) The following consolidated financial statement schedule of the Company is included on page F-40 of this Form 10-K: Schedule II – Valuation and Qualifying Accounts All other financial statement schedules are omitted because such schedules are not required or the information required has been presented in the aforementioned consolidated financial statements. (3) The following exhibits are filed with this Annual Report on Form 10-K or incorporated by reference as set forth at the end of the list of exhibits: 55 Exhibit Number 2.1 2.2 3.1 3.2 4.1 10.1 10.2* 10.3* 10.4* 10.6* 10.7* 10.8* 10.10* 10.11* Description Agreement for the Sale and Purchase of the Entire Issued Capital of Cronto Limited dated May 20, 2013. (Incorporated by Reference to the Registrant's Form 8-K filed May 23, 2013) Arrangement Agreement, dated October 6, 2015, among VASCO Data Security International, Inc., 685102 N.B. Inc., Silanis Technology Inc., Silanis International Limited, Silanis Canada Inc., and Silanis Agent Inc. (Incorporated by Reference to the Registrant's Form 8-K filed October 13, 2015) Certificate of Incorporation of the Registrant, as amended (Incorporated by Reference to the Registrant’s Form 10-Q filed August 4, 2022) Amended and Restated Bylaws of Registrant, effective as of January 30, 2023. (Incorporated by Reference to the Registrant’s Form 8-K filed on February 1, 2023) Specimen of Registrant’s Common Stock Certificate. (Incorporated by Reference to the Registrant’s Registration Statement on Form S- 4, as amended (Registration No. 333-35563), originally filed on September 12, 1997.) Form of Director and Officer Indemnification Agreement Employment Agreement between the Registrant and Jorge Martell (Incorporated by Reference to the Registrant’s Form 10-Q filed November 1, 2022) Employment Agreement between the Registrant and Lara Mataac 2022 Management Incentive Plan of the Registrant (Incorporated by Reference to the Registrant’s Form 10-Q filed August 4, 2022) OneSpan Inc. 2019 Omnibus Incentive Plan (Incorporated by Reference to Attachment A to the Registrant’s Definitive Proxy Statement filed with the Securities and Exchange Commission on April 26, 2019) One-Time Special Grant Award Agreement dated November 29, 2021 for Time-Based Restricted Stock Units between the Registrant and Matthew Moynahan under the Registrant’s 2019 Omnibus Incentive Plan One-Time Special Grant Award Agreement dated November 29, 2021 for Performance-Based Restricted Stock Units between the Registrant and Matthew Moynahan under the Registrant’s 2019 Omnibus Incentive Plan Time-Based RSU Agreement dated February 17, 2022 between the Registrant and Matthew Moynahan (Incorporated by Reference to the Registrant's Form 10-Q filed November 1, 2022) Form of Performance-Based RSU Agreement under the Registrant’s 2019 Omnibus Incentive Plan (Incorporated by Reference to the Registrant's Form 10-Q filed November 1, 2022) 56 Exhibit Number 10.12* 10.13* 10.14 21 23 31.1 31.2 32.1 32.2 Form of Time-Based RSU Agreement (Executive) under the Registrant’s 2019 Omnibus Incentive Plan (Incorporated by Reference to the Registrant's Form 10-Q filed November 1, 2022) Description Form of Time-Based RSU Agreement (General) under the Registrant’s 2019 Omnibus Incentive Plan (Incorporated by Reference to the Registrant's Form 10-Q filed November 1, 2022) Cooperation Agreement dated May 28, 2021, by and among the Registrant, Legion Partners, Christopher S. Kiper and Raymond T. White (Incorporated by Reference to the Registrant's Form 8-K filed May 28, 2021) Subsidiaries of Registrant Consent of KPMG LLP Rule 13a-14(a)/15d-14(a) Certification of Principal Executive Officer pursuant to Section 302 of the Sarbanes-Oxley Act of 2002, dated February 28, 2023 Rule 13a-14(a)/15d-14(a) Certification of Principal Financial Officer pursuant to Section 302 of the Sarbanes-Oxley Act of 2002, dated February 28, 2023 Section 1350 Certification of Principal Executive Officer pursuant to Section 906 of the Sarbanes-Oxley Act of 2002, dated February 28, 2023 Section 1350 Certification of Principal Financial Officer pursuant to Section 906 of the Sarbanes-Oxley Act of 2002, dated February 28, 2023 101.INS XBRL Instance Document – the instance document does not appear in the Interactive Data File because its XBRL tags are embedded within the Inline XBRL document 101.SCH XBRL Taxonomy Extension Schema Document 101.CAL XBRL Taxonomy Extension Calculation Linkbase Document 101.LAB XBRL Taxonomy Extension Label Linkbase Document 101.PRE XBRL Taxonomy Extension Presentation Linkbase Document 101.DEF XBRL Taxonomy Extension Definition Linkbase Document 104 The cover page interactive data file does not appear in the Interactive Data File because its XBRL tags are embedded within the Inline XBRL document ___________________________ * Compensatory plan or management contract. OneSpan Inc. will furnish any of the above exhibits to stockholders upon written request addressed to the Secretary at the address given on the cover page of this Form 10-K. 57 OneSpan Inc. INDEX TO FINANCIAL STATEMENTS AND SCHEDULE Financial Statements Report of Independent Registered Public Accounting Firm Consolidated Balance Sheets as of December 31, 2022 and 2021 Consolidated Statements of Operations for the Years Ended December 31, 2022, 2021 and 2020 Consolidated Statements of Comprehensive Income (Loss) for the Years Ended December 31, 2022, 2021 and 2020 Consolidated Statements of Stockholders’ Equity for the Years Ended December 31, 2022, 2021 and 2020 Consolidated Statements of Cash Flows for the Years Ended December 31, 2022, 2021 and 2020 Notes to Consolidated Financial Statements Financial Statement Schedule The following consolidated financial statement schedule is included herein: Schedule II – Valuation and Qualifying Accounts F-2 F-4 F-5 F-6 F-7 F-8 F-9 F-40 All other financial statement schedules are omitted because they are not applicable or the required information is shown in the consolidated financial statements or notes thereto. F-1 Report of Independent Registered Public Accounting Firm To the Stockholders and Board of Directors OneSpan Inc.: Opinions on the Consolidated Financial Statements and Internal Control Over Financial Reporting We have audited the accompanying consolidated balance sheets of OneSpan Inc. and subsidiaries (the Company) as of December 31, 2022 and 2021, the related consolidated statements of operations, comprehensive income (loss), stockholders’ equity, and cash flows for each of the years in the three-year period ended December 31, 2022, and the related notes and financial statement schedule II (collectively, the consolidated financial statements). We also have audited the Company’s internal control over financial reporting as of December 31, 2022, based on criteria established in Internal Control – Integrated Framework (2013) issued by the Committee of Sponsoring Organizations of the Treadway Commission. In our opinion, the consolidated financial statements referred to above present fairly, in all material respects, the financial position of the Company as of December 31, 2022 and 2021, and the results of its operations and its cash flows for each of the years in the three-year period ended December 31, 2022, in conformity with U.S. generally accepted accounting principles. Also in our opinion, the Company maintained, in all material respects, effective internal control over financial reporting as of December 31, 2022 based on criteria established in Internal Control – Integrated Framework (2013) issued by the Committee of Sponsoring Organizations of the Treadway Commission. Basis for Opinions The Company’s management is responsible for these consolidated financial statements, for maintaining effective internal control over financial reporting, and for its assessment of the effectiveness of internal control over financial reporting, included in the accompanying Annual Report on Internal Control over Financial Reporting. Our responsibility is to express an opinion on the Company’s consolidated financial statements and an opinion on the Company’s internal control over financial reporting based on our audits. We are a public accounting firm registered with the Public Company Accounting Oversight Board (United States) (PCAOB) and are required to be independent with respect to the Company in accordance with the U.S. federal securities laws and the applicable rules and regulations of the Securities and Exchange Commission and the PCAOB. We conducted our audits in accordance with the standards of the PCAOB. Those standards require that we plan and perform the audits to obtain reasonable assurance about whether the consolidated financial statements are free of material misstatement, whether due to error or fraud, and whether effective internal control over financial reporting was maintained in all material respects. Our audit of the consolidated financial statements included performing procedures to assess the risks of material misstatement of the consolidated financial statements, whether due to error or fraud, and performing procedures that respond to those risks. Such procedures included examining, on a test basis, evidence regarding the amounts and disclosures in the consolidated financial statements. Our audit also included evaluating the accounting principles used and significant estimates made by management, as well as evaluating the overall presentation of the consolidated financial statements. Our audit of internal control over financial reporting included obtaining an understanding of internal control over financial reporting, assessing the risk that a material weakness exists, and testing and evaluating the design and operating effectiveness of internal control based on the assessed risk. Our audits also included performing such other procedures as we considered necessary in the circumstances. We believe that our audits provide a reasonable basis for our opinions. Definition and Limitations of Internal Control Over Financial Reporting A company’s internal control over financial reporting is a process designed to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles. A company’s internal control over financial reporting includes those policies and procedures that (1) pertain to the maintenance of records that, in reasonable detail, accurately and fairly reflect the transactions and dispositions of the assets of the company; (2) provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with generally accepted accounting principles, and that receipts and expenditures of the company are being made only in accordance with authorizations of management and F-2 directors of the company; and (3) provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use, or disposition of the company’s assets that could have a material effect on the financial statements. Because of its inherent limitations, internal control over financial reporting may not prevent or detect misstatements. Also, projections of any evaluation of effectiveness to future periods are subject to the risk that controls may become inadequate because of changes in conditions, or that the degree of compliance with the policies or procedures may deteriorate. Critical Audit Matter The critical audit matter communicated below is a matter arising from the current period audit of the consolidated financial statements that was communicated or required to be communicated to the audit committee and that: (1) relates to accounts or disclosures that are material to the consolidated financial statements and (2) involved our especially challenging, subjective, or complex judgments. The communication of a critical audit matter does not alter in any way our opinion on the consolidated financial statements, taken as a whole, and we are not, by communicating the critical audit matter below, providing a separate opinion on the critical audit matter or on the accounts or disclosures to which it relates. Identification of performance obligations in contracts containing software licenses with unique terms and conditions As discussed in Notes 2 and 5 to the consolidated financial statements, the Company enters into contracts to deliver a combination of hardware devices, software licenses, subscriptions, maintenance and support and, in some situations, professional services. The Company evaluates the nature of the goods and services promised in these arrangements to identify the distinct performance obligations. The Company recognized total revenue of $219 million, a portion of which related to contracts containing software licenses, for the year ended December 31, 2022. We identified the evaluation of the Company’s identification of performance obligations in contracts containing software licenses with unique terms and conditions as a critical audit matter. Specifically, complex auditor judgment was required to evaluate the Company's identification of performance obligations in such contracts, including for contracts with new customers or contracts that were amended with existing customers. The following are the primary procedures we performed to address this critical audit matter. We evaluated the design and tested the operating effectiveness of certain internal controls related to the Company’s revenue recognition process. This included controls related to the identification of performance obligations and evaluation of unique terms and conditions present in individual contracts. We tested a selection of contracts, including contracts with new customers and contracts that were amended with existing customers, by obtaining and reading the underlying contract and accounting analysis to evaluate the Company’s identification of performance obligations. Specifically, we evaluated the completeness and accuracy of the Company’s identification of terms and conditions that were unique to the selected contracts and the Company’s determination of the impact of those terms and conditions on revenue recognition. We have served as the Company’s auditor since 1996. Chicago, Illinois February 28, 2023 /s/ KPMG LLP F-3 OneSpan Inc. CONSOLIDATED BALANCE SHEETS (In thousands, except per share data) ASSETS Current assets Cash and cash equivalents Short-term investments Accounts receivable, net of allowances of $1,600 in 2022 and $1,419 in 2021 Inventories, net Prepaid expenses Contract assets Other current assets Total current assets Property and equipment, net Operating lease right-of-use assets Goodwill Intangible assets, net of accumulated amortization Deferred income taxes Other assets Total assets LIABILITIES AND STOCKHOLDERS' EQUITY Current liabilities Accounts payable Deferred revenue Accrued wages and payroll taxes Short-term income taxes payable Other accrued expenses Deferred compensation Total current liabilities Long-term deferred revenue Long-term lease liabilities Other long-term liabilities Long-term income taxes payable Deferred income taxes Total liabilities Stockholders' equity Preferred stock: 500 shares authorized, none issued and outstanding at December 31, 2022 and 2021 Common stock: $.001 par value per share, 75,000 shares authorized; 40,764 and 40,593 shares issued; 39,726 and 40,001 shares outstanding at December 31, 2022 and 2021, respectively Additional paid-in capital Treasury stock, at cost, 1,038 and 592 shares outstanding at December 31, 2022 and 2021, respectively Retained earnings Accumulated other comprehensive loss Total stockholders' equity Total liabilities and stockholders' equity See accompanying notes to consolidated financial statements. F-4 December 31, 2022 2021 $ 96,501 $ 2,328 65,132 12,054 6,222 4,520 10,783 197,540 12,681 8,022 90,514 12,482 1,901 11,942 63,380 35,108 56,612 10,345 7,594 4,694 9,356 187,089 10,757 9,197 96,174 21,270 3,786 13,998 $ $ 335,082 $ 342,271 17,357 $ 64,637 18,345 2,438 7,664 373 110,814 6,269 8,442 2,484 2,565 1,197 8,204 54,617 16,607 1,103 7,668 877 89,076 9,125 10,180 7,770 5,054 1,286 131,771 122,491 — 40 107,305 (18,222) 128,738 (14,550) 203,311 $ 335,082 $ — 40 100,250 (12,501) 143,173 (11,182) 219,780 342,271 OneSpan Inc. CONSOLIDATED STATEMENTS OF OPERATIONS (in thousands, except per share data) Revenue Product and license Services and other Total revenue Cost of goods sold Product and license Services and other Total cost of goods sold Gross profit Operating costs Sales and marketing Research and development General and administrative Impairment of intangible assets Restructuring and other related charges Amortization of intangible assets Total operating costs Operating loss Interest income (expense), net Other income (expense), net Loss before income taxes Provision for income taxes Net loss Net loss per share Basic Diluted Weighted average common shares outstanding Basic Diluted Years Ended December 31, 2022 2021 2020 $ 121,426 $ 120,358 $ 97,580 219,006 94,123 214,481 45,106 25,330 70,436 46,196 25,350 71,546 132,986 82,705 215,691 46,013 21,619 67,632 148,570 142,935 148,059 60,949 41,735 55,552 3,828 9,482 4,139 175,685 62,730 47,414 53,031 — — 5,888 169,063 56,663 41,194 46,338 — — 9,122 153,317 (27,115) (26,128) (5,258) 595 14,827 (11,693) 2,741 (1) (14) (26,143) 4,441 404 1,434 (3,420) 2,035 (14,434) $ (30,584) $ (5,455) (0.36) $ (0.36) $ (0.77) $ (0.77) $ 40,143 40,143 39,614 39,614 (0.14) (0.14) 40,035 40,035 $ $ $ See accompanying notes to consolidated financial statements. F-5 OneSpan Inc. CONSOLIDATED STATEMENTS OF COMPREHENSIVE INCOME (LOSS) (In thousands) Net loss Other comprehensive loss Cumulative translation adjustment, net of tax Pension adjustment, net of tax Unrealized losses on available-for-sale securities Comprehensive loss Years Ended December 31, 2022 2021 2020 (14,434) $ (30,584) $ (5,455) (7,245) 3,859 18 (2,997) 2,056 (21) (17,802) $ (31,546) $ 4,534 (1,459) — (2,380) $ $ See accompanying notes to consolidated financial statements. F-6 OneSpan Inc. CONSOLIDATED STATEMENTS OF STOCKHOLDERS’ EQUITY (In thousands) Description Common Stock Treasury - Common Stock Shares Amount Shares Amount Additional Paid-In Capital Retained Earnings Accumulated Other Comprehensive Income (Loss) Total Stockholders Equity Balance at December 31, 2019 40,207 $ Cumulative effect of change related to adoption of ASU 2016-13, net of tax Net income (loss) Foreign currency translation adjustment, net of tax Stock-based compensation Tax payments for stock issuances Pension adjustment, net of tax Repurchase of common shares Balance at December 31, 2020 Net income (loss) Foreign currency translation adjustment, net of tax Stock-based compensation Tax payments for stock issuances Pension adjustment, net of tax Repurchase of common shares Unrealized gain (loss) on available-for-sale securities Balance at December 31, 2021 Net income (loss) Foreign currency translation adjustment, net of tax Stock-based compensation Tax payments for stock issuances Share repurchase Pension adjustment, net of tax Unrealized gain (loss) on available-for-sale securities — — — 242 (96) — (250) 40,103 $ — — 385 (145) — (342) — 40,001 $ — — 263 (92) (446) — — Balance at December 31, 2022 39,726 $ 40 — — — — — — — 40 — — — — — — — 40 — — — — — — — 40 — $ — $ 96,109 $ 179,440 $ (13,295) $ 262,294 — — — — — — — — — — — — 250 (5,030) — — — 4,740 (2,030) — — (254) (5,455) — — — — — — — 4,534 — — (1,459) — (254) (5,455) 4,534 4,740 (2,030) (1,459) (5,030) 250 $ (5,030) $ 98,819 $ 173,731 $ (10,220) $ 257,340 — — — — — — — — — — 342 (7,471) — — — — 4,354 (2,923) — — — (30,584) — (30,584) 26 — — — — — (2,997) — 2,056 — (2,971) 4,354 (2,923) 2,056 (7,471) (21) (21) 592 $ (12,501) $ 100,250 $ 143,173 $ (11,182) $ 219,780 — — — — 446 — — — — — — (5,721) — — — — 8,642 (1,587) — — — (14,434) — (14,434) (1) — — — — — (7,245) — — 3,859 (7,246) 8,642 (1,587) (5,721) 3,859 18 18 1,038 $ (18,222) $ 107,305 $ 128,738 $ (14,550) $ 203,311 See accompanying notes to consolidated financial statements. F-7 OneSpan Inc. CONSOLIDATED STATEMENTS OF CASH FLOWS (In thousands) Cash flows from operating activities: Net loss from operations Adjustments to reconcile net loss from operations to net cash provided by (used in) operations: Years Ended December 31, 2022 2021 2020 $ (14,434) $ (30,584) $ (5,455) Depreciation and amortization of intangible assets Impairment of intangible assets Gains on sale of equity-method investment Deferred tax benefit Stock-based compensation Allowance for doubtful accounts Changes in operating assets and liabilities: Accounts receivable Inventories, net Contract assets Accounts payable Income taxes payable Accrued expenses Deferred compensation Deferred revenue Other assets and liabilities Net cash (used in) provided by operating activities Cash flows from investing activities: Purchase of short-term investments Maturities of short-term investments Additions to property and equipment Additions to intangible assets Sale of equity-method investment Net cash provided by (used in) investing activities Cash flows from financing activities: Repurchase of common stock Tax payments for restricted stock issuances Net cash used in financing activities Effect of exchange rate changes on cash Net increase (decrease) in cash Cash, cash equivalents, and restricted cash, beginning of period Cash, cash equivalents, and restricted cash, end of period (1) Supplemental cash flow disclosures: Cash paid for income taxes Cash paid for interest 7,066 3,828 (14,810) 1,637 8,642 184 (9,705) (2,168) 52 9,261 (1,140) 2,197 (504) 8,173 (4,065) (5,786) (15,812) 48,550 (4,996) (29) 18,874 46,587 (5,721) (1,587) (7,308) (372) 33,121 64,227 8,926 — — 2,823 4,354 (2,705) 2,047 2,209 3,787 2,716 (2,525) 3,089 (725) 9,713 (5,870) (2,745) (59,925) 51,149 (2,169) (35) — (10,980) (7,471) (2,923) (10,394) (895) (25,014) 89,241 $ $ $ 97,348 $ 64,227 $ 2,025 $ — $ 7,700 $ — $ 12,003 — — (1,487) 4,740 1,611 5,181 6,725 (191) (5,237) (5,642) (3,124) 574 8,342 (3,118) 14,922 (34,060) 32,630 (3,101) (133) — (4,664) (5,030) (2,030) (7,060) 914 4,112 85,129 89,241 9,442 — (1) End of period cash, cash equivalents, and restricted cash includes $0.8 million, $0.8 million and $0.9 million of restricted cash at December 31, 2022, 2021, and 2020, respectively. See accompanying notes to consolidated financial statements. F-8 OneSpan Inc. NOTES TO CONSOLIDATED FINANCIAL STATEMENTS Unless otherwise noted, references in this Annual Report on Form 10-K to “OneSpan” and “Company” refer to OneSpan Inc. and its subsidiaries. Note 1 – Description of the Company and Basis of Presentation Description of the Company OneSpan helps organizations accelerate digital transformations by enabling secure, compliant, and easy customer agreements and transaction experiences. The Company is a global leader in providing high-assurance identity and authentication security as well as enterprise-grade electronic signature (e-signature) solutions for use cases ranging from simple transactions to workflows that are complex or require higher levels of security. The Company’s solutions help its clients ensure the integrity of the people and records associated with digital agreements, transactions, and interactions in industries including banking, financial services, healthcare, and professional services. The Company offers a portfolio of products and services across identity verification, authentication, virtual interactions and transactions, and secure digital storage. OneSpan has operations in Austria, Australia, Belgium, Canada, China, France, Japan, The Netherlands, Singapore, Switzerland, the United Arab Emirates, the United Kingdom (U.K), and the United States (U.S.). Transformation Plan In May 2022, the Company announced a three-year strategic transformation plan that begins on January 1, 2023. The Company expects this transformation plan will enable it to build on its strong solution portfolio and market position, enhance its enterprise go-to-market strategy, accelerate revenue growth, and drive efficiencies to support margin expansion and increased profitability. In conjunction with the strategic transformation plan and to enable a more efficient capital deployment model, effective with the quarter ended June 30, 2022, the Company began reporting under the following two lines of business, which are its reportable operating segments: Digital Agreements and Security Solutions. The Company plans to manage Digital Agreements for accelerated growth and market share gains and Security Solutions for cash flow given its more modest growth profile. For further information regarding the Company’s reportable segments, see Note 3, Segment Information. While the Company’s consolidated results will not be impacted, the Company has recast its segment information during 2022 for comparable presentation. Principles of Consolidation The consolidated financial statements include the accounts of OneSpan Inc. and its wholly owned subsidiaries. Intercompany accounts and transactions have been eliminated in consolidation. Estimates and Assumptions The preparation of financial statements in conformity with U.S. GAAP requires management to make estimates and assumptions that affect the reported amounts of assets and liabilities and disclosure of contingent assets and liabilities at the date of the financial statements and the reported amounts of revenue and expenses during the reporting period. Actual results could differ from those estimates. Foreign Currency Translation and Transactions The financial position and results of the operations of the majority of the Company’s foreign subsidiaries are measured using the local currency as the functional currency. Accordingly, assets and liabilities are translated into U.S. Dollars using current exchange rates as of the balance sheet date. Revenue and expenses are translated at average exchange rates prevailing during the year. Translation adjustments arising from differences in exchange rates are charged or credited to other comprehensive income (loss). Gains or (losses) resulting from foreign currency transactions were $(1.9) million, less than $0.1 million, and less than $0.1 million in 2022, 2021, and 2020, respectively, and are included in "Other income (expense)" in the consolidated statements of operations. F-9 Note 2 – Summary of Significant Accounting Policies Cash and Cash Equivalents and Restricted Cash Cash and cash equivalents are stated at cost plus accrued interest, which approximates fair value. Cash equivalents are high-quality short-term money market instruments and commercial paper with maturities at acquisition of three months or less. Cash and cash equivalents are held by a number of U.S. and non-U.S. commercial banks and money market investment funds. The Company is party to lease agreements that require letters of credit to secure the obligations. The restricted cash related to these letters of credit is recorded in “Other non-current assets” in the consolidated balance sheets in the amount of $0.8 million at December 31, 2022 and 2021. Short-term Investments The Company’s short-term investments are in debt securities which consist of U.S treasury bills and notes, U.S. government agency notes, corporate notes, and high-quality commercial paper with maturities at acquisition of more than three months and less than twelve months. The Company classifies its investments in debt securities as available-for-sale. In accordance with Accounting Standards Update "ASU" No. 2016-13, credit impairments are recorded through an allowance and are recorded through a charge to the consolidated statement of operations. Unrealized gains or losses not related to credit impairments are recorded in “Accumulated other comprehensive loss” on the consolidated balance sheets. The Company reviews available-for-sale debt securities for impairments related to credit losses and other factors each quarter. As of December 31, 2022 and 2021, the unrealized gains and losses were not material. Credit Losses Reasonable assurance of collection is a requirement for revenue recognition. Credit limit adjustments for existing customers may result from the periodic review of outstanding accounts receivable. The Company records trade accounts receivable at invoice values, which are generally equal to fair value. In accordance with ASU No. 2016-13, the Company evaluates its allowance based on expected losses rather than incurred losses, which is known as the current expected credit loss (“CECL”) model. The allowance is determined using the loss rate approach and is measured on a collective (pool) basis when similar risk characteristics exist. Where financial instruments do not share risk characteristics, they are evaluated on an individual basis. The allowance is based on relevant available information, from internal and external sources, relating to past events, current conditions, and reasonable and supportable forecasts. Fair Value of Financial Instruments At December 31, 2022 and 2021, the Company's financial instruments were Cash and cash equivalents, Short-term investments, Accounts receivable, Accounts payable, and Accrued liabilities. The estimated fair value of financial instruments has been determined by using available market information and appropriate valuation methodologies, as defined in Accounting Standards Codification "ASC" 820, Fair Value Measurements. The fair values of the financial instruments were not materially different from their carrying amounts at December 31, 2022 and 2021. See Note 9, Fair Value Measurements, for additional detail. Inventories Inventories, consisting principally of hardware and component parts, are stated at the lower of cost or net realizable value. Cost is determined using the first-in-first-out (FIFO) method. The Company writes down inventory when it appears that the carrying cost of the inventory may not be recovered through subsequent sale of the inventory. The Company analyzes the quantity of inventory on hand, the quantity sold in the past year, the anticipated sales volume in the form of sales to new customers as well as sales to previous customers, the expected sales price and the cost of making the sale when evaluating the valuation of inventory. If the sales volume or sales price of a specific model declines significantly, additional write downs may be required. Property and Equipment, net Property and equipment, net, is stated at cost. Depreciation is computed using the straight-line method over the estimated useful lives of the related assets ranging from three to ten years. Leasehold improvements are depreciated over F-10 the lesser of the remaining lease term or 10 years. Additions and improvements are capitalized, while expenditures for maintenance and repairs are charged to operations as incurred. Gains or losses resulting from sales or retirements are recorded as incurred, at which time related costs and accumulated depreciation are removed from the accounts. Accounting for Leases All of the Company's leases are operating leases. The Company records leases in accordance with ASC Topic 842, Leases. The Company elected the following practical expedients: • • • • The package of practical expedients permitted under the transition guidance within the new standard. The practical expedient package applies to leases commenced prior to adoption of the new standard and permits companies not to reassess whether existing or expired contracts contain a lease, the lease classification, and any initial direct costs for existing leases. The short-term lease practical expedient, which allowed the Company to exclude short-term leases from recognition in the consolidated balance sheets; The Company has lease agreements that contain lease and non-lease components. For automobile leases, lease and non-lease components are accounted for together. For office leases, the components are accounted for separately using a relative standalone selling basis; and The Company applies the portfolio approach to automobile leases with similar characteristics that commence in the same period. The difference between the asset and liability is a result of lease incentives, such as tenant improvement allowances, and deferred rent on the consolidated balance sheet at transition. See Note 11, Leases, for additional information. Goodwill Goodwill represents the excess of purchase price over the fair value of net identifiable assets acquired in a business combination. The Company assesses the impairment of goodwill annually or whenever events or changes in circumstances indicate that the carrying value may not be recoverable. The annual impairment test date is October 1. The Company’s impairment assessment begins with a qualitative assessment to determine whether it is more likely than not that the fair value of a reporting unit is less than its carrying value. The qualitative assessment includes comparing the overall financial performance of the reporting unit against the planned results. Additionally, the reporting unit’s fair value is assessed in light of certain events and circumstances, including macroeconomic conditions, industry and market considerations, cost factors, and other relevant entity- and reporting unit specific events. The selection and assessment of qualitative factors used to determine whether it is more likely than not that the fair value of a reporting unit exceeds the carrying value involves significant judgments. If it is determined under the qualitative assessment that it is more likely than not that the fair value of a reporting unit is less than its carrying value, then the estimated fair value of the reporting unit is compared with its carrying value. An impairment charge is recognized for the amount by which the carrying amount exceeds the reporting unit’s fair value. As a result of the transformation plan and new reportable operating segments, the Company allocated the goodwill balance to each of its reporting units and respective reportable operating segments on May 17, 2022. Prior to the transformation plan, the Company operated under one reporting unit. See Note 1, Description of the Company and Basis of Presentation, for additional information. No goodwill impairment was recorded during the years ended December 31, 2022, 2021, and 2020. Long-Lived and Intangible Assets Finite-lived intangible assets include proprietary technology, customer relationships, and other intangible assets. Intangible assets other than patents with definite lives are amortized over the useful life, generally three to seven years for F-11 proprietary technology and five to twelve years for customer relationships. Patents are amortized over the life of the patent, generally 20 years in the U.S. Intangible assets arising from business combinations, such as acquired technology, customer relationships, and other intangible assets, are originally recorded at fair value. Long-lived assets, including property, plant and equipment, operating lease right-of-use assets, finite-lived intangible assets being amortized and capitalized software costs for internal use, are reviewed for impairment whenever events or changes in circumstances indicate that the carrying amount of the long-lived asset group may not be recoverable. An impairment loss shall be recognized if the carrying amount of a long-lived asset group exceeds the sum of the undiscounted cash flows expected to result from the use and eventual disposition of the asset. If it is determined that an impairment loss has occurred, the loss is measured as the amount by which the carrying amount of the long-lived asset group exceeds its fair value. Long-lived assets held for sale are reported at the lower of carrying value or fair value less cost to sell. Equity Method Investment On January 31, 2022, the Company sold its equity interest in Promon AS (Promon) for $18.9 million and recorded the gain on sale of $14.8 million in “Other income (expense), net”, on the consolidated statement of operations for the year ended December 31, 2022. Promon is a technology company headquartered in Norway that specializes in mobile app security, whose solutions focus largely on Runtime Application Self-Protection (RASP). Prior to January 31, 2022, the Company held a 17% interest in Promon and applied the equity method of accounting to its investment in Promon because it exercised significant influence on, but did not hold a controlling interest in, the investee. Under the equity method of accounting, the Company’s proportionate share of the net earnings (losses) of Promon was reported in “Other income (expense), net”, on the consolidated statements of operations. The impact of the proportionate share of net earnings (losses) was immaterial for the years ended December 31, 2022, 2021, and 2020, as were the relative size of Promon’s assets and operations in relation