OneSpan Inc. (OSPN) Risk Factors
This page reproduces the company's own Item 1A Risk Factors text from the linked SEC filing. It is filer text, not grepcent analysis, scoring, or investment advice.
Item 1A - Risk Factors
Risk Factors Summary
Our business is subject to numerous risks and uncertainties, including those highlighted in the section titled “Risk Factors” immediately following this Risk Factors Summary. These summary risks provide an overview of many of the risks we are exposed to in the normal course of our business, some of which have manifested and any of which may occur in the future. As a result, the following summary risks do not contain all of the information that may be important to you, and you should read them together with the more detailed discussion of risks set forth following this section under the heading “Risk Factors,” and with the other information in this Annual Report on Form 10-K. Additional risks beyond those summary risks discussed below, in “Risk Factors” or elsewhere in this Annual Report on Form 10-K, could have an adverse effect on our business, results of operations, financial condition or prospects, and could cause the trading price of our common stock to decline. Our business, results of operations, financial condition or prospects could also be harmed by risks and uncertainties not currently known to us or that we currently do not believe are material. Consistent with the foregoing, we are exposed to a variety of risks, including the following significant risks:
•We may encounter challenges in achieving our revenue growth objectives.
•Acquisitions or other strategic transactions, such as our planned acquisition of Build38, may not achieve the intended benefits and could disrupt our operations.
•If our new product offerings and product enhancements do not keep pace with the needs of our customers or do not achieve sufficient customer acceptance, our competitive position and financial results will be negatively impacted.
•A significant portion of our sales are to a limited number of customers. The loss of substantial sales to any one of them could have an adverse effect on revenues and profits.
•The markets we serve are highly competitive, which may negatively affect our ability to add new customers, retain existing customers and grow our business.
•If we are not able to enhance our brand recognition and maintain our brand reputation, our business may be adversely affected.
•Security breaches or cyberattacks could expose us to significant liability, cause our business and reputation to suffer and harm our competitive position.
•We face a number of risks associated with our international operations, any or all of which could result in a disruption in our business and a decrease in our revenue.
•Our Digipass authenticator business has a complex global supply chain and is dependent on a limited number of suppliers for certain components, such that supply chain disruptions could materially impact our operations. Our Digipass business may also experience inventory-related losses.
•The sales cycle for our products is often long, and we may incur substantial expenses for sales that do not occur when anticipated or at all.
•Real or perceived malfunctions and errors in our products could result in warranty and product liability risks and economic and reputational damages.
•If we are unable to retain key employees and successfully hire and train qualified new employees, we may be unable to achieve our business objectives.
•Our financial results may fluctuate from period to period, making it difficult to project future results. If we fail to meet the expectations of securities analysts or investors, the price of our common stock could decline.
•We may be unable to maintain or increase our level of profitability.
•The credit agreement for our revolving credit facility contains financial covenants and various other restrictions and requirements that could limit our operational flexibility and adversely affect our financial condition and results of operations if we are unable to comply with them.
•We depend on third-party hosting providers and other technology vendors, as well as our own infrastructure, to provide our products and solutions to our customers in a timely manner. Interruptions or delays in performance of our products and solutions could result in customer dissatisfaction, damage to our reputation, loss of customers, and a reduction in revenue.
•Our success depends in part on establishing and maintaining relationships with other companies to distribute our technology and products or to incorporate their technology into our products and services, or vice versa.
•Consolidations, failures and other developments in the banking and financial services industry may adversely impact our revenue.
•U.S. trade policy or foreign policy developments could have a material adverse impact on our business.
•We may be subject to legal proceedings and/or liability for a variety of claims, including intellectual property disputes, labor and employment issues, commercial disagreements, securities law violations and other matters. These proceedings may be costly, subject us to significant liability, limit our ability to use certain technologies, increase our costs of doing business or otherwise adversely affect our business and operating results.
•We are subject to numerous laws, regulations and customer and product certification requirements governing the design, production, distribution, sale, use, and availability of our products. Any failure to comply with these laws, regulations and requirements could result in unanticipated costs and other negative impacts, and could have a materially adverse effect on our business, results of operations and financial condition.
Risk Factors
Our business involves significant risks, some of which are described below. You should carefully consider the following risks, some of which have manifested and any of which may occur in the future, together with all of the other information in this Annual Report on Form 10-K, including in the preceding Risk Factors Summary, and our consolidated financial statements and the related notes included elsewhere in this Annual Report on Form 10-K before making an investment decision with respect to any of our securities.
Risks Related to our Business and Industry
We may encounter challenges in achieving our revenue growth objectives.
Our total revenue for 2025 was approximately the same as our total revenue for 2024. We are aiming to grow our revenue in both Cybersecurity and Digital Agreements going forward; however, this may be challenging. We expect revenue from our Digipass authenticator tokens to decrease modestly on a year-over-year basis in 2026, consistent with trends over the past decade as our banking customers have generally moved toward “mobile-first” authentication (authentication solutions delivered through a software application on a mobile device), especially for consumer banking. We will therefore need to grow our revenue relatively more in the software component of our Cybersecurity division and in our Digital Agreements division to compensate for the anticipated decline in hardware. We are enhancing our software solutions through strategic acquisitions, including our acquisition of Nok Nok Labs in June 2025 and our entry into a definitive agreement to acquire Build38 in December 2025, and targeted additional investments in software product development; however, these efforts may not yield the additional software revenue we seek for various reasons, such as competition, delays and challenges in integrating acquisitions or developing products that meet our customers’ needs, long sales cycles, lack of brand awareness, general economic conditions, and other risks described in these Risk Factors. If we are unable to grow our revenue as planned, we may also be unable to maintain or increase our profitability.
Acquisitions or other strategic transactions, such as our planned acquisition of Build38, may not achieve the intended benefits and could disrupt our operations.
To remain competitive, we have in the past and may in the future acquire additional businesses, products or technologies or make investments in, or enter into joint ventures or similar transactions with, third parties. In 2025, we acquired Nok Nok Labs, a provider of FIDO passwordless software authentication solutions, and made a strategic investment in ThreatFabric Holding B.V., a provider of fraud detection, mobile threat intelligence, and malware defense solutions. In December 2025, we signed a definitive agreement to acquire Build38, a provider of mobile application protection software. The proposed Build38 acquisition is subject to customary closing conditions and is currently expected to close in March 2026. Acquisitions and other strategic transactions such as these involve numerous risks, including the following:
•Delays in completing acquisitions, or failure to complete planned acquisitions, due to longer than anticipated regulatory clearance processes or other unexpected challenges;
•Difficulties or delays in integrating the acquired businesses, which could prevent us from realizing the anticipated benefits of acquisitions;
•Challenges in successfully cross-selling acquired products to our existing customer base, or in cross-selling our products to the acquired company’s customer base;
•Delays or reductions in customer purchases for OneSpan and/or the company we acquired due to customer uncertainty about continuity and effectiveness of service from either company;
•Difficulties in supporting and, where applicable, migrating acquired customers to our platforms, which could cause customer churn, unanticipated costs, and damage to our reputation;
•Disruption of our ongoing business and diversion of management and other resources from existing operations;
•Constraints on our liquidity in the event that we use cash or incur debt to fund a significant acquisition, or dilution to existing stockholders in the event we issue equity securities as part of the consideration for such an acquisition;
•Assumption of debt or other actual or contingent liabilities of the acquired company, including litigation risk;
•Differences in corporate culture, compliance protocols, and risk management practices between us and acquired companies;
•Potential loss of the key employees of an acquired business;
•Potential loss of partners of OneSpan or an acquired business due to the actual or perceived impact of the acquisition;
•Difficulties associated with governance, management, and control matters in majority or minority investments or joint ventures;
•Unforeseen or undisclosed liabilities or challenges associated with the companies, businesses, or technologies we acquire;
•Adverse tax consequences, including exposure of our entire business to taxation in additional jurisdictions; and
•Accounting effects, including potential impairment charges and requirements that we record acquired deferred revenue at fair value.
Any of these risks could result in acquisitions or other strategic transactions failing to achieve their intended objectives and/or disrupting our business.
We also review our product portfolio from time to time for contributions to our objectives and alignment with our strategy, and we may pursue divestiture activities as a result of these reviews. However, we may not be successful in separating any underperforming or non-strategic assets, and gains or losses on any divestiture of, or lost operating income from, such assets may adversely affect our results of operations. Divestitures could also expose us to unanticipated liabilities or result in ongoing obligations, including transition service obligations and indemnity obligations.
If our new product offerings and product enhancements do not keep pace with the needs of our customers or do not achieve sufficient customer acceptance, our competitive position and financial results will be negatively impacted.
Technological changes occur rapidly in our industry and development of new products and features is critical to maintain and grow our revenue. Our ability to attract and retain customers will depend in part upon our ability to enhance our current products and develop innovative new solutions to distinguish us from the competition and to meet customers’ changing needs. For instance, we believe that our bank and financial institution customers, who account for a majority of our revenue, may increasingly move away from multi-factor authentication methods and toward passkeys that use the FIDO2 passwordless authentication standard. If we are unable to provide our customers with high quality and innovative passkey solutions, or if we otherwise do not anticipate or adapt to changing technology, industry standards or customer requirements on a timely basis, our competitive position and financial results will be negatively impacted.
Product developments and technology innovations by others may adversely affect our competitive position. The introduction by our competitors of products embodying new technologies or the emergence of new industry standards could render our existing products obsolete and unmarketable. For example, if our competitors are able to more quickly and effectively integrate technologies such as generative artificial intelligence into their products, our competitive position may suffer. In addition, AI may reduce barriers to entry in our markets by allowing new entrants to rapidly and cost-effectively create competitive and potentially disruptive software solutions.
We spend substantial amounts of time and money to research and develop new offerings and enhanced versions of our existing offerings in order to meet our customers’ rapidly evolving needs. When we develop a new offering or an enhanced version of an existing offering, we typically incur expenses and expend resources upfront to market, promote and sell the new offering. Therefore, when we develop or acquire new or enhanced offerings, their introduction must achieve high levels of market acceptance in order to justify the amount of our investment in developing and bringing them to market. In the past, we have determined that certain product initiatives we initially believed were promising did not warrant further investment, and incurred non-cash impairment charges as a result. If future new product initiatives do not garner widespread customer adoption and implementation, we may incur future non-cash charges and our business may be adversely affected.