to the Company’s. The Company intends to continue to purchase and integrate Promon’s RASP technology into its customer software solutions. Share Repurchase Program On May 12, 2022, the Board of Directors terminated the stock repurchase program adopted on September 10, 2020 and adopted a new stock repurchase program under which the Company is authorized to repurchase up to $50.0 million of its issued and outstanding common stock. Share purchases under the program will take place in open market transactions or in privately negotiated transactions and may be made from time to time depending on market conditions, share price, trading volume, and other factors. The timing of the repurchases and the amount of stock repurchased in each transaction is subject to OneSpan’s sole discretion and will depend upon market and business conditions, applicable legal and credit requirements and other corporate considerations. The authorization is effective until May 11, 2024 unless the total amount has been used or authorization has been cancelled. During the year ended December 31, 2022, the Company repurchased 0.4 million shares of the Company’s stock for $5.7 million in the aggregate at an average cost of $12.83 per share under its repurchase program. Revenue Recognition We record revenue in accordance with ASC Topic 606 "Revenue from Contracts with Customers". We determine revenue recognition through the following steps: • • Identification of the contract, or contracts, with a customer; Identification of the performance obligations in the contract; • Determination of the transaction price; • Allocation of the transaction price to the performance obligations in the contract; and • Recognition of revenue when, or as, we satisfy a performance obligation. F-12 Revenues are recognized when control of the promised goods or services is transferred to the Company's customers, in an amount that reflects the consideration we expect to be entitled to in exchange for those products or services, which excludes any sales incentives and amounts collected on behalf of third parties. Taxes assessed by a governmental authority that are both imposed on and concurrent with a specific revenue-producing transaction, that are collected by the Company from a customer, are excluded from revenue. Shipping and handling costs associated with outbound freight before control over a product has transferred to a customer are accounted for as a fulfillment cost and are included in "Cost of goods sold". Nature of Goods and Services We derive our revenues primarily from product and license revenue, which includes hardware products and on-premises subscription revenue, and services and other, which is inclusive of cloud subscription revenue, maintenance and support, and professional services. Subscription: Subscription includes cloud and on-premises subscription revenue, previously referred to as “subscription” and “term-based software licenses”, respectively. Cloud subscription revenues are generated from from the Company's Digital Agreements and Secruity Solutions service offerings. Standard customer arrangements do not provide the customer with the right to take possession of the software supporting the cloud-based application service at any time. As such, these arrangements are considered service contracts and revenue is recognized ratably over the service period of the contract. Customer payments are normally in advance for annual service. Revenue from the sale of on-premises subscription revenue is recorded upon delivery which is the latter of when the customer receives the ability to access the software or when they are legally allowed to use the software. No significant obligations or contingencies exist with regard to delivery, customer acceptance or rights of return at the time revenue is recognized. We offer term licenses for on-premises subscription revenue ranging from one to five years in length.. For term licenses, payments are either on installment or in advance. In limited circumstances, we integrate third-party software solutions into our software products. We have determined that, consistent with our conclusion under prior revenue recognition rules, generally we act as the principal with respect to the satisfaction of the related performance obligation and records the corresponding revenue on a gross basis from these transactions. For transactions in which we do not act as the principal, we recognize revenue on a net basis. The fees owed to the third parties are recognized as a component of cost of goods sold when the revenue is recognized. Maintenance and support: Maintenance and support agreements generally call for the Company to provide software updates and technical support, respectively, to customers. The annual fee for maintenance and technical support is recognized ratably over the term of the maintenance and support agreement as this is the period the services are delivered. Customer payments are normally in advance for annual service. Professional Services and other Revenue: Professional services revenues are primarily comprised of implementing, automating and extending business processes, technology infrastructure, and software applications. Professional services revenues are recognized over time as services are rendered, usually over a period of time that is generally less than a few months. Most projects are performed on a time and materials basis while a portion of revenues is derived from projects performed on a fixed fee. For time and material contracts, revenues are generally recognized and invoiced by multiplying the number of hours expended in the performance of the contract by the contractual hourly rates. For fixed fee contracts, revenues are generally recognized using an input method based on the ratio of hours expended to total estimated hours to complete the services. Customer payments normally correspond with delivery. Professional services and other revenue includes perpetual licenses revenue, which was less than 3% of revenue for the year ended December 31, 2022 and less than 6% for the year ended December 31, 2021. Perpetual licenses grant the customer unlimited access to the software. Hardware products: Revenue from the sale of security hardware is recorded upon shipment, which is the point at which control of the goods are transferred and the performance obligations are completed, unless there are specific terms that would suggest control is transferred at a later date (e.g. delivery). No significant obligations or contingencies typically exist with regard to delivery, customer acceptance or rights of return at the time revenue is recognized. Customer invoices and subsequent payments normally correspond with delivery. F-13 The Company also enters into separate service agreements with certain hardware customers to perform distribution services. In these situations, revenue is recognized prior to physical delivery of a good (i.e. “bill-and-hold arrangements). The Company evaluates bill-and-hold arrangement, and records revenue accordingly when the following criteria is met: • • • • The reason for the bill-and-hold arrangement is substantive; The product is identified separately as belonging to the customer; The product currently is ready for physical transfer to the customer; The Company does not have the ability to use the product or to direct it to another customer. Multiple-Element Arrangements In the Company's typical multiple-element arrangement, the primary deliverables include: 1. A client component (i.e. an item that is used by the person being authenticated in the form of either a new standalone hardware device or software that is downloaded onto a device that the customer already owns); 2. Server system software that is installed on the customer’s systems (i.e. software on the server system that verifies the identity of the person being authenticated) or licenses for additional users on the server system software if the server system software had been installed previously; and 3. Post contract support (PCS) in the form of maintenance on the server system software or support. The Company's multiple-element arrangements may also include other items that are usually delivered prior to the recognition of any revenue and are incidental to the overall transaction such as initialization of the hardware device, customization of the hardware device itself or the packaging in which it is delivered, deployment services where the Company delivers the device to its customer’s end-use customer or employee and, in some limited cases, professional services to assist with the initial implementation of a new customer. Significant Judgments The Company enters into contracts to deliver a combination of hardware devices, software licenses, subscriptions, maintenance and support and, in some situations, professional services. The Company evaluates the nature of the goods or services promised in these arrangements to identify the distinct performance obligations. Determining whether products and services are considered distinct performance obligations that should be accounted for separately versus together may require significant judgment depending on the terms and conditions of the respective customer arrangement. When a hardware client device and licenses to server software are sold in a contract, they are treated as a single performance obligation because the software license is deemed to be a component of the hardware that is integral to the functionality of the hardware that is used by customers for identity authentication. When a software client device is sold in a contract server software, the licenses are considered a single performance obligation to deliver the authentication solution to the customer. In either of these types of arrangements, maintenance and support and professional services are typically distinct separate performance obligations from the hardware or software solutions. Contracts to deliver subscription services typically do not include multiple performance obligations; however, in certain limited cases customers may purchase professional services that are distinct performance obligations. For contracts that contain multiple performance obligations, the transaction price is allocated to the separate performance obligations based on their estimated relative standalone selling price. Judgment is required to determine the stand-alone selling price (“SSP”) of each distinct performance obligation. We determine SSP for maintenance and support and professional services based on observable inputs; specifically, the range of prices charged to customers to renew annual maintenance and support contracts and the range of hourly rates we charge customers in standalone professional services contracts. In instances where SSP is not directly observable, and when we sell at a highly variable price range, such as for transactions involving software licenses or subscriptions, we determine the SSP for those performance obligations using the residual approach. F-14 Cost of Goods Sold Included in "Product and license cost of goods sold" are direct product costs and direct costs to deliver and provide software licenses. Cost of goods sold related to service and other revenues are primarily costs related to cloud subscription solutions, including personnel and equipment costs, and personnel costs of employees providing professional services and maintenance support. Research and Development Costs As part of the strategic transformation plan announced in May 2022, the Company began investing in its Digital Agreements operating segment for accelerated growth. In conjunction with expanded research and development activities to grow the Company’s transaction-cloud platform and Digital Agreements product offerings, the Company began capitalizing certain costs incurred in connection with obtaining or developing internal-use software during the year ended December 31, 2022. These costs include payroll and payroll-related costs for employees who are directly associated with the internal-use software projects, external direct costs of materials and services costs while developing the software. Capitalized software costs are included in “Property and equipment, net” on the consolidated balance sheets and are amortized using the straight-line method over the estimated life of three years. Capitalization of such costs ceases when the project is substantially complete and ready for its intended purpose. Costs incurred during the preliminary project and post-implementation stages, as well as software maintenance and training costs, are expensed in the period in which they are incurred. Other costs for research and development, principally the design and development of hardware, and the design and development of software prior to the determination of technological feasibility, are expensed as incurred on a project-by-project basis. The Company capitalized $4.0 million of internal-use software during the year ended December 31, 2022. Other costs for research and development, principally the design and development of hardware, and the design and development of software prior to the determination of technological feasibility, are expensed as incurred on a project-by-project basis. Stock-Based Compensation The Company has stock-based employee compensation plans, described in Note 14, Stock Compensation. ASC 718, Stock Compensation, requires the Company to estimate the fair value of restricted stock granted to employees, directors and others to record compensation expense equal to the estimated fair value. Compensation expense is recorded on a straight-line basis over the vesting period for time-based awards and performance and market-based awards with cliff vesting provisions and on a graded basis for performance and market-based awards with graded vesting provisions. Forfeitures are recorded as incurred. Retirement Benefits The Company records annual expenses relating to defined benefit pension plans based on calculations which include various actuarial assumptions, including discount rates, assumed asset rates of return, compensation increases, and turnover rates. The Company reviews its actuarial assumptions on an annual basis and make modifications to the assumptions based on current rates and trends. The effects of gains, losses, and prior service costs and credits are amortized over the average service life. The funded status, or projected benefit obligation less plan assets, for each plan, is reflected in the consolidated financial statements using a December 31 measurement date. Other Income (Expense), Net Other income (expense), net, consists primarily of exchange gains (losses) on transactions that are denominated in currencies other than the Company’s subsidiaries’ functional currencies, subsidies received from foreign governments in support of the Company's research and development in those countries and other miscellaneous non-operational income and expenses. Income Taxes The Company calculates and provides for income taxes in each tax jurisdiction in which it operates. The provision for income taxes includes the amounts payable or refundable for the current year, the effect of deferred taxes and impacts F-15 from uncertain tax positions. The Company’s provision for income taxes is significantly affected by shifts in the geographic mix of its pre-tax earnings across tax jurisdictions, changes in tax laws and regulations, and tax planning opportunities available in each tax jurisdiction. Deferred tax assets and liabilities are recognized for the expected future tax consequences of temporary differences between the financial statement and tax bases of the Company's assets and liabilities and for operating losses and tax credit carryforwards. Deferred tax assets and liabilities are measured using enacted tax rates that will apply to taxable income in the years in which those differences are expected to be recovered or settled. Valuation allowances are established for deferred tax assets when it is more likely than not that a tax benefit will not be realized. The Company recognizes the effect of a change in tax rates on deferred tax assets and liabilities and in income in the period that includes the enactment date. The Company recognizes tax benefits for tax positions that are more likely than not to be sustained upon examination by tax authorities. The amount recognized is measured as the largest amount of benefit that is greater than 50 percent likely to be realized upon ultimate settlement. Unrecognized tax benefits are tax benefits claimed in the Company's income tax returns that do not meet these recognition and measurement standards. Assumptions, judgments, and the use of estimates are required in determining whether the “more-likely-than-not” standard has been met when developing the provision for income taxes. The Company recognizes the tax impact of including certain foreign earnings in U.S. taxable income as a period cost. The Company has recognized deferred income taxes for local country income and withholding taxes that could be incurred on distributions of non-U.S. earnings because management does not plan to indefinitely reinvest such earnings. The Company monitors for changes in tax laws and reflect the impacts of tax law changes in the period of enactment. Recently Issued Accounting Pronouncements In November 2021, the FASB issued ASU 2021-10, Government Assistance: Disclosures by Business Entities about Government Assistance ("ASU 2021-10"), which requires business entities to disclose certain information about certain government assistance they receive. ASU 2021-10 is effective for annual periods beginning after December 15, 2021. The adoption of this standard did not have a material impact on the Company's consolidated financial statements. From time to time, new accounting pronouncements are issued by the FASB or other standard setting bodies that are adopted by the Company as of the specified effective date. Unless otherwise discussed, management believes that the issued standards that are not yet effective will not have a material impact on the consolidated financial statements upon adoption. Note 3 - Segment Information In May 2022, the Company announced a three-year strategic transformation plan begins on January 1, 2023. The Company expects this transformation plan that will enable it to build on its strong solution portfolio and market position, enhance its enterprise go-to-market strategy, accelerate revenue growth, and drive efficiencies to support margin expansion and increased profitability. In conjunction with the strategic transformation plan and to enable a more efficient capital deployment model, effective with the quarter ended June 30, 2022, the Company began reporting under the following two lines of business, which are its reportable operating segments: Digital Agreements and Security Solutions. The Company expects to manage Digital Agreements for accelerated growth and market share gains and Security Solutions for cash flow given its more modest growth profile. Segments are defined as components of a company that engage in business activities from which they may earn revenues and incur expenses, and for which separate financial information is available and is evaluated regularly by the chief operating decision maker (CODM), in deciding how to allocate resources and in assessing performance. The Company’s CODM is its Chief Executive Officer. • Digital Agreements. Digital Agreements consists of solutions that enable the Company’s clients to secure and automate business processes associated with their digital agreement and customer transaction lifecycles that require consent, non-repudiation and compliance. These solutions, which are largely cloud-based, include the Company’s OneSpan Sign e-signature solution and its recently introduced OneSpan Notary and Virtual Room F-16 solutions. As the transformation plan progresses, the Company expects to include other cloud-based security modules associated with the secure transaction lifecycle of identity verification, authentication, virtual interactions and transactions, and secure digital storage in the Digital Agreements segment. This segment also includes costs attributable to our next-generation transaction-cloud platform. • Security Solutions. Security Solutions consists of a broad portfolio of software products and/or software development kits (SDKs) that are used to build applications designed to defend against attacks on digital transactions across online environments, devices and applications. These solutions, which are largely on-premises software products, include identity verification, multi-factor authentication and transaction signing, such as mobile application security, mobile software tokens, and Digipass authenticators that are not cloud-connected devices. Segment operating income consists of the revenues generated by a segment, less the direct costs of revenue, sales and marketing, research and development expenses, amortization expense, and restructuring and other related charges that are incurred directly by a segment. The Company recorded $2.3 million and $1.8 million of amortization expense in Digital Agreements operating income and Security Solutions operating income, respectively, during the year ended December 31, 2022. During the year ended December 31, 2021, the Company recorded $2.5 million and $3.3 million of amortization expense in Digital Agreements operating income and Security Solutions operating income, respectively. The Company recorded $5.9 million and $3.1 million of amortization expense in Digital Agreements operating income and Security Solutions operating income, respectively, during the year ended December 31, 2020.Unallocated corporate costs include costs related to administrative functions that are performed in a centralized manner that are not attributable to a particular segment. The tables below set forth information about the Company’s operating segments for the years ended December 31, 2022, 2021, and 2020, along with the items necessary to reconcile the segment information to the totals reported in the accompanying consolidated financial statements. F-17 (In thousands, except percentages) Years Ended December 31, 2022 2021 2020 Digital Agreements Revenue Gross profit Gross margin Operating income Security Revenue Gross profit Gross margin Operating income Total Company: Revenue Gross profit Gross margin Statements of operations reconciliation: Segment operating income Corporate operating expenses not allocated at the segment level Operating loss Interest income, net Other income (expense), net Loss before income taxes $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ 48,401 37,488 77 % 5,348 170,605 111,082 65 % 32,051 219,006 148,570 68 % 37,399 64,514 (27,115) 595 14,827 $ $ $ $ $ $ $ $ $ $ 40,551 29,557 73 % (1,612) 173,930 113,378 65 % 35,395 214,481 142,935 67 % 33,783 59,911 (26,128) (1) (14) (11,693) $ (26,143) $ 29,633 20,361 69 % (7,559) 186,058 127,698 69 % 55,295 215,691 148,059 69 % 47,736 52,994 (5,258) 404 1,434 (3,420) The following tables illustrate the disaggregation of revenues by category and services, including a reconciliation of the disaggregated revenues to revenues from the Company's two operating segments for the years ended December 31, 2022, 2021, and 2020. 2022 2021 2020 Digital Agreements Security Solutions Digital Agreements Security Solutions Digital Agreements Security Solutions Years Ended December 31, (In thousands) Subscription (1) Maintenance and support Professional services and other (2) Hardware products Total Revenue $ $ 42,029 $ 47,124 $ 33,283 $ 35,224 $ 22,632 $ 5,451 42,894 921 — 7,087 73,500 5,709 1,494 65 45,567 13,703 79,436 5,035 1,966 — 29,757 44,193 30,259 81,849 48,401 $ 170,605 $ 40,551 $ 173,930 $ 29,633 $ 186,058 F-18 1. Subscription includes cloud and on-premises subscription revenue, previously referred to as “subscription” and “term-based software licenses”, respectively. 2. Professional services and other includes perpetual software licenses revenue, which was approximately 2%, 5%, and 12% of total revenue for the years ended December 31, 2022, 2021, and 2020, respectively. The Company allocates goodwill by reporting unit, in accordance with ASC 350 – Goodwill and Other. Asset information by segment is not reported to or reviewed by the CODM to allocate resources, and therefore, the Company has not disclosed asset information for the segments. Note 4 – Inventories, net Inventories, net, consisting principally of hardware and component parts, are stated at the lower of cost or net realizable value. Cost is determined using the FIFO method. Inventories, net, are comprised of the following as of December 31, 2022 and 2021: (In thousands) Component parts Work-in-process and finished goods Total Note 5 – Revenue Disaggregation of Revenues December 31, 2022 2021 $ $ 6,762 $ 5,292 12,054 $ 3,841 6,504 10,345 The following tables present the Company's revenues disaggregated by major products and services, geographical region and timing of revenue recognition. Revenue by major products and services (In thousands) Subscription (1) Maintenance and support Professional services and other (2) Hardware products Total Revenue Years Ended December 31, 2022 2021 2020 $ $ 89,153 $ 68,507 $ 48,345 8,008 73,500 51,276 15,197 79,501 52,389 49,228 32,225 81,849 219,006 $ 214,481 $ 215,691 1. Subscription includes cloud and on-premises subscription revenue, previously referred to as “subscription” and “term-based software licenses”, respectively. 2. Professional services and other includes perpetual software licenses revenue, which was approximately 2%, 5%, and 12% of total revenue for the years ended December 31, 2022, 2021, and 2020, respectively. F-19 Revenue by location of customer for the years ended December 31, 2022, 2021, and 2020 (In thousands, except percentages) Total Revenue: 2022 2021 2020 Percent of Total: 2022 2021 2020 Timing of revenue recognition (In thousands) Products and Licenses transferred at a point in time Services transferred over time Total Revenue Contract balances EMEA Americas APAC Total $ $ $ 100,298 104,878 117,086 $ $ $ 77,740 68,646 53,171 $ $ $ 40,968 40,957 45,434 $ $ $ 219,006 214,481 215,691 46 % 49 % 54 % 35 % 32 % 25 % 19 % 19 % 21 % 100 % 100 % 100 % Years Ended December 31, 2022 2021 2020 $ $ 121,426 $ 120,358 $ 97,580 94,123 219,006 $ 214,481 $ 132,986 82,705 215,691 The following table provides information about receivables, contract assets and contract liabilities from contracts with customers as of December 31, 2022 and 2021: (In thousands) Receivables, inclusive of trade and unbilled Contract Assets (current and non-current) Contract Liabilities (Deferred Revenue current and non-current) December 31, 2022 2021 $ $ $ 65,132 $ 4,642 $ 70,907 $ 56,612 4,889 63,742 Contract assets relate primarily to multi-year term license arrangements and the remaining contractual billings. These contract assets are transferred to receivables when the right to billing occurs, which is normally over 3-5 years. The contract liabilities primarily relate to the advance consideration received from customers for subscription and maintenance services. Revenue is recognized for these services over time. As a practical expedient, the Company does not adjust the promised amount of consideration for the effects of a significant financing component when it is expected, at contract inception, that the period between the Company's transfer of a promised product or service to a customer and when the customer pays for that product or service will be one year or less. Extended payment terms are not typically included in contracts with customers. Revenue recognized during the year ended December 31, 2022 included $52.8 million that was included on the December 31, 2021 consolidated balance sheet in contract liabilities. Deferred revenue increased in the same period due to timing of annual renewals. Transaction price allocated to the remaining performance obligations Remaining performance obligations represent the revenue that is expected to be recognized in future periods related to performance obligations that are unsatisfied, or partially unsatisfied, as of the end of the period. The following F-20 table includes estimated revenue expected to be recognized in the future related to performance obligations that are unsatisfied (or partially unsatisfied) as of December 31, 2022: (In thousands) 2023 2024 2025 Beyond 2025 Total Future revenue related to current unsatisfied performance obligations $ 44,407 $ 19,574 $ 7,872 $ 5,336 $ 77,189 The Company applies practical expedients and does not disclose information about remaining performance obligations (a) that have original expected durations of one year or less, or (b) where revenue is recognized as invoiced. Costs of obtaining a contract The Company incurs incremental costs related to commissions, which can be directly tied to obtaining a contract. The Company capitalizes commissions associated with certain new contracts and amortizes the costs over a period of up to seven years, which is the determined benefit period based on the transfer of goods or services. The Company determined the period of benefit by taking into consideration the customer contracts, its technology and other factors, including customer attrition. Commissions are earned upon invoicing to the customer. For contracts with multiple year payment terms, because the commissions that are payable after year 1 are payable based on continued employment, they are expensed when incurred. Commissions and amortization expense are included in “Sales and marketing” expense in the consolidated statements of operations. Applying the practical expedient, the Company recognizes the incremental costs of obtaining contracts as an expense when incurred if the amortization period for the assets that the Company otherwise would have recognized is one year or less. These costs are included in the “Sales and marketing” caption in the consolidated statements of operations. The following tables provide information related to the capitalized costs and amortization recognized in the current and prior period: (In thousands) Capitalized costs to obtain contracts, current Capitalized costs to obtain contracts, non-current (In thousands) Amortization of capitalized costs to obtain contracts Impairments of capitalized costs to obtain contracts Note 6 – Goodwill The following tables present the changes in goodwill during 2022 and 2021: December 31, 2022 2021 2,929 $ 10,571 $ Years Ended December 31, 2022 2021 2,404 $ — $ 2,134 8,675 1,555 — $ $ $ $ In thousands Net balance at December 31, 2020 Net foreign currency translation Net balance at December 31, 2021 Goodwill reallocation Net foreign currency translation Net balance at December 31, 2022 Digital Agreements Security Solutions Total — $ — — 20,966 (1,234) 19,732 $ — $ — — 75,208 (4,426) 70,782 $ 97,552 (1,378) 96,174 — (5,660) 90,514 $ $ F-21 Goodwill reallocation: As a result of the transformation plan and new reportable operating segments, the Company allocated the goodwill balance to each reporting unit and respective reportable operating segments on May 17, 2022 (see Note 1, Description of the Company and Basis of Presentation). Additionally, the Company performed a goodwill impairment test on the goodwill balances of each of the reporting units of its reportable operating segments as of May 17, 2022, by comparing the fair value of each reporting unit to its carrying value, including the allocated goodwill. The Company concluded that there was no indication of goodwill impairment for any of the reporting units as of May 17, 2022. No impairment of goodwill was recorded during the years ended December 31, 2022, 2021, or 2020. Note 7 – Intangible Assets Intangible assets as of December 31, 2022 and 2021 consist of the following: December 31, 2022 2021 (In thousands) Acquired technology Customer relationships Patents and trademarks Total Useful Life (in years) Gross Carrying Amount Accumulated Amortization Gross Carrying Amount Accumulated Amortization 3 to 7 5 to 12 10 to 20 $ $ 42,022 $ 41,894 $ 43,034 $ 34,386 13,518 23,323 12,227 39,814 13,549 89,926 $ 77,444 $ 96,397 $ 42,281 20,653 12,193 75,127 Amortization expense was $4.1 million, $5.9 million, and $9.1 million for the years ended December 31, 2022, 2021, and 2020, respectively. Certain intangible assets are denominated in local currencies and are subject to currency fluctuations. During the year ended December 31, 2022, the Company performed an impairment review of the customer relationships intangible assets obtained in its 2018 acquisition of Dealflo Limited (“Dealflo”). The impairment review was triggered by the Company’s July 2022 notification to customers regarding its intent to gradually sunset its Dealflo solution in the months leading up to December 31, 2023. As a result, all Dealflo solution customer contracts will terminate on or before December 31, 2023. The results of the impairment review indicated that the carrying value of the Dealflo customer relationships exceeded the fair value, and the Company recorded a $3.8 million impairment charge on the entire remaining value of the asset during the year ended December 31, 2022. The charge is included in “Impairment of intangible assets” on the consolidated statements of operations and is included in "Operating income" of the Security Solutions reportable operating segment. There were no additional impairments of intangible assets recorded during the years ended December 31, 2022, 2021, and 2020. The estimated future amortization expense of intangible assets as of December 31, 2022, is as follows: 2023 2024 2025 2026 2027 Thereafter Subject to amortization Trademarks Total intangible assets F-22 $ $ 2,338 2,335 2,334 2,328 2,123 263 11,721 761 12,482 Note 8 – Property and Equipment, net The following table presents the major classes of property and equipment, net, as of December 31, 2022 and 2021: (In thousands) Office equipment and software Leasehold improvements Furniture and fixtures Capitalized software Total Accumulated depreciation Property and equipment, net Useful Life (in years) 2022 2021 December 31, 3-5 10 5 3 $ $ 14,451 $ 9,927 4,260 4,007 32,645 (19,964) 12,681 $ 14,327 10,296 4,223 — 28,846 (18,089) 10,757 Depreciation expense was $2.9 million, $3.0 million, and $2.9 million for the years ended December 31, 2022, 2021, and 2020, respectively. Note 9 – Fair Value Measurements The fair values of cash equivalents, "Receivables, net", and "Accounts payable" approximate their carrying amounts due to their short duration. The fair value hierarchy is based on inputs to valuation techniques that are used to measure fair value that are either observable or unobservable. Observable inputs reflect assumptions market participants would use in pricing an asset or liability based on market data obtained from independent sources while unobservable inputs reflect a reporting entity’s pricing base upon its own market assumptions. The estimated fair value of financial instruments has been determined by using available market information and appropriate valuation methodologies, as defined in ASC 820, Fair Value Measurements. The fair value hierarchy consists of the following three levels: • • • Level 1 – Inputs are quoted prices in active markets for identical assets or liabilities. Level 2 – Inputs are quoted prices for similar assets or liabilities in an active market, quoted prices for identical or similar assets or liabilities in markets that are not active, inputs other than quoted prices that are observable and market-corroborated inputs which are derived primarily from or corroborated by observable market data. Level 3 – Inputs are derived from valuation techniques in which one or more significant inputs or value drivers are unobservable. F-23 The following tables summarize the Company’s financial assets by level in the fair value hierarchy, which are measured at fair value on a recurring basis, as of December 31, 2022 and 2021: (In thousands) Assets: Corporate Notes / Bonds Commercial Paper Money Market Funds (In thousands) Assets: U.S. Treasury Notes Corporate Notes / Bonds Commercial Paper U.S. Treasury Bills U.S. Government Agencies Fair Value Measurement at Reporting Date Using Quoted Prices in Active Markets for Identical Assets (Level 1) Significant Other Observable Inputs (Level 2) Significant Unobservable Inputs (Level 3) December 31, 2022 2,328 6,743 28,388 — $ — $ — $ 2,328 6,743 28,388 — — — Fair Value Measurement at Reporting Date Using Quoted Prices in Active Markets for Identical Assets (Level 1) Significant Other Observable