A significant portion of our sales are to a limited number of customers. The loss of substantial sales to any one of them could have an adverse effect on revenues and profits.
We derive a substantial portion of our revenue from a limited number of customers. The loss of substantial sales to any one of them could adversely affect our operations and results. In 2025, 2024, and 2023, our top 10 largest customers contributed 18%, 20%, and 22%, respectively, of our total worldwide revenue.
The markets we serve are highly competitive, which may negatively affect our ability to add new customers, retain existing customers and grow our business.
The markets for cybersecurity and digital agreements solutions are very competitive and, like most technology-driven markets, are subject to rapid change and constantly evolving solutions and services. Competition in these markets may intensify further as advances in AI enable rapid, low-cost development of software applications.
The authentication products in our Cybersecurity division are designed to allow authorized users access to digital business processes, in some cases using patented technology. Our main competitors in our authentication market are Gemalto, a subsidiary of Thales Group, Yubico and RSA Security. There are also many other companies in adjacent areas, such as MDM, threat protection, and IAM, that offer competing services. In addition to these companies, we face competition from many small authentication solution providers, many of whom offer new technologies and niche solutions such as biometric or risk and behavioral analysis. We believe that competition in this market may intensify as a result of increasing demand for security products.
Our primary competitors for electronic signature solutions in our Digital Agreements division are DocuSign and Adobe Systems. Both companies are significantly larger than us. In addition to these companies, there are numerous smaller and regional or niche providers of electronic signing solutions.
Some of our present and potential competitors have significantly greater brand awareness and financial, technical, marketing, purchasing, and other resources than we do. As a result, they may be able to respond more quickly to new or emerging technologies and changes in customer requirements, devote greater resources to the development, promotion and sale of products, or deliver competitive products at a lower end-user price than we do. These factors have made it more difficult for us to compete successfully and may continue to do so, which could negatively affect our business.
If we are not able to enhance our brand recognition and maintain our brand reputation, our business may be adversely affected.
We believe that enhancing our brand recognition is important to our efforts to attract new customers and channel partners, and that our relative lack of brand awareness has made it more challenging to acquire new customers. Our brand recognition and reputation are dependent upon numerous factors, including:
•our marketing efforts;
•our ability to continue to offer high quality, innovative and reliable products;
•our ability to maintain customer satisfaction with our products;
•our ability to be responsive to customer concerns and provide high quality customer support, training and professional services;
•any misuse or perceived misuse of our products;
•positive or negative publicity, including through reviews by industry analysts;
•our ability to prevent or quickly react to any cyberattack on our information technology systems or security breach of or related to our software; and
•litigation or regulatory-related developments.
Improving our brand recognition is likely to require significant additional expenditures and may not be successful or yield increased revenues. If we do not successfully enhance our brand and maintain our reputation, we may continue to have difficulties attracting new customers, including due to reduced pricing power relative to competitors with stronger brands, and we could lose customers or renewals, which would adversely affect our business.
Security breaches or cyberattacks could expose us to significant liability, cause our business and reputation to suffer and harm our competitive position.
Our corporate infrastructure stores and processes our sensitive, proprietary and other confidential information (including information related to finance, technology, employees, marketing, sales, etc.) which is used daily in our operations. In addition, our solutions involve the transmission and processing of our customers' confidential, proprietary, personal and sensitive information. We have legal and contractual obligations to protect the confidentiality and appropriate use of customer data. Because we are a digital agreements and cybersecurity company, and because the majority of our customers are banks and other financial institutions, which are frequent targets of cyberattacks, we may be an attractive target for cyber attackers or other data thieves.
High-profile cyberattacks and security breaches have increased in recent years, with the potential for such acts heightened because of the widespread adoption of remote working and the increase in sophisticated cyberattack methods, including the use of artificial intelligence to launch automated, accelerated and enhanced cyberattacks. Because techniques used to obtain unauthorized access or to sabotage systems are constantly evolving, change frequently and often are not recognized until launched against a specific target, we may be unable to anticipate these techniques or to implement adequate preventative measures. As we seek to increase our client base and expand awareness of our brand, we may become a greater target for third parties seeking to compromise our security systems and we anticipate that hacking attempts and cyberattacks will increase in the future.
Artificial intelligence technologies introduce evolving industry‑wide risks, including model manipulation, data poisoning, deceptive AI‑generated content, and rapidly expanding regulatory requirements. For OneSpan, the use of AI within security operations and product‑related processes may create vulnerabilities if systems are improperly designed, supervised, or governed, potentially resulting in unauthorized access, incorrect automated actions, exposure of confidential information, or operational failures. Despite policies governing AI usage, lifecycle risk management, and oversight, failures in design, monitoring, or compliance—as well as errors or misuse of AI‑enabled capabilities—could impair our security posture, reduce threat‑detection effectiveness, harm customer trust, or expose OneSpan to legal, regulatory, and reputational consequences.
We have experienced several security incidents in the past, none of which have been material to date. However, it is possible that we may experience a material event in the future. While we have established teams, processes and strategies to protect our assets, we may not always succeed in preventing or repelling unauthorized access to our systems. We also may face delays in detecting or otherwise responding to cybersecurity incidents or other breaches.
Additionally, we use third-party service providers for certain services involving data storage or transmission, such as SaaS, cloud computing, and internet infrastructure and bandwidth. These providers face various cybersecurity threats and may experience cybersecurity incidents or other security breaches. For example, the recent Salesloft, Inc. Drift data breach impacted hundreds of Salesforce.com customers worldwide. Although OneSpan was among the affected customers, the incident did not compromise our products and had minimal impact on our business, but it is possible that future third-party incidents may be more harmful to us.
Despite our security measures, our IT systems and infrastructure may be vulnerable to attacks. Threats to IT security can take a variety of forms. Individuals and groups of malicious actors and sophisticated organizations, including state-sponsored organizations or nation-states, continuously attempt to compromise systems using tactics, techniques, and procedures such as phishing attacks, malicious software, exploiting hardware or software vulnerabilities, social engineering, and coordinated attacks like distributed denial of service or other coordinated attacks. If account security controls are not effectively implemented or maintained, unauthorized access to confidential or sensitive information could occur.
Security incidents may have a number of negative consequences to us, including the following: requiring us to expend significant capital and other resources to alleviate the incidents and to improve our security technologies; impairing our ability to provide services to our customers and protect the privacy of their data; delaying product development efforts; compromising confidential or technical business information or personal data; harming our reputation or competitive position; resulting in theft or misuse of our intellectual property or other assets; and exposing us to substantial litigation expenses and damages, indemnity and other contractual obligations, government fines and penalties, mitigation expenses, costs for remediation and incentives offered to affected parties, including customers, other business partners and employees, in an effort to maintain business relationships after an incident. We continually invest in strengthening our information technology systems and implementing robust security measures to protect critical and sensitive assets. Our cybersecurity program includes regular security awareness training for employees and key contractors, emphasizing best practices and emerging threats. These efforts are designed to reduce the likelihood of an attack and ensure preparedness to respond effectively to any security breach.
Despite these measures, we may not be able to anticipate or prevent all attacks. In the event of an actual or perceived security breach, confidence in our security practices and products could be diminished, resulting in loss of customers and sales, impairment of our operations, significant liabilities, reputational harm, and a negative impact on our business and financial condition.
We face a number of risks associated with our international operations, any or all of which could result in a disruption in our business and a decrease in our revenue.
In 2025, 2024 and 2023, we generated approximately 79%, 83% and 83% of our revenue and incurred approximately 54%, 59% and 58% of our operating expenses outside of the U.S., respectively. A severe economic decline in any of our major foreign markets could adversely affect our results of operations and financial condition.
In addition to exposures to changes in the economic conditions of our major foreign markets, we are subject to a number of risks related to our international operations, any or all of which could result in a disruption in our business and a decrease in our revenue. These include:
•geopolitical conflicts and related economic or political instability, including tensions or conflicts between the U.S. and other countries or regions, particularly China and the European Union, over territorial and sovereignty matters (including those related to Taiwan, Hong Kong, and Greenland), tariffs and trade, or U.S. foreign policy;
•increased management, infrastructure and legal costs associated with having international operations;
•costs of compliance with foreign legal and regulatory requirements, including, but not limited to data privacy, data protection and data security regulations and sustainability reporting requirements and the risks and costs of non-compliance;
•costs of compliance with U.S. laws and regulations for foreign operations, including the U.S. Foreign Corrupt Practices Act ("FCPA"), import and export control laws, tariffs, trade barriers, economic sanctions and other regulatory or contractual limitations on our ability to sell or provide our solutions in certain foreign markets, and the risks and costs of non-compliance;
•heightened risks of unfair or corrupt business practices in certain geographies and of improper or fraudulent sales arrangements that may impact financial results and result in restatements of, and irregularities in, financial statements;
•costs of compliance with multiple and possibly overlapping tax structures, and related potential adverse tax impacts;
•risks of reliance on channel partners for sales in some countries;
•differing technology standards in certain international markets;
•the uncertainty and limitation of protection for intellectual property rights in some countries;
•greater difficulty in enforcing contracts, accounts receivable collection and longer collection periods;
•difficulties and costs of staffing and managing international operations, including maintaining internal controls and challenges in closing or restructuring such operations;
•difficulty in providing support and training to customers in certain international locations;
•management communication and integration problems resulting from cultural and linguistic differences and geographic dispersion;
•foreign currency exchange rate fluctuations;
•adverse tax burdens and foreign exchange controls that could make it difficult to repatriate earnings and cash; and
•increased exposure to climate change, natural disasters, armed conflict, terrorism, epidemics, or pandemics and other health crises.
Our business, including the sales of our products and professional services by us and our channel partners, may be subject to foreign governmental regulations, which vary substantially from country to country and change from time to time. Our failure, or the failure by our channel partners, to comply with these regulations could adversely affect our business. Further, in some foreign countries, it may be more common for others to engage in business practices that are prohibited by our internal policies and procedures or U.S. regulations applicable to us. Violations of laws or internal policies by our employees, contractors, channel partners or agents could result in delays in revenue recognition, financial reporting misstatements, fines, penalties or the prohibition of the importation or exportation of our products and could have a material adverse effect on our business and results of operations. If we are unable to successfully manage the challenges of international expansion and operations, our business and operating results could be adversely affected.