Inputs (Level 2) Significant Unobservable Inputs (Level 3) December 31, 2021 4,038 9,585 8,996 9,990 2,499 — $ — $ — $ — $ — $ 4,038 9,585 8,996 9,990 2,499 — — — — — $ $ $ $ $ $ $ $ The Company classifies its investments in debt securities as available-for-sale. The Company reviews available-for-sale debt securities for impairments related to losses and other factors each quarter. The unrealized gains and losses on the available-for-sale debt securities were not material as of December 31, 2022 and 2021. The Company did not have any transfers of assets between Level 1 and Level 2 or Level 3 of the fair value hierarchy during the year ended December 31, 2022. Also, the Company did not have any financial liabilities that are measured at fair value on a recurring basis as of December 31, 2022 and 2021. The Company’s non-financial assets and liabilities, which include goodwill and long-lived assets held and used, are not required to be measured at fair value on a recurring basis. However, if certain triggering events occur, or if an annual impairment test is required, the Company would evaluate the non- financial assets and liabilities for impairment. If an impairment was to occur, the asset or liability would be recorded at its estimated fair value. During the year ended December 31, 2022, the Company recorded an impairment of its Dealflo customer relationships intangible asset in the amount of $3.8 million, which was the entire remaining value of the asset. See Note 7, Intangible Assets, for additional information. No impairment was recorded during the year ended December 31, 2021. F-24 Note 10 – Allowance for Credit Losses The change in the allowance for credit losses during the years ended December 31, 2021 and 2022 were as follows: (In thousands) Balance at December 31, 2020 Provision Write-offs Net foreign currency translation Balance at December 31, 2021 Provision Write-offs Net foreign currency translation Balance at December 31, 2022 4,135 (16) (2,689) (11) 1,419 517 (334) (2) 1,600 $ $ During the years ended December 31, 2022 and 2021, the Company wrote off $0.3 million and $2.7 million, respectively, of accounts receivable that were fully reserved for and no longer deemed collectible. Note 11 – Leases The Company leases certain real estate and automobiles. Leases with an initial term of 12 months or less (“short-term leases”) are not recorded on the consolidated balance sheet. The Company recognizes lease expense for these leases on a straight-line basis over the lease term. The Company determines if an arrangement is a lease at inception. All of the Company's leases are operating leases. Operating lease right-of-use (“ROU”) assets and operating lease liabilities are recognized based on the present value of lease payments over the lease term at commencement date. Because most of the Company’s leases do not provide an implicit rate of return, the Company uses its imputed collateralized rate based on the information available at the commencement date in determining the present value of lease payments. Operating lease ROU assets are comprised of the lease liability plus prepaid rents and are reduced by lease incentives or deferred rents. The Company has lease agreements with non-lease components which are not bifurcated. Some of the Company's leases include one or more options to renew, with renewal terms that can extend the lease from one to five years. The exercise of a lease renewal option typically occurs at the discretion of both parties. Certain leases also include options to purchase the leased property at fair value. For purposes of calculating operating lease liabilities, lease terms are deemed not to include options to extend the lease termination until it is reasonably certain that the Company will exercise that option. Certain of the Company’s lease agreements include payments adjusted periodically for inflation based on the consumer price index. The Company’s lease agreements do not contain any material residual value guarantees or material restrictive covenants. Operating lease cost details for the years ended December 31, 2022, 2021, and 2020 are as follows: (In thousands) Building rent Automobile rentals Total net operating lease costs Years Ended December 31, 2022 2021 2020 $ $ 2,117 $ 1,180 3,297 $ 2,564 $ 1,505 4,069 $ 2,978 1,576 4,554 Short-term lease costs and variable lease costs recognized during the years ended December 31, 2022, 2021, and 2020 are immaterial. F-25 Supplemental consolidated balance sheet information related to operating leases as of December 31, 2022 and 2021, is as follows: (In thousands) Leases Assets Operating lease right-of-use assets Liabilities Current Operating lease liabilities Noncurrent Operating lease liabilities Total lease liabilities December 31, 2022 2021 8,022 $ 8,022 $ 9,197 9,197 2,258 $ 2,476 8,442 10,700 $ 10,180 12,656 $ $ $ $ The weighted average remaining lease term for operating leases is 5.7 years. The weighted-average discount rate for operating leases is 5%. Supplemental consolidated cash flow information related to leases is as follows: Years Ended December 31, 2022 2021 2020 (In thousands) Supplemental cash flow and other information related to leases: Operating cash payments from operating leases ROU assets obtained in exchange for new operating lease liabilities $ $ 3,346 $ 3,630 $ 1,172 $ 589 $ 3,835 3,549 Maturities of the Company's operating leases as of December 31, 2022 are as follows: (In thousands) 2023 2024 2025 2026 2027 Later years Less imputed interest Total lease liabilities $ $ 2,743 2,082 1,778 1,698 1,530 2,713 (1,844) 10,700 F-26 Note 12 – Quarterly Results of Operations (unaudited) The quarterly results of operations are summarized in the following select income statement line items (in thousands, except per share data): 2022 Total revenues Gross profit Operating costs Operating income (loss) Provision (benefit) for income taxes Net income (loss) Net income/(loss) per share: Basic Diluted Total revenues Gross profit Operating costs 2021 Operating income (loss) Provision (benefit) for income taxes Net income (loss) Net income/(loss) per share: Basic Diluted Note 13 – Income Taxes First Quarter Second Quarter Third Quarter Fourth Quarter $ 52,447 $ 52,790 $ 57,147 $ 36,678 45,921 (9,243) 1,173 5,214 35,506 43,744 (8,238) 472 (9,350) 38,431 44,056 (5,625) 600 (7,201) 0.13 $ 0.13 $ (0.23) $ (0.23) $ (0.18) $ (0.18) $ 50,775 $ 52,277 $ 52,276 $ 34,242 43,536 (9,294) (501) (9,151) 34,831 43,690 (8,859) (1,143) (6,685) 36,395 38,411 (2,016) (762) (975) (0.23) $ (0.23) $ (0.17) $ (0.17) $ (0.02) $ (0.02) $ $ $ $ $ $ 56,622 37,955 41,964 (4,009) 496 (3,097) (0.08) (0.08) 59,153 37,467 43,426 (5,959) 6,847 (13,773) (0.36) (0.36) Income (loss) before income taxes was generated in the following jurisdictions: (In thousands) U.S. Non-U.S. Total Years Ended December 31, 2022 2021 2020 $ $ (9,569) $ (2,124) (11,693) $ (15,056) $ (11,087) (26,143) $ 1,046 (4,466) (3,420) F-27 For the years ended December 31, 2022, 2021, and 2020, domestic income excludes intercompany dividend income of $0 million, $0 million, and $38.0 million, respectively. The provision (benefit) for income taxes consists of the following: (In thousands) Current: Federal State Foreign Total current Deferred: Federal State Foreign Total deferred Total Years Ended December 31, 2022 2021 2020 $ 122 $ (11) $ 32 1,665 1,819 (349) 35 1,236 922 (23) 2,478 2,444 3,774 (3) (1,774) 1,997 $ 2,741 $ 4,441 $ 1,715 49 1,758 3,522 1,385 (24) (2,848) (1,487) 2,035 For 2022, 2021, and 2020, the Company's U.S. federal statutory rate was 21%. The differences between the income tax provisions computed using the statutory federal income tax rate and the provisions for income taxes reported in the consolidated statements of operations are as follows: (In thousands) Expected tax at statutory rate Foreign taxes at other rates Valuation allowance changes Global intangible low-taxed income inclusion State income taxes, net of federal benefit Uncertain tax positions Research credits Disallowed expenses and other Total Years Ended December 31, 2022 2021 2020 $ (2,456) $ (5,490) $ 3,373 4,370 — (322) (515) (2,568) 859 307 15,019 — (811) 12 (3,466) (1,130) $ 2,741 $ 4,441 $ (718) (309) 2,617 339 32 235 (1,029) 868 2,035 F-28 Significant components of the Company's deferred tax assets and liabilities as of December 31, 2022 and 2021, are as follows: December 31, 2022 2021 (In thousands) Deferred tax assets: Stock and long-term compensation plans Foreign NOL & other carryforwards US and state NOL carryforwards Deferred revenue Pension liability Amortization and depreciation Lease liability Capitalized research and development Accrued expenses and other Total gross deferred tax assets Less: Valuation allowance Net deferred income tax assets Deferred tax liabilities: Accruals Tax on unremitted foreign earnings Right of use asset Intangible assets Tax on credits Contract acquisition costs Deferred tax liabilities Net deferred tax assets Deferred tax assets and liabilities are netted by tax jurisdiction. F-29 $ 923 $ 41,154 5,654 863 498 526 2,641 487 1,427 54,173 (39,177) 14,996 $ 319 $ 1,249 2,531 3,009 3,736 3,448 1,337 38,153 5,539 2,068 1,547 257 3,171 — 1,157 53,229 (34,979) 18,250 231 1,357 2,872 5,225 3,439 2,626 14,292 $ 15,750 704 $ 2,500 $ $ $ $ At December 31, 2022, the Company had foreign and state net operating loss (NOL) carryforwards and other foreign deductible carryforwards as shown in the following table: (In thousands) NOL Carryforward Canada United States United Kingdom Switzerland Other foreign Canada province U.S. states Other Carryforwards United States credit Canada Canada province Capital loss Canada credits Canada province credits Carryforward Expiration $ $ $ $ $ 2034-2039 None None 2028-2029 None 2034-2039 2023-2042 2032 None None None 2025-2042 2036-2042 24,804 17,989 9,569 14,319 5,886 25,502 27,680 125,749 828 47,526 61,657 383 9,809 3,980 124,183 249,932 The valuation allowance against the net deferred tax assets as of December 31, 2022 and 2021 was $39.2 million and $35.0 million, respectively. The Company recorded changes in valuation allowance of $4.4 million and $15.0 million, during the years ended December 31, 2022 and 2021, respectively, against deferred tax assets that, based on the Company's assessment are considered not to be more likely than not to be realized. The increase in the valuation allowance in 2022 reflects Net Operating Losses (“NOLs”), other deduction carryforwards, and credits for which the realization is not more likely than not. The change in valuation allowance also reflects other factors including, but not limited to, changes in the Company's assessment of the ability to use existing deferred tax assets, including NOLs and other deduction carryforwards. The Company assesses the need for a valuation allowance on a regular basis, weighing all positive and negative evidence to determine whether a deferred tax asset will be fully or partially realized. In evaluating the realizability of deferred tax assets, significant pieces of negative evidence such as 3- year cumulative losses are considered. The Company also reviewed reversal patterns of temporary differences to determine if the Company would have sufficient taxable income due to the reversal of temporary differences to support the realization of deferred tax assets. In 2022 and 2021, the Company made the decision to establish a valuation allowance against certain deferred tax assets in jurisdictions that were not previously valued as the deferred tax assets were no longer more likely than not to be realized. The Company continues to maintain a valuation allowance against certain deferred tax assets in other jurisdictions where assets had been previously valued. For all other remaining deferred tax assets, the Company believes it is still more likely than not that the results of future operations or tax planning strategies will generate sufficient taxable income to realize the deferred tax assets. The Company's policy is to record interest and penalties on income taxes as income tax expense, It recorded expense of less than $0.1 million in 2022 and 2021, and $0.1 million during 2020. F-30 ASC 740, Income Taxes sets a “more-likely-than-not” criterion for recognizing the tax benefit of uncertain tax positions. As of December 31, 2022, 2021, and 2020, the Company had reserves of $0 million, $0.5 million, and $0.5 million, respectively. (In thousands) Reserve at beginning of year Increases related to prior year tax positions Decreases related to prior year tax positions Settlement Total 2022 December 31, 2021 2020 $ $ 512 $ 500 $ — (512) — 12 — — — $ 512 $ 2,923 277 (37) (2,663) 500 The Company files income tax returns in the U.S. federal jurisdiction and in many state and foreign jurisdictions, and is subject to examination of its income tax returns by the IRS and other tax authorities. The Company reduced an uncertain tax position in the U.S. upon filing of an accounting method change and receiving audit protection. The Company believes that an adequate provision has been made for any adjustments that may result from tax examinations. However, the outcome of tax audits cannot be predicted with certainty. If any issues addressed in the Company's tax audits are resolved in a manner not consistent with the Company's expectations, there could be a requirement to adjust the provision for income taxes in the period such resolution occurs. Included in the balance of unrecognized tax benefits as of December 31, 2022 is $0, of tax benefits that, if recognized, would affect the effective tax rate. The Company's primary tax jurisdictions and the earliest tax year subject to audit are presented in the following table. Australia Austria Belgium Canada Netherlands Singapore Switzerland United Kingdom United States 2014 2016 2018 2018 2017 2017 2020 2020 2017 Note 14 – Stock Compensation Plans The Company has a share-based compensation plan, the OneSpan Inc. 2019 Omnibus Incentive Plan (“Plan”), under which the Board of Directors may grant share-based awards including restricted stock units (RSUs) and performance restricted stock units (PSUs). The Plan may provide performance incentives to employees and non-employee directors, consultants and other key persons of the Company. The plan is administered by the Compensation Committee as appointed by the Board of Directors and is intended to be a non-qualified plan. As of December 31, 2022, the remaining number of shares allowed to be issued under the Plan was 1.9 million shares of the Company’s common stock, representing 4% of the issued and outstanding shares of the Company as of such date. F-31 The following table details long-term compensation plan and stock-based compensation expense for the years ended December 31, 2022, 2021, and 2020. (In thousands) Stock-based compensation Other long-term incentive plan compensation Total compensation Years Ended December 31, 2022 2021 2020 $ $ 8,642 $ 171 8,813 $ 4,354 $ 848 5,202 $ 4,740 1,262 6,002 Time-Based Restricted Stock Awards (sharecounts in thousands) Non-forfeited time-based restricted stock awards granted to certain executive officers and other employees under the VASCO Data Security International, Inc. 2009 Equity Plan became fully vested during the year ended December 31, 2022. Certain shares became subject to forfeiture when the service requirement was not met. Compensation expense was less than $0.1 million, $0.3 million, and $0.7 million for 2022, 2021, and 2020, respectively. Tax benefit related to the compensation expense was less than $0.1 million, $0.1 million, and $0.2 million for 2022, 2021, and 2020, respectively. The following table summarizes the time-based restricted stock activity for the year ended December 31, 2022. (In thousands) Outstanding at January 1, 2022 Shares vested Shares forfeited Outstanding at December 31, 2022 Weighted- average remaining term (years) Weighted- average grant date fair value Shares 7 (3) (4) — 0.42 $ — $ 16.23 16.17 17.75 — There was no unamortized future compensation expense for time-based restricted stock awards at December 31, 2022. Time-Based Restricted Stock Units (sharecounts in thousands) Under the OneSpan Inc. 2019 Omnibus Incentive Plan, the Company grants certain eligible employees RSUs that settle in Company stock. RSUs granted to non-employee directors vest on the first anniversary date of the grant. Awards granted vest in equal semi-annual installments over one to four years. Shares are subject to forfeiture if the service period is not met. Compensation expense was $6.9 million, $3.7 million, and $2.5 million for 2022, 2021, and 2020, respectively, and the related tax benefit was $0.2 million, $0.1 million, and $0.5 million, respectively. The following table summarizes the time-based restricted stock activity for the year ended December 31, 2022: (In thousands) Unearned, January 1, 2022 Shares vested Shares awarded Shares forfeited Unearned, December 31, 2022 Weighted- average remaining term (years) Weighted- average grant date fair value 3.08 $ 2.95 $ 19.30 17.19 11.97 15.06 12.82 Shares 559 (308) 2,064 (245) 2,070 The unamortized future compensation expense for time-based restricted stock awards was $19.4 million at December 31, 2022. F-32 Performance-Based Restricted Stock Units settled in stock (sharecounts in thousands) Performance-based restricted stock units granted to executive officers and certain other employees were subject to achievement of one to three year performance criteria established by the Board of Directors. Under certain grants, earned shares related to one to three-year targets cliff vest upon fulfillment of the performance criteria and completion of the requisite service period and per recommendation of the Compensation Committee of the OneSpan Inc. Board of Directors (“Compensation Committee”). Shares are subject to forfeiture if the performance criteria and service period are not met. The restricted stock units subject to achievement of future performance criteria awarded during the year ended December 31, 2022 will be earned if the performance criteria and service period are met at the end of the one to three year performance period. Compensation expense in 2022, 2021, and 2020 was $1.6 million, $0.3 million, and $1.1 million. Tax benefit related to the compensation expense was less than $0.1 million, $0.1 million, and $0.2 million for 2022, 2021, and 2020, respectively. The following table summarizes activity related to unvested performance restricted stock shares during 2022: (In thousands) Unearned, January 1, 2022 Shares vested Shares awarded Shares forfeited Unearned, December 31, 2022 Total Unvested Shares Weighted- average remaining term (years) Weighted- average grant date fair value 121 (50) 370 (52) 389 3.29 $ 2.76 $ 17.30 19.88 11.37 13.31 12.60 Unamortized future compensation expense for performance-based restricted stock was $3.1 million at December 31, 2022. Market-Based Restricted Stock Units settled in stock (sharecounts in thousands) Market-based restricted stock units granted to executive officers and certain other employees were subject to achievement of three year market- based performance criteria established by the Board of Directors. Under certain grants, earned shares related to three-year targets cliff vest upon fulfillment of the market-based performance criteria and completion of the three-year period. Shares are subject to forfeiture if the performance criteria and service period are not met. Compensation expense for the years ended December 31, 2022 and 2021 was $0.5 million and less than $0.1 million, respectively, and the related tax benefit was less than $0.1 million and $0 million, respectively. The following table summarizes activity related to unvested market and service restricted stock units settled in stock: (In thousands) Unearned, January 1, 2022 Shares awarded Shares forfeited Unearned, December 31, 2022 Weighted- average remaining term (years) Weighted- average grant date fair value 3.43 $ 3.43 $ 19.06 — — 19.06 Shares 283 — — 283 Unamortized future compensation expense for market-based restricted stock was $2.2 million at December 31, 2022. F-33 Note 15 – Earnings per Common Share (sharecounts in thousands) Basic earnings per share is based on the weighted average number of shares outstanding and excludes the dilutive effect of common stock equivalents. Diluted earnings per share is based on the weighted average number of shares outstanding and includes the dilutive effect of common stock equivalents to the extent they are not anti-dilutive. Because the Company is in a net loss position for the years ended December 31, 2022, 2021 and 2020, diluted net loss per share for these periods exclude the effects of all common stock equivalents, which are anti-dilutive. A reconciliation of the shares included in the basic and fully diluted earnings per share calculations is as follows: (In thousands, except per share data) Net loss Weighted average common shares outstanding: Basic Incremental shares with dilutive effect: Restricted stock awards Diluted Net loss per share: Basic Diluted Note 16 – Employee Benefit Plans U.S. Plan Years Ended December 31, 2022 2021 2020 $ (14,434) $ (30,584) $ (5,455) 40,143 39,614 40,035 — 40,143 — 39,614 $ $ (0.36) $ (0.36) $ (0.77) $ (0.77) $ — 40,035 (0.14) (0.14) The Company maintains a defined contribution pension plan for U.S. employees established pursuant to Section 401(k) of the Internal Revenue Code. The plan allows voluntary employee contributions and discretionary employer contributions. For the years ended December 31, 2022, 2021, and 2020, the Company expensed contributions of $0.3 million, $0.3 million, and $0.3 million, respectively. Non-U.S. Plans The Company is subject to national mandatory pension systems and other compulsory plans,or makes contributions to social pension funds based on local regulations. When the Company's obligation is limited to the payment of the contribution into these plans or funds, the recognition of such liabilities is not required. In addition, the Company has, in some countries, defined benefit plans consisting of final retirement salary and committed pension payments. In Switzerland, the pension plan is a cash balance plan where contributions are expressed as a percentage of the pensionable salary. Contributions to Swiss plans are paid by the employees and the employer. The pension plan guarantees the amount accrued on the members’ savings accounts, as well as a minimum interest on those savings accounts. The plan assets are held in guaranteed investment contracts. The Company also maintains a pension plan for Belgian employees, in compliance with Belgian law. Contributions to Belgium plans are paid by the employees and the employer. Certain features of the plans require them to be categorized as defined benefit plans under ASC 715 due to Belgian social legislation, which prescribes a minimum annual return of 1.8% on employer contributions and 1.8% for employee contributions. The plan assets are held in guaranteed investment contracts. The Company also includes a liability related to obligations to provide retirement benefits to employees who retire from the Company’s French subsidiary, as required by law. Per French regulations, each employee is entitled to a lump F-34 sum payment upon retirement based on years of service and salary at retirement. Benefit rights vest upon the statutory retirement age of 62. The obligation recorded represents the present value of amounts the Company expects to pay. Components of net periodic pension cost included in earnings: (In thousands) Service cost (gross) Interest cost Expected return on plan assets Amortization of unrecognized actuarial gain Net periodic pension cost Years Ended December 31, 2022 2021 2020 $ $ 1,107 $ 1,587 $ 138 (288) (90) 53 (302) (12) 867 $ 1,326 $ 1,549 106 (271) (40) 1,344 The net unfunded status of the Non-U.S. pension plans as of December 31, 2022 and 2021, is as follows: (In thousands) Fair value of plan assets Projected benefit obligation Net unfunded benefit obligation December 31, 2022 2021 $ $ 15,415 $ (17,715) (2,300) $ 17,394 (24,855) (7,461) Net unfunded benefit obligation is recorded as other long-term liabilities in the consolidated balance sheets. The change in the fair value of plan assets is as follows: (In thousands) Fair value of plan assets at January 1 Employee contributions Actual return on plan assets Benefits (paid), net of transfers Employer contributions Foreign exchange adjustment Fair value of plan assets at December 31 F-35 Years Ended December 31, 2022 2021 17,394 $ 17,290 437 (288) (2,361) 911 (678) 499 46 (492) 1,049 (998) 15,415 $ 17,394 $ $ The change in benefit obligations is as follows: (In thousands) Benefit obligations at January 1 Gross service cost Interest cost Employee contributions Actuarial (gains)/losses Benefits (paid), net of transfers Curtailments & settlements Foreign exchange adjustment Benefit obligations at December 31 Years Ended December 31, 2022 2021 $ 24,855 $ 1,107 138 437 (4,676) (2,361) (799) (986) $ 17,715 $ 27,431 1,587 53 499 (2,185) (432) (492) (1,606) 24,855 The decrease in benefit obligations at December 31, 2022 compared to December 31, 2021 was primarily driven by benefits paid, actuarial gains and foreign exchange adjustments, driven by the weakened Euro and Swiss Franc currencies. The decrease in benefit obligations at December 31, 2021 compared to December 31, 2020 was primarily driven by an increase in actuarial gains and the impact of foreign exchange adjustments. The Company's investment policy meets the responsibility under local social legislation and aligns plan assets with liabilities, while minimizing risk. For the years ended December 31, 2022 and 2021, plan assets are invested in guaranteed investment contracts. Fair value of guaranteed investment contracts is surrender value. Fair value for the year ended December 31, 2022 was determined using Level 3 inputs as defined by ASC 820, Fair Value Measurements. Changes in plan assets are attributable to benefit payments and contributions as the Company has not actively traded assets during the years ended December 31, 2022 and 2021. Other The accumulated benefit obligation for the plans were $16.8 million and $22.9 million as of December 31, 2022 and 2021, respectively. The Company expects to pay approximately $1.0 million of contributions over the next twelve months. The amounts reclassified out of other comprehensive income during the years ended December 31, 2022, 2021, and 2020 were not material. Actuarial Assumptions Certain actuarial assumptions such as the discount rate and the long-term rate of return on plan assets have a significant effect on the amounts reported for net periodic cost and the benefit obligation. The assumed discount rates reflect the prevailing market rates of a universe of high-quality, non- callable, corporate bonds currently available that, if the obligation were settled at the measurement date, would provide the necessary future cash flows to pay the benefit obligation when due. In determining the long-term return on plan assets, the Company considers long-term rates of return of comparable low risk investments, such as Euro AA bonds. F-36 The following weighted-average assumptions between all plans were utilized in the pension calculations: Discount rates Inflation Expected return on plan assets Rate of salary increases 2022 - - - - 2.15 1.25 2.00 2.25 3.50 2.20 2.50 3.20 December 31, (%) 0.20 0.90 1.25 1.90 Projected future pension benefits as of December 31, 2022 (in thousands): 2023 2024 2025 2026 2027 Beyond 2021 - - - - $ $ $ $ $ $ 0.90 1.90 2.00 2.80 662 426 643 1,204 474 5,628 Note 17 – Geographic, Customer and Supplier Information The Company classifies sales by customers’ locations in three geographic regions: 1) EMEA, which includes Europe, the Middle East, and Africa; 2) the Americas, which includes sales in North, Central, and South America and Canada; and 3) Asia Pacific, which also includes Australia and New Zealand. (In thousands) 2022 Revenue Gross profit Long-lived assets 2021 Revenue Gross profit Long-lived assets 2020 Revenue Gross profit Long-lived assets Europe, Middle East, Africa (EMEA) Americas Asia Pacific Total $ $ $ 100,298 $ 77,740 $ 40,968 $ 68,040 4,856 52,738 15,270 27,792 577 104,878 $ 68,646 $ 40,957 $ 69,893 5,978 45,747 13,634 27,295 342 117,086 $ 53,171 $ 45,434 $ 78,456 7,482 37,532 14,968 32,071 741 219,006 148,570 20,703 214,481 142,935 19,954 215,691 148,059 23,191 For the years 2022, 2021, and 2020, the top 10 customers contributed 23%, 22% and 21%, respectively, of total worldwide revenue. The majority of the Company's hardware products are assembled by four independent factories in China and one independent factory in Romania. Note 18 – Commitments and Contingencies The Company leases office space and automobiles under operating lease agreements. See Note 11, Leases, for future minimum rental payments required under non-cancelable leases. F-37 At December 31, 2022, the Company has purchase obligations of $24.6 million, including $5.3 million of inventory purchase obligations which are expected to be consummated in the next 12 months, $17.4 million of committed hosting arrangements which will be used in the next one to two years, and $2.0 million for other software agreements related to the administration of the Company's business which range from one to three years. The Company is subject to certain legal proceedings and claims incidental to the operations of its business. The Company is also subject to certain other legal proceedings and claims that have arisen in the ordinary course of business and that have not been fully adjudicated. The Company currently does not anticipate that these matters, if resolved against the Company, will have a material adverse impact on its financial results or financial condition. The Company accrues loss contingencies when losses become probable and are reasonably estimable. If the reasonable estimate of the loss is a range and no amount within the range is a better estimate, the minimum amount of the range is recorded as a liability. As of December 31, 2022, the Company has recorded an accrual of $1.5 million for loss contingencies, which represents the better estimate within the probable range of $1.5 million and $2.0 million, related to all probable losses where a reasonable estimate could be made. The Company does not accrue for contingent losses that, in the judgment of the Company, are considered to be reasonably possible, but not probable. As of December 31, 2022, the Company does not have any reasonably possible losses for which an estimate can be made. Although the Company intends to defend its legal matters vigorously, the ultimate outcome of these matters is uncertain. However, the Company does not expect the potential losses, if any, to have a material adverse impact on its operating results, cash flows, or financial condition. Note 19 – Restructuring and Other Related Charges In December 2021, the Board approved a restructuring plan (“Plan”) designed to advance the Company’s operating model, streamline its business, improve efficiency, and enhance its capital resources. As part of the first phase of the Plan, the Company reduced headcount by eliminating positions in certain areas of its organization. The first phase of the Plan began and was substantially completed during the three months ended March 31, 2022. In May 2022, the Board approved additional actions related to the Plan through the year ending December 31, 2025. This second phase of the Plan consists primarily of headcount-related actions and is designed to achieve the same objectives as the first phase of the Plan. In connection with the Plan, the Company incurred severance, retention pay, and related benefit costs. The Company recorded $9.5 million in “Restructuring and other related charges” in the consolidated statement of operations for the year ended December 31, 2022. Expense of $1.9 million and $5.1 million was recognized in Digital Agreements operating income and Security Solutions operating income, respectively, during the year ended December 31, 2022. In total, there were approximately 100 employees, across multiple functions, whose positions were made redundant. The table below sets forth the changes in the carrying amount of the restructuring charge liability for the year ended December 31, 2022. (In thousands) Balance as of December 31, 2021 Additions Payments Balance as of December 31, 2022 Restructuring Charge Liability — 9,482 (5,886) 3,596 $ $ The $3.6 million restructuring charge liability at December 31, 2022 is included in “Accrued wages and payroll taxes” in the consolidated balance sheet. The liability is entirely comprised of employee costs that are expected to be paid by December 31, 2023. F-38 Note 20 – Related Party Transactions Agreements with Related Parties The Company entered into an agreement to provide e-signature and secure agreement automation services to Cox Automotive in the fourth quarter of 2021. Marianne Johnson is an Executive Vice President and the Chief Product Officer at Cox Automotive. Ms. Johnson has served on the OneSpan Board of Directors since March 2020. The amount of revenue recognized for e-signature and secure agreement automation services during the years ended December 31, 2022 and 2021 was $0.7 million and $0.3 million, respectively, and is included in subscription revenue. The amount receivable as of December 31, 2022 and 2021 was $1 million and $0 million, respectively. The Company purchases subscription SMS services from Twilio, Inc. From February 2015 through August 2022, Marc Boroditsky was the Chief Revenue Officer of Twilio, Inc. Mr. Boroditsky has served on the OneSpan Board of Directors since June 2020. The total amount paid to Twilio, Inc. during the year ended December 31, 2022 was $1.0 million and is included in "Cost of goods sold". The amount payable at December 31, 2022 was $0.2 million. The total amount paid to Twilio, Inc. during the year ended December 31, 2021 was $0.8 million and the amount payable at December 31, 2021 was less than $0.1 million. The Company purchases cloud operations services from Cloudflare Inc. Mr. Boroditsky has served as the President of Revenue at Cloudflare Inc. since November 2022. The total amount paid to Cloudflare Inc. during the year ended December 31, 2022 was $0.2 million and is included in "Cost of goods sold". The amount payable at December 31, 2022 was less than $0.1 million. During the year ended December 31, 2021, the Company paid Cloudflare Inc. $0.1 million, and had no accounts payable due at December 31, 2021. Note 21 – Subsequent Events On February 22, 2023, the Company completed its previously announced acquisition of ProvenDB pursuant to an Asset Purchase Agreement, dated January 26, 2023 (the “Purchase Agreement”), by and between the Company, as purchaser, and Southbank Software Pty Ltd., the seller, for the acquisition of substantially all of the assets and the assumption of designated liabilities of the ProvenDB business. ProvenDB is a developer of secure storage that leverages blockchain technology in order to prevent data tampering or alteration of documents. The technology acquired in the acquisition is expected to provide a foundational architecture for future blockchain-based digital solutions, including secure storage. Pursuant to the Purchase Agreement, the Company agreed to purchase ProvenDB for an aggregate purchase price of $2.0 million, of which $1.8 million was paid upfront, and $0.2 million will be held and paid within 12 months of the acquisition date, to account for potential net working capital adjustments. The Company estimates that most of the purchase price will be allocated to capitalized software development and related technology costs. The Company's consolidated balance sheet as of December 31, 2022 and the Company's consolidated statement of operations and consolidated statement of cash flows for the year ended December 31, 2022 do not reflect the impacts of ProvenDB as the acquisition was completed after the balance sheet date. F-39 SCHEDULE II ONESPAN INC. VALUATION AND QUALIFYING ACCOUNTS Credit losses for trade receivables. Years Ended December 31, 2022 2021 2020 Beginning Balance Provision for Bad Debts Chargeoffs Foreign Currency Translation Ending Balance $ $ $ 1,419 4,135 2,812 (1) 517 (16) 2,306 (334) (2,689) (994) (2) $ (11) $ 11 $ 1,600 1,419 4,135 (1) Includes the $288 impact of the initial ASU No. 2016-13 adoption on January 1, 2020. See accompanying independent auditors’ report. F-40 Pursuant to the requirements of Section 13 or 