Our Digipass authenticator business has a complex global supply chain and is dependent on a limited number of suppliers for certain components, such that supply chain disruptions could materially impact our operations. Our Digipass business may also experience inventory-related losses.
In the event that the supply of components or finished products for our Digipass authenticator business is interrupted or relations with any of our principal component vendors or contract manufacturers are terminated, there could be increased costs and considerable delay in finding suitable replacement sources for components or alternative manufacturers for our hardware products. Our Digipass authentication devices are currently assembled at several facilities located in mainland China and one facility in Romania. The importation of these products from China and Romania exposes us to the possibility of product supply disruption and increased costs in the event of changes in the policies of the Chinese, Romanian or EU governments, political unrest, natural disasters, extreme weather or unstable economic conditions in China, Romania or the EU, or developments in China, Romania, the U.S. or the EU that are adverse to trade, including threatened or actual military conflict or enactment of tariffs or other protectionist legislation. We have experienced supply chain disruption in the past as a result of China’s COVID-related policies and extreme heatwaves and drought affecting southern China, both of which affected our China-based contract manufacturers. We may experience similar disruptions again due to numerous factors, including tariffs and trade disputes, geopolitical tensions, armed conflict, pandemics or other public health threats, and natural disasters and extreme weather, which may occur more frequently due to climate change. These factors have in the past, and may in the future, cause delays in our fulfillment of customer orders, which may in turn delay our recognition of revenue from such orders or cause customers not to place orders or to seek alternative suppliers.
To mitigate the risks associated with our China-based contract manufacturing facilities, we regularly evaluate alternative manufacturing and supply arrangements, such as moving some of the Digipass manufacturing currently done in China to Romania or to other locations. It is possible that such a transition, if it occurred, would cause a disruption in our Digipass manufacturing operations. Regardless of whether we undertake such a transition, supply chain disruptions or related cost increases affecting our Digipass devices could have a material adverse impact on our business.
Under some circumstances, we may purchase multiple years’ supply of parts for our Digipass authenticator devices based on internal forecasts of demand, anticipated supply chain constraints, or other reasons. To meet customers’ demands for accelerated delivery of product, we sometimes produce finished product for existing customers before we receive the executed order from the customer. Should our forecasts of future demand be inaccurate or if we produce product that is never ordered, we could incur substantial losses related to the realization of our inventory.
The sales cycle for our products is often long, and we may incur substantial expenses for sales that do not occur when anticipated or at all.
The sales cycle for our products, which is the period of time between the identification of a potential customer and completion of the sale, is typically lengthy and subject to a number of significant risks over which we have little control.
A typical sales cycle in the financial services market is often 9 to 18 months long. We often need to spend significant time and resources to better educate and familiarize these potential customers with the value proposition of our products and solutions. Purchasing decisions for our products and services may be subject to delays due to a number of factors, many of which are outside of our control, such as:
•Time required for a prospective customer to recognize the need for our products;
•Effectiveness of our salesforce;
•Changes to regulatory requirements;
•The complexity of contracts with certain large business customers;
•The significant expense of some of our products and systems;
•Customer budgeting and procurement processes;
•Economic and other factors impacting customer budgets; and
•Customer evaluation, testing and approval process.
The timing of sales with our enterprise customers and related revenue recognition is difficult to predict because of the length and unpredictability of the sales cycle for these customers. As our operating expenses are based on anticipated revenue levels, a small fluctuation in the timing of sales can cause our operating results to vary significantly between periods. In addition, during the sales cycle, we expend significant time and money on sales and marketing and contract negotiation activities, which may not result in a sale.
Real or perceived malfunctions and errors in our products could result in warranty and product liability risks and economic and reputational damages.
Our products are inherently complex and may malfunction or contain undetected errors or defects when first introduced or as new versions are released. We have experienced these malfunctions and errors or defects in connection with new products and product upgrades, and we expect that these malfunctions, errors and defects will continue to be found from time to time in new or enhanced products. Malfunctions and defects may make our products vulnerable to attacks, prevent vulnerability detection, result in system instability or latency-related delays, or temporarily impact our customers' environments. These problems may result in a breach of a legal obligation or may cause physical harm or damage which could result in tort or warranty claims against us. We seek to reduce the risk of these losses by using qualified engineers in the design, manufacturing and testing of our hardware products, utilizing proper development, testing, and scanning of our software solutions (including SaaS), attempting to negotiate warranty disclaimers and liability limitation clauses in our sales agreements, and maintaining customary insurance coverage. However, these measures may ultimately prove ineffective in limiting our liability for damages.
In addition to any monetary liability for the failure of our products, a publicly known defect or perceived defect in our products could lead to customers delaying or withholding payments, regulatory audits, diverting the attention of our key personnel, an adverse impact on the market’s perception of us and our products, and negative effects on our reputation and the demand for our products.
If we are unable to retain key employees and successfully hire and train qualified new employees, we may be unable to achieve our business objectives.
Our ability to successfully attain our business objectives will depend significantly on our ability to retain and motivate key employees and attract qualified new hires. We face intense competition for these employees from numerous technology, software and other companies, many of whom have greater resources than we do, and our employees are generally employed on an at-will basis, which means that they could terminate their employment with us at any time. The temporary or permanent loss of the services of our CEO, other members of senior management or other key employees for any reason could significantly delay or prevent the achievement of our objectives and harm our business, financial condition and results of operations. Further, the loss of key employees, particularly those in senior management roles, could be negatively perceived in the capital markets, which could reduce the market value of our securities.
Difficulties retaining, motivating and attracting qualified employees could have an adverse effect on our ability to achieve our business objectives and, as a result, our ability to compete could decrease and our financial results could be adversely affected. In addition, even if we are able to identify and recruit a sufficient number of new hires, these new hires will require significant training before they achieve full productivity, particularly in the case of sales employees.
Our financial results may fluctuate from period to period, making it difficult to project future results. If we fail to meet the expectations of securities analysts or investors, the price of our common stock could decline.
Our revenue and results of operations have historically varied from period to period, and we expect that they will continue to do so as a result of a number of factors, many of which are outside of our control, including:
•The size, timing, and payment terms of significant orders, and any unexpected delay or cancellation of such orders;
•The variability of revenue realized from individual customers, as their buying patterns can vary significantly from period to period and are affected by the individual solutions purchased and the structure of the contract;
•Larger customers delaying renewal of their subscriptions or failing to renew at all;
•Changes in customer budgets;
•The effectiveness of our sales and marketing programs, including our ability to hire, train and retain our sales personnel;
•Changes in pricing by competitors;
•New product announcements or introductions by competitors;
•Technological changes in the market for our products, including the adoption of new technologies and standards;
•Our ability to develop, introduce and market new products and product enhancements on a timely basis;
•Market and customer acceptance of any new products and product enhancements that we introduce;
•Network outages, security breaches, technical difficulties or interruptions affecting our products;
•With respect to our Digipass business, component costs and availability;
•Seasonality in our business;
•Changes in foreign currency exchange rates;
•General economic and political conditions, as well as economic conditions specifically affecting industries in which our customers operate; and
•Other events or factors, including those resulting from pandemics, war and other geopolitical conflicts, natural disasters, incidents of terrorism or responses to these events.
Any one of these or other factors discussed elsewhere in this Annual Report on Form 10-K, or the cumulative effect of a combination of these factors, may result in fluctuations in our financial results, which may cause us to miss our guidance and analyst expectations and cause the price of our common stock to decline.
We may be unable to maintain or increase our level of profitability.
Over our approximately 30-year operating history, we have operated at a loss for many of those years, including for the year ended December 31, 2023, for which we reported a net loss of $29.8 million. Although we were profitable in 2024 and 2025, we may not be able to maintain or increase our level of profitability. We intend to continue to incur significant expenses to maintain, develop and enhance our products and solutions, improve our infrastructure and technology, and grow our customer base. These efforts may be costlier than we expect, and we may not be able to increase our revenue enough to offset our increased operating expenses. We may incur significant losses in the future for a number of reasons, including the other risks described herein, and experience unforeseen expenses, difficulties, complications and delays and other unknown events. If we are unable to achieve and sustain profitability, the value of our business and common stock may significantly decrease.
The credit agreement for our revolving credit facility contains financial covenants and various other restrictions and requirements that could limit our operational flexibility and adversely affect our financial condition and results of operations if we are unable to comply with them.
On June 23, 2025, we entered into the Credit Agreement with MUFG, as administrative agent, swingline lender and letter of credit issuer, and other lenders party thereto. The Credit Agreement provides for a $100.0 million revolving credit facility with a $10.0 million letter of credit sublimit and a $10.0 million swingline loan sublimit. It also provides that we may, with the agreement of the lenders and/or new lenders and subject to certain conditions and limitations, add one or more incremental revolving facilities to increase commitments under the credit facility in an aggregate amount not to exceed the greater of (x) $100.0 million and (y) 100% of Consolidated EBITDA (as defined in the Credit Agreement) for the four consecutive fiscal quarters most recently ended for which financial statements have been delivered pursuant to the terms of the Credit Agreement.
The proceeds of borrowings under the Credit Agreement may be used for general corporate purposes. We may borrow, repay and reborrow funds under the revolving credit facility until its maturity on June 23, 2030. As of December 31, 2025, we had outstanding letters of credit of $0.4 million and no borrowings outstanding under the Credit Agreement. Refer to Note 12, Debt in the Notes to Consolidated Financial Statements in Item 8 of Part II of this Annual Report on Form 10-K for further details on the Credit Agreement.
The Credit Agreement contains certain customary representations and warranties, affirmative and negative covenants, minimum net leverage and interest coverage ratios that we must maintain, and other requirements. Subject to limited exceptions, the Credit Agreement restricts our ability to, among other things:
•incur additional indebtedness;
•incur liens upon our property;
•make prepayments or repurchases of subordinated debt;
•make certain amendments to subordinated debt agreements or our certificate of incorporation or bylaws;
•consolidate, merge, dissolve, or sell or otherwise dispose of all or substantially all of our assets;
•make certain investments or acquisitions or dispositions of assets;
•enter into certain sale and leaseback transactions;
•pay more than a specified amount of dividends on or make other distributions in respect of our capital stock or make other restricted payments; and
•enter into certain transactions with affiliates.