15(d) of the Securities Exchange Act of 1934, the Registrant has duly caused this Report to be signed on its behalf by the undersigned, thereunto duly authorized February 28, 2023 SIGNATURES OneSpan Inc. /s/ Matthew P. Moynahan Matthew P. Moynahan Chief Executive Officer POWER OF ATTORNEY Each of the undersigned, in his or her capacity as an officer or director, or both, as the case may be, of OneSpan Inc. does hereby appoint Matthew Moynahan and Jorge Martell, and each of them severally, his or her true and lawful attorneys or attorney to execute in his or her name, place and stead, in his or her capacity as director or officer, or both, as the case may be, this Annual Report on Form 10-K for the fiscal year ended December 31, 2022 and any and all amendments thereto and to file the same with all exhibits thereto and other documents in connection therewith with the Securities and Exchange Commission. Each of said attorneys shall have power to act hereunder with or without the other attorney and shall have full power and authority to do and perform in the name and on behalf of each of said directors or officers, or both, as the case may be, every act whatsoever requisite or necessary to be done in the premises, as fully and to all intents and purposes as to which each of said officers or directors, or both, as the case may be, might or could do in person, hereby ratifying and confirming all that said attorneys or attorney may lawfully do or cause to be done by virtue hereof. Pursuant to the requirements of the Securities Exchange Act of 1934, this report has been signed below by the following persons on behalf of the registrant and in the capacities and on the dates indicated. SIGNATURE TITLE /s/ Matthew P. Moynahan Matthew P. Moynahan President and Chief Executive Officer (Principal Executive Officer) /s/ Jorge Martell Jorge Martell /s/ John Bosshart John Bosshart /s/ Alfred Nietzel Alfred Nietzel /s/ Marc D. Boroditsky Marc D. Boroditsky /s/ Garry Capers Garry Capers /s/ Sarika Garg Sarika Garg /s/ Marianne Johnson Marianne Johnson /s/ Michael McConnell Michael McConnell /s/ Marc Zenner Marc Zenner Chief Financial Officer (Principal Financial Officer) Chief Accounting Officer (Principal Accounting Officer) Chairman Director Director Director Director Director Director DATE February 28, 2023 February 28, 2023 February 28, 2023 February 28, 2023 February 28, 2023 February 28, 2023 February 28, 2023 February 28, 2023 February 28, 2023 February 28, 2023 Exhibit 10.1 INDEMNIFICATION AGREEMENT THIS INDEMNIFICATION AGREEMENT (this “Agreement”) is entered into as of the [___] day of [________], by and between OneSpan Inc., a Delaware corporation (the “Company”), and [___________] (“Indemnitee”). RECITALS A. The Company recognizes that competent and experienced persons are increasingly reluctant to serve or to continue to serve as directors or officers of public companies unless they are protected by comprehensive liability insurance, indemnification and advancement of expenses, due to the increased exposure to litigation costs and risks resulting from their service to such companies, and due to the fact that the exposure frequently bears no reasonable relationship to the compensation of such directors and officers. B. The Company and Indemnitee recognize that plaintiffs often seek damages in such large amounts and the costs of litigation may be so enormous (whether or not the case is meritorious), that the defense and/or settlement of such litigation is often beyond the personal resources of directors and officers. C. The Company believes that it is unfair for its directors and officers to assume the risk of large judgments and significant expenses that may occur in cases in which the director or officer received no personal profit and in cases where the director or officer was not culpable. D. the Company. The Company desires to attract and retain the services of highly qualified individuals, such as Indemnitee, to serve E. Indemnitee is a director and/or an officer of the Company and in such capacity is performing valuable services for the Company. F. In order to induce Indemnitee to continue to provide services to the Company, the Company wishes to provide for the indemnification of, and advancement of expenses to, Indemnitee to the maximum extent permitted by law. G. The current By-laws of the Company (the “By-laws”) require indemnification of the directors and officers of the Company, and Indemnitee also may be entitled to indemnification pursuant to the General Corporation Law of the State of Delaware; H. The By-laws expressly provide that the indemnification provisions set forth therein are not exclusive, and thereby contemplate that contracts may be entered into between the Company and members of the Company’s Board of Directors (the “Board”), officers and other persons with respect to indemnification; I. The Board has concluded that, to attract and retain competent and experienced persons to serve as directors and officers of the Company, it is not only reasonable and prudent but necessary to promote the best interests of the Company and its stockholders for the Company to contractually indemnify its directors and certain of its officers in the manner set forth herein, and to assume for itself liability for expenses and damages in connection with claims against such directors and officers in connection with their service to the Company as provided herein. J. This Agreement is a supplement to and in furtherance of the indemnification provided in the By-laws and any resolutions adopted pursuant thereto, and shall not be deemed a substitute therefor, nor to diminish or abrogate any rights of Indemnitee thereunder. 4894-3716-4339v.1 NOW, THEREFORE, in consideration of the foregoing premises and the mutual covenants and agreements set forth below, the Company and Indemnitee, intending to be legally bound, hereby agree as follows: 1. Definitions. For purposes of this Agreement, the following terms shall have the corresponding meanings set forth below. “Claim” means a claim or action asserted by a Person in a Proceeding or any other written demand for relief, in either case in connection with or arising from an Indemnification Event. “Company Action” means a Proceeding in which a Claim has been brought by or in the name of the Company to procure a judgment in its favor. “Corporate Status” describes the status of a Person who is, was or may be deemed to be a director, officer, limited liability company manager, partner, employee, controlling person, agent or fiduciary of any Covered Entity. “Covered Entity” means (i) the Company, (ii) any subsidiary of the Company or (iii) any other Person for which Indemnitee is, was or may be deemed to be serving at the request of the Company, or at the request of any subsidiary of the Company, as a director, officer, employee, controlling person, agent or fiduciary. For purposes of clarification, “serving at the request of the Company” includes any service as a director, officer, limited liability company manager, partner, employee, controlling person, fiduciary or agent with respect to an employee benefit plan, its participants or beneficiaries. “Disinterested Director” means, with respect to any determination contemplated by this Agreement, any Person who, as of the time of such determination, is a member of the Board but is not a party to any Proceeding then pending with respect to any Indemnification Event. “ERISA” means the Employee Retirement Income Security Act of 1974, as amended, or any similar federal statute then in effect. “Exchange Act” means the Securities Exchange Act of 1934, as amended, or any similar federal statute then in effect. “Expenses” means any and all direct and indirect fees, costs, retainers, court costs, transcript costs, expert fees, witness fees, travel expenses, duplicating costs, printing costs, binding costs, telephone charges, postage and delivery service fees, and all other disbursements or expenses of any type or nature whatsoever actually and reasonably incurred by Indemnitee (including, subject to the limitations set forth in Section 3(c) below, reasonable attorneys’ fees) in connection with or arising from an Indemnification Event, including: (i) (ii) Proceeding; the investigation or defense of a Claim; being, or preparing to be, a witness or otherwise participating, or preparing to participate, in any (iii) furnishing, or preparing to furnish, documents in response to a subpoena or otherwise in connection with any Proceeding; 4894-3716-4339v.1 2 security for and other costs relating to any cost bond, supersedeas bond or any other appeal bond or its equivalent); (iv) any appeal of any judgment, outcome or determination in any Proceeding (including any premium, (v) establishing or enforcing any right to indemnification or advancement of expenses under this Agreement (including pursuant to Section 2(c) below), Delaware law or otherwise, regardless of whether Indemnitee is ultimately successful in such action, unless as a part of such action, a court of competent jurisdiction over such action determines that each of the material assertions made by Indemnitee as a basis for such action was not made in good faith or was frivolous; (vi) Indemnitee’s defense of any Proceeding instituted by or in the name of the Company under this Agreement to enforce or interpret any of the terms of this Agreement (including costs and expenses incurred with respect to Indemnitee’s counterclaims and cross-claims made in such action); and (vii) any federal, state, local or foreign taxes imposed on Indemnitee as a result of the actual or deemed receipt of any payments under this Agreement, including all interest, assessments and other charges paid or payable with respect to such payments. For purposes of clarification, Expenses shall not include Losses. “Former Director or Officer” means, with respect to a determination contemplated by this Agreement, a Person who was a member of the Board or an executive officer of the Company but who is no longer serving on the Board or as an executive officer of the Company as of the time of such determination. An “Indemnification Event” shall be deemed to have occurred if Indemnitee was, is or becomes, or is threatened to be made, a party to or witness or other participant in, or was, is or becomes obligated to furnish or furnishes documents in response to a subpoena or otherwise in connection with, any Proceeding by reason of Indemnitee’s Corporate Status, or by reason of any action or inaction on the part of Indemnitee while serving in any such capacity (including rendering any written statement that is a Required Statement or is made to another director, officer, limited liability company manager, partner, employee, controlling person, agent or fiduciary of a Covered Entity to support a Required Statement). “Independent Legal Counsel” means an attorney or firm of attorneys designated by Indemnitee that is acceptable, in their reasonable discretion, to a majority of the Disinterested Directors (or, if there are no Disinterested Directors, the Board) and that is experienced in matters of corporate law and neither presently is, nor in the three years prior to such designation has been, retained to represent (i) the Company or Indemnitee in any matter material to either such party (other than with respect to matters concerning the rights of Indemnitee under this Agreement, or other indemnitees under similar indemnity agreements), or (ii) any other party to the Proceeding giving rise to a claim for indemnification, advancement of Expenses or contribution hereunder. “Losses” means any and all losses, claims, damages, liabilities, judgments, fines, penalties, settlement payments, awards and amounts of any type whatsoever incurred by Indemnitee in connection with or arising from an Indemnification Event. For purposes of clarification, Losses shall not include Expenses. 4894-3716-4339v.1 3 “Organizational Documents” means any and all organizational documents, charters or similar agreements or governing documents, including (i) with respect to a corporation, its certificate (or articles) of incorporation and by-laws, (ii) with respect to a limited liability company, its certificate of formation and operating agreement, and (iii) with respect to a limited partnership, its certificate of partnership and partnership agreement. “Proceeding” means any threatened, pending or completed action, suit, proceeding, arbitration or alternative dispute resolution mechanism, investigation, inquiry, administrative hearing or any other actual, threatened or completed proceeding, whether brought in the right of a Covered Entity or otherwise and whether of a civil (including intentional or unintentional tort claims), criminal, administrative or investigative nature. “Person” means an individual, a partnership, a corporation, a limited liability company, an association, a joint stock company, a trust, a joint venture, an unincorporated organization, any other enterprise or any government, agency or political subdivision thereof. For purposes of clarification, “any other enterprise” includes employee benefit plans and their related trusts. “Required Statement” means a written statement of a Person that is required to be, and is, filed with the SEC regarding the design, adequacy or evaluation of a Covered Entity’s disclosure controls and procedures (as such term is defined in Rules 13a-15(e) and 15d-15(e) under the Exchange Act) or its internal control over financial reporting (as such term is defined in Rules 13a-15(f) and 15d-15(f) under the Exchange Act), or the accuracy, sufficiency or completeness of reports or statements filed by a Covered Entity with the SEC pursuant to federal law and/or administrative regulations, including the certifications contemplated by Sections 302 and 906 of the Sarbanes-Oxley Act of 2002, as amended, or any rule or regulation promulgated pursuant thereto. “Reviewing Party” means, with respect to any determination contemplated by this Agreement, any one of the following: (i) a majority of all Disinterested Directors, even if such Disinterested Directors do not constitute a quorum of the Board; (ii) a committee consisting solely of Disinterested Directors, even if such committee members do not constitute a quorum of the Board, so long as such committee was designated by a majority of all Disinterested Directors; (iii) in the absence of any Disinterested Directors and upon the written consent of Indemnitee, the Company’s stockholders; (iv) Independent Legal Counsel, in which case the applicable determination shall be provided in a written opinion to the Board, with a copy provided to Indemnitee; or (v) if Indemnitee is a Former Director or Officer of the Company at the time of such determination, Independent Legal Counsel “SEC” means the Securities and Exchange Commission. “Securities Act” means the Securities Act of 1933, as amended, or any similar federal statute then in effect. 2. Indemnification. (a) Indemnification of Losses and Expenses. If an Indemnification Event has occurred, then, subject to Section 9 and the other provisions of this Agreement below, the Company shall indemnify and hold harmless Indemnitee, to the fullest extent permitted by law, against any and all Losses and Expenses, but only if Indemnitee acted in good faith and in a 4894-3716-4339v.1 4 manner Indemnitee reasonably believed to be in, or not opposed to, the best interests of the Company, and, with respect to any criminal Proceeding, only if Indemnitee had no reasonable cause to believe Indemnitee’s conduct was unlawful. The termination of any Proceeding by judgment, court order, settlement or conviction, or on plea of nolo contendere or its equivalent, shall not, of itself, create a presumption that Indemnitee (i) did not act in good faith and in a manner which Indemnitee reasonably believed to be in, or not opposed to, the best interests of the Company or (ii) with respect to any criminal Proceeding, had reasonable cause to believe that Indemnitee’s conduct was unlawful. For purposes of clarification, a Person who acted in good faith and in a manner such Person reasonably believed to be in the interest of the participants and beneficiaries of an employee benefit plan and/or related trust shall be deemed to have acted in a manner “not opposed to the best interests of the Company” as referred to in this paragraph. (b) Limitation with Respect to Company Actions. Notwithstanding any other provision of this Agreement to the contrary, the Company shall not indemnify and hold harmless Indemnitee with respect to any Losses (as opposed to Expenses) in connection with or arising from any Company Action. Furthermore, the Company shall not indemnify and hold harmless Indemnitee with respect to any Expenses in connection with or arising from any Company Action as to which Indemnitee shall have been finally adjudged to be liable to the Company in a non-appealable judgment by a court of competent jurisdiction unless, and then only to extent that, any court of competent jurisdiction in which such Company Action was brought shall determine upon application that, despite the adjudication of liability, but in view of all of the circumstances of the case, Indemnitee is fairly and reasonably entitled to indemnification for such Expenses as such court shall deem proper. (c) Advancement of Expenses. To the extent permitted by applicable law and until a determination that Indemnitee is not entitled to be indemnified by the Company under the terms hereof, the Company shall advance Expenses to or on behalf of Indemnitee as soon as practicable, but in any event not later than 30 days after written request therefor by Indemnitee, which request shall be accompanied by vouchers, invoices or similar evidence documenting in reasonable detail the Expenses incurred or to be incurred by Indemnitee. Execution and delivery of this Agreement by the Indemnitee hereby constitutes an undertaking to repay such amounts advanced if, and only to the extent that, it shall ultimately be determined that Indemnitee is not entitled to be indemnified by the Company for such Expenses under this Agreement. Advances shall be unsecured and interest free. Advances shall be made without regard to Indemnitee’s ability to repay such advances. (d) Contribution. If, and to the extent, the indemnification of Indemnitee provided for in Section 2(a) above for any reason is held by a court of competent jurisdiction not to be permissible for liabilities arising under federal securities laws or ERISA, then the Company, in lieu of indemnifying Indemnitee under this Agreement, shall contribute to the amount paid or payable by Indemnitee as a result of such Losses or Expenses (i) in such proportion as is appropriate to reflect the relative benefits received by the Covered Entities and all officers, directors, limited liability company managers, partners, employees, controlling persons, agents or fiduciaries of the Covered Entities other than Indemnitee who are jointly liable with Indemnitee (or would be if joined in such Proceeding), on the one hand, and Indemnitee, on the other hand, or (ii) if the allocation provided by clause (i) above is not permitted by applicable law, in such proportion as is appropriate to reflect not only the relative benefits referred to in clause (i) above but also the relative fault of the Covered Entities and all officers, directors, limited liability company managers, partners, employees, controlling persons, agents or fiduciaries of the Covered Entities other than Indemnitee who are jointly liable with Indemnitee (or would be if joined in such Proceeding), on the one hand, and Indemnitee, on the other hand, in connection with the action or inaction that resulted in such Losses or Expenses, as well as any other relevant equitable considerations. The relative fault of the Covered Entities and all 4894-3716-4339v.1 5 officers, directors, limited liability company managers, partners, employees, controlling persons, agents or fiduciaries of the Covered Entities other than Indemnitee who are jointly liable with Indemnitee (or would be if joined in such Proceeding), on the one hand, and Indemnitee, on the other hand, shall be determined by reference to, among other things, the degree to which their actions were motivated by intent to gain personal profit or advantage, the degree to which their liability is primary or secondary, and the degree to which their conduct is active or passive. Notwithstanding the foregoing, no Person found guilty of fraudulent misrepresentation (within the meaning of Section 11(f) of the Securities Act) shall be entitled to contribution from any Person who was not found guilty of such fraudulent misrepresentation. 3. Indemnification and Advancement of Expenses Procedures. (a) Notice of Indemnification Event. Indemnitee shall give the Company written notice as soon as practicable of any Indemnification Event of which Indemnitee becomes aware and of any request for indemnification or advancement of Expenses hereunder, provided that any failure to so notify the Company shall not relieve the Company of any of its obligations under this Agreement, except if, and then only to the extent that, such failure materially increases the liability of the Company under this Agreement. The written notice will include such documentation and information as is reasonably available to Indemnitee and is reasonably necessary to determine whether and to what extent Indemnitee is entitled to indemnification and/or advancement of Expenses. Promptly upon receipt of any such request for indemnification or advancement of Expenses, the Secretary of the Company shall advise the Board of Directors in writing that Indemnitee has made such request. (b) Notice to Insurers. If, at the time the Company receives notice of an Indemnification Event pursuant to Section 3(a) above, the Company has liability insurance in effect which may cover such Indemnification Event, the Company shall give prompt written notice of such Indemnification Event to the insurers in accordance with the procedures set forth in each of the applicable policies of insurance and provide a copy of each such notice to Indemnitee and to the Chair of the Corporate Governance and Nominating Committee of the Board. The Company shall thereafter take all necessary or desirable action to cause such insurers to pay, on behalf of Indemnitee, all amounts payable as a result of such Indemnification Event in accordance with the terms of such policies; provided that nothing in this Section 3(b) shall affect the Company’s obligations under this Agreement or the Company’s obligations to comply with the provisions of this Agreement in a timely manner as provided. (c) Selection of Counsel. If the Company shall be obligated hereunder to pay or advance Expenses or indemnify Indemnitee with respect to any Losses, the Company shall be entitled to assume the defense of any related Claims, with counsel selected by the Company and reasonably acceptable to Indemnitee, which approval shall not be unreasonably withheld, conditioned or delayed. After the retention of such counsel by the Company and the receipt of any approval required under the preceding sentence, the Company will not be liable to Indemnitee under this Agreement for any fees of counsel subsequently incurred by Indemnitee with respect to the defense of such Claims; provided, however, that: (i) Indemnitee shall have the right to employ counsel in connection with any such Claim at Indemnitee’s expense and (ii) if (A) the employment of counsel by Indemnitee has been previously authorized by the Company with respect to the period after the Company has retained counsel to defend such Claim and such authorization has not been withdrawn, (B) counsel for Indemnitee or counsel for the Company has provided the Company with a written opinion that there is or there is reasonably likely to be a conflict of interest between the Company and Indemnitee on any significant issue in the conduct of any such defense or (C) the Company has ceased its retention of such counsel to defend such Claim, then the fees and expenses of Indemnitee’s counsel shall be at the expense of the Company. The Company shall not be entitled, without the consent of Indemnitee, to assume 4894-3716-4339v.1 6 the defense of any Claim brought by or in the right of the Company or as to which counsel for the Company or counsel for the Indemnitee shall have reasonably made the conclusion provided for in clause (B) in the immediately preceding sentence. 4. Determination of Right to Indemnification. (a) Successful Proceeding. To the extent Indemnitee has been successful, on the merits or otherwise, in defense of any Proceeding referred to in Section 2(a) or 2(b), the Company shall indemnify Indemnitee against Losses and Expenses incurred by Indemnitee in connection therewith, except as limited by such Sections or otherwise by this Agreement. If Indemnitee is not wholly successful in such Proceeding, but is successful, on the merits or otherwise, as to one or more but less than all Claims in such Proceeding, the Company shall indemnify Indemnitee against all Expenses actually or reasonably incurred by Indemnitee in connection with each successfully resolved Claim. (b) Presumption of Success. The Company acknowledges that a settlement or other disposition short of final judgment shall be deemed a successful resolution for purposes of Section 4(a) if it permits a party to avoid expense, delay, distraction, disruption or uncertainty. In the event that any Proceeding to which Indemnitee is a party is resolved in any manner other than by adverse judgment against Indemnitee (including settlement of such Proceeding with or without payment of money or other consideration), it shall be presumed that Indemnitee has been successful on the merits or otherwise in such Proceeding, unless there has been a finding (either adjudicated or pursuant to Section 4(d) below) that Indemnitee (i) did not act in good faith, (ii) did not act in a manner reasonably believed to be in, or not opposed to, the best interests of the Company, or (iii) with respect to any criminal proceeding, had reasonable grounds to believe his conduct was unlawful. Anyone seeking to overcome this presumption shall have the burden of proof and the burden of persuasion, by a preponderance of the evidence. (c) Other Proceedings. To the extent Section 4(a) is inapplicable, the Company shall nevertheless indemnify Indemnitee, unless and to the extent a Reviewing Party chosen pursuant to Section 4(d) determines that Indemnitee has not met the applicable standard of conduct set forth in Section 2(a) or 2(b), as applicable, as a condition to such indemnification. (d) Reviewing Party Determination. If, and to the extent, any applicable law or this Agreement requires the determination that Indemnitee has met the applicable standard of conduct set forth in Section 2(a) or 2(b), as applicable, as a condition to any such indemnification, a Reviewing Party chosen by the Board (which Reviewing Party shall be an Independent Legal Counsel in the event any Former Director or Officer is seeking indemnification hereunder) shall make such determination in writing, subject to the following: (i) A Reviewing Party so chosen shall act in the utmost good faith to assure Indemnitee a complete opportunity to present to such Reviewing Party Indemnitee’s evidence that Indemnitee has met the applicable standard of conduct. (ii) Indemnitee shall be deemed to have acted in good faith if Indemnitee’s action is based on the records or books of account of a Covered Entity, including its financial statements, or on information supplied to Indemnitee by the officers or employees of a Covered Entity in the course of their duties, or on the advice of legal counsel for a Covered Entity or on information or records given, or reports made, to a Covered Entity by an independent certified public accountant or by an appraiser or other expert selected with reasonable care by a Covered Entity, except and to the extent that (A) Indemnitee knew or had reason to know that such records or books of account of a Covered Entity, information supplied by the officers or employees of a Covered Entity, 4894-3716-4339v.1 7 advice of legal counsel or information or records given or reports made by an independent certified public accountant or by an appraiser or other expert were materially false or materially inaccurate, or (B) Indemnitee has not satisfied Indemnitee’s duty of loyalty to the Covered Entity. In addition, the knowledge and/or actions, or failure to act, of any director, officer, limited liability company manager, partner, employee, controlling person, agent or fiduciary of a Covered Entity shall not be imputed to Indemnitee for purposes of determining the right to indemnification under this Agreement. Whether or not the foregoing provisions of this Section 4(d)(ii) are satisfied, it shall in any event be presumed that Indemnitee has at all times acted in good faith and in a manner Indemnitee reasonably believed to be in, or not opposed to, the best interests of the Company. Any Person seeking to overcome this presumption shall have the burden of proof and the burden of persuasion, by a preponderance of the evidence. (iii) If a Reviewing Party chosen pursuant to this Section 4(d) has not made a determination whether Indemnitee is entitled to indemnification within 30 days after being chosen as the Reviewing Party, the requisite determination of entitlement to indemnification shall be deemed to have been made and Indemnitee shall be entitled to such indemnification, absent (A) a misstatement by Indemnitee of a material fact, or an omission of a material fact necessary to make Indemnitee’s statement not materially misleading, in connection with the request for indemnification, or (B) a prohibition of such indemnification under applicable law; provided, however, that such 30-day period may be extended for a reasonable time, not to exceed an additional 30 days, if the Reviewing Party in good faith requires such additional time for obtaining or evaluating documentation and/or information relating thereto; and provided, further, that the foregoing provisions of this Section 4(d)(iii) shall not apply if (I) the determination of entitlement to indemnification is to be made by the stockholders of the Company, (II) a special meeting of stockholders is called by the Board for such purpose within thirty (30) days after the stockholders are chosen as the Reviewing Party, (III) such meeting is held for such purpose within 60 days after having been so called, and (IV) such determination is made thereat. (e) Appeal to Court; Enforcement of Agreement by Indemnitee. (i) Notwithstanding a determination by a Reviewing Party chosen pursuant to Section 4(d) that Indemnitee is not entitled to indemnification with respect to a specific Claim or Proceeding (an “Adverse Determination”), Indemnitee shall have the right to apply to the court in which that Claim or Proceeding is or was pending or any other court of competent jurisdiction for the purpose of enforcing Indemnitee’s right to indemnification pursuant to this Agreement; provided that Indemnitee shall commence any such proceeding seeking to enforce Indemnitee’s right to indemnification within one year following the date upon which Indemnitee is notified in writing by the Company of the Adverse Determination. If a determination shall have been made pursuant to Section 4(d) of this Agreement that Indemnitee is not entitled to indemnification, any judicial proceeding commenced pursuant to this Section 4(d) shall be conducted in all respects as a de novo trial on the merits and Indemnitee shall not be prejudiced by reason of the prior adverse determination. (ii) In the event of any judicial proceeding between the parties concerning their respective rights and obligations hereunder, the Company shall have the burden of proving by a preponderance of the evidence that the Company is not obligated to make the payment or advance claimed by Indemnitee. 4894-3716-4339v.1 8 (iii) If a determination shall have been made pursuant to Section 4(d) of this Agreement that Indemnitee is entitled to indemnification, the Company shall be bound by such determination in any judicial proceeding commenced pursuant to this Section 4(e), absent (i) a misstatement by Indemnitee of a material fact, or an omission of a material fact necessary to make Indemnitee’s statement not materially misleading, in connection with the application for indemnification, or (ii) a prohibition of such indemnification under applicable law. (iv) The Company shall not oppose Indemnitee’s right to seek any judicial adjudication of Indemnitee’s rights under this Agreement. The Company shall be precluded from asserting in any judicial proceeding commenced pursuant to this Section 4 that the procedures and presumptions of this Agreement are not valid, binding and enforceable. The Company agrees that its execution of this Agreement shall constitute a stipulation by which it shall be irrevocably bound in any court of competent jurisdiction in which a proceeding by Indemnitee for enforcement of Indemnitee’s rights hereunder shall have been commenced, continued or appealed, that the Company is bound by all the provisions of this Agreement, that the Company’s obligations set forth in this Agreement are unique and special, and that failure of the Company to comply with the provisions of this Agreement will cause irreparable and irremediable injury to Indemnitee, for which a remedy at law will be inadequate. As a result, in addition to any other right or remedy Indemnitee may have at law or in equity with respect to a breach of this Agreement, Indemnitee shall be entitled to injunctive or mandatory relief directing specific performance by the Company of its obligations under this Agreement. 5. Additional Indemnification Rights; Non-exclusivity. (a) Scope. The Company hereby agrees to indemnify Indemnitee to the fullest extent permitted by law, even if such indemnification is not specifically authorized by the other provisions of this Agreement or any other agreement, the Organizational Documents of any Covered Entity or by applicable law. In the event of any change after the date of this Agreement in any applicable law, statute or rule, that expands the right of a Delaware corporation to indemnify a member of its board of directors or an officer, employee, controlling person, agent or fiduciary, it is the intent of the parties hereto that Indemnitee shall enjoy by this Agreement the greater benefits afforded by such change. In the event of any change in any applicable law, statute or rule that narrows the right of a Delaware corporation to indemnify a member of its board of directors or an officer, employee, controlling person, agent or fiduciary, such change, to the extent not otherwise required by such law, statute or rule to be applied to this Agreement, shall have no effect on this Agreement or the parties rights and obligations hereunder except as set forth in Section 9(c) hereof. (b) Non-exclusivity. The rights to indemnification, contribution and advancement of Expenses provided in this Agreement shall not be deemed exclusive of, but shall be in addition to, any other rights to which Indemnitee may at any time be entitled under the Organizational Documents of any Covered Entity, any other agreement, any vote of stockholders or Disinterested Directors, the laws of the State of Delaware or otherwise. Furthermore, no right or remedy herein conferred is intended to be exclusive of any other right or remedy, and every other right and remedy shall be cumulative and in addition to every other right and remedy given hereunder or now or hereafter existing at law or in equity or otherwise. The assertion of any right or remedy hereunder or otherwise shall not prevent the concurrent assertion of any other right or remedy. The rights to indemnification, contribution and advancement of Expenses provided in this Agreement shall continue as to Indemnitee for any action Indemnitee took or did not take while serving in an indemnified capacity even though Indemnitee may have ceased to serve in such capacity. 4894-3716-4339v.1 9 6. No Duplication of Payments. Notwithstanding anything to the contrary herein, the Company shall not be liable under this Agreement to make any payment of any amount otherwise indemnifiable hereunder, or for which advancement is provided hereunder, if and to the extent Indemnitee has otherwise actually received such payment, whether pursuant to any insurance policy, the Organizational Documents of any Covered Entity or otherwise. 