These negative covenants may prevent us from taking actions that we believe would be in the best interests of our business and may make it difficult for us to execute our business strategy successfully or effectively compete with companies that are not similarly restricted.
The Credit Agreement contains customary events of default relating to, among other things, payment defaults, breach of covenants, cross defaults to material indebtedness, bankruptcy-related defaults, judgment defaults, and the occurrence of certain change of control events. If an event of default occurs and is not cured or waived, the lenders under the Credit Agreement will be entitled to take various actions, including the termination of commitments and the acceleration of amounts due under the Credit Agreement in addition to charging default interest. If we are unable to repay our indebtedness, the lenders under our credit facility could proceed against the collateral securing the indebtedness, which would be likely to have a material adverse effect on our financial condition and results of operations. Additionally, any event of default may be a disclosable event and may be perceived negatively. Such perception could adversely affect the market price for our common stock and our ability to obtain financing in the future.
We depend on third-party hosting providers and other technology vendors, as well as our own infrastructure, to provide our products and solutions to our customers in a timely manner. Interruptions or delays in performance of our products and solutions could result in customer dissatisfaction, damage to our reputation, loss of customers, and reduction in revenue.
We outsource portions of our cloud infrastructure to third-party hosting providers, principally Amazon Web Services ("AWS"). We also outsource components of our services to third-party technology vendors who host their products in the cloud. Customers of our products need to be able to access our platform at any time, without interruption or degradation of performance. AWS and other third-party hosting providers run their own platforms that we access, and we are therefore vulnerable to service interruptions on these third-party platforms, as well as to service interruptions affecting our own infrastructure and our third-party technology vendors. We have experienced interruptions, delays and outages in service and availability from time to time due to a variety of factors impacting our third-party hosting providers, our own infrastructure or other vendors, and we expect to experience these types of incidents in the future.
If our products or platform are unavailable or our users are otherwise unable to use our products within a reasonable amount of time or at all, then our business, results of operations and financial condition could be adversely affected. In some instances, we may not be able to identify the cause or causes of these performance problems within a period of time acceptable to our customers. It may become increasingly difficult to maintain and improve our platform performance, especially during peak usage times, as our products become more complex and the usage of our products increases. We have in the past and may in the future experience capacity constraints that affect our product performance and cause us to miss our service level agreements with our customers. These capacity constraints can be due to a number of causes, including technical failures, natural disasters, fraud or security attacks. To the extent that we do not effectively address capacity constraints, either through our own infrastructure, our current third-party providers or alternative providers of cloud infrastructure, our business, results of operations and financial condition may be adversely affected. In addition, any changes in service levels from our third-party hosting providers or other cloud-based technology vendors may adversely affect our ability to meet our customers' requirements.
Our third-party hosting providers have no obligations to renew their agreements with us on commercially reasonable terms or at all, and the agreements governing these relationships can generally be terminated by either party with limited notice. Access to hosting services may also be restricted by the provider at any time, with no or limited notice. Although we expect that we could receive similar services from other third parties, if any of our arrangements with AWS or other third-party hosting providers are terminated, we could experience interruptions on our platform and in our ability to make our platform available to customers, as well as downtime, delays and additional expenses in arranging alternative cloud infrastructure services.
It is also possible that our customers and potential customers would hold us accountable for any breach of security affecting infrastructure of our third-party hosting providers. We may incur significant liability from those customers and from third parties with respect to any such breach, and we may not be able to recover a material portion of our liabilities to our customers and third parties from our hosting providers in the event of any breach affecting their systems.
Any of the above circumstances or events may harm our reputation, cause customers to stop using our products, impair our ability to increase revenue from existing customers, impair our ability to grow our customer base, subject us to financial penalties and liabilities under our service level agreements and otherwise harm our business, results of operations and financial condition.
Our success depends in part on establishing and maintaining relationships with other companies to distribute our technology and products or to incorporate their technology into our products and services, or vice versa.
Part of our business strategy is to enter into partnerships and other cooperative arrangements with third parties. We are regularly involved in cooperative efforts with respect to the incorporation of our products into products of others and vice versa, research and development efforts, and marketing, distributor and reseller arrangements. These relationships are generally non-exclusive, and some of our partners also have cooperative relationships with certain of our competitors or offer some products and services that are competitive with ours. If we lose third-party relationships, if these relationships are not commercially successful, or if we are unable to enter into third-party relationships on commercially reasonable terms in the future, our business could be negatively impacted.
SaaS offerings, which involve various risks, constitute an important part of our business.
We expect that our SaaS offerings will constitute an increasingly important part of our business. As a result, we must continue to evolve our processes to meet a number of regulatory, intellectual property, contractual, service, and security compliance challenges. These challenges include: compliance with licenses for open-source and third-party software embedded in our SaaS offerings; maintaining compliance with global export control, privacy, data security, and resiliency regulations (including the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), the EU General Data Protection Regulation ("GDPR"), the EU Digital Operational Resilience Act ("DORA"), and the Directive on Measures for a High Common Level of Cybersecurity Across the Union (EU) 2022/2555 (known as NIS2)); supporting contractual requirements that our customers impose on us due to their own legal obligations, such as compliance with DORA; protecting our products from external threats, including AI-driven attacks; maintaining continuous service levels and data security practices expected by our customers; and preventing inappropriate use of our products.
In addition to using our internal resources, we also utilize third-party resources to deliver SaaS offerings, such as third-party data hosting vendors. The failure of a third-party provider to prevent service disruptions, data losses or security breaches may require us to issue credits or refunds or to indemnify or otherwise be liable to customers or third parties for damages that may occur. Additionally, if these third-party providers fail to deliver on their obligations, our reputation could be damaged, and our customers could lose confidence in us and our ability to maintain and expand our SaaS offerings. Finally, our SaaS offerings must be designed to operate at significant transaction volumes. When combined with third-party software and hosting infrastructure, our SaaS offerings may not perform as designed, which could lead to service disruptions and associated damages.
Failure to maintain high-quality customer support could have a material adverse effect on our business.
Our business relies on our customers’ satisfaction with the technical and customer support and professional services we provide to support our products. If we fail to provide customer and technical support services that are high-quality, responsive, and able to promptly resolve issues that our customers encounter with our products and services, then they may elect not to purchase or renew subscription licenses or may otherwise reduce or discontinue their business relationship with us. Maintaining high-quality customer support can be costly, and therefore we have adopted, and expect to continue to adopt, online self-help tools and AI-enabled customer service technology. These types of tools may not always provide the service levels our customers expect, particularly when they are first adopted. This could result in loss of revenue and damage to our reputation, which could have an adverse effect on our business.
Failure to effectively manage our product and service lifecycles could harm our business.
As part of the natural lifecycle of our products and services, we periodically inform customers that products or services have reached their end of life or end of availability and will no longer be supported or receive updates and security patches. Failure to effectively manage our product and service lifecycles could lead to customer dissatisfaction and contractual liabilities, which could adversely affect our business and operating results. In addition, the failure to generate new revenue to replace and/or expand the revenue realized from discontinued products or services could adversely affect our business and operating results.
We are subject to foreign currency exchange rate fluctuations, which could adversely affect our financial condition and results of operations.
Because a significant number of our principal customers are located outside the United States, we expect that international sales will continue to generate a significant portion of our total revenue. We are subject to foreign exchange fluctuations and risks because the majority of our product costs are denominated in U.S. dollars, whereas a significant portion of the sales and expenses of our foreign operating subsidiaries are denominated in various foreign currencies. A decrease in the value of any of these foreign currencies relative to the U.S. dollar could adversely affect our revenue and profitability in U.S. dollars of our products sold in these markets. Furthermore, a strengthening of the U.S. dollar could increase the cost in local currency of our products and services to customers outside the United States, which could adversely affect our business, results of operations, financial condition and cash flows.
The exchange rate between the U.S. dollar and foreign currencies has fluctuated in recent years and may fluctuate substantially in the future. Although foreign exchange impact was not significant to our 2023, 2024 or 2025 results, it could adversely affect our results for 2026 and beyond. We do not currently use forward contracts or other hedging strategies such as options or foreign exchange swaps to mitigate our exposure to foreign currency fluctuations.
Consolidations, failures and other developments in the banking and financial services industry may adversely impact our revenue.
Mergers, acquisitions, and personnel changes at key banks and financial services organizations have the potential to adversely affect our business, financial condition, cash flows, and results of operations. A majority of our revenue is derived from customers in the banking and financial services industry, making us susceptible to consolidation in, or contraction of, the number of participating institutions within that industry. In addition, other factors affecting the banking and financial services industry, such as economic and credit conditions or additional regulations, may create uncertainty or financial pressures that cause our customers or potential customers to adopt cost reduction measures or reduce capital spending, resulting in longer sales cycles, deferrals or delays in purchases of our products, delays in paying our accounts receivable, and increased price competition, any of which could negatively impact our revenue. Furthermore, if customers respond to a negative or unpredictable economic climate by consolidating with other banks or financial institutions, it could reduce the number of our current and/or potential customers.
U.S. trade policy or foreign policy developments could have a material adverse impact on our business.
Our Digipass authentication devices are assembled by third-party manufacturers located in China and Romania, using components from suppliers in a wide range of geographic locations, including China. The U.S. presidential administration has imposed new or additional tariffs on foreign goods, including tariffs on certain Chinese imports. Although sales to U.S. customers account for a small portion of our Digipass sales, these tariffs could negatively impact our financial results. In some cases, we may not be able to pass the cost of the tariffs to our customers, which would negatively affect our profit margin. Even if we can pass on these costs, the tariffs and the economic uncertainty they cause may discourage customers from placing Digipass orders or lead them to decrease or delay such orders. Additional expansion of or increases to tariffs would exacerbate these impacts. Although we are planning measures to mitigate the potential impact of the China tariffs on our business, including moving more of our Digipass production to Romania or to other locations, these measures are unlikely to fully offset the impact, particularly since the U.S. has also imposed new tariffs on members of the European Union and other countries.