7. Mutual Acknowledgment. Both the Company and Indemnitee acknowledge that, in certain instances, federal law or public policy may override applicable state law and prohibit the Company from indemnifying its directors and officers under this Agreement or otherwise. For example, the Company and Indemnitee acknowledge that the SEC has taken the position that indemnification is not permissible for liabilities arising under certain federal securities laws, and federal legislation prohibits indemnification for certain ERISA violations. Indemnitee understands and acknowledges that the Company has undertaken, or may be required in the future to undertake, with the SEC to submit the question of indemnification to a court in certain circumstances for a determination of the Company’s right under public policy to indemnify Indemnitee, and any right to indemnification hereunder shall be subject to, and conditioned upon, any such required court determination. 8. Liability Insurance. To the extent the Company maintains liability insurance applicable to directors, officers, limited liability company managers, partners, employees, controlling persons, agents or fiduciaries of any Covered Entity, Indemnitee shall be covered by such policy or policies in such a manner as to provide Indemnitee the same rights and benefits as are accorded to the most favorably insured of the Covered Entity’s directors (or limited liability company manager or partner), if Indemnitee is a director (or limited liability company manager or partner) of such Covered Entity, or of the Covered Entity’s officers, if Indemnitee is not a director of such Covered Entity but is an officer of such Covered Entity, or of the Covered Entity’s key employees, controlling persons, agents or fiduciaries, if Indemnitee is not an officer or director but is an employee, controlling person, agent or fiduciary of such Covered Entity, as the case may be. The Company shall advise Indemnitee as to the general terms of, and the amounts of coverage provided by, any liability insurance policy described in this Section 8 and shall promptly notify Indemnitee if, at any time, any such insurance policy will no longer be maintained or the amount of coverage under any such insurance policy will be decreased. 9. Exceptions. Any other provision herein to the contrary notwithstanding, the Company shall not be obligated pursuant to the terms of this Agreement to indemnify Indemnitee: (a) against any Losses or Expenses, or to advance Expenses to Indemnitee, with respect to Claims initiated or brought voluntarily by Indemnitee, and not by way of defense, except (i) Claims to establish or enforce a right to indemnification, contribution or advancement with respect to an Indemnification Event, whether under this Agreement, any other agreement or insurance policy, the Company’s Organizational Documents of any Covered Entity, the laws of the State of Delaware or otherwise, or (ii) if the Board has approved specifically the initiation or bringing of such Claim; (b) against any Losses or Expenses, or to advance Expenses to Indemnitee, with respect to Claims arising (i) with respect to an accounting of profits made from the purchase and sale (or sale and purchase) by Indemnitee of securities of the Company within the meaning of Section 16(b) of the Exchange Act or (ii) pursuant to Section 304 or 306 of the Sarbanes-Oxley Act of 2002, as amended, or any rule or regulation promulgated pursuant thereto; (c) if, and to the extent, that such indemnification is not lawful; 4894-3716-4339v.1 10 (d) for any amounts paid in settlement of any Claim effected without the Company’s prior written consent. The Company shall not settle any Claim in any manner which would impose any fine or obligation on Indemnitee that is not indemnified by the Company hereunder, without Indemnitee’s prior written consent. The Company shall not be liable to indemnify the Indemnitee under this Agreement with regard to any judicial award if the Company was not given a reasonable and timely opportunity, at its expense, to participate in the defense of such action, provided that the Company’s liability hereunder shall not be excused if participation in the Proceeding by the Company was barred by this Agreement; (e) if, and to the extent, that the amounts paid in settlement of any Claim were pursuant to a settlement approved by a court of competent jurisdiction and indemnification would be inconsistent with any condition with respect to indemnification expressly imposed by the court in approving the settlement; (f) against any Losses or Expenses, or to advance Expenses to Indemnitee, with respect to Claims or Proceedings involving the enforcement of non-compete, non-disclosure, non-solicitation and/or clawback, return, forfeiture and/or offset of compensation agreements, or the non-compete, non-disclosure, non-solicitation and/or clawback, return, forfeiture and/or offset provisions of employment, consulting or similar agreements to which Indemnitee may be a party with any Covered Entity. 10. Miscellaneous. (a) Counterparts. This Agreement may be executed in one or more counterparts, each of which when so executed and delivered shall be deemed an original, and such counterparts together shall constitute one instrument. In the event any signature to this Agreement is delivered by facsimile transmission or by email delivery of a “.pdf” format data file, such signature shall create a valid and binding obligation of the party executing (or on whose behalf such signature is executed) with the same force and effect as if such facsimile or “.pdf” signature page were an original thereof. (b) Binding Effect; Successors and Assigns. This Agreement shall be binding upon and inure to the benefit of and be enforceable by the parties hereto and their respective successors and assigns (including with respect to the Company, any direct or indirect successor by purchase, merger, consolidation or otherwise to all or substantially all of the business and/or assets of the Company) and with respect to Indemnitee, his spouse, heirs, and personal and legal representatives. The Company shall require and cause any successor or assign (whether direct or indirect, by purchase, merger, consolidation or otherwise) to all, substantially all, or a substantial part, of the business and/or assets of the Company, to assume and agree to perform this Agreement in the same manner and to the same extent that the Company would be required to perform if no such succession or assignment had taken place. This Agreement shall continue in effect with respect to Claims relating to Indemnification Events regardless of whether Indemnitee continues to serve as a director, officer, limited liability company manager, partner, employee, controlling person, agent or fiduciary of any Covered Entity. (c) Notice. All notices and other communications required or permitted hereunder shall be in writing, shall be effective when given, and shall in any event be deemed to be given (a) five days after deposit with the U.S. Postal Service or other applicable postal service, if delivered by certified mail, postage prepaid, (b) upon delivery, if delivered by hand, (c) one business day after the business day of deposit with Federal Express or similar, nationally recognized overnight courier, freight prepaid, or (d) one business day after delivery by confirmed facsimile transmission, if deliverable by facsimile transmission, with copy by other means 4894-3716-4339v.1 11 permitted hereunder, and addressed, if to Indemnitee, to Indemnitee’s address or facsimile number (as applicable) as set forth beneath Indemnitee’s signature to this Agreement, or, if to the Company, at the address or facsimile number (as applicable) of its principal corporate offices (attention: Secretary), or at such other address or facsimile number (as applicable) as such party may designate to the other parties hereto. (d) Consent to Jurisdiction. Subject to the first sentence of Section 4(e), the Company and Indemnitee each hereby irrevocably consents to the jurisdiction and venue of the courts of the State of Delaware for all purposes in connection with any Proceeding which arises out of or relates to this Agreement and agree that any Proceeding instituted under this Agreement shall be commenced, prosecuted and continued only in the courts of the State of Delaware. THE COMPANY AND INDEMNITEE EACH HEREBY IRREVOCABLY WAIVES ANY AND ALL RIGHTS TO TRIAL BY JURY IN ANY LEGAL PROCEEDING ARISING OUT OF OR RELATED TO THIS AGREEMENT. The Company and Indemnitee each hereby appoints, to the extent such party is not otherwise subject to service of process in the State of Delaware, The Corporation Trust Company, Wilmington, Delaware as its agent in the State of Delaware as such party’s agent for acceptance of legal process in connection with any such action or proceeding against such party with the same legal force and validity as if served upon such party personally within the State of Delaware, and agrees not to plead or to make, any claim that any such action or proceeding brought in the Delaware Court has been brought in an improper or inconvenient forum. (e) Severability. The provisions of this Agreement shall be severable in the event that any of the provisions hereof (including any provision within a single section, paragraph or sentence) are held by a court of competent jurisdiction to be invalid, void or otherwise unenforceable, and the remaining provisions shall remain enforceable to the fullest extent permitted by law. Furthermore, to the fullest extent possible, the provisions of this Agreement (including each portion of this Agreement containing any provision held to be invalid, void or otherwise unenforceable that is not itself invalid, void or unenforceable) shall be construed so as to give effect to the purposes manifested by the provision held invalid, illegal or unenforceable. (f) Choice of Law. This Agreement shall be governed by and its provisions shall be construed and enforced in accordance with, the laws of the State of Delaware, without regard to the conflict of laws principles thereof. (g) Subrogation. In the event of payment under this Agreement, the Company shall be subrogated to the extent of such payment to all of the rights of recovery of Indemnitee who shall execute all documents required and shall do all acts that may be necessary to secure such rights and to enable the Company effectively to bring suit to enforce such rights. (h) Amendment and Termination. No amendment, modification, termination, cancellation, waiver of any provision, of this Agreement shall be effective unless it is in a writing signed by the parties to be bound thereby. Notice of same shall be provided to all parties hereto. No waiver of any of the provisions of this Agreement shall be deemed or shall constitute a waiver of any other provisions hereof (whether or not similar) nor shall such waiver constitute a continuing waiver. giving Indemnitee any right to be retained or continue in the employ or service of any Covered Entity. (i) No Construction as Employment Agreement. Nothing contained in this Agreement shall be construed as 4894-3716-4339v.1 12 (j) Rules of Construction. Unless otherwise expressly stated: (i) references to numbered or lettered sections and subsections refer to sections and subsections of this Agreement unless otherwise expressly stated, (ii) any reference to statutes or laws shall include all amendments, modifications or replacements of the specific sections and provisions concerned, (iii) common nouns and pronouns shall be deemed to refer to the masculine, feminine, neuter, singular and plural, as the identity of the person may in the context require, and (iv) the word “including,” and variations thereof, shall mean “including without limitation.” (k) Code Section 409A Compliance. The Company and Indemnitee intend for this Agreement and the benefits provided herein to be exempt from the application of Section 409A of the Internal Revenue Code of 1986, as amended ("Code Section 409A"), pursuant to Treasury Regulation Section 1.409A-1(b)(10). To the extent that Code Section 409A applies to any payment of Expenses or Losses under this Agreement, the affected payment shall be paid by the Company to Indemnitee when due in accordance with the applicable Agreement provisions; provided, however, that any such payment: (i) shall be made no later than (a) the end of Indemnitee's taxable year following the taxable year in which Indemnitee incurs such Expense or Loss, (b) with respect to taxes, the end of Indemnitee's taxable year following the taxable year in which Indemnitee remits such taxes to the applicable taxing authority, or (c) with respect to interest and penalties incurred by Indemnitee with respect to taxes, the end of Indemnitee's taxable year following the taxable year in which Indemnitee incurs such interest and/or penalties, as applicable; payable or reimbursable by the Company during a subsequent calendar year; and (ii) paid by the Company under the Agreement during one calendar year shall not affect the amount (iii) may not be exchanged or substituted for other payments to Indemnitee. [remainder of page intentionally left blank; signature page follows] 4894-3716-4339v.1 13 SIGNATURE PAGE TO INDEMNIFICATION AGREEMENT In Witness Whereof, the parties hereto have executed this Agreement on and as of the day and year first above written. OneSpan Inc., a Delaware corporation By: _________________________________ Name: Title: INDEMNITEE: Signature: Name: 4894-3716-4339v.1 Exhibit 10.3 Executive Employment Agreement This EMPLOYMENT AGREEMENT (this “Agreement”) is made effective as of June 13, 2022 (the “Effective Date”), by and between OneSpan North America, Inc. (the “Company”), and Lara Mataac (“you”). WHEREAS the Company desires to continue to employ you, and you desire to continue to be employed by the Company, as General Counsel and Chief Compliance Officer, on the terms outlined in this Agreement. NOW, THEREFORE, in consideration of the mutual undertakings of the parties hereto, the Company and you agree as follows: ARTICLE I EMPLOYMENT SERVICES 1.1 Term of Employment. The term of your employment under this Agreement shall commence on the Effective Date and continue until the second anniversary of such date (the “Initial Term”), which shall automatically renew on the second and each following anniversary of the Effective Date for successive one (1) year terms (each, a “Successive Term”) (the Initial Term, together with all Successive Terms, if any, are collectively referred to herein as the “Employment Period”), unless either party provides the other party with written notice at least ninety (90) days prior to the expiration of the Initial Term, or any Successive Term, of its or their intent not to renew the Initial Term, or any Successive Term, respectively. The Employment Period may be terminated earlier under the terms of Article III below. 1.2 Position and Duties. On the terms and subject to the conditions set forth in this Agreement, commencing on the Effective Date and thereafter during the Employment Period, you shall hold the position of General Counsel and Chief Compliance Officer or a similar title and shall report to the Chief Executive Officer. You shall perform such duties and responsibilities as are consistent with your position and as may be reasonably assigned to you from time to time. You shall devote your full business time, attention, skill, and energy to the business and affairs of the Company and shall use your reasonable best efforts to perform such responsibilities in a diligent, loyal, and businesslike manner so as to advance the best interests of the Company. 1.3 Other Activities. Notwithstanding Section 1.2, you shall be permitted to devote a reasonable amount of time and effort to professional, industry, civic and charitable organizations and managing personal investments but only to the extent that such activities, individually or as a whole, do not materially interfere with the execution of your duties hereunder, or otherwise violate any provision of this Agreement or the Company’s Code of Conduct and Ethics (or similar successor document) as in effect from time to time (the “Code of Conduct”). You shall not become involved in the management of any for-profit corporation, partnership, or other for-profit entity, including serving on the board of directors (or similar governing body) of any such entity, without the prior consent of the Chief Executive Officer; provided, however, that this restriction shall not apply to any affiliate of the Company. You agree to serve without additional compensation as an officer and director of any of the Company’s affiliates if requested by the Company. If you do receive any compensation or other remuneration for such service, the Company may offset it against the amounts due hereunder. 1.4 Location. You will perform your services for the Company primarily from your home office, provided that you agree to be reasonably available to travel for business purposes (including to any offices or other premises used by the Company), which may include significant travel, including internationally. 1.5 Compliance with Policies. As an employee of the Company, you will be required to comply with all Company written policies and procedures, including the Code of Conduct. Violations of the Company’s policies may lead to immediate termination of your employment. Further, the Company’s premises, including all workspaces, furniture, documents, and other tangible materials, and all information technology resources of the Company (including computers, data and other electronic files, and all internet and email) are subject to oversight and inspection by the Company at any time. Company employees should have no expectation of privacy with regard to any Company premises, materials, resources, or information. ARTICLE II COMPENSATION 1.1 Base Salary. The Company shall pay you a base salary at a semi-monthly rate of $13,750.00 (annualizing to $330,000) (“Base Salary”), payable in accordance with payroll practices in effect for employees of the Company generally. Base Salary shall be subject to review in accordance with the Company’s normal practice for executive salary review from time to time in effect, and may be increased, but will not be reduced, without your prior consent except for a reduction that is commensurate with and part of a general salary reduction program applicable to all similar level executives of the Company. 1.2 Annual Incentive Compensation. During the Employment Period, you will be eligible to participate in an annual bonus plan or program established from time to time by the Company (the “Annual Bonus Plan”) in accordance with the terms and conditions thereof and on the same basis as other executives of the Company. Subject to and in accordance with the terms of the Annual Bonus Plan, you shall be eligible for a target bonus equal to 50% of your Base Salary. Your annual target bonus for 2022 will be prorated for the period from and including the Effective Date through December 31, 2022. 1.3 Long-Term Incentive Compensation. During the Employment Period, you shall participate in the Company’s equity incentive plan (currently the 2019 Omnibus Incentive Plan) and any successor thereto (as applicable, the “Long-Term Incentive Plan”) in accordance with the terms and conditions thereof and on the same basis as other senior executives of the Company. In connection with the commencement of your employment, the Company will award you the following equity grants under the Long-Term Incentive Plan: a time-based grant (the “Time-Based Grant”) for $300,000 of the Company’s restricted (i) stock units, which will vest in equal semi-annual installments over three years, provided that you remain employed by the Company. 2 a performance-based grant for $300,000 of the Company’s restricted stock units (the (ii) “Performance Grant”), which will be earned based upon the Company’s achievement against 2022 Company metrics established by the Board or a committee of the Board. Any performance- based restricted stock units earned under the Performance Grant will vest on December 31, 2024, provided that you remain employed by the Company. The terms and conditions of the Time-Based Grant and the Performance Grant (together, the “Grants”) shall be governed by the Long-Term Incentive Plan and the applicable award agreements. 1.4 Employee Benefit Plans. You will be eligible to participate on substantially the same basis as the Company’s other executive officers in any other employee benefit plans offered by the Company, currently including medical, dental, short-term and long-term disability, life insurance, and 401(k) savings plan (in each case, subject to the eligibility requirements of such plans). The Company reserves the right to modify, suspend or discontinue any and all of its employee benefit plans, practices, policies, and programs at any time without recourse by you, so long as the Company takes such action generally with respect to other similarly situated senior executive officers. 1.5 Flexible Time-Away Policy. You will participate in the Company’s FlexTime Policy or such successor or replacement program that the Company adopts. 1.6 Business Expenses. The Company will reimburse you for all reasonable and necessary business expenses incurred in the performance of services with the Company, according to Company’s policies and upon your presentation of an itemized written statement and such verification as the Company may require, in a manner that complies with Treasury Regulation Section 1.409A-3(i)(1)(iv). ARTICLE III TERMINATION OF EMPLOYMENT 1.1 Payments on Termination. When your employment ends for any reason, you (or your designated beneficiary, as applicable) will be entitled to receive (in addition to any compensation and benefits you may receive under Section 3.4): (i) any earned but unpaid Base Salary through your termination date, to be paid in accordance with applicable law, (ii) any incentive compensation payment(s) previously approved by the Company’s Board (or a committee of the Board) for the prior calendar year but not yet paid, (iii) unreimbursed business expenses incurred through your termination date in accordance with the Company’s policies for which expenses you have provided or do provide appropriate documentation within the time limits of such policies, to be paid in accordance with Section 409A of the Internal Revenue Code of 1986 (“Section 409A” of the “Code”), and (iv) any amounts or benefits to which you are then entitled under the terms of the benefit plans then sponsored by the Company in accordance with their terms (and not accelerated to the extent acceleration does not satisfy Section 409A). The compensation and other payments described above are the “Accrued Obligations.” 1.2 Cessation of Employment by Resignation without Good Reason or on Death or Disability. If your employment ends because of your resignation without Good Reason or as a result of your death or Disability (as defined below), you will not receive compensation or benefits beyond the Accrued Obligations. 3 1.3 Termination By Company for Cause. The Company may terminate your employment for Cause (as defined below) by giving written notice to you designating an immediate or future termination date. Such notice shall indicate the specific provisions of this Agreement relied upon as the basis of such termination. In the event of a termination for Cause, the Company shall provide the Accrued Obligations but no other compensation, except as may be provided in its discretion under the the applicable Restrictive Covenant Agreement (as defined below). For purposes of this Agreement, “Cause” means: (i) established policy of the Company You materially breach your obligations under this Agreement, the Code of Conduct or an You engage in conduct prohibited by law (other than minor violations), commit an act of (ii) dishonesty, fraud, or serious or willful misconduct in connection with your job duties, or engage in unethical or immoral conduct that, in the reasonable judgment of the Company, could injure the integrity, character or reputation of Company; You fail or refuse to perform, or habitually neglect, your duties and responsibilities (iii) hereunder other than on account of Disability (as defined below), and continue such failure, refusal or neglect after having been given written notice by the Company that specifies what duties you failed to perform and an opportunity to cure of ten days; You use or disclose confidential information or trade secrets other than in the furtherance (iv) of the Company’s (or its subsidiaries’) business interests, or commit another violation of a fiduciary duty to the Company (including entering into any transaction or contractual relationship causing diversion of business opportunity from the Company (other than with the prior written consent of the Board)), or otherwise breach either of the Restrictive Covenant Agreements; or (v) You fail to reasonably cooperate with any audit or investigation involving the Company or its business practices after having been given written notice by the Company that specifies your failure to cooperate and an opportunity to cure of five days. 1.4 Termination By Company Without Cause or Termination by You for Good Reason. The Company may terminate your employment without Cause at any time during the Employment Period by giving written notice to you designating an immediate or future termination date. You may resign from employment during the Employment Period due to: (i) relationship is not a material breach; The Company’s material breach of this Agreement, provided that a change in reporting A reduction in your Base Salary below the Base Salary in effect during the immediately (ii) preceding year, unless such reduction is commensurate with and part of a general salary reduction program 4 applicable to all senior executives of the Company or agreed to in writing by you; (iii) A requirement that you relocate your primary place of work by more than 45 miles (including a requirement that you work primarily at a Company office that is located more than 45 miles from the location of your home office), provided that the travel requirements described in Section 1.4 above will not be treated as a violation of this clause (iii); (iv) Any material diminution of your authority, duties or responsibilities (provided that a diminution in connection with a Change in Control (as defined below) that results in your having authority, duties, or responsibilities with respect to the business represented by the Company that are reasonably comparable to those in effect before the Change in Control shall not be treated as Good Reason); (each of which shall constitute “Good Reason” for resignation) and such resignation shall be treated as a termination by you for Good Reason; provided that, (a) you have provided written notice describing such Good Reason in reasonable detail to the Company within 90 days of the initial occurrence of such Good Reason, (b) the Company failed to cure such Good Reason within 30 days of receipt of such written notice from you, and (c) your resignation occurs within 60 days following the end of the cure period; and provided, further, that in the case of clauses (ii) and (iv), an act or omission shall not constitute Good Reason if you have incurred a Disability (as defined below). Your election to not renew the Initial Term or any Successive Terms pursuant to Section 1.1 shall not be a termination for Good Reason and shall not entitle you to Severance Pay. However, the election by the Company to not renew the Initial Term or any Successive Terms pursuant to Section 1.1 shall be deemed to be a termination without Cause effective as of the termination of the Initial Term or Successive Term as applicable and shall entitle you to Severance Pay as hereinafter provided. In the event of a termination by the Company without Cause or a termination by you for Good Reason, the Company shall provide your Accrued Obligations. In addition, subject to the requirements set forth in Section 3.7, Section 3.8, and Section 3.9, the Company will provide the following compensation and benefits to you (collectively, the “Severance Pay”): (a) An amount equal to 12 months of your then current Base Salary, less applicable withholdings, payable in equal installments on each regularly scheduled payroll pay date during the 12-month period that begins on the first day immediately after the Release Effective Date (as defined in Section 3.7); and (b) and conditions of the Long-Term Incentive Plan and the applicable awards; Awards, if any, under the Long-Term Incentive Plan shall be paid in accordance with the terms (c) employed, payable in full with the first installment of the salary-based severance; and A prorated portion of your target bonus based on the period during the year in which you were (d) premiums as part of your severance benefits until the earliest If you elect to continue health care coverage, the Company will pay your monthly COBRA 5 of (i) 12 months after your last day of employment with the Company; (ii) the date you become eligible for group health insurance coverage through a new employer; or (iii) the date your COBRA continuation coverage would terminate in accordance with the provisions of COBRA. Thereafter, medical, dental and vision insurance coverage shall be continued only to the extent required by COBRA and only to the extent you timely pay the premium payments yourself. Notwithstanding the foregoing, the Company may end the payment of premiums earlier (but not your eligibility for COBRA) if it reasonably determines that applicable laws or regulations are reasonably likely to cause the payment of these premiums to trigger taxes or penalties on the Company or other participants or, to the extent you would be taxed on more than the amount of the premiums, to you. 1.5 Disability. “Disability” means your being unable to perform your duties to the Company as provided in this Agreement (Section 1.2) for a period of at least 120 continuous days as a result of a mental or physical condition. The Company may terminate your employment for Disability during the Employment Period by giving written notice to you designating a termination date that is at least 30 days after the date of the notice of termination if you do not return to work on a substantially full-time basis within 30 days after notice of termination on account of Disability is provided to you. A return to work of less than 30 continuous days on a substantially full-time basis shall not interrupt a continuous period of Disability. 1.6 Change in Control. “Change in Control” has the meaning assigned to such term in the Long- Term Incentive Plan as in effect from time to time. Notwithstanding anything in this Agreement to the contrary, a Change in Control will have occurred only if such change in ownership also constitutes a change in control under Section 409A. If contemporaneous with or within 18 months after a Change in Control that occurred during the Employment Period (a) the Company terminates your employment without Cause or (b) you terminate your employment for Good Reason, then, provided you comply with the requirements set forth in Section 3.7, Section 3.8, and Section 3.9, you will be eligible to receive the benefits set forth in Section 3.4 above, but the installment payment of the salary-based portion of the Severance Pay will be accelerated and paid within 10 days following the Release Effective Date. The treatment of each of the Grants in connection with a Change in Control is set forth in the applicable award agreements. 1.7 Execution of Separation Agreement. As a condition to receiving Severance Pay (whether or not accelerated), you must execute and return to the Company, and not revoke any part of, a general release and waiver of claims against the Company and its officers, directors, stockholders, employees and affiliates with respect to your employment, and other customary terms, on a form provided by the Company on or around your date of employment termination (the “Release”). You must deliver the executed Release within 60 days following your termination (or such shorter period as the Company specifies in providing the Release (which will be provided not more than 15 days after your termination of Employment). The Release will become effective on the date the revocation period of the ADEA Release expires without your revoking the ADEA Release (the “Release Effective Date”). Payment of the Severance Pay will begin (or be made, as applicable) in the first payroll whose cutoff date follows the Release Effective Date, provided that if the 60 day following your termination of employment is in the calendar year subsequent to termination, the payment will not be made earlier than the first business day of such subsequent year unless earlier payment can be made without violation of Section 409A. Any obligation of the Company to th 6 provide the Severance Pay shall cease: (i) if you materially breached or breach your contractual obligations to the Company, including those set forth in Article IV or Article V herein, or in the Release or (ii) if, within 90 days after your termination, the Company discovers facts and circumstances that would have justified a termination for Cause during the Employment Period. 1.8 Timing of Payments; Section 409A. All payments in a series of payments will be treated for purposes of Section 409A as separate payments. Notwithstanding any other provision of this Agreement, in the event of a payment to be made, or a benefit to be provided, pursuant to this Agreement based upon your “separation from service” (as defined below) for a reason other than death at a time when you are a Specified Employee (as defined below) and such payment or provision of such benefit is not exempt or otherwise permitted under Section 409A without the imposition of any Section 409A Penalty (as defined below), such payment shall not be made, and such benefit shall not be provided, before the earlier of the date which is the first day of the seventh month after your separation from service or 30 days after your death or such later date as is required to permit the Company to reasonably determine the recipient(s) of the payments, but no longer than is permitted by Section 409A. All payments or benefits delayed pursuant to this Section 3.8 shall be aggregated into one lump sum payment to be made as of the Company’s first business day following the first day of the seventh month after your separation from service (or if earlier, as of 30 days after your death or such later date as is described above). (a) For purposes of this Agreement: (i) Treas. Reg. 1.409A-1(h); “Separation from service” has the meaning provided under Code Section 409A and “Specified Employee” has the meaning given that term in Code Section 409A and Treas. (ii) Reg. 1.409A-1(c)(i) as determined in accordance with the Company’s policy for determining Specified Employees; and (iii) Section 409A “Section 409A Penalty” means any increase in tax or any other penalty pursuant to (b) be administered, interpreted, and construed in a manner consistent with such intent. This Agreement is intended not to result in the imposition of any Section 409A Penalty and shall (c) appropriate to avoid the imposition of any Section 409A Penalty. You and the Company agree to cooperate to amend this Agreement from time to time as (d) to any Section 409A Penalty. In no event shall the Company be required to provide a tax gross-up payment to you with respect Notwithstanding any provision of this Agreement to the contrary, this Agreement is intended to be (e) exempt from or, in the alternative, comply with Section 409A and the interpretive guidance in effect thereunder, including the exceptions for short-term deferrals, separation pay arrangements, reimbursements, and in-kind distributions. The Agreement shall be construed and interpreted in accordance with such intent. 