In addition, in response to tariffs or geopolitical actions by the U.S., other countries have implemented, or may implement in the future, retaliatory tariffs, other protective measures, or sanctions impacting U.S. companies and goods. Political tensions as a result of trade and foreign policies could reduce trade volume, investment, technological exchange, and other economic activities between major international economies, resulting in a material adverse effect on global economic conditions and the stability of global financial markets, which could in turn have a material adverse impact on our business and financial condition.
If our goodwill or intangible assets become impaired, we may be required to record a significant charge to earnings.
We review our goodwill and intangible assets for impairment when events or changes in circumstances indicate the carrying value may not be recoverable. Goodwill is required to be tested for impairment at least annually. At December 31, 2025, we had goodwill and intangible assets with a net book value of $113.6 million primarily related to our acquisitions. An adverse change in market conditions, particularly if such change has the effect of changing one of our critical assumptions or estimates, could result in a change to the estimation of fair value that could result in an impairment charge to our goodwill or intangible assets.
The revenue recognition treatment of SaaS subscriptions and term subscription licenses for on-premises software may make it more challenging to accurately assess our operating results and the condition of our business.
Approximately 64% of our total revenue for the year ended December 31, 2025 was attributable to our SaaS and on-premises term subscription contracts, and the revenue recognition treatment of both of these types of contracts under applicable accounting rules may make it more difficult for investors to accurately assess our operating results and the condition of our business.
We recognize SaaS subscription revenue ratably over the term of each of our contracts, which are typically one year in length but may be up to three years or longer. As a result, much of our SaaS revenue in a particular quarter is generated from the recognition of revenue from SaaS contracts we entered during previous periods, which can make it more challenging to assess the current state of our business. For instance, a shortfall in demand for our SaaS solutions or a decline in new or renewed SaaS contracts in any one quarter may not significantly reduce our revenue for that quarter (and may therefore not be apparent from our financial statements for that quarter), but could negatively affect our revenue in future quarters. In addition, the SaaS-based model of our Digital Agreements division makes it difficult for us to rapidly increase our Digital Agreements revenue through additional sales contracts in any period, since revenue from new customers is recognized over the applicable term of their contracts.
We recognize revenue from on-premises term subscription contracts upon delivery of the software to the customer, which is the latter of when the customer receives the ability to access the software or when they are legally allowed to use the software. Maintenance revenue associated with these contracts is recognized ratably over the term of their agreements, which typically range from one to five years in length. Although on-premises subscription contracts may have a term of up to five years, we generally recognize most of the revenue (the revenue associated with the license component of the contract) soon after the contract becomes effective. This can result in uneven revenue from quarter to quarter depending upon the number and timing of term licenses we sign, and results in a particular quarter provide minimal visibility into our performance in future periods.
In addition, our sales arrangements often include multiple elements, including hardware, services, software, maintenance and support, which complicates their treatment under the accounting rules and can result in further variations in the timing of revenue recognition. In addition, if applicable accounting standards or practices change, or if the judgments or estimates we use when applying existing standards prove to be incorrect, our financial results may be adversely affected.
We could be subject to additional tax liabilities, and our ability to use our net operating losses may be limited.
We are subject to U.S. federal, state, local and sales taxes in the United States and foreign income taxes, withholding taxes and transaction taxes in numerous foreign jurisdictions. Significant judgment is required in evaluating our tax positions and our worldwide provision for taxes. During the ordinary course of business, there are many activities and transactions for which the ultimate tax determination is uncertain and the relevant taxing authorities may disagree with our determinations as to the income and expenses attributable to specific jurisdictions. In addition, our tax obligations and effective tax rates could be adversely affected by changes in the relevant tax, accounting and other laws, regulations, principles and interpretations by recognizing tax losses or lower than anticipated earnings in jurisdictions where we have lower statutory rates and higher than anticipated earnings in jurisdictions where we have higher statutory rates, by changes to our operating structure (including a currently in-process revenue of our intellectual property structure), by changes in foreign currency exchange rates, or by changes in the valuation of our deferred tax assets and liabilities. We may be audited in various jurisdictions, and such jurisdictions may assess additional taxes, sales taxes and value-added taxes against us. Although we believe our tax estimates are reasonable, the final determination of any tax audits or litigation could be materially different from our historical tax provisions and accruals, which could have a material adverse effect on our operating results or cash flows in the period for which a determination is made.
At December 31, 2025 we had U.S. federal, U.S. state, foreign, and Canadian provincial net operating losses ("NOLs") of $6.6 million, $52.3 million, $32.6 million, and $23.2 million, respectively, available to offset future taxable income, some of which begin to expire in 2032. A lack of future taxable income would adversely affect our ability to utilize these NOLs before they expire. Also, certain NOLs have limitations on the amount that can be utilized each year.
In addition, under the provisions of the Internal Revenue Code of 1986, as amended (the "Internal Revenue Code"), substantial changes in our ownership may limit the amount of pre-change NOLs and other tax attributes that can be utilized annually in the future to offset taxable income. Section 382 of the Internal Revenue Code imposes limitations on a company’s ability to use its NOLs if one or more stockholders or groups of stockholders that own at least 5% of the company’s stock increase their ownership by more than 50 percentage points over their lowest ownership percentage within a rolling three-year period. Similar rules may apply under state tax laws. Based upon an analysis as of December 31, 2024, we determined that we do not expect these limitations to materially impair our ability to use our NOLs prior to expiration. However, if changes in our ownership occurred after such date, or occur in the future, our ability to use our NOLs may be further limited. Subsequent statutory or regulatory changes in respect of the utilization of NOLs for federal or state purposes, such as suspensions on the use of NOLs or limitations on the deductibility of NOLs carried forward, or other unforeseen reasons, may result in our existing NOLs expiring or otherwise being unavailable to offset future income tax liabilities. For these reasons, we may not be able to utilize a material portion of the NOLs, even if we achieve profitability.
Provisions in various agreements potentially expose us to substantial liability for intellectual property infringement and other losses.
Our agreements with customers, solution partners and channel partners generally include provisions under which we agree to indemnify them for losses suffered or incurred as a result of claims of intellectual property infringement and, in some cases, for damages caused by us to property or persons or for other damages. These indemnification obligations may extend to claims arising from the use of third-party software, open-source components, or emerging novel legal theories, including those related to data usage or AI. In the past, we worked with a customer at our expense to resolve a claim brought against the customer related to our technology, and we may be required to indemnify customers for similar claims in the future. Defending such claims, regardless of their merit, could be costly and time-consuming, divert management attention and harm our reputation, and any resulting expense or liabilities may not be fully covered by insurance.
We also make certain representations and warranties and incur obligations under our contracts in the ordinary course of business, including for items related to data security, data privacy, and regulatory compliance. Our customers increasingly seek heightened contractual protections including broader indemnification obligations or higher liability caps, particularly in the event of data security incidents, privacy breaches, or regulatory non-compliance. Although we normally contractually limit our liability with respect to such representations, warranties and other contractual obligations, we may still incur substantial liability related to them. Not all of our potential losses under our contracts are covered by insurance policies, and such coverage may be subject to coverage limits or exclusions, which could increase the impact of any such loss should it occur. Large indemnity payments or damages resulting from our contractual obligations could harm our business, operating results and financial condition.
Any failure to protect our proprietary technology and intellectual property rights could substantially harm our business and operating results.
Our success is dependent, in part, upon protecting our proprietary technology. We rely on a combination of patents, copyrights, trademarks, service marks, trade secret laws and contractual provisions in an effort to establish and protect our proprietary rights. However, the steps we take to protect our intellectual property may be inadequate. While we have been issued patents in the U.S. and other countries and have additional patent applications pending, we may be unable to obtain patent protection for the technology covered in our patent applications. In addition, any patents issued in the future may not provide us with competitive advantages or may be successfully challenged by third parties. Any of our patents, trademarks or other intellectual property rights may be challenged or circumvented by others or invalidated through administrative process or litigation. There can be no guarantee that others will not independently develop similar products, duplicate any of our products or design around our patents. Furthermore, legal standards relating to the validity, enforceability and scope of protection of intellectual property rights are uncertain. Despite our precautions, it may be possible for unauthorized third parties to copy our products and use information that we regard as proprietary to create products and solutions that compete with ours. Some license provisions protecting against unauthorized use, copying, transfer and disclosure of our products may be unenforceable under the laws of jurisdictions outside the U.S. To the extent we expand our international activities, our exposure to unauthorized copying and use of our products and proprietary information may increase.
We enter into confidentiality and invention assignment agreements with our employees and consultants and enter into confidentiality agreements with parties with whom we have strategic relationships and business alliances. These agreements may not be effective in controlling access to and distribution of our products and proprietary information. Further, these agreements do not prevent our competitors or partners from independently developing technologies that are substantially equivalent or superior to our products and solutions.
In order to protect our intellectual property rights, we may be required to spend significant resources to monitor and protect and enforce these rights, including through litigation. Litigation brought to protect and enforce our intellectual property rights could be costly, time-consuming and distracting to management and could result in the impairment or loss of portions of our intellectual property. Furthermore, our efforts to enforce our intellectual property rights may be met with defenses, counterclaims and countersuits attacking the validity and enforceability of our intellectual property rights. Our inability to protect our proprietary technology against unauthorized copying or use, as well as any costly litigation or diversion of our management’s attention and resources, could delay further sales or the implementation of our products and solutions, impair the functionality of our products and solutions, delay introductions of new solutions, result in our substituting inferior or more costly technologies into our products and solutions or injure our reputation. We will not be able to protect our intellectual property if we are unable to enforce our rights or if we do not detect unauthorized use of our intellectual property. Moreover, policing unauthorized use of our technologies, trade secrets and intellectual property may be difficult, expensive and time-consuming, particularly in foreign countries where the laws may not be as protective of intellectual property rights as those in the U.S. and where mechanisms for enforcement of intellectual property rights may be weak. If we fail to adequately protect our intellectual property and proprietary rights, our business, operating results and financial condition could be adversely affected.
We may be subject to legal proceedings and/or liability for a variety of claims, including intellectual property disputes, labor and employment issues, commercial disagreements, securities law violations and other matters. These proceedings may be costly, subject us to significant liability, limit our ability to use certain technologies, increase our costs of doing business or otherwise adversely affect our business and operating results.