7 1.9 Excess Parachute Payments; No Excise Tax Gross-Up. Notwithstanding any provision of this Agreement to the contrary, if it is determined by the Company’s independent auditors or its counsel that any amount or benefit to be paid or provided under this Agreement or otherwise, whether or not in connection with a Change in Control, would be an “Excess Parachute Payment” within the meaning of Code Section 280G but for the application of this sentence, then the payments and benefits to be paid or provided under this Agreement or otherwise will be reduced to the minimum extent necessary (but in no event to less than zero under this Agreement) so that no portion of any such payment or benefit, as so reduced, constitutes an Excess Parachute Payment; provided, however, that the foregoing reduction will be made only if and to the extent that such reduction would result in an increase in the aggregate payment and benefits to be provided, determined on an after-tax basis (taking into account the excise tax imposed pursuant to Code Section 4999, any tax imposed by any comparable provision of state law, and any applicable federal, state and local income and employment taxes). The fact that your right to payments or benefits may be reduced by reason of the limitations contained in this Section 3.9 will not of itself limit or otherwise affect any other rights of yours other than pursuant to this Agreement. In the event that any payment or benefit intended to be provided under this Agreement or otherwise is required to be reduced pursuant to this Section 3.9, the Company will effect such reduction by first reducing the lump sum cash payment related to Base Salary (a “Reduction”). In the event that, after such Reduction any payment or benefit intended to be provided under this Agreement or otherwise is still required to be reduced pursuant to this Section 3.9, the Company will effect such reduction by reducing other consideration due to you. 1.10 Removal from any Boards and Positions. If your employment ends for any reason under this Agreement, you agree that you are automatically resigning from (i) if a member, the board of directors of any subsidiary or affiliate of the Company or any other board to which you have been appointed or nominated by or on behalf of the Company, (ii) any position with the Company or any subsidiary of the Company, including as an officer of the Company or any of its subsidiaries, and (iii) any fiduciary positions with respect to the Company’s benefit plans. ARTICLE IV RESTRICTIVE COVENANTS 1.1 Restrictive Covenants. You will be required to execute an Invention and Non-Disclosure Agreement and a Non-Competition and Non-Solicitation Agreement in the forms attached as Exhibit A and Exhibit B, as a condition of your continued employment (together, the “Restrictive Covenant Agreements”). POST-TERMINATION OBLIGATIONS ARTICLE V 1.1 Return of Company Materials. No later than three business days following the cessation of your employment for any reason, you shall return to the Company all manuals, policies, building keys and passes, parking passes, credit cards, telephone lists or directories, equipment and other assets, and any other property owned by, provided by, prepared on behalf of the Company or purchased with the Company’s funds in your possession or control, including any containing or summarizing Company confidential information. You agree that you will return such property without making or keeping any copies of such 8 property. You further agree that, if you discover after such date any other confidential and proprietary information or property owned by, prepared for, purchased by or provided to you by the Companies, you will immediately return such material to the Company. You will leave intact with, or deliver intact to, the Company all electronic Company documents and internal and external websites including those that you developed or helped to develop during your employment, and destroy or delete any copies of all electronic files or hard copies relating to Company that were in your possession or control, including any that were located on any of your personal computers, cell phones, tablets, or external or cloud storage. 1.2 Executive Assistance. During your employment with the Company and for a period of two years after the termination of such employment, you shall, upon reasonable notice, furnish the Company with such information as may be in your possession or control, and cooperate with the Company in any reasonable manner that the Company may request, including conferring with the Company with regard to any litigation, claim, or other dispute in which the Company is or may become a party. Your obligation to cooperate shall be reasonably limited so as not to unreasonably interfere with your other business or personal obligations. The Company shall reimburse you for all reasonable out-of-pocket expenses incurred by you in fulfilling your obligations under this Section 5.2. The Company will make any such reimbursement within 30 days of the date you provide the Company with documentary evidence of such expense consistent with the policies of the Company. The Company will also pay you a reasonable fee per hour for your assistance during the year commencing on the first anniversary of the termination of your employment with the Company. Notwithstanding anything to the contrary, any such reimbursement shall be administered so as to comply with Treasury Regulation Section 1.409A-3(i)(1)(iv). ARTICLE VI MISCELLANEOUS 1.1 Notices. Any notices, consents or other communications required or permitted to be sent or given hereunder shall be in writing and shall be deemed properly served if (a) delivered personally, in which case the date of such notice shall be the date of delivery; (b) delivered prepaid to a nationally recognized overnight courier service, in which case the date of delivery shall be the next business day; or (c) sent by electronic transmission (with a copy sent by first-class mail), in which case the date of delivery shall be the next business day. If not personally delivered, notice shall be sent using the addresses set forth below: If to you, to the last address on file in the records of the Company. If to the Company: OneSpan 121 West Wacker Drive 20th Floor Chicago, IL 60601 Attention: General Counsel or such other address as may hereafter be specified by notice given by either party to the other party. You shall promptly notify the Company of any change in your address set forth on the signature page. 9 1.2 Withholding. The Company may withhold from any payment that it is required to make under this Agreement amounts sufficient to satisfy applicable withholding requirements under any federal, state or local law, as well as any other amounts due and owing to the Company from you. 1.3 Successors and Assigns. This Agreement shall be binding upon and inure to the benefit of the parties hereto and their respective heirs, personal representatives, successors and assigns; provided that you may not assign any of their rights or obligations under this Agreement without the Company’s prior written consent. 1.4 Nonalienation of Benefits. Benefits payable under this Agreement shall not be subject in any manner to anticipation, alienation, sale, transfer, assignment, pledge, encumbrance, charge, garnishment, execution or levy of any kind, either voluntary or involuntary, prior to actually being received by you, and any such attempt to dispose of any right to benefits payable hereunder shall be void. 1.5 Amendment; Waiver. No failure or delay by the Company or you in enforcing or exercising any right or remedy hereunder will operate as a waiver thereof. No modification, amendment or waiver of this Agreement or consent to any departure by you from any of the terms or conditions thereof, will be effective unless in writing and signed by the Company. Any such waiver or consent will be effective only in the specific instance and for the purpose for which given. 1.6 Severability; Survivability. If any term or provision of this Agreement shall be held to be invalid or unenforceable, the remaining terms and provisions hereof shall not be affected thereby and shall be enforced to the fullest extent permitted under law. Your obligations in Articles IV and V shall survive and continue in full force notwithstanding the termination of this Agreement or your employment for any reason. 1.7 Execution in Counterparts. This Agreement may be executed in one or more counterparts, each of which shall be considered an original instrument, but all of which shall be considered one and the same agreement and may be executed by electronic signature. 1.8 Governing Law and Dispute Resolution. This Agreement shall in all respects be subject to, governed by and construed in accordance with the laws of the Commonwealth of Massachusetts without reference to the principles of conflicts of laws thereof. Except as noted below, all disputes arising with respect to your employment relationship, this Agreement, and/or the equity referenced in this letter agreement, including whether the dispute is arbitrable, shall be resolved exclusively through final and binding arbitration in Boston, Massachusetts in accordance with the Employment Rules of the American Arbitration Association then in effect (the “Employment Rules”) and the Federal Arbitration Act, 9 U.S.C. §1 et seq. Neither party will invoke arbitration until after it has given the other party written notice of the dispute and a ten-day period to resolve the dispute. The parties will in good faith attempt to settle any disputes through direct or attorney-led negotiations before participating in an arbitration hearing. Arbitration under this section will require a neutral arbitrator, will permit appropriate and adequate discovery, and will permit the parties to the arbitration to seek relief that would otherwise be available if the matter were brought in an appropriate court with civil jurisdiction over the parties. The Company will pay the entire amount of the arbitration filing fees and related expenses (less any amounts that may be charged to you under the then applicable version of the Employment Rules), including the arbitrator’s fees and costs (but excluding, for the avoidance of doubt, your attorneys’ fees and related costs), for any dispute described in this section, provided that you acknowledge that 10 some or all of the arbitration and arbitrator fees and expenses may be reallocated and charged to you by the arbitrator if a claim or counterclaim was filed by you for purposes of harassment or is patently frivolous (or as otherwise permitted under the Employment Rules). For the avoidance of doubt, this arbitration provision does not apply to any disputes arising under or relating to the Restrictive Covenant Agreements, which shall instead be brought in court and in accordance with the terms thereof. 1.9 Construction. The language used in this Agreement will be deemed to be the language chosen by you and the Company to express their mutual intent, and no rule of strict construction will be applied against you or the Company. The heading in this Agreement is for convenience of reference only and will not limit or otherwise affect the meaning of the provision. References to “including” or similar forms are to be read as “including, without limitation” or similar forms other than where the meaning would not make sense. 1.10 Entire Agreement; Amendments. This Agreement contains the entire understanding of the parties hereto with regard to the subject matter contained herein, and supersedes all prior agreements, understandings or letters of intent (including without limitation the offer letter dated June 13, 2022 between you and the Company) with regard to the subject matter contained herein between the parties hereto. This Agreement shall not be amended, modified or supplemented except by a written instrument signed by each of the parties hereto. [Signature Page to Lara Mataac Employment Agreement] IN WITNESS WHEREOF, each of the parties hereto has duly executed this Employment Agreement. OneSpan North America Inc. /s/ Lara Mataac /s/ Tom Aurelio Signature Tom Aurelio Chief People Officer August 19, 2022 August 19, 2022 11 ONESPAN NORTH AMERICA, INC. INVENTION AND NON-DISCLOSURE AGREEMENT This Invention and Non-Disclosure Agreement (this “Agreement”) is made by and between OneSpan North America, Inc. (hereinafter referred to as the “Company”), and Lara Mataac (“you”). In consideration of your employment or continued employment by the Company, the Company and you agree as follows: 1. Condition of Employment. You acknowledge that your employment and/or the continuance of that employment with the Company is contingent upon your agreement to sign and adhere to the provisions of this Agreement. You further acknowledge that the nature of the Company’s business is such that protection of its proprietary and confidential information is critical to the survival and success of the Company’s business. 2. Proprietary and Confidential Information. (a) You agree that all information and know-how, whether or not in writing, of a private, secret or confidential nature concerning the Company’s business or financial affairs (collectively, “Proprietary Information”) is and shall be the exclusive property of the Company. By way of illustration, but not limitation, Proprietary Information may include discoveries, ideas, inventions, products, product improvements, product enhancements, processes, methods, techniques, negotiation strategies and positions, projects, developments, plans (including business and marketing plans), research data, financial data (including sales costs, profits, pricing methods), personnel data obtained pursuant to your duties and responsibilities, computer programs (including software used pursuant to a license agreement), customer, prospect and supplier lists, and contacts at or knowledge of customers or prospective customers of the Company. Except as otherwise permitted by Section 5 below, you will not disclose any Proprietary Information to any person or entity other than employees of the Company or use the same for any purposes (other than in the performance of your duties as an employee of the Company) without written approval by an officer of the Company, either during or after your employment with the Company, unless and until such Proprietary Information has become public knowledge without your fault; provided that this prohibition does not prevent your use of your general knowledge, education, training and/or experience or generally known or used by persons with the general knowledge, education, training or experience comparable to yours. While employed by the Company, you will use your best efforts to prevent unauthorized publication or disclosure of any of the Company’s Proprietary Information. References to the “Company” in this Agreement include the subsidiaries of, parent of, and companies related to OneSpan North America, Inc. (b) You agree that all files, documents, letters, memoranda, reports, records, data, sketches, drawings, models, laboratory notebooks, program listings, computer equipment or devices, computer programs or other written, photographic, or other tangible or intangible material containing Proprietary Information, whether created by you or others, that come into your custody or possession, shall be and are the exclusive property of the Company to be used by you only in the performance of your duties for the Company and shall not be copied or removed from the Company’s premises except in the pursuit of the business of the Company. All such materials or copies thereof and all tangible property of the Company in your custody 12 or possession shall be delivered to the Company, upon the earlier of (i) a request by the Company or (ii) termination of your employment for any reason, provided that electronic materials on personal devices that are merely copies of originals maintained on the Company’s servers or in other Company records may be permanently deleted rather than returned. After such delivery and/or deletion, you shall not retain any such materials or copies thereof or any such tangible property. (c) You agree that your obligation not to disclose or to use information and materials of the types set forth in Sections 2(a) and 2(b) above, and your obligation to return materials and tangible property, set forth in Section 2(b) above, also extends to such types of information, materials and tangible property of customers of the Company or suppliers to the Company or other third parties who may have disclosed or entrusted the same to the Company or to you in the course of the Company’s business. 3. Developments. (a) You have attached hereto, as Exhibit A, a list describing all discoveries, ideas, inventions, improvements, enhancements, processes, methods, techniques, developments, software, and works of authorship, whether patentable or not, which you created, made, conceived or reduced to practice prior to your employment by the Company and that you own, and that are not assigned to the Company hereunder (collectively, “Prior Developments”); or, if no such list is attached, you represent that there are no Prior Developments. You agree not to incorporate any Prior Developments into any Company product, material, process or service without prior written consent of an officer of the Company. If you do incorporate or have incorporated any Prior Development into any Company product, material, process or service, you hereby grant to the Company a non-exclusive, worldwide, perpetual, transferable, irrevocable, royalty-free, fully-paid right and license to make, have made, use, offer for sale, sell, import, reproduce, modify, prepare derivative works, display, perform, transmit, distribute and otherwise exploit such Prior Development and to practice any method related thereto. (b) You will make full and prompt disclosure to the Company of all discoveries, ideas, inventions, improvements, enhancements, processes, methods, techniques, developments, software, and works of authorship, whether patentable or not, that are created, made, conceived or reduced to practice by you or under your direction or jointly with others during your employment by the Company, whether or not during normal working hours or on the premises of the Company (all of which are collectively referred to in this Agreement as “Developments”). You acknowledge that each original work of authorship that you make (solely or jointly with others) within the scope of and during the period of your employment with the Company and that is protectable by copyright is a “work made for hire,” as that term is defined in the United States Copyright Act. You agree to assign and do hereby assign to the Company (or any person or entity designated by the Company) all your rights, titles and interests in and to all Developments (other than Prior Developments listed on Exhibit A, if any) and all related patents, patent applications, copyrights and copyright applications. However, this Section 3(b) shall not apply to Developments that: (a) by law you cannot be required to so assign; and/or (b) do not relate to the business or research and development conducted or planned to be conducted by the Company at the time such Development is created, made, conceived or reduced to practice and that you made and conceived not during normal working hours, not on the Company’s premises and not using the Company’s tools, devices, equipment or Proprietary Information. You understand that, to the extent this Agreement shall be construed in accordance with the laws of any state that precludes a requirement in an employee agreement to assign certain classes of inventions made by an employee, this 13 Section 3(b) shall be interpreted not to apply to any invention which a court rules and/or the Company agrees falls within such classes. You also hereby waive all claims to moral rights in any Developments. (c) You agree to cooperate with the Company, both during and after your employment with the Company, with respect to the procurement, maintenance and enforcement of copyrights, patents and other intellectual property rights (both in the United States and foreign countries) relating to Developments. You shall sign all papers, including copyright applications, patent applications, declarations, oaths, formal assignments, assignments of priority rights, and powers of attorney, that the Company may deem necessary or desirable to protect its rights and interests in any Development. You further agree that if the Company is unable, after reasonable effort, to secure your signature on any such papers, after prior written notice has been sent to you at the address on the Company’s personnel records, any executive officer of the Company shall be entitled to execute any such papers as your agent and attorney-in-fact, and you hereby irrevocably designate and appoint each executive officer of the Company as your agent and attorney-in-fact to execute any such papers on your behalf, and to take any and all actions as the Company may deem necessary or desirable in order to protect its rights and interests in any Development, under the conditions described in this sentence. 4. Obligations to Third Parties. You represent that, except as you have disclosed in writing to the Company on Exhibit A attached hereto, you are not bound by the terms of any agreement with any other party (aside from standard employee non-disclosure agreements with previous employers) to refrain from using or disclosing any trade secret or confidential or proprietary information in the course of your employment with the Company, to refrain from competing, directly or indirectly, with the business of any previous employer or any other party or to refrain from soliciting employees, customers or suppliers of such previous employer or other party. You further represent that your performance of all the terms of this Agreement and the performance of your duties as an employee of the Company do not and will not conflict with or breach any agreement with any prior employer or other party (including any nondisclosure or non-competition agreement), and that you will not disclose to the Company or induce the Company to use any confidential or proprietary information or material belonging to any previous employer or others. 5. Scope of Disclosure Restrictions. Nothing in this Agreement prohibits you from communicating with government agencies about possible violations of federal, state, or local laws or otherwise providing information to government agencies, filing a complaint with government agencies, or participating in government agency investigations or proceedings. You are not required to notify the Company of any such communications; provided, however, that nothing herein authorizes the disclosure of information you obtained through a communication that was subject to the attorney-client privilege. Further, notwithstanding your confidentiality and nondisclosure obligations, you are hereby advised as follows pursuant to the Defend Trade Secrets Act: “An individual shall not be held criminally or civilly liable under any Federal or State trade secret law for the disclosure of a trade secret that (A) is made (i) in confidence to a Federal, State, or local government official, either directly or indirectly, or to an attorney; and (ii) solely for the purpose of reporting or investigating a suspected violation of law; or (B) is made in a complaint or other document filed in a lawsuit or other proceeding, if such filing is made under seal. An individual who files a lawsuit for retaliation by an employer for reporting a suspected violation of law may disclose the trade secret to the attorney of the individual and use the trade secret information in the 14 court proceeding, if the individual (A) files any document containing the trade secret under seal; and (B) does not disclose the trade secret, except pursuant to court order.” 6. United States Government Obligations. You acknowledge that the Company from time to time may have agreements with other persons or with the United States Government, or agencies thereof, which impose obligations or restrictions on the Company regarding inventions made during the course of work under such agreements or regarding the confidential nature of such work. You agree to be bound by all such obligations and restrictions which are made known to you and to discharge the obligations of the Company under such agreements. 7. Miscellaneous. (a) Equitable Remedies. You acknowledge that the restrictions contained in this Agreement are necessary for the protection of the business and goodwill of the Company, and you consider them to be reasonable for such purpose. You agree that any breach or threatened breach of this Agreement is likely to cause the Company substantial and irrevocable damage that is difficult to measure. Therefore, in the event of any such breach or threatened breach, you agree that the Company, in addition to such other remedies that may be available, shall have the right to obtain an injunction from a court restraining such a breach or threatened breach without posting a bond and the right to specific performance of the provisions of this Agreement and you hereby waive the adequacy of a remedy at law as a defense to such relief. (b) Disclosure of this Agreement. You hereby authorize the Company to notify others, including customers of the Company and any of your future employers or prospective business associates, of the terms and existence of this Agreement and your continuing obligations to the Company hereunder. Not Employment Contract. You acknowledge that this Agreement does not constitute a contract of employment, does not imply that the Company will continue your employment for any period of time and does not change the at-will nature of your employment. (c) (d) Successors and Assigns. This Agreement shall be binding upon and inure to the benefit of both parties and their respective successors and assigns, including any corporation with which, or into which, the Company may be merged or which may succeed to the Company’s assets or business, provided, however, that your obligations are personal and shall not be assigned by you. You expressly consent to be bound by the provisions of this Agreement for the benefit of the Company or any subsidiary or affiliate thereof to whose employ you may be transferred without the necessity that this Agreement be re-signed at the time of such transfer. (e) Severability. In case any provision of this Agreement shall be invalid, illegal or otherwise unenforceable, the validity, legality and enforceability of the remaining provisions shall in no way be affected or impaired thereby. (f) Waivers. No delay or omission by the Company in exercising any right under this Agreement will operate as a waiver of that or any other right. A waiver or consent given by the Company on any one occasion is effective only in that instance and will not be construed as a bar to or waiver of any right on any other occasion. 15 (g) Governing Law. This Agreement shall be governed by and construed in accordance with the laws of the Commonwealth of Massachusetts (without reference to the conflicts of law provisions thereof). Any action, suit, or other legal proceeding that is commenced to resolve any matter arising under or relating to any provision of this Agreement shall be commenced only in a court of the Commonwealth of Massachusetts (or, if appropriate, a federal court located within the Commonwealth of Massachusetts), and the Company and you each consent to the jurisdiction of such a court. (h) Entire Agreement; Amendment. This Agreement supersedes all prior agreements, written or oral, between you and the Company relating to the subject matter of this Agreement (including without limitation your employee confidential information and invention agreement with the Company dated on or about May 15, 2022). This Agreement may not be modified, changed or discharged in whole or in part, except by an agreement in writing signed by you and the Company. You agree that any change or changes in your duties, authority, title, reporting relationship, territory, salary or compensation after the signing of this Agreement shall not affect the validity or scope of this Agreement. limitation” or similar forms other than where the meaning would not make sense. Interpretation. References to “including” or similar forms are to be read as “including, without and in no way define, limit or affect the scope or substance of any section of this Agreement. Captions. The captions of the sections of this Agreement are for convenience of reference only (i) (j) [Remainder of Page Intentionally Left Blank] 16 YOU ACKNOWLEDGE THAT YOU HAVE CAREFULLY READ THIS AGREEMENT AND UNDERSTAND AND AGREE TO ALL OF THE PROVISIONS IN THIS AGREEMENT. Date: August 19, 2022 Date: August 19, 2022 ONESPAN NORTH AMERICA, INC. By: /s/ Tom Aurelio Chief People Officer LARA MATAAC /s/ Lara Mataac 17 NON-COMPETITION AND NON-SOLICITATION AGREEMENT This Non-Competition and Non-Solicitation Agreement (the “Agreement”) is made by and between OneSpan North America, Inc, a Delaware corporation (hereinafter referred to collectively with its parent and subsidiaries as the “Company”), and the undersigned employee (“you”). For good consideration, including your employment by the Company and, with respect to the non-competition restrictions, the additional consideration set forth in Section 1(d), the Company and you agree as follows: 1. Non-Competition. (a) During the Restricted Period (as defined below), you will not, in the Applicable Territory (as defined below), directly or indirectly, whether as an owner, partner, officer, director, employee, consultant, investor, lender or otherwise engage or assist others in engaging in any business or enterprise that is competitive with the Company’s business (consisting, as of the date of this Agreement, of the digital agreements and security solutions business and other businesses as described in the Company’s most recently filed reports with the United States Securities and Exchange Commission), including any business or enterprise that researches, develops, manufactures, markets, licenses, sells or provides any product or service that competes with any product or service researched, developed, manufactured, marketed, licensed, sold or provided, or planned to be researched, developed, manufactured, marketed, licensed, sold or provided by the Company (a “Competitive Company”), if you would be performing job duties or services for the Competitive Company that are of a similar type that you performed for the Company at any time during the last two years of your employment. Notwithstanding the foregoing, you may be the passive holder of less than 2% of the outstanding stock of a publicly-held company. As a senior executive for the Company, you acknowledge and agree that, in the performance of your duties for the Company (including, assisting the Company with its overall business strategy), you are or will be involved in all aspects of the Company’s business and operations. Accordingly, you acknowledge and agree that undertaking any leadership role in a Competitive Company would constitute performing job duties or services of a similar type that you performed for the Company and its affiliates. (b) Certain Definitions. Solely for purposes of this Section 1: i. the “Restricted Period” shall include the duration of your employment with the Company and the 12-month period thereafter; provided, however, that the Restricted Period shall automatically be extended to two years following the cessation of your employment if you breach a fiduciary duty to the Company or you unlawfully take, physically or electronically, any property belonging to the Company. Notwithstanding the foregoing, the Restricted Period shall end immediately upon your last day of employment with the Company if: (x) the Company terminates your employment other than for Cause (as defined below); or (y) the Company notifies you in writing that it is waiving the post-employment restrictions set forth in this Section 1 (such notice to be provided no later than your last day of employment or by the seventh business day following your notice of resignation, if later). ii. “Applicable Territory” shall mean the geographic areas in which you provided services or had a material presence or influence at any time during your last two years of employment. As a senior leader for the Company, you acknowledge that your duties and responsibilities require you to have a material presence and/or influence anywhere that the Company does business. iii. “Cause” shall mean any of (a) your conviction of, or plea of guilty or nolo contendere to, any crime involving dishonesty or moral turpitude, or any felony; or (b) a good faith finding by the Company in its sole discretion that you have (i) engaged in dishonesty, misconduct or gross negligence; (ii) committed an act that injures or would reasonably be expected to injure the reputation, business or business relationships of the Company; (iii) breached the terms of this Agreement or any other restrictive covenant or confidentiality agreement with or policy of the Company; (iv) failed or refused to comply with any of the Company’s policies or procedures and such failure or refusal continues after you have received written notice by the Company that specifies such failure or refusal and a period of 10 days in which to cure such failure or refusal (but only to the extent such failure or refusal is capable of being cured); or (v) failed to perform your duties and/or responsibilities to the Company’s satisfaction. (c) Rules of Professional Conduct. Nothing in this Agreement shall be deemed to limit or waive your professional duties and responsibilities under the Massachusetts Rules of Professional Conduct for Lawyers, including those arising from your service as a lawyer for the Company, its subsidiaries and affiliates and including duties and responsibilities relating to maintaining client confidences, limitations on the use of client information, and prohibitions on conflicts of interest. Nothing in this Agreement is intended to be or shall serve as a restriction in violation of such Rules of Professional Conduct relating to your right to practice. (d) Additional Consideration for Non-Competition Restrictions. In exchange for your compliance with the restrictions set forth in this Section 1, the Company will award you the Time-Based Grant (as defined in the Employment Agreement between you and the Company dated on or about the date hereof). You understand and agree that the foregoing consideration has been mutually agreed upon by the Company and you, is fair and reasonable, and is sufficient consideration in exchange for the restrictions set forth in this Section 1. Non-Solicitation. cessation of such employment for any reason, you will not directly or indirectly: (a) While you are employed by the Company and for a period of 12 months after the termination or (i) Either alone or in association with others, solicit, divert or take away, or attempt to divert or take away, the business or patronage of any of the actual or prospective clients, customers, accounts or business partners of the Company that were contacted, solicited, or served by the Company during your employment with the Company; or (ii) Either alone or in association with others (I) solicit, induce or attempt to induce, any employee or independent contractor of the Company to terminate such individual’s employment or other engagement with the Company, or (II) hire or recruit, or attempt to hire or recruit, or engage or attempt to engage as an independent contractor, any person who was employed or otherwise engaged by the Company at any time during the term of your employment with the Company; provided, that this clause (II) shall not apply to the recruitment or hiring or other engagement of any individual whose employment or other engagement with the Company ended at least six months before the recruitment, hiring, or other engagement. 