From time to time, we are involved as a party or an indemnitor in disputes or regulatory inquiries. These may include alleged claims, lawsuits and proceedings regarding intellectual property disputes, labor and employment issues, commercial disagreements, securities law violations and other matters. In particular, companies in the software industry are often required to defend against litigation or claims based on allegations of infringement or other violations of intellectual property rights. In certain instances, we have received claims that we have infringed the intellectual property rights of others, including claims regarding patents, copyrights, and trademarks. Because of constant technological change in the markets in which we compete, the extensive patent coverage of existing technologies, and the rapid rate of issuance of new patents, it is possible that the number of these claims may grow. Such claims sometimes involve patent holding companies or other adverse patent owners that have no relevant product revenue and against which our own patents may therefore provide little or no deterrence. In addition, former employers of our former, current, or future employees may assert claims that such employees have improperly disclosed to us the confidential or proprietary information of these former employers. If we are not successful in defending such claims, we could be required to stop selling our products, delay shipments, redesign our products, pay monetary amounts as damages, enter into royalty or licensing arrangements (which may not be available to us on commercially reasonable terms), or satisfy indemnification obligations to our customers, any of which could have a material adverse effect on our business.
Regardless of the merits or ultimate outcome of any claims that have been or may be brought against us or that we may bring against others, lawsuits are time-consuming and expensive to resolve, divert management’s time and attention, and could harm our reputation. Although we carry general liability and other forms of insurance, our insurance may not cover potential claims that arise or may not be adequate to indemnify us for all liability that may be imposed. We may also determine that the most cost-effective way to resolve a dispute is to enter into a settlement agreement. Litigation is inherently unpredictable and we cannot predict the timing, nature, controversy or outcome of lawsuits, and it is possible that litigation could have an adverse effect on our business, operating results or financial condition.
We use open-source software in our products, which could subject us to litigation or other actions.
We use open-source software in our products and solutions. Any use of open-source software may expose us to greater risks than the use of commercial software because open-source licensors generally do not provide warranties or controls on the functionality or origin of the software. Any use of open-source software may involve security risks, making it easier for hackers and other third parties to determine how to compromise our platform. From time to time, there have been claims challenging the ownership of open-source software against companies that incorporate open-source software into their products. As a result, we could be subject to lawsuits by parties claiming ownership of what we believe to be open-source software. Litigation could be costly for us to defend, have a negative effect on our operating results and financial condition or require us to devote additional research and development resources to change our products. In addition, if we were to combine our proprietary software products with open-source software in a certain manner, we could, under certain of the open-source licenses, be required to release the source code of our proprietary software products. If we inappropriately use or incorporate open-source software subject to certain types of open-source licenses that challenge the proprietary nature of our software products, we may be required to re-engineer our products, discontinue the sale of our products and solutions or take other remedial actions.
In addition, as we increasingly use generative AI coding tools to assist in software development, these tools may introduce similar or heightened risks. For example, AI-generated snippets of code could inadvertently include open-source components subject to restrictive licenses or that infringe third-party intellectual property rights. If such risks materialize, we could face legal claims, be required to modify or replace portions of our code, or incur additional compliance costs.
There is significant government regulation of technology imports and exports. If we cannot meet the requirements of applicable regulations, we may be prohibited from exporting some of our products, which could negatively impact our revenue.
Our international sales and operations are subject to risks such as the imposition of government controls, new or changed export license requirements, restrictions on the export of critical technology, trade restrictions and changes in tariffs. If we are unable to obtain regulatory approvals on a timely basis, our business may be impacted. Certain of our products are subject to export controls under U.S. law including the U.S. Export Administration Regulations, U.S. Customs regulations, and various economic and trade sanctions administered by the U.S. Treasury Department’s Office of Foreign Assets Control. The list of products and countries for which export approval is required, and the regulatory policies with respect thereto, may be revised from time to time and our inability to obtain required approvals under these regulations could materially and adversely affect our ability to make international sales. Additionally, we may be negatively affected if our third-party technology partners fail to obtain proper licenses and permits for the import and export of their products. We maintain trade control compliance requirements for our partners; however, we cannot guarantee that our partners will comply with these requirements. Violations of export control and international trade laws could result in penalties, fines, adverse reputational consequences, and other materially adverse consequences. In the past, we voluntarily disclosed a trade control matter to the U.S. government. Although this matter was closed during 2019 with no fines, penalties, or finding of wrongdoing, similar issues could arise in the future. In addition, future changes in government regulation of technology imports and exports, including tariffs and other protective measures that have been or may be imposed by the current U.S. presidential administration, could negatively affect our business.
We employ cryptographic technology in our authentication products. If the codes used in our cryptographic technology are eventually broken or become subject to additional government regulation, our technology and products may become less effective, which would have a material adverse effect on our business.
A portion of our products are based on cryptographic technology. With cryptographic technology, a user is given a key that is required to encrypt and decode messages. The security afforded by this technology depends on the integrity of a user’s key and in part on the application of algorithms, which are advanced mathematical factoring equations. These codes may eventually be broken or become subject to government regulation regarding their use, which would render our technology and products less effective. The occurrence of any one of the following could result in a decline in demand for our technology and products, which would have a material adverse effect on our business:
•Any significant advance in techniques for attacking cryptographic systems, including the development of an easy factoring method or faster, more powerful computers, such as quantum computing;
•Publicity of the successful decoding of cryptographic messages or the misappropriation of keys; and
•Increased government regulation limiting the use, scope or strength of cryptography.
International and domestic laws and regulations relating to data privacy, protection, access, sharing, portability and use could have a material adverse impact on our results of operations.
Our business is subject to a rapidly expanding and increasingly complex set of international, federal, state, and local laws and regulations governing the collection, use, access, sharing, transfer, portability, interoperability, and other processing and use of data worldwide. Globally, virtually every jurisdiction in which we operate has established its own data security, privacy, and broader data governance frameworks with which we must comply, including regimes that regulate data access and sharing rights, data portability and interoperability, restrictions on use and commercialization, and obligations imposed on cloud and other data processing services. We collect, transmit, store, and otherwise process (on our systems and on our third-party partners’ systems) our customers’, their end users’, and our employees’ data that includes personal data subject to these international and domestic privacy, data protection, and data governance laws and regulations. Failure to comply, or a perceived failure to comply, with these requirements could subject us to enhanced regulatory and customer monitoring, audits, and related expenses, restrict our ability to deliver or enhance our services, limit our ability to use data, expose us to regulatory enforcement actions, litigation and fines, and harm our reputation and customer relationships.
For example, in the European Economic Area (“EEA”), we are subject to Regulation (EU) 2016/679 (the General Data Protection Regulation or “GDPR”) and related national implementing laws. The GDPR is wide-ranging in scope and imposes numerous requirements on companies that process personal data, including requirements relating to lawful basis for processing, transparency, data subject rights, security safeguards, breach notification, accountability, and the oversight of third-party processors. Certain categories of data, including biometric and other sensitive data are subject to heightened requirements. In addition, the GDPR permits data protection authorities to impose corrective measures and/or administrative fines of up to the greater of 20 million Euros or four percent of global annual revenues, and allows data subjects to seek judicial remedies and compensation. Moreover, the EU Data Act (Regulation (EU) 2023/2854) establishes new rules governing access to, sharing of, and switching of data generated by connected products and related services, including mandatory data access rights for users and restrictions on contractual and technical barriers to data portability. The Data Act may require us to modify product design, data architectures, commercial terms, and cloud or data processing arrangements, and could limit our ability to monetize or control certain data assets. Although we have implemented policies, technical measures, and contractual safeguards designed to support compliance, the interpretation and enforcement of GDPR and the EU Data Act obligations continue to evolve and may differ across EEA member states. As a result, there can be no assurance that our compliance measures will not be challenged by regulators, courts, or other parties, which could result in investigations, fines, restrictions on processing or data sharing activities, or civil claims.
Our operations also depend on the ability of companies to transfer personal data across borders, including from the EEA to the United States and other jurisdictions. While the European Commission has adopted an adequacy decision for the EU-U.S. Data Privacy Framework, the long-term availability and scope of this and other transfer mechanisms remain subject to legal, regulatory, and political uncertainty. We rely on multiple transfer tools, including standard contractual clauses and supplementary measures, to support international data flows. If existing transfer mechanisms are invalidated, restricted, or require additional safeguards, we may be required to restructure data flows, localize certain processing activities, or implement new technical and contractual controls. These changes could increase operational complexity and costs, delay service delivery, limit product functionality, and expose us to regulatory scrutiny during transition periods. Beyond the GDPR, there are privacy, data security, and data governance laws in a growing number of countries around the world. For example, other jurisdictions such as Brazil, Canada, and the United Kingdom have enacted privacy and data protection laws and regulations that impose similar restrictions and obligations on products and services we sell and that otherwise may impact our ability to conduct our business activities.
In the United States, we are subject to a fragmented and expanding regulatory landscape at both the federal and state levels. Federal data privacy and security enforcement continues to evolve, and although the current federal regulatory environment is expected to shift toward more traditional and narrower enforcement priorities, our company remains exposed to potential actions by federal agencies such as the FTC under existing privacy laws, especially in the area of processing biometrics and other sensitive data. At the state level, comprehensive privacy laws, including the California Consumer Privacy Act as amended by the California Privacy Rights Act of 2020, and other similar statutes adopted by more than a dozen other states, impose varying obligations and grant enhanced enforcement powers, and in some cases, private rights of action. In addition, certain state laws regulate specific categories of information, such as biometric or health-related information. This patchwork of requirements increases compliance costs, audit and reporting obligations, litigation, fine and penalty exposure, and the risk that we may be subject to inconsistent or conflicting legal standards.
Several jurisdictions impose particularly stringent requirements on the processing of biometric data. Laws such as the Illinois Biometric Information Privacy Act, Québec's Act respecting the protection of personal data in the private sector, and other similar laws regulate the collection, use, safeguarding, storage, governance, transparency and disclosure of biometric identifiers and information. Many of these laws also require informed consent, and provide for statutory damages and private rights of action. Because some of our SaaS solutions support identity verification, authentication, fraud prevention, and similar use cases that may involve biometric identifiers processed on behalf of customers, we may face heightened regulatory scrutiny and litigation risk.
A substantial portion of our activities as a SaaS solution provider involves processing personal data on behalf of our customers in our capacity as a data processor. As a data processor acting on behalf of our customers, we collect, transmit, store, and process a wide range of data, including personal data and biometric information from individuals worldwide. This data is handled both on our systems and those of our third-party partners, increasing the complexity of compliance and the potential impact of any failure or perceived failure by us or our third-party partners to meet applicable legal, contractual, or security standards. Adapting to these requirements may entail significant operational changes, including revising data processing and storage practices, enhancing data security measures, implementing data access and sharing controls, enabling data portability and interoperability features, ensuring transparent communication with data subjects about their rights and our data handling practices, and it may impact our business activities, including our relationships with business partners and the marketing and distribution of our products.
Additionally, our products may increasingly incorporate advanced analytics, automation, and AI-enabled features. The regulatory landscape governing the use of automated decision-making, AI systems, and data-driven technologies is evolving rapidly, with increasing convergence between privacy, data protection, consumer protection, and AI-specific regulatory regimes. New or emerging requirements may restrict how we design, deploy, or market certain features, require additional transparency or governance measures, or increase the risk of regulatory enforcement and legal claims related to data use, transparency and accountability.
We work to comply with all applicable international and domestic privacy, data protection, and data governance laws and regulations; however, these laws and regulations vary greatly from jurisdiction to jurisdiction, change rapidly, and are subject to interpretation, all of which leads to uncertainty in their applicability. Compliance may increase costs and require that we modify existing products, delay or limit the rollout of new features, increase investment in technical and organizational safeguards, renegotiate contractual arrangements with customers or partners, and dedicate significant legal, compliance, and engineering resources. Any actual, alleged or perceived failure to comply with applicable data-related laws and regulations, our processes and policies, contractual provisions, or an actual or suspected data privacy or information security incident could result in serious consequences for us. These consequences may include enforcement actions, audits, investigations, prosecutions, fines, penalties, debarment, litigation, contractual liability, loss of customer trust, reputational harm, and overall material adverse effects on our business, results of operations, and financial condition.
We must comply with the requirements of being a public company, including developing and maintaining proper and effective disclosure controls and procedures and internal control over financial reporting. Any failure to comply with these requirements may adversely affect investor confidence in our company and, as a result, the value of our common stock.
As a public company, we are subject to the reporting requirements of the Securities Exchange Act of 1934, as amended, the Sarbanes-Oxley Act, the Dodd-Frank Wall Street Reform and Consumer Protection Act, the listing requirements of Nasdaq and other applicable securities rules and regulations that impose various requirements on public companies. Our management and other personnel devote a substantial amount of time to compliance with these requirements and such compliance requires significant ongoing legal, accounting and financial reporting costs.
The Sarbanes-Oxley Act requires that we maintain effective disclosure controls and procedures and internal control over financial reporting and furnish a report by management on, among other things, the effectiveness of our internal control over financial reporting on an annual basis. This assessment includes disclosure of any material weaknesses identified by our management in our internal control over financial reporting. We are also required to have our independent registered public accounting firm issue an opinion annually on the effectiveness of our internal control over financial reporting. During the evaluation and testing process, if we identify one or more material weaknesses in our internal control over financial reporting, we will be unable to assert that our internal control over financial reporting is effective.
We have identified a material weakness in the past and it is possible that other material weaknesses, or significant deficiencies, in our internal controls will be identified in the future. Failure to maintain effective controls or implement new or improved controls could result in significant deficiencies or material weaknesses, affect management evaluations and auditor attestations regarding the effectiveness of our internal controls, failure to meet periodic reporting obligations, and material misstatements in our financial statements. Any material misstatement of our financial statements may result in a restatement, loss of investor and customer confidence, a decline in the market price of our common stock, and potential sanctions or investigations by Nasdaq, the SEC or other regulatory authorities. Failure to remedy any material weakness in our internal control over financial reporting, or to implement or maintain other effective control systems required of public companies, could also restrict our future access to the capital markets.
Our business in certain countries and transactions with foreign governments increase the risks associated with our international activities.
We are subject to anti-corruption laws in the jurisdictions in which we operate, including the FCPA, the U.K. Bribery Act, and other similar laws that prohibit improper payments or offers of payments to foreign governments and their officials and political parties by U.S. and other business entities for the purpose of obtaining or retaining business. We have operations, deal with and make sales to governmental or quasi-governmental customers in countries known to experience corruption, particularly certain countries in the Middle East, Africa, Asia and South and Central America. Our activities in these countries create the risk of unauthorized payments or offers of payments by one of our employees, consultants, sales agents or channel partners that could be in violation of various laws, including the FCPA and the U.K. Bribery Act, even though these parties are not always subject to our control. While we have implemented policies and training that mandate compliance with these anti-corruption laws, we cannot guarantee that these policies and procedures will prevent reckless or criminal acts committed by our employees, consultants, sales agents or channel partners. Violations of these laws may result in materially significant diversion of management’s resources as well as significant investigation and outside counsel expense. Violations of these laws may also result in severe criminal or civil sanctions, including suspension or debarment from government contracting, and we may be subject to other liabilities which could disrupt our business and result in a materially adverse effect on our reputation, business, results of operations, and financial condition.
We are subject to numerous laws, regulations and customer and product certification requirements governing the design, production, distribution, sale and use of our products. Any failure to comply with these laws, regulations and requirements could result in unanticipated costs and other negative impacts, and could have a materially adverse effect on our business, results of operations, and financial condition.
We are subject to global legal, regulatory, and customer compliance requirements that span many different areas. For example, we are subject to the Directive on Measures for a High Common Level of Cybersecurity Across the Union (EU) 2022/2555 (known as NIS2), which introduces a common cybersecurity framework that imposes stringent security and cybersecurity incident reporting obligations on organizations operating in the European Union. Our ability to comply with these requirements, including enhanced reporting obligations, risk management process, and network security standards, may require additional investment in technology, personnel, and training. Non-compliance with NIS2 could result in significant penalties, legal liabilities, reputational damage, and operational disruptions.
In addition, as an information communication technology provider to financial entities in the European Union, we are affected by the Regulation on Digital Operational Resilience for the Financial Sector (EU) 2022/2554 (known as DORA). DORA imposes significant obligations on our financial entity customers to ensure their third-party technology vendors, such as OneSpan, protect against disruptions in their products or services that could affect important or critical financial services in the EU. In order to meet their own compliance obligations under DORA, our customers are imposing additional contractual requirements on OneSpan to ensure the security, continuity, and resilience of our products and services, increase oversight of our critical third-party service providers, and undergo additional audits, all of which may require significant investment in technology, personnel, and training. If we fail to meet DORA’s requirements, our financial entity customers could be negatively impacted, and we could incur liabilities, suspension or termination of our products and services, reputational damage, loss of competitive positioning, and potential loss of business. Furthermore, evolving interpretations of DORA or additional regulatory updates could lead to unexpected compliance challenges and costs.
Our Digipass authenticator devices are subject to a variety of laws applicable to electronic devices, such as the EU Regulation on the Registration, Evaluation, Authorisation and Restriction of Chemicals (REACH), the EU Restriction on the Use of Hazardous Substances Directive (the RoHS Directive), the EU Waste Electrical and Electronic Equipment Directive (the WEE Directive) and “conflict minerals” regulations that require us to perform supply chain due diligence to determine the sources and origin of certain minerals used in our devices. We expect to incur ongoing costs associated with complying with these requirements, and may be subject to reputational damage, fines, penalties or loss of customers if we fail to comply. These requirements may also affect pricing, sourcing and availability of materials used to produce our Digipass devices. Our products, including our Digipass authenticators, may also require various industry certifications, including certifications under the Federal Information Processing Standards (FIPS) and from industry standards organizations such as the FIDO Alliance. Failure to obtain these certifications in a timely manner could harm our business.
Efforts to manage and mitigate climate change, pollution, biodiversity loss, human rights violations in corporate supply chains, and other environmental and social impacts have produced significant regulatory and legislative efforts on a global basis, a trend we expect to continue. We anticipate that new laws and regulations in this area will result in added compliance requirements and increased costs for us and our suppliers, which could result in a significant negative impact on our ability to operate profitably. In particular, we expect to become subject to several complex and costly new EU sustainability laws over the next five years, including laws addressing sustainable product design and packaging. In addition, many of our customers are also subject to significant new environmental and climate-related regulations or stakeholder pressure, which may affect their purchasing decisions in ways unfavorable to us. For instance, customers who purchase our Digipass authenticator devices sometimes inquire about the environmental impact of the devices, and customers who are especially focused on carbon footprint or waste minimization may choose software-based authentication methods rather than physical authentication devices. Finally, disclosures we may be required to make with respect to climate change, pollution or other environmental or social impacts may damage our reputation and have an adverse impact on our business.
We sell products and services to U.S. federal, state and local governments as well as foreign government entities. Risks associated with selling our products and services to government entities include compliance with complex procurement regulations and government-specific contractual requirements that may vary from our standard terms and conditions, longer sales cycles that are not easy to predict, and varying government funding and budgeting processes. Selling to these entities is expensive and time-consuming and often requires significant up-front effort and expense. We have processes in place to aid in compliance with applicable government contracting requirements; however, it is difficult to be certain that compliance has been achieved. Non-compliance with government entity requirements may result in significant material risk to the Company including debarment, reputational loss, and financial and business losses.
New laws and regulations and changes to current laws and regulations are always possible and, in some cases they may be introduced with little or no time to bring related products into compliance. Furthermore, our products are used by customers to assist with achieving compliance with laws and regulations that apply to their industry. Our failure to comply with laws and regulations and to adapt to our customers’ needs may prevent us from selling our products in a certain country or to a particular customer. In addition, these laws, regulations, and requirements may increase our cost of supplying the products by forcing us to redesign existing products, change manufacturing practices, or to use more expensive designs or components. In these cases, we may experience unexpected disruptions in our ability to supply customers with products, or we may incur unexpected costs or operational complexities to bring products into compliance, and we may experience lowered customer demand. This could have an adverse effect on our revenues, gross profit margins and results of operations and increase the volatility of our financial results.