19 (b) If you violate the provisions of any of the preceding paragraphs of this Section 2, you shall continue to be bound by the restrictions set forth in such paragraph until a period of 12 months has expired without any violation of such provisions. Further, the 12 month post-employment restrictions set forth in this Section 2 shall be extended to two years if you breach a fiduciary duty to the Company or you unlawfully take, physically or electronically, any property belonging to the Company. Notice of New Business Activities. You agree that during any period of time when you are subject to restrictions pursuant to Section 1 or Section 2, you will notify any prospective employer or business associate of the terms and existence of this Agreement and your continuing obligations to the Company hereunder. You also agree to provide the Company with other pertinent information concerning such business activity as the Company may reasonably request to determine your continued compliance with your obligations under this Agreement. You hereby authorize the Company to notify others, including customers of the Company and any of your future employers or prospective business associates, of the terms and existence of this Agreement and your continuing obligations to the Company hereunder. Miscellaneous. (a) Equitable Remedies. You acknowledge that the restrictions contained in this Agreement are necessary for the protection of the business and goodwill of the Company, and you consider them to be reasonable for such purpose. You agree that any breach or threatened breach of this Agreement is likely to cause the Company substantial and irrevocable damage that is difficult to measure. Therefore, in the event of any such breach or threatened breach, you agree that the Company, in addition to such other remedies that may be available, shall have the right to obtain an injunction from a court restraining such a breach or threatened breach without posting a bond and the right to specific performance of the provisions of this Agreement and you hereby waive the adequacy of a remedy at law as a defense to such relief. Additionally, you acknowledge and agree that, while any non-solicitation obligations you may have are essential to the protection of the Company’s legitimate business interests, such interests cannot be adequately protected without the non-competition obligations set forth in Section 1. (b) Obligations to Third Parties. You represent that, except as you have disclosed in writing to the Company, you are not bound by the terms of any agreement with any previous employer or other party to refrain from using or disclosing any trade secret or confidential or proprietary information in the course of your employment with the Company, to refrain from competing, directly or indirectly, with the business of such previous employer or any other party, or to refrain from soliciting employees, customers or suppliers of such previous employer or other party. You further represent that your performance of all the terms of this Agreement and the performance of your duties as an employee of the Company does not and will not conflict with or breach any agreement with any prior employer or other party (including any nondisclosure or non-competition agreement), and that you will not disclose to the Company or induce the Company to use any confidential or proprietary information or material belonging to any previous employer or others. Not Employment Contract. You acknowledge that this Agreement does not constitute a contract of employment, does not imply that the Company will continue your employment for any period of time, and does not change the at-will nature of your employment. (c) 20 (d) Acknowledgments; Waiver. You acknowledge that you have the right to consult with counsel prior to signing this Agreement. You further acknowledge that you were provided this Agreement and given at least ten business days prior to the commencement of your employment to consider whether to enter into this Agreement and that the Agreement is supported by fair and reasonable consideration independent from your employment. You hereby waive any obligation on the part of the Company to provide you with a copy of this agreement on the date of the Company’s initial offer of employment to you. (e) Successors and Assigns. Your obligations under this Agreement are personal and shall not be assigned by you. This Agreement shall, however, be binding upon and inure to the benefit of the Company and its successors and assigns, including any corporation or entity with which or into which the Company may be merged or that may succeed to all or substantially all of its assets or business. You expressly consent to be bound by the provisions of this Agreement for the benefit of any successor or assign of the Company without the necessity that this Agreement be re-signed, in which event “Company” shall be interpreted to include any successor or assign of the Company. (f) Interpretation. If any restriction or definition set forth in Section 1 or Section 2 is found by any court of competent jurisdiction to be unenforceable because it extends for too long a period of time or over too great a range of conduct, activities, or geographic area, it shall be interpreted to extend only over the maximum period of time, range of conduct, activities or geographic area as to which it may be enforceable. References to “including” or similar forms are to be read as “including, without limitation” or similar forms other than where the meaning would not make sense. (g) Severability. In case any provision of this Agreement shall be invalid, illegal or otherwise unenforceable, the validity, legality and enforceability of the remaining provisions shall in no way be affected or impaired thereby. (h) Waivers. No delay or omission by the Company in exercising any right under this Agreement will operate as a waiver of that or any other right. A waiver or consent given by the Company on any one occasion is effective only in that instance and will not be construed as a bar to or waiver of any right on any other occasion. (i) Tax Withholding; Section 409A. Any compensatory payments under or referred to in this Agreement will be subject to all required tax and other withholdings. This Agreement is intended to comply with or be exempt from the provisions of Section 409A of the Internal Revenue Code of 1986, as amended (“Section 409A”) and the Agreement will, to the extent practicable, be construed in accordance therewith. Terms defined in this Agreement will have the meanings given such terms under Section 409A if and to the extent required to comply with Section 409A and a termination of employment will mean a “separation from service” as defined in Section 409A. For purposes of this Agreement, each amount to be paid or benefit to be provided as a series of installment payments will be construed as a separate identified payment for purposes of Section 409A. If and to the extent any portion of any payment, compensation or other benefit provided to you in connection with your separation from service (as defined in Section 409A) is determined to constitute “nonqualified deferred compensation” within the meaning of Section 409A and you are a specified employee as defined in Section 409A(a)(2)(B)(i) of the Code, as determined by the Company in accordance with its procedures, by which determination you hereby agree that you are bound, such portion of the payment, compensation or other benefit will not be paid before the earlier of (i) the day that is six months plus one day after the date of separation from service (as determined under Section 409A) or (ii) as soon as practicable after the date of your death (as applicable, the “New 21 Payment Date”). The aggregate of any payments that otherwise would have been paid to you during the period between the date of separation from service and the New Payment Date will be paid to you in a lump sum in the first payroll period beginning after such New Payment Date (or, with respect to payment after death, as soon as reasonably practicable and within the time limits permitted by Section 409A), and any remaining payments will be paid on their original schedule. In any event, the Company makes no representations or warranty and will have no liability to you or any other person if any provisions of or payments under this Agreement are determined to constitute deferred compensation subject to Section 409A but not to satisfy the conditions of that section. (j) Governing Law and Consent to Jurisdiction. This Agreement shall be governed by and construed in accordance with the laws of the Commonwealth of Massachusetts (without reference to the conflicts of law provisions thereof). Any action, suit, or other legal proceeding that is commenced to resolve any matter arising under or relating to any provision of this Agreement shall be commenced only in a court in Suffolk County, Massachusetts (or, if appropriate, a federal court located within Massachusetts), and the Company and you each consent to the jurisdiction of such courts. The Company and you each hereby irrevocably waive any right to a trial by jury in any action, suit or other legal proceeding arising under or relating to any provision of this Agreement. (k) Entire Agreement; Amendment. This Agreement supersedes all prior agreements, written or oral, between you and the Company relating to the subject matter of this Agreement. This Agreement may not be modified, changed or discharged in whole or in part, except by an agreement in writing signed by you and the Company. You agree that any change or changes in your duties, authority, title, reporting relationship, territory, salary or compensation after the signing of this Agreement shall not affect the validity or scope of this Agreement. and in no way define, limit or affect the scope or substance of any section of this Agreement. (l) Captions. The captions of the sections of this Agreement are for convenience of reference only UNDERSTAND AND AGREE TO ALL OF THE PROVISIONS IN THIS AGREEMENT. YOU ACKNOWLEDGE THAT YOU HAVE CAREFULLY READ THIS AGREEMENT AND 22 Date: August 19, 2022 Date: August 19, 2022 EMPLOYEE /s/ Lara Mataac Name: Lara Mataac ONESPAN NORTH AMERICA, INC. By: /s/ Tom Aurelio Name: Tom Aurelio Title: Chief People Officer 23 Moynahan, Matthew - 2021 Time Based Share Grant Exhibit 10.7 ONE-TIME SPECIAL GRANT AWARD AGREEMENT FOR TIME-BASED RESTRICTED STOCK UNITS UNDER THE ONESPAN INC. 2019 OMNIBUS INCENTIVE PLAN THIS AWARD AGREEMENT FOR RESTRICTED STOCK UNITS (this “Agreement”) is made as of November 29, 2021 (the “Effective Date”), between OneSpan Inc. (the “Company”) and the individual identified on the signature page and Exhibit A hereto (the “Grantee”). WHEREAS, the Company maintains the OneSpan Inc. 2019 Omnibus Incentive Plan (as amended, the “Plan”) for the benefit of its employees, directors, consultants, and other individuals who provide services to the Company; and WHEREAS, to further align the Grantee’s personal financial interests with those of the Company’s stockholders, the Company wishes to award the Grantee restricted stock units with respect to shares of Common Stock (as defined below), subject to the restrictions, terms and conditions contained in the Plan and this Agreement. NOW, THEREFORE, in consideration of these premises and the agreements set forth herein, the parties, intending to be legally bound hereby, agree as follows: 1. Grant of Restricted Stock Units. Pursuant to Article III of the Plan, the Company hereby grants to the Grantee an award of restricted stock units (the “Restricted Stock Units”) with respect to the number of shares of the Company’s common stock, par value of $0.001 per share (the “Common Stock”), as set forth on Exhibit A hereto, subject to the terms and conditions set forth in this Agreement and in the Plan. The terms of the Plan are hereby incorporated into this Agreement by this reference, as though fully set forth herein. Capitalized terms used but not defined in this Agreement have the meanings set forth in the Plan. 2. Vesting of Restricted Stock Units. The Restricted Stock Units will become vested in accordance with this Section 2. Restricted Stock Units will become vested in accordance with the following schedule, provided that on each (a) vesting date, the Grantee has, from the date hereof, continuously provided services to the Company: 25% of the Restricted Stock Units will vest on the first annual anniversary date of the Effective Date; (i) (ii) An additional 25% of the Restricted Stock Units will vest on the second annual anniversary date of the Effective Date; (iii) An additional 25% of the Restricted Stock Units will vest on the third annual anniversary date of the Effective Date; and (iv) The final 25% of the Restricted Stock Units will vest on the fourth annual anniversary date of the Effective Date. (b) If Grantee’s employment with the Company terminates as a result of death or by the Company due to Disability, the Restricted Stock Units that are unvested as of such termination of employment shall become immediately vested. 1 Moynahan, Matthew - 2021 Time Based Share Grant (c) If Grantee’s employment with the Company terminates on or within one year following a Change in Control for reasons other than (i) resignation without Good Reason or (ii) by the Company for Cause, then the Restricted Stock Units that are unvested as of such termination of employment shall become immediately vested. (d) Except as provided in this Agreement, by the Company’s Compensation Committee (the “Committee”) or in any other agreement between the Grantee and the Company or any of its Subsidiaries, upon cessation of the Grantee’s service with the Company for any reason or for no reason (and whether such cessation is initiated by the Company, the Grantee or otherwise): (i) any Restricted Stock Units that have not, prior to such cessation, become vested shall immediately and automatically, without any action on the part of the Company, be forfeited, and (ii) the Grantee shall have no further rights with respect to those Restricted Stock Units (or the underlying shares of Common Stock). For purposes of this Agreement, service with the Company shall be deemed to include service with any (e) Subsidiary of the Company for only so long as such entity remains a Subsidiary. For purposes of this Agreement, “Disability” means a mental or physical impairment of Grantee that is expected (f) to result in death or that has lasted or is expected to last for a continuous period of 12 months or more and that causes Grantee to be unable to perform his or her material duties for the Company and to be engaged in any substantial gainful activity, in each case as determined by the Company’s chief human resources officer or other person performing that function or, in the case of directors and executive officers, the Committee, whose determination shall be conclusive and binding. The determination of Disability for purposes of this Agreement shall not be construed to be an admission of disability for any other purpose. (g) For purposes of this Agreement, “Good Reason” means: The assignment to Grantee of any duties inconsistent in any respect with Grantee’s position (including (i) status, offices, titles and reporting requirements), authority, duties or responsibilities or any other action by the Company or its affiliates that results in a material diminution in such position, authority, duties or responsibilities, excluding for this purpose an isolated, insubstantial and inadvertent action not taken in bad faith; (ii) Any failure by the Company or its affiliates to comply with any provision of any employment agreement entered into between Grantee and the Company or an affiliate other than an isolated, insubstantial and inadvertent failure not occurring in bad faith; (iii) The Company or any of its affiliates requiring Grantee to be based at any office or location other than the office occupied by Grantee as of the date of this Agreement or a reasonably comparable office located within a 40-mile radius of 2 Moynahan, Matthew - 2021 Time Based Share Grant such current office; or (iv) A material adverse change in Grantee’s base salary. provided, however, that a “Good Reason” termination will have occurred only if (1) Grantee terminates his or her employment during the one year following the initial existence of a Good Reason event; (b) Grantee provided notice to Company within 90 days of the initial existence of a Good Reason condition; and (c) the Company failed to cure the Good Reason event within 30 days of such notice from Grantee; provided that these notice and cure periods may extend the termination date beyond one year if the Grantee provides notice within one year following the initial existence of a Good Reason event. Further, the amount, time and form of payment must be substantially identical to the amount, time and form of payments made due to an involuntary termination. (h) For purposes of this Agreement, “Cause” and “Wrongful Act” mean: Grantee materially breaches Grantee’s obligations under any employment, consulting, or other agreement (i) between the Grantee and the Company (each, a “Company Agreement”); (ii) Grantee materially breaches Grantee’s obligations under the Company’s Code of Ethics and Conduct (or any successor thereto) or an established policy of the Company; (iii) Grantee engages in conduct prohibited by law (other than minor violations), commits an act of dishonesty, fraud, or serious or willful misconduct in connection with Grantee’s job duties, or engages in unethical or immoral conduct that, in the reasonable judgment of the Committee, could injure the integrity, character or reputation of Company; (iv) Grantee fails or refuses to perform, or habitually neglects, Grantee’s duties and responsibilities under any Company Agreement (other than on account of Disability), and continues such failure, refusal or neglect after having been given written notice by the Company that specifies what duties Grantee failed to perform and an opportunity to cure of 30 days; (v) Subject to Section 10, use or disclosure by Grantee of confidential information or trade secrets other than in the furtherance of the Company’s (or its Subsidiaries’) business interests, or other violation of a fiduciary duty to the Company (including, without limitation, entering into any transaction or contractual relationship causing diversion of business opportunity from the Company (other than with the prior written consent of the Board)); or (vi) Grantee fails to reasonably cooperate with any audit or investigation involving the Company or its business practices after having been given written notice by the Company that specifies Grantee’s failure to cooperate and an opportunity to cure of ten days. (vii) Any other act or omission on the part of the Grantee that would constitute just cause for termination under applicable law. Delivery of Common Stock Underlying Restricted Stock Units. Within 60 days after the vesting of any Restricted 3. Stock Units (or such later date as may be required to comply with Section 409A of the Internal Revenue Code of 1986, as amended (“Section 409A”)), the 3 Moynahan, Matthew - 2021 Time Based Share Grant Company will issue or deliver, subject to the conditions of this Agreement, the shares of Common Stock in respect of such vested Restricted Stock Units to Grantee. Such issuance or delivery shall be evidenced by the appropriate entry on the books of the Company or of a duly authorized transfer agent of the Company. The Company shall pay all original issue or transfer taxes and all fees and expenses incident to such issuance or delivery, except as otherwise provided herein. Prior to the issuance to Grantee of the shares of Common Stock subject to the Restricted Stock Units, Grantee shall have no direct or secured claim in any specific assets of the Company or in such shares, and will have the status of a general unsecured creditor of the Company. 4. Adjustments. In the event of any equity restructuring (within the meaning of Financial Accounting Standards Board Accounting Standards Codification Topic 718, Compensation— Stock Compensation) that causes the per share value of shares of Common Stock to change, such as a stock dividend, stock split, spinoff, rights offering or recapitalization through an extraordinary dividend, the terms of this Agreement, including the number and class of securities subject hereto, shall be appropriately adjusted by the Committee. In the event of any other change in corporate capitalization, including a merger, consolidation, reorganization, or partial or complete liquidation of the Company, such equitable adjustments described in the foregoing sentence may be made as determined to be appropriate and equitable by the Committee (or, if the Company is not the surviving corporation in any such transaction, the board of directors of the surviving corporation) to prevent dilution or enlargement of rights of the Grantee. The decision of the Committee regarding any such adjustment shall be final, binding and conclusive. 5. Rights as a Stockholder. The Grantee shall have no rights as a stockholder of the Company with respect to the shares of Common Stock subject to the Restricted Stock Units (including the right to vote) until the underlying Common Stock becomes vested pursuant to Section 2 and the Grantee becomes a stockholder of record with respect to such shares, except that the Grantee shall be entitled to receive dividend equivalents related to the Restricted Stock Units equal in amount to the dividends declared on the underlying shares of Common Stock. Dividend equivalent amounts shall accrue and be paid or distributed in cash at the same time the underlying shares of Common Stock are distributed to Grantee in accordance with Section 3. 6. Tax Consequences. (a) The Grantee acknowledges that the Company has not advised the Grantee regarding the Grantee’s income tax liability in connection with the grant or vesting of the Restricted Stock Units, the dividend equivalents contemplated hereunder or the delivery of the Common Stock underlying the Restricted Stock Units. The Grantee has reviewed with the Grantee’s own tax advisors the federal, state, local and foreign tax consequences of this investment and the transactions contemplated by this Agreement. The Grantee is relying solely on such advisors and not on any statements or representations of the Company or any of its agents. The Grantee understands that the Grantee (and not the Company) will be responsible for the Grantee’s own tax liability that may arise as a result 4 Moynahan, Matthew - 2021 Time Based Share Grant of the transactions contemplated by this Agreement. (b) As a condition precedent to the delivery of the shares of Common Stock upon the vesting of the Restricted Stock Units, the Grantee acknowledges and agrees that the Company may be required, under all applicable federal, state, local or other laws or regulations, to withhold and pay over as income or other withholding taxes (the “Required Tax Payments”) with respect to such shares of Common Stock. If the Grantee has not been given permission by the Company to advance the Required Tax Payments in cash, then the Company may, in its discretion, deduct any Required Tax Payments from any amount then or thereafter payable by the Company to the Grantee. (c) The obligation to advance the Required Tax Payments by the Grantee shall by default take place by the Company withholding whole shares of Common Stock which would otherwise be delivered to the Grantee having an aggregate Fair Market Value, determined as of the applicable date, equal to the Required Tax Payments. Shares of Common Stock to be delivered or withheld may not have a Fair Market Value in excess of the minimum amount of the Required Tax Payments. Any fraction of a share of Common Stock which would be required to satisfy any such obligation shall be disregarded and the remaining amount due shall be paid in cash by the Grantee. No certificate representing a share of Common Stock shall be delivered until the Required Tax Payments have been satisfied in full. 7. Nontransferability of Award. The Grantee may not sell, pledge, assign, encumber, hypothecate, gift, transfer, bequeath, devise, donate or otherwise dispose of, in any way or manner whatsoever, whether voluntary or involuntary, any legal or beneficial interest in any of the Restricted Stock Units until the Restricted Stock Units become vested in accordance with Section 2; provided, however, that the restrictions of this Section 7 shall not apply to any transfer (i) pursuant to applicable laws of descent and distribution or (ii) among Grantee’s family group; provided that such restrictions will continue to be applicable to the Restricted Stock Units after any such transfer and the transferees of such Restricted Stock Units have agreed in writing to be bound by the provisions of this Agreement. Grantee’s "family group" means Grantee’s spouse and descendants (whether natural or adopted) and any trust solely for the benefit of Grantee and/or Grantee’s spouse and/or descendants during Grantee’s lifetime. Securities Laws. The Company may from time to time impose any conditions on the Restricted Stock Units or any 8. underlying shares of Common Stock as it deems necessary or advisable to ensure that the Plan satisfies the conditions of Rule 16b-3 adopted under the Securities and Exchange Act of 1934 and otherwise complies with applicable rules and laws. 9. Recoupment of Award. Notwithstanding anything in this Agreement to the contrary, if the Company determines that the Grantee’s Wrongful Act was a significant contributing factor to the Company or a Subsidiary having to restate all or a portion of its financial statements, all outstanding Restricted Stock Units will immediately and automatically be forfeited and the Grantee shall promptly repay to the Company any shares of Common Stock, cash or other property paid in respect of any Restricted Stock Units during the period beginning on the date the financial statements requiring restatement were originally released to the public or submitted to the Securities and Exchange Commission (whichever is earlier) and ending on the date the restated financial statements are filed with the Securities and Exchange Commission. Protected Rights. Grantee understands that nothing contained in this Agreement limits Grantee’s ability to report 10. possible violations of law or regulation to, or file a charge or complaint with, the Securities and Exchange Commission, the Equal Employment Opportunity Commission, the National Labor Relations Board, the Occupational Safety and Health 5 Moynahan, Matthew - 2021 Time Based Share Grant Administration, the Department of Justice, the Congress, any Inspector General, or any other federal, state or local governmental agency or commission (“Government Agencies”). Grantee further understands that this Agreement does not limit Grantee’s ability to communicate with any Government Agencies or otherwise participate in any investigation or proceeding that may be conducted by any Government Agency, including providing documents or other information, without notice to the Company. Nothing in this Agreement shall limit Grantee’s ability under applicable United States federal law to (i) disclose in confidence trade secrets to federal, state, and local government officials, or to an attorney, for the sole purpose of reporting or investigating a suspected violation of law or (ii) disclose trade secrets in a document filed in a lawsuit or other proceeding, but only if the filing is made under seal and protected from public disclosure. 11. Compliance with Section 409A. The Restricted Stock Units are intended to be exempt from or comply with Section 409A, and shall be interpreted and construed accordingly, and each payment hereunder shall be considered a separate payment. To the extent this Agreement provides for the Restricted Stock Units to become vested and be settled upon the Grantee’s termination of employment, the applicable shares of Common Stock shall be transferred to the Grantee or his or her beneficiary upon the Grantee’s “separation from service,” within the meaning of Section 409A. Notwithstanding any other provision in this Agreement, to the extent any payments hereunder constitute nonqualified deferred compensation, within the meaning of Section 409A, then (a) each such payment which is conditioned upon Grantee’s execution of a release of claims and which is to be paid or provided during a designated period that begins in one taxable year and ends in a second taxable year, shall be paid or provided in the later of the two taxable years, and (b) if Grantee is a specified employee (within the meaning of Section 409A) as of the date of Grantee’s separation from service, each such payment that is payable upon Grantee’s separation from service and would have been paid prior to the six- month anniversary of Grantee’s separation from service, shall be delayed until the earlier to occur of (i) the first day of the seventh month following the Grantee’s separation from service or (ii) the date of Grantee’s death. 12. General Provisions. This Agreement and the Plan together represent the entire agreement between the parties with respect to the (a) granting of the Restricted Stock Units and may only be modified or amended in a writing signed by both parties. (b) Any notice, demand or request required or permitted to be given by either the Company or the Grantee pursuant to the terms of this Agreement must be in writing and will be deemed given (i) on the date and at the time delivered via personal, courier or recognized overnight delivery service, (ii) if sent via telecopier on the date and at the time telecopied with confirmation of delivery, (iii) if sent via email or other electronic delivery and receipt is confirmed, on the date and at the time received, or (iv) if mailed, on the date five days after the date of the mailing (which must be by registered or certified mail). Delivery of a notice by telecopy (with confirmation) or by email or other electronic delivery (with confirmation or receipt) will be permitted and will be considered delivery of a notice notwithstanding that it is not an original that is received. Any notice to Grantee under this 6 Moynahan, Matthew - 2021 Time Based Share Grant Agreement will be made to Grantee at the address (or telecopy number, email or other electronic address, as the case may be) listed in the Company’s personnel files. If directed to the Company, any such notice, demand or request will be sent to the Corporate Secretary at the Company’s principal executive office, or to such other address or person as the Company may hereafter specify in writing. (c) The Company may condition delivery of certificates for shares of Common Stock subject to the Restricted Stock Units (or, if the shares are not certificated, the entry in the stock record books of the Company of the transfer to the Grantee of the shares of Common Stock) upon the prior receipt from Grantee of any undertakings which it may determine are required to assure that the certificates are being issued in compliance with federal and state securities laws. (d) The Grantee has received a copy of the Plan, has read the Plan and is familiar with its terms, and hereby accepts the Restricted Stock Units subject to all of the terms and provisions of the Plan, as amended from time to time. Pursuant to the Plan, the Board and the Committee are authorized to interpret the Plan and to adopt rules and regulations not inconsistent with the Plan as they deem appropriate. The Grantee hereby agrees to accept as binding, conclusive and final all decisions or interpretations of the Board or the Committee upon any questions arising under the Plan. (e) Subject to Section 7, neither this Agreement nor any rights or interest hereunder will be assignable by the Grantee, the Grantee’s beneficiaries or legal representatives, and any purported assignment in violation hereof will be null and void. (f) Either party’s failure to enforce any provision or provisions of this Agreement will not in any way be construed as a waiver of any such provision or provisions, nor prevent that party thereafter from enforcing each and every other provision of this Agreement. The rights granted both parties herein are cumulative and will not constitute a waiver of either party’s right to assert all other legal remedies available to it under the circumstances. The grant of Restricted Stock Units hereunder does not confer upon the Grantee any right to continue in service (g) with the Company. This Agreement shall be governed by, and enforced in accordance with, the laws of the State of Delaware, (h) without regard to the application of the principles of conflicts or choice of laws. (i) This Agreement may be executed in one or more counterparts, each of which shall be deemed an original, and all of which together shall be deemed to be one and the same instrument. In the event that any signature to this Agreement is delivered by facsimile transmission or by e- mail delivery of a “.pdf” format data file or picture format data file, such signature shall create a valid and binding obligation of the party executing (or on whose behalf such signature is executed) with the same force and effect as if such electronic facsimile signature page were an original thereof. The parties confirm that it is their wish that this Agreement may be executed by means of electronic signature. The parties hereto have expressly required that this Agreement and any other contract or document relating (j) thereto be drafted in the English language. all other 7 Moynahan, Matthew - 2021 Time Based Share Grant documents, notices and legal proceedings entered into, given or instituted pursuant to the Award, be drawn up in English. If the Grantee has received the Agreement or any other documents related to the Award translated into a language other than English, and if the meaning of the translated version is different than the English version, the English version shall control. [Signature Page Follows] 8 Moynahan, Matthew - 2021 Time Based Share Grant [SIGNATURE PAGE TO AWARD AGREEMENT FOR TIME-BASED RESTRICTED STOCK UNITS] IN WITNESS WHEREOF, the parties have duly executed this Award Agreement intending it to be effective as of the first date written above. ONESPAN INC. By /s/ Steven Worth Name: Steven Worth Its: General Counsel GRANTEE Name: Matthew Moynahan Signature: /s/ Matthew Moynahan CHRO REVIEW Initial: Date: CAO Initial: Date: 9 T.M. December 10, 2021 J.B. December 10, 2021 Moynahan, Matthew - 2021 Time Based Share Grant GRANTEE SPECIFIC INFORMATION: Exhibit A Grantee Matthew Moynahan Grant Date 11/29/2021 Grant Date Price $16.80 Target # of RSU’s 250,000 10 Moynahan, Matthew - 2021 Performance Based Share Grant Exhibit 10.8 ONE-TIME SPECIAL GRANT AWARD AGREEMENT FOR PERFORMANCE-BASED RESTRICTED STOCK UNITS UNDER THE ONESPAN INC. 2019 OMNIBUS INCENTIVE PLAN THIS AWARD AGREEMENT FOR RESTRICTED STOCK UNITS (this “Agreement”) is made as of November 29, 2021 (the “Effective Date”), between OneSpan Inc. (the “Company”) and the individual identified on the signature page and Exhibit A hereto (the “Grantee”). WHEREAS, the Company maintains the OneSpan Inc. 2019 Omnibus Incentive Plan (as amended, the “Plan”) for the benefit of its employees, directors, consultants, and other individuals who provide services to the Company; and WHEREAS, to further align the Grantee’s personal financial interests with those of the Company’s stockholders, the Company wishes to award the Grantee restricted stock units with respect to shares of Common Stock (as defined below), subject to the restrictions, terms and conditions contained in the Plan and this Agreement. NOW, THEREFORE, in consideration of these premises and the agreements set forth herein, the parties, intending to be legally bound hereby, agree as follows: 1. Grant of Restricted Stock Units. Pursuant to Article IV of the Plan, the Company hereby grants to the Grantee an award of restricted stock units (the “Restricted Stock Units”) with respect to the number of shares of the Company’s common stock, par value of $0.001 per share (the “Common Stock”), as set forth on Exhibit A hereto, subject to the terms and conditions set forth in this Agreement and in the Plan. The terms of the Plan are hereby incorporated into this Agreement by this reference, as though fully set forth herein. Capitalized terms used but not defined in this Agreement have the meanings set forth in the Plan. 2. Vesting of Restricted Stock Units. The Restricted Stock Units will become vested in accordance with this Section 2. (a) Performance Period. The number of Restricted Stock Units that are earned (the “Earned RSUs”) shall be determined by the Company’s Compensation Committee (the “Committee”), in its sole and absolute discretion, in accordance with Exhibit A, based upon the Company’s achievement relative to the applicable Performance Targets (as described on Exhibit A) for the Restricted Stock Units (the “Four Year RSUs”) during the period commencing on the November 29, 2021 and ending on November 28, 2025 (the “Performance Period”). In the event of the occurrence of a Change in Control that is a Company Transaction prior to the expiration of the (b) Performance Period and there is a termination of employment as described in Section 2(c) below, any remaining Restricted Stock Units outstanding as of the date of the Change in Control shall be prorated (based on the ratio of (x) the number of days that have elapsed in the Performance Period to (y) the total number of days in the Performance