We may require additional capital to support our business objectives, and this capital might not be available on acceptable terms, if at all.
We expect that our existing cash and cash equivalents and borrowing capacity under our Credit Agreement will be sufficient to meet our anticipated cash needs for working capital and capital expenditures for at least the next 12 months. Our estimate as to how long we expect our cash and cash equivalents to be able to fund our operations is based on assumptions that may prove to be wrong, and we could use our available capital resources sooner than we currently expect. Further, changing circumstances, some of which may be beyond our control, could cause us to consume capital significantly faster than we currently anticipate, and we may need to seek additional funds sooner than planned. We intend to continue to make investments to support our business objectives and may require additional funds to achieve our objectives and respond to business challenges, including the need to develop new features or enhance our products, improve our operating infrastructure or acquire complementary businesses and technologies. Accordingly, we may need to engage in expanded or additional debt financings or equity financings to secure additional funds. If we raise additional funds through future issuances of equity or convertible debt securities, our existing stockholders could suffer significant dilution, and any new equity securities we issue could have rights, preferences and privileges superior to those of holders of our common stock.
General economic conditions and geopolitical events have resulted in significant volatility in global financial markets in recent years. If this volatility persists or becomes more pronounced, we could experience an inability to access additional capital, which could in the future negatively affect our capacity for certain corporate development transactions or our ability to make other important, opportunistic investments. In addition, market volatility, high levels of inflation and interest rate fluctuations may increase our cost of financing or restrict our access to potential sources of future liquidity. Adequate additional financing may not be available to us on acceptable terms, or at all. If we are unable to obtain adequate financing or financing on terms satisfactory to us when we require it, our ability to continue to support our business objectives and to respond to business challenges could be significantly impaired, and our business may be adversely affected.
Risks Related to Ownership of Our Common Stock
Our stock price has been and will likely continue to be volatile.
The market price of our common stock has been and may continue to be highly volatile and may fluctuate substantially as a result of a variety of factors, including those described in this “Risk Factors” section, many of which are beyond our control and may not be related to our operating performance. Factors that could cause fluctuations in the market price of our common stock include the following:
•Actual or anticipated fluctuations in our quarterly or annual operating results;
•Variance in our financial performance from our own financial guidance or from expectations of securities analysts;
•The trading volume of our common stock;
•Failure of securities analysts to maintain coverage of our company or changes in financial estimates by any securities analysts who follow our company;
•Changes in market valuations of other technology companies;
•Announcements by us or our competitors of significant technical innovations, contracts, acquisitions, strategic partnerships, joint ventures or capital commitments;
•Our involvement in any litigation or investigations by regulators;
•Our sale of our common stock or other securities in the future;
•Sales of large blocks of our common stock, including sales by our executive officers, directors and significant stockholders;
•Repurchases pursuant to board-authorized share repurchase programs, or announcements of the inception or discontinuation of any such program;
•Increases or decreases in the dividend amount paid under our quarterly dividend program announced in December 2024, the modification or discontinuation of such program, or other changes in our capital allocation strategy;
•Mergers, acquisitions, or divestitures;
•Short sales, hedging and other derivative transactions involving our capital stock;
•Additions or departures of any of our key personnel;
•Changing legal or regulatory developments;
•The inclusion or exclusion of our stock in ETFs, indices and other benchmarks, and changes made to related methodologies;
•Reactions by investors to uncertainties in the world economy, the global geopolitical environment, and financial markets.
In recent years, the stock markets have experienced price and volume fluctuations that have affected and continue to affect the market prices of equity securities of many companies due to, among other factors, the actions of market participants or other actions outside of our control, including market volatility caused by geopolitical events, and general economic developments. These fluctuations have often been unrelated or disproportionate to the operating performance of those companies. Broad market and industry fluctuations, as well as general economic, political, regulatory and market conditions, may negatively impact the market price of our common stock. In the past, companies that have experienced volatility in the market price of their securities have been subject to securities class action litigation. We have been the target of this type of litigation in the past, and may be targeted again in the future, which could result in substantial costs and divert our management’s attention.
A small group of shareholders control a substantial amount of our common stock and could promote, delay or prevent a change of control.
A small number of shareholders control a significant amount of our outstanding common stock, as follows (based on the number of our shares of common stock outstanding as of December 31, 2025 and the most recent Schedule 13G or Schedule 13G/A filing made by each of these parties): Blackrock, Inc. holds approximately 9.9% of our outstanding common stock; Vanguard Group Holdings holds approximately 9.3%; Legal & General Group Plc holds approximately 5.9%; and Ameriprise Financial, Inc. holds approximately 5.4%. This concentration of ownership may have the effect of a small number of investors promoting, discouraging, delaying or preventing a change in control and may also have an adverse effect on the market price of our common stock.
Certain provisions of our charter and of Delaware law make a takeover of our Company more difficult.
Our corporate charter and Delaware law contain provisions, such as a class of authorized but unissued preferred stock which may be issued by our board of directors without stockholder approval that might enable our management to resist a takeover of our Company. Delaware law also limits business combinations with interested stockholders. These provisions might discourage, delay or prevent a change in control or a change in our management. These provisions could also discourage proxy contests and make it more difficult for stockholders to elect directors and take other corporate actions. The existence of these provisions could limit the price that investors might be willing to pay in the future for shares of our common stock.
Future issuances of blank check preferred stock may reduce voting power of common stock and may have anti-takeover effects that could prevent a change in control.
Our corporate charter authorizes the issuance of up to 500,000 shares of preferred stock with such designations, rights, powers and preferences as may be determined from time to time by our board of directors, including such dividend, liquidation, conversion, voting or other rights, powers and preferences as may be determined from time to time by the board of directors without further stockholder approval.
The issuance of preferred stock could adversely affect the voting power or other rights of the holders of common stock. In addition, the authorized shares of preferred stock and common stock could be utilized, under certain circumstances, as a method of discouraging, delaying or preventing a change in control.
Our business could be adversely affected as a result of actions of activist stockholders.
Although we strive to maintain constructive, ongoing communications with all of our stockholders, and welcome their views and opinions with the goal of enhancing value for all of our stockholders, our stockholders have in the past, and may from time to time in the future, engage in proxy solicitations, advance stockholder proposals or otherwise attempt to effect changes at or acquire control of the Company. Campaigns by stockholders to effect changes at publicly traded companies are sometimes led by investors seeking to increase short-term stockholder value through actions such as stock repurchases or sales of assets or the entire company. Responding to proxy contests and other actions by activist stockholders can be costly and time-consuming and could divert the attention of our board of directors and senior management from the management of our operations and the pursuit of our business strategy. We cannot predict whether additional proxy contests or related matters will occur in the future and the time and cost associated with such matters.
Any perceived uncertainties as to our future direction and control, our ability to execute on our strategy or changes to the composition of our board of directors or senior management team arising from proposals by activist stockholders or a proxy contest could lead to the perception of a change in the direction of our business or instability that may be exploited by our competitors and/or other activist stockholders, result in the loss of customers or potential business opportunities, and make it more difficult to pursue our strategic initiatives or attract and retain qualified employees and business partners, any of which could have an adverse effect on our business, financial condition and operating results.
General Risks
Economic uncertainties or downturns could materially adversely affect our business.
Negative economic conditions, including conditions resulting from changes in foreign currency rates, changes in interest rates, gross domestic product growth, financial and credit market fluctuations, inflation, political turmoil, geopolitical tensions, tariffs, international trade disputes, natural catastrophes, regional and global conflicts, natural disasters, and terrorist attacks, could cause a decrease in business investments, including spending on information technology, and negatively affect the performance of our business. If global or regional economic and financial market conditions remain uncertain and/or weak for an extended period of time, any of the following factors, among others, could have a material adverse effect on our financial condition and results of operations:
•slower consumer or business spending may result in reduced demand for our products and services, reduced orders from customers, order cancellations, lower revenues, increased inventories, and lower gross margins;
•volatility in global markets, tariffs or international trade disputes, and fluctuations in exchange rates for foreign currencies could negatively impact our reported financial results and condition;
•restructurings, reorganizations, consolidations and other corporate events could affect our customers’ budgets and buying cycles, particularly in the banking and financial services industry, where we have particular exposure due to the majority of our customers being banks and financial institutions;
•if our customers experience declining revenues, or experience difficulty obtaining financing in the capital and credit markets to purchase our products and services, this could result in reduced orders, longer sales cycles, order cancellations, inability of customers to timely meet their payment obligations to us, extended payment terms, higher accounts receivable, reduced cash flows, greater expense associated with collection efforts and increased bad debt expense;
•severe financial difficulty experienced by our customers (such as the mid-market bank failures that occurred in 2023) may cause them to become insolvent or cease business operations, which could reduce sales, cash collections and revenue streams;
•volatility in the prices for materials and components we use in our Digipass products could have a material adverse effect on our costs, gross margins, and profitability; and
•any difficulty or inability on the part of manufacturers of our products or other participants in our supply chain in obtaining sufficient financing to purchase raw materials or to finance general working capital needs may result in delays or non-delivery of shipments of our products.
Furthermore, in an adverse economic environment there is a risk that customers may delay their orders until the economic conditions improve. If a significant number of orders are delayed for an indefinite period of time, our revenue and cash receipts may not be sufficient to meet the operating needs of the business. If this is the case, we may need to significantly reduce our workforce, sell certain of our assets, enter into strategic relationships or business combinations, discontinue some or all of our operations, or take other similar restructuring actions. While we expect that these actions would result in a reduction of recurring costs, they also may result in a reduction of recurring revenue and cash receipts. It is also likely that we would incur substantial non-recurring costs to implement one or more of these restructuring actions.
Catastrophic events may disrupt our business.
Our business operations are subject to interruption by natural disasters, including extreme weather related to the effects of climate change, and other catastrophic events such as fire, floods, power loss, telecommunications failure, cyberattack, war or terrorist attack, or epidemic or pandemic. To the extent such events impact our facilities or off-premises or third-party infrastructure, we may be unable to continue our operations and may endure system interruptions, reputational harm, delays in our software development, lengthy interruptions in our services, breaches of data security and loss of critical data, all of which could have an adverse effect on our future operating results.