Period) at the target (100%) payout level up to and including the date of such Change in Control (the “Prorated RSUs”) and the Grantee shall be vested in the Prorated RSUs; provided, however, that if the Company Transaction is a sale of assets or otherwise does not result in direct receipt of consideration by the holders of Common Stock, the Grantee shall receive, in exchange for and in lieu of shares of Common Stock in respect of the Prorated RSUs, a cash 1 Moynahan, Matthew - 2021 Performance Based Share Grant payment equal to the product of (1) the value of the deemed per share consideration received by the Company in the Company Transaction, in each case as determined by the Committee, multiplied by (2) the number of shares of Common Stock that would have otherwise been delivered in respect of the Prorated RSUs; provided further, if the Restricted Stock Units constitute “nonqualified deferred compensation” within the meaning of Section 409A of the Internal Revenue Code of 1986, as amended (“Section 409A”), then (A) the Prorated RSUs shall vest but not be settled upon a Change in Control that is a Company Transaction unless such Change in Control constitutes a “change in control event” within the meaning of Section 409A, to the extent required to comply with Section 409A, and (B) if the Change in Control is not a “change in control event” within the meaning of Section 409A, then the Prorated RSUs shall be settled in accordance with the normal vesting schedule applicable to the Restricted Stock Units under this Agreement or, if earlier, the Grantee’s death or termination of employment. (c) In the event of (i) the occurrence of a Change in Control that is a Company Transaction during the Performance Period and (ii) the Grantee’s termination of employment for reasons other than (A) voluntary resignation without Good Reason or (B) termination for Cause, during the one-year period following the Change in Control, the Prorated RSUs shall become vested immediately prior to (and contingent upon) such termination of employment. (d) If the Grantee’s service with the Company ceases by reason of the Grantee’s death or termination by the Company due to Disability prior to the expiration of the Performance Period, 100% of the Restricted Stock Units based upon the target (100%) payout level shall become vested immediately prior to (and contingent on) the occurrence of such death or termination by the Company due to Disability. Notwithstanding the foregoing, a Disability shall not qualify if it is the result of (A) a willfully self-inflicted injury or willfully self- induced sickness; or (B) an injury or disease contracted, suffered, or incurred while participating in a criminal offense. The determination of Disability for purposes of this Agreement shall not be construed to be an admission of disability for any other purpose. Except as provided in this Agreement, by the Company’s Compensation Committee (the “Committee”) or in any (e) other agreement between the Grantee and the Company or any of its Subsidiaries, upon cessation of the Grantee’s service with the Company for any reason or for no reason (and whether such cessation is initiated by the Company, the Grantee or otherwise): (i) any Restricted Stock Units that have not, prior to such cessation, become vested shall immediately and automatically, without any action on the part of the Company, be forfeited, and (ii) the Grantee shall have no further rights with respect to those Restricted Stock Units (or the underlying shares of Common Stock). For purposes of this Agreement, service with the Company shall be deemed to include service with any (f) Subsidiary of the Company for only so long as such entity remains a Subsidiary. (g) For purposes of this Agreement, “Cause” and “Wrongful Act” mean: Grantee materially breaches Grantee’s obligations under any employment, consulting, or other agreement (i) between the Grantee and the Company (each, a “Company Agreement”); (ii) Grantee materially breaches Grantee’s obligations under the Company’s Code of Ethics and Conduct (or any successor thereto) or an established policy of the Company; 2 Moynahan, Matthew - 2021 Performance Based Share Grant (iii) Grantee engages in conduct prohibited by law (other than minor violations), commits an act of dishonesty, fraud, or serious or willful misconduct in connection with Grantee’s job duties, or engages in unethical or immoral conduct that, in the reasonable judgment of the Committee, could injure the integrity, character or reputation of Company; (iv) Grantee fails or refuses to perform, or habitually neglects, Grantee’s duties and responsibilities under any Company Agreement (other than on account of Disability), and continues such failure, refusal or neglect after having been given written notice by the Company that specifies what duties Grantee failed to perform and an opportunity to cure of 30 days; Subject to Section 10, use or disclosure by Grantee of confidential information or trade secrets other than (v) in the furtherance of the Company’s (or its Subsidiaries’) business interests, or other violation of a fiduciary duty to the Company (including, without limitation, entering into any transaction or contractual relationship causing diversion of business opportunity from the Company (other than with the prior written consent of the Board)); or (vi) Grantee fails to reasonably cooperate with any audit or investigation involving the Company or its business practices after having been given written notice by the Company that specifies Grantee’s failure to cooperate and an opportunity to cure of ten days. (h) For purposes of this Agreement, “Disability” means a mental or physical impairment of Grantee that is expected to result in death or that has lasted or is expected to last for a continuous period of 12 months or more and that causes Grantee to be unable to perform his or her material duties for the Company and to be engaged in any substantial gainful activity, in each case as determined by the Company’s chief human resources officer or other person performing that function or, in the case of directors and executive officers, the Committee, whose determination shall be conclusive and binding. (i) For purposes of this Agreement, “Good Reason” means: (i) The assignment to Grantee of any duties inconsistent in any respect with Grantee’s position (including status, offices, titles and reporting requirements), authority, duties or responsibilities or any other action by the Company or its affiliates that results in a material diminution in such position, authority, duties or responsibilities, excluding for this purpose an isolated, insubstantial and inadvertent action not taken in bad faith; (ii) Any failure by the Company or its affiliates to comply with any provision of any employment agreement entered into between Grantee and the Company or an affiliate other than an isolated, insubstantial and inadvertent failure not occurring in bad faith; (iii) The Company or any of its affiliates requiring Grantee to be based at any office or location other than the office occupied by Grantee as of the date of this Agreement or a reasonably comparable office located within a 40-mile radius of such current office; or (iv) A material adverse change in Grantee’s base salary. provided, however, that a “Good Reason” termination will have occurred only if 3 Moynahan, Matthew - 2021 Performance Based Share Grant (1) Grantee terminates his or her employment during the one year following the initial existence of a Good Reason event; (b) Grantee provided notice to Company within 90 days of the initial existence of a Good Reason condition; and (c) the Company failed to cure the Good Reason event within 30 days of such notice from Grantee; provided that these notice and cure periods may extend the termination date beyond one year if the Grantee provides notice within one year following the initial existence of a Good Reason event. Further, the amount, time and form of payment must be substantially identical to the amount, time and form of payments made due to an involuntary termination. 3. Delivery of Common Stock Underlying Restricted Stock Units. Within 60 days after the vesting of any Restricted Stock Units (or such later date as may be required to comply with Section 409A, the Company will issue or deliver, subject to the conditions of this Agreement, the vested shares of Common Stock in respect of such Restricted Stock Units to Grantee. Such issuance or delivery shall be evidenced by the appropriate entry on the books of the Company or of a duly authorized transfer agent of the Company. The Company shall pay all original issue or transfer taxes and all fees and expenses incident to such issuance or delivery, except as otherwise provided herein. Prior to the issuance to Grantee of the shares of Common Stock subject to the Restricted Stock Units, Grantee shall have no direct or secured claim in any specific assets of the Company or in such shares, and will have the status of a general unsecured creditor of the Company. 4. Adjustments. In the event of any equity restructuring (within the meaning of Financial Accounting Standards Board Accounting Standards Codification Topic 718, Compensation— Stock Compensation) that causes the per share value of shares of Common Stock to change, such as a stock dividend, stock split, spinoff, rights offering or recapitalization through an extraordinary dividend, the terms of this Agreement, including the number and class of securities subject hereto, shall be appropriately adjusted by the Committee. In the event of any other change in corporate capitalization, including a merger, consolidation, reorganization, or partial or complete liquidation of the Company, such equitable adjustments described in the foregoing sentence may be made as determined to be appropriate and equitable by the Committee (or, if the Company is not the surviving corporation in any such transaction, the board of directors of the surviving corporation) to prevent dilution or enlargement of rights of the Grantee. The decision of the Committee regarding any such adjustment shall be final, binding and conclusive. 5. Rights as a Stockholder. The Grantee shall have no rights as a stockholder of the Company with respect to the shares of Common Stock subject to the Restricted Stock Units (including the right to vote) until the underlying Common Stock becomes vested pursuant to Section 2 and the Grantee becomes a stockholder of record with respect to such shares, except that the Grantee shall be entitled to receive dividend equivalents related to the Restricted Stock Units equal in amount to the dividends declared on the underlying shares of Common Stock that become vested pursuant to this Agreement. Dividend equivalent amounts shall be paid or distributed in cash at the same time the underlying shares of Common Stock are distributed to Grantee in accordance with Section 3. 6. Tax Consequences. The Grantee acknowledges that the Company has not advised the Grantee regarding the Grantee’s income tax (a) liability in connection with the grant or vesting of the Restricted Stock Units, the dividend equivalents contemplated hereunder or the delivery of the Common Stock underlying the Restricted Stock Units. The Grantee has reviewed with the Grantee’s own tax advisors the federal, state, local and foreign tax consequences of this investment and the transactions contemplated by this Agreement. The Grantee is relying solely on such advisors and not on any statements or representations of the Company or any of its agents. The Grantee understands that the Grantee (and not the 4 Moynahan, Matthew - 2021 Performance Based Share Grant Company) will be responsible for the Grantee’s own tax liability that may arise as a result of the transactions contemplated by this Agreement. (b) As a condition precedent to the delivery of the shares of Common Stock upon the vesting of the Restricted Stock Units, the Grantee acknowledges and agrees that the Company may be required, under all applicable federal, state, local or other laws or regulations, to withhold and pay over as income or other withholding taxes (the “Required Tax Payments”) with respect to such shares of Common Stock. If the Grantee has not been given permission by the Company to advance the Required Tax Payments in cash, then the Company may, in its discretion, deduct any Required Tax Payments from any amount then or thereafter payable by the Company to the Grantee. The obligation to advance the Required Tax Payments by the Grantee shall by default take place by the Company (c) withholding whole shares of Common Stock which would otherwise be delivered to the Grantee having an aggregate Fair Market Value, determined as of the applicable date, equal to the Required Tax Payments. Shares of Common Stock to be delivered or withheld may not have a Fair Market Value in excess of the minimum amount of the Required Tax Payments. Any fraction of a share of Common Stock which would be required to satisfy any such obligation shall be disregarded and the remaining amount due shall be paid in cash by the Grantee. No certificate representing a share of Common Stock shall be delivered until the Required Tax Payments have been satisfied in full. Nontransferability of Award. The Grantee may not sell, pledge, assign, encumber, hypothecate, gift, transfer, bequeath, 7. devise, donate or otherwise dispose of, in any way or manner whatsoever, whether voluntary or involuntary, any legal or beneficial interest in any of the Restricted Stock Units until the Restricted Stock Units become vested in accordance with Section 2; provided, however, that the restrictions of this Section 7 shall not apply to any transfer (i) pursuant to applicable laws of descent and distribution or (ii) among Grantee’s family group; provided that such restrictions will continue to be applicable to the Restricted Stock Units after any such transfer and the transferees of such Restricted Stock Units have agreed in writing to be bound by the provisions of this Agreement. Grantee’s "family group" means Grantee’s spouse and descendants (whether natural or adopted) and any trust solely for the benefit of Grantee and/or Grantee’s spouse and/or descendants during Grantee’s lifetime. 8. Securities Laws. The Company may from time to time impose any conditions on the Restricted Stock Units or any underlying shares of Common Stock as it deems necessary or advisable to ensure that the Plan satisfies the conditions of Rule 16b-3 adopted under the Securities and Exchange Act of 1934 and otherwise complies with applicable rules and laws. Recoupment of Award. Notwithstanding anything in this Agreement to the contrary, if the Company determines that the 9. Grantee’s Wrongful Act was a significant contributing factor to the Company or a Subsidiary having to restate all or a portion of its financial statements, all outstanding Restricted Stock Units will immediately and automatically be forfeited and the Grantee shall promptly repay to the Company any shares of Common Stock, cash or other property paid in respect of any Restricted Stock Units during the period beginning on the date the financial statements requiring restatement were originally released to the public or submitted to the Securities and Exchange Commission (whichever is earlier) and ending on the date the restated financial statements are filed with the Securities and Exchange Commission. 10. Protected Rights. Grantee understands that nothing contained in this Agreement limits Grantee’s ability to report possible violations of law or regulation to, or file a charge or complaint with, the Securities and Exchange Commission, the Equal Employment Opportunity Commission, the National Labor Relations Board, the Occupational Safety and Health Administration, the Department of Justice, the Congress, any Inspector General, or any other 5 Moynahan, Matthew - 2021 Performance Based Share Grant federal, state or local governmental agency or commission (“Government Agencies”). Grantee further understands that this Agreement does not limit Grantee’s ability to communicate with any Government Agencies or otherwise participate in any investigation or proceeding that may be conducted by any Government Agency, including providing documents or other information, without notice to the Company. Nothing in this Agreement shall limit Grantee’s ability under applicable United States federal law to (i) disclose in confidence trade secrets to federal, state, and local government officials, or to an attorney, for the sole purpose of reporting or investigating a suspected violation of law or (ii) disclose trade secrets in a document filed in a lawsuit or other proceeding, but only if the filing is made under seal and protected from public disclosure. 11. Compliance with Section 409A. The Restricted Stock Units are intended to be exempt from or comply with Section 409A, and shall be interpreted and construed accordingly, and each payment hereunder shall be considered a separate payment. To the extent this Agreement provides for the Restricted Stock Units to become vested and be settled upon the Grantee’s termination of employment, the applicable shares of Common Stock shall be transferred to the Grantee or his or 6 Moynahan, Matthew - 2021 Performance Based Share Grant her beneficiary upon the Grantee’s “separation from service,” within the meaning of Section 409A. Notwithstanding any other provision in this Agreement, to the extent any payments hereunder constitute nonqualified deferred compensation, within the meaning of Section 409A, then (a) each such payment which is conditioned upon Grantee’s execution of a release of claims and which is to be paid or provided during a designated period that begins in one taxable year and ends in a second taxable year, shall be paid or provided in the later of the two taxable years, and (b) if Grantee is a specified employee (within the meaning of Section 409A) as of the date of Grantee’s separation from service, each such payment that is payable upon Grantee’s separation from service and would have been paid prior to the six-month anniversary of Grantee’s separation from service, shall be delayed until the earlier to occur of (i) the first day of the seventh month following the Grantee’s separation from service or (ii) the date of Grantee’s death. 12. General Provisions This Agreement and the Plan together represent the entire agreement between the parties with respect to the (a) granting of the Restricted Stock Units and may only be modified or amended in a writing signed by both parties. (b) Any notice, demand or request required or permitted to be given by either the Company or the Grantee pursuant to the terms of this Agreement must be in writing and will be deemed given (i) on the date and at the time delivered via personal, courier or recognized overnight delivery service, (ii) if sent via telecopier on the date and at the time telecopied with confirmation of delivery, (iii) if sent via email or other electronic delivery and receipt is confirmed, on the date and at the time received, or (iv) if mailed, on the date five days after the date of the mailing (which must be by registered or certified mail). Delivery of a notice by telecopy (with confirmation) or by email or other electronic delivery (with confirmation or receipt) will be permitted and will be considered delivery of a notice notwithstanding that it is not an original that is received. Any notice to Grantee under this Agreement will be made to Grantee at the address (or telecopy number, email or other electronic address, as the case may be) listed in the Company’s personnel files. If directed to the Company, any such notice, demand or request will be sent to the Corporate Secretary at the Company’s principal executive office, or such other address or person as the Company may hereafter specify in writing. The Company may condition delivery of certificates for shares of Common Stock subject to the Restricted Stock (c) Units (or, if the shares are not certificated, the entry in the stock record books of the Company of the transfer to the Grantee of the shares of Common Stock) upon the prior receipt from Grantee of any undertakings which it may determine are required to assure that the certificates are being issued in compliance with federal and state securities laws. (d) The Grantee has received a copy of the Plan, has read the Plan and is familiar with its terms, and hereby accepts the Restricted Stock Units subject to all of the terms and provisions of the Plan, as amended from time to time. Pursuant to the Plan, the Board and the Committee are authorized to interpret the Plan and to adopt rules and regulations not inconsistent with the Plan as they deem appropriate. The Grantee hereby agrees to accept as binding, conclusive and final all decisions or interpretations of the Board or the Committee upon any questions arising under the Plan. (e) Subject to Section 7, neither this Agreement nor any rights or interest hereunder will be assignable by the Grantee, the Grantee’s beneficiaries or legal representatives, and any purported assignment in violation hereof will be null and void. 7 Moynahan, Matthew - 2021 Performance Based Share Grant (f) Either party’s failure to enforce any provision or provisions of this Agreement will not in any way be construed as a waiver of any such provision or provisions, nor prevent that party thereafter from enforcing each and every other provision of this Agreement. The rights granted both parties herein are cumulative and will not constitute a waiver of either party’s right to assert all other legal remedies available to it under the circumstances. The grant of Restricted Stock Units hereunder does not confer upon the Grantee any right to continue in service (g) with the Company. This Agreement shall be governed by, and enforced in accordance with, the laws of the State of Delaware, (h) without regard to the application of the principles of conflicts or choice of laws. (i) This Agreement may be executed in one or more counterparts, each of which shall be deemed an original, and all of which together shall be deemed to be one and the same instrument. In the event that any signature to this Agreement is delivered by facsimile transmission or by e-mail delivery of a “.pdf” format data file or picture format data file, such signature shall create a valid and binding obligation of the party executing (or on whose behalf such signature is executed) with the same force and effect as if such electronic facsimile signature page were an original thereof. The parties confirm that it is their wish that this Agreement may be executed by means of electronic signature. [Signature Page Follows] 8 Moynahan, Matthew - 2021 Performance Based Share Grant [SIGNATURE PAGE TO AWARD AGREEMENT FOR PERFORMANCE-BASED RESTRICTED STOCK UNITS] IN WITNESS WHEREOF, the parties have duly executed this Award Agreement intending it to be effective as of the first date written above. ONESPAN INC. By /s/ Steven Worth Name: Steven Worth Its: General Counsel GRANTEE Name: Matthew Moynahan Signature: /s/ Matthew Moynahan CHRO REVIEW 9 Moynahan, Matthew - 2021 Performance Based Share Grant T.M. December 10, 2021 J.B. Initial: Date: CAO Initial: Date: December 10, 2021 10 Moynahan, Matthew - 2021 Performance Based Share Grant GRANTEE SPECIFIC INFORMATION: Exhibit A Grantee Matthew Moynahan Grant Date 11/29/2021 Grant Date Price $16.80 Target # of Restricted Stock Units 250,000 Performance Targets The number of Earned RSUs, if any, will be dependent on the Company’s achievement of the Performance Targets as defined below: The “Performance Target” for the Four Year RSUs is comprised of the following metrics and weightings: Metric Weighting Awarded RSUs “First RSU Tranche”: The Company's stock (NASDAQ: OSPN) having a 45 trading day average closing price of at least $30.00 “Second RSU Tranche”: The Company's stock (NASDAQ: OSPN) having a 45 trading day average closing price of at least $40.00 or higher 45% 55% 112,500 137,500 If the first RSU Tranche shall have vested and the Performance Period has not expired but the closing price target of $40.00 is not reached, then Executive shall be entitled to a portion of the Second RSU Tranche based on a linear interpolation between $30.00 and $40.00 for the highest 45 trading day average closing price achieved before the end of the Performance Period. Further, in the case of a termination without Cause or for Good Reason prior to the expiration of the Performance Period where not all of the One-Time RSU Special Grant have vested, then there shall be an additional 18 month vesting period extension ("Tail Period"). During the Tail Period, Executive shall continue to be eligible to vest in the One-Time RSU Special Grant at the same performance measures except that the number of RSU's delivered shall be reduced for the ratio of the number of days between termination and four years over four years plus 18-months. For purposes of these vesting conditions, the stock prices above are without the effect of any extraordinary Company transactions such as tender offers or recapitalizations, which, if effected, the Board shall adjust the stock price targets. Notwithstanding anything in this Agreement to the contrary, in the event of a Change in Control during the Performance Period described in Section 2(a) above, then subject to Executive remaining continuously employed with the Company through the date of such Change in Control (except as specified in the following sentence): (a) if the applicable per share consideration for Company stock in such Change in Control is less than $30.00, the First RSU Tranche shall immediately vest in full, and the Second RSU Tranche shall be forfeited and Executive shall not 11 Moynahan, Matthew - 2021 Performance Based Share Grant have any further rights with respect thereto; (b) if the applicable per share consideration for Company stock in such Change in Control is between $30.00 and S40.00, the First RSU Tranche 12 Moynahan, Matthew - 2021 Performance Based Share Grant shall immediately vest in full, and Executive shall be entitled to a portion of the Second RSU Tranche based on the application of linear interpolation between $30.00 and $40.00 (with the portion of the Second RSU Tranche that does not vest pursuant to such linear interpolation being forfeited); and (c) if the applicable per share consideration for Company stock in such Change in Control is $40.00 or greater, both the First RSU Tranche and the Second RSU Tranche shall immediately vest in full as described in Grantee’s employment agreement.” 13 Subsidiaries of Registrant Place of Incorporation or Organization Exhibit 2.1 Entity Name OneSpan Australia Pty Ltd OneSpan Pty Ltd OneSpan Austria GmbH OneSpan Europe NV OneSpan NV OneSpan Seguranca de Dados Brasil Ltda Dealflo Technology Inc. OneSpan Canada Inc. OneSpan Software (Beijing) Co. Ltd. OneSpan Software (Beijing) Co. Ltd. (Shanghai Branch) OneSpan France SAS OneSpan Japan Kabushiki Kaisha Diginotar Notariaat B.V. OneSpan Netherlands B.V. OneSpan Asia Pacific Pte Ltd OneSpan International GmbH OneSpan Solutions GmbH OneSpan Middle East FZE OneSpan Solutions UK Limited OneSpan Technology Limited OneSpan Inc. OneSpan North America Inc. Australia Australia Austria Belgium Belgium Brazil New Brunswick, Canada New Brunswick, Canada China China France Japan Netherlands Netherlands Singapore Switzerland Switzerland Dubai, United Arab Emirates United Kingdom United Kingdom USA, State of Delaware USA, State of Delaware KPMG LLP Aon Center Suite 5500 200 E. Randolph Street Chicago, IL 60601-6436 Consent of Independent Registered Public Accounting Firm We consent to the incorporation by reference in the registration statements (No. 333-62829, 333-161158, and No. 333-232207) on Form S- 8 of our report dated February 28, 2023, with respect to the consolidated financial statements of OneSpan Inc. and the effectiveness of internal control over financial reporting. /s/ KPMG LLP Chicago, Illinois February 28, 2023 KPMG LLP, a Delaware limited liability partnership and a member firm of the KPMG global organization of independent member firms affiliated with KPMG International Limited, a private English company limited by guarantee. Exhibit 31.1 I, Matthew Moynahan, certify that: Certification of Principal Executive Officer Pursuant to Section 302 of the Sarbanes-Oxley Act of 2002 1. 2. 3. 4. I have reviewed this annual report on Form 10-K of OneSpan Inc.; Based on my knowledge, this report does not contain any untrue statement of a material fact or omit to state a material fact necessary in order to make the statements made, in light of the circumstances under which such statements were made, not misleading with respect to the period covered by this report; Based on my knowledge, the financial statements, and other financial information included in this report, fairly present in all material respects the financial condition, results of operations and cash flows of the registrant as of, and for, the periods presented in this report; The registrant’s other certifying officer and I are responsible for establishing and maintaining disclosure controls and procedures (as defined in Exchange Act Rules 13a-15(e) and 15d-15(e)) and internal control over financial reporting (as defined in Exchange Act Rules 13a-15(f) and 15d- 15(f)) for the registrant and have: (a) (b) (c) (d) Designed such disclosure controls and procedures, or caused such disclosure controls and procedures to be designed under our supervision, to ensure that material information relating to the registrant, including its consolidated subsidiaries, is made known to us by others within those entities, particularly during the period in which this report is being prepared; and Designed such internal control over financial reporting, or caused such internal control over financial reporting to be designed under our supervision, to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles; and Evaluated the effectiveness of the registrant’s disclosure controls and procedures and presented in this report our conclusions about the effectiveness of the disclosure controls and procedures as of the end of the period covered by the report based on such evaluation; and Disclosed in this report any change in the registrant’s internal control over financial reporting that occurred during the registrant’s most recent fiscal quarter (the registrant’s fourth fiscal quarter in the case of an annual report) that has materially affected, or is reasonably likely to materially affect, the registrant’s internal control over financial reporting. 5. The registrant’s other certifying officer and I have disclosed, based on our most recent evaluation of internal control over financial reporting, to the registrant’s auditors and the audit committee of registrant’s board of directors (or persons performing the equivalent functions): (a) (b) All significant deficiencies and material weaknesses in the design or operation of internal control over financial reporting which are reasonably likely to adversely affect the registrant’s ability to record, process, summarize and report financial information; and Any fraud, whether or not material, that involves management or other employees who have a significant role in the registrant’s internal control over financial reporting. Dated: February 28, 2023 /s/ Matthew Moynahan Matthew Moynahan President and Chief Executive Officer (Principal Executive Officer) Exhibit 31.2 I, Jorge Martell, certify that: Certification of Principal Financial Officer Pursuant to Section 302 of the Sarbanes-Oxley Act of 2002 1. 2. 3. 4. I have reviewed this annual report on Form 10-K of OneSpan Inc.; Based on my knowledge, this report does not contain any untrue statement of a material fact or omit to state a material fact necessary in order to make the statements made, in light of the circumstances under which such statements were made, not misleading with respect to the period covered by this report; Based on my knowledge, the financial statements, and other financial information included in this report, fairly present in all material respects the financial condition, results of operations and cash flows of the registrant as of, and for, the periods presented in this report; The registrant’s other certifying officer and I are responsible for establishing and maintaining disclosure controls and procedures (as defined in Exchange Act Rules 13a-15(e) and 15d-15(e)) and internal control over financial reporting (as defined in Exchange Act Rules 13a-15(f) and 15d- 15(f)) for the registrant and have: (a) (b) (c) (d) Designed such disclosure controls and procedures, or caused such disclosure controls and procedures to be designed under our supervision, to ensure that material information relating to the registrant, including its consolidated subsidiaries, is made known to us by others within those entities, particularly during the period in which this report is being prepared; and Designed such internal control over financial reporting, or caused such internal control over financial reporting to be designed under our supervision, to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles; and Evaluated the effectiveness of the registrant’s disclosure controls and procedures and presented in this report our conclusions about the effectiveness of the disclosure controls and procedures as of the end of the period covered by the report based on such evaluation; and Disclosed in this report any change in the registrant’s internal control over financial reporting that occurred during the registrant’s most recent fiscal quarter (the registrant’s fourth fiscal quarter in the case of an annual report) that has materially affected, or is reasonably likely to materially affect, the registrant’s internal control over financial reporting. 5. The registrant’s other certifying officer and I have disclosed, based on our most recent evaluation of internal control over financial reporting, to the registrant’s auditors and the audit committee of registrant’s board of directors (or persons performing the equivalent functions): (a) (b) All significant deficiencies and material weaknesses in the design or operation of internal control over financial reporting which are reasonably likely to adversely affect the registrant’s ability to record, process, summarize and report financial information; and Any fraud, whether or not material, that involves management or other employees who have a significant role in the registrant’s internal control over financial reporting. Dated: February 28, 2023 /s/ Jorge Martell Jorge Martell Chief Financial Officer (Principal Financial Officer) CERTIFICATION OF CHIEF EXECUTIVE OFFICER Pursuant to 18 U.S.C. Section 1350, as adopted pursuant to Section 906 of the Sarbanes-Oxley Act of 2002 Exhibit 32.1 In connection with the filing with the Securities and Exchange Commission of the Annual Report of OneSpan Inc. (the company) on Form 10-K for the period ended December 31, 2022 (the Report), I, Matthew Moynahan, President and Chief Executive Officer of the company, certify, pursuant to 18 U.S.C. Section 1350, as adopted pursuant to Section 906 of the Sarbanes-Oxley Act of 2002, that to the best of my knowledge: i. ii. The Report fully complies with the requirements of section 13(a) or 15(d) of the Securities Exchange Act of 1934; and The information contained in the Report fairly presents, in all material respects, the financial condition and results of operations of the company. /s/ Matthew Moynahan Matthew Moynahan President and Chief Executive Officer February 28, 2023 CERTIFICATION OF CHIEF FINANCIAL OFFICER Pursuant to 18 U.S.C. Section 1350, as adopted pursuant to Section 906 of the Sarbanes-Oxley Act of 2002 Exhibit 32.2 In connection with the filing with the Securities and Exchange Commission of the Annual Report of OneSpan Inc. (the company) on Form 10-K for the period ended December 31, 2022 (the Report), I, Jorge Martell, Chief Financial Officer of the company, certify, pursuant to 18 U.S.C. Section 1350, as adopted pursuant to Section 906 of the Sarbanes-Oxley Act of 2002, that to the best of my knowledge: i. ii. The Report fully complies with the requirements of section 13(a) or 15(d) of the Securities Exchange Act of 1934; and The information contained in the Report fairly presents, in all material respects, the financial condition and results of operations of the company. /s/ Jorge Martell Jorge Martell Chief Financial Officer February 28, 2023
Continue reading text version or see original annual report in PDF format above