OneSpan (OSPN) pivots to software growth with deals and $100M credit line
Filing Impact
Filing Sentiment
Form Type
10-K
Rhea-AI Filing Summary
OneSpan Inc. describes a 2025 transition year where total revenue was roughly flat versus 2024, but the business continued to operate profitably after cost reductions that returned it to operating profitability in late 2023. The company is shifting from its legacy Digipass hardware tokens, which fell to 20% of revenue in 2025 from 78% in 2015, toward higher‑margin software in its Cybersecurity and Digital Agreements segments.
To support growth, OneSpan acquired Nok Nok Labs in June 2025 for FIDO‑based passwordless authentication, agreed in December 2025 to acquire mobile app protection provider Build38, and made a strategic investment in ThreatFabric for mobile threat intelligence. It also secured a $100 million revolving credit facility maturing in 2030 and returned about $31.6 million to shareholders via dividends and buybacks in 2025.
OneSpan highlights exposure to intense competition from larger players, rising AI‑driven cyber threats, complex global supply chains for Digipass devices, and extensive international regulatory and operational risks. The company ended 2025 with 602 employees across the Americas, EMEA and Asia Pacific, emphasizing talent retention, hybrid work, and relatively low voluntary turnover.
Positive
- None.
Negative
- None.
UNITED STATES
SECURITIES AND EXCHANGE COMMISSION
Washington, D.C. 20549
_____________________________________
FORM 10-K
FOR ANNUAL AND TRANSITION REPORTS PURSUANT TO
SECTIONS 13 OR 15(d) OF THE SECURITIES EXCHANGE ACT OF 1934
(Mark One)
or
Commission file number 000-24389
(Exact Name of Registrant as Specified in Its Charter)
| (State or Other Jurisdiction of Incorporation or Organization) | (IRS Employer Identification No.) | ||||
(Address of Principal Executive Offices)(Zip Code)
Registrant’s telephone number, including area code:
Securities registered pursuant to Section 12(b) of the Act:
| Title of each class | Trading Symbol | Name of exchange on which registered | ||||||||||||
Securities registered pursuant to Section 12(g) of the Act:
None
Indicate by check mark if the registrant is a well-known seasoned issuer, as defined by Rule 405 of the Securities Act. Yes o No x
Indicate by check mark if the registrant is not required to file reports pursuant to Section 13 or 15(d) of the act. Yes o No x
Indicate by check mark whether the registrant: (1) has filed all reports required to be filed by Section 13 or 15(d) of the Securities Exchange Act of 1934 during the preceding 12 months (or for such shorter period that the registrant was required to file such reports), and (2) has been subject to such filing requirements for the past 90 days. Yes x No o
Indicate by check mark whether the registrant has submitted electronically every Interactive Data File required to be submitted pursuant to Rule 405 of Regulation S-T (§232.405 of this chapter) during the preceding 12 months (or for such shorter period that the registrant was required to submit such files). Yes x No o
Indicate by check mark whether the registrant is a large accelerated filer, an accelerated filer, a non-accelerated filer, a smaller reporting company, or an emerging growth company. See definition of “large accelerated filer,” “accelerated filer”, “smaller reporting company”, and “emerging growth company” in Rule 12b-2 of the Exchange Act.
| Large accelerated filer | o | ☒ | Non-accelerated filer | o | Smaller reporting company | Emerging growth company | |||||||||||||||||||||||
If an emerging growth company, indicate by check mark if the registrant has elected not to use the extended transition period for complying with any new or revised financial accounting standards pursuant to Section 13(a) of the Exchange Act. o
Indicate by check mark whether the registrant has filed a report on and attestation to its management’s assessment of the effectiveness of its internal control over financial reporting under Section 404(b) of the Sarbanes-Oxley Act (15 U.S.C. 7262(b)) by the registered public accounting firm that prepared or issued its audit report.x
Indicate by check mark whether the registrant has filed a report on and attestation to its management’s assessment of the effectiveness of its internal control over financial reporting under Section 404(b) of the Sarbanes-Oxley Act (15 U.S.C. 7262(b)) by the registered public accounting firm that prepared or issued its audit report.
If securities are registered pursuant to Section 12(b) of the Act, indicate by check mark whether the financial statements of the registrant included in the filing reflect the correction of an error to previously issued financial statements.
Indicate by check mark whether any of those error corrections are restatements that required a recovery analysis of incentive-based compensation received by any of the registrant’s executive officers during the relevant recovery period pursuant to §240.10D-1(b). o
Indicate by check mark whether the registrant is a shell company (as defined in Rule 12b-2 of the Exchange Act). Yes
As of June 30, 2025, the aggregate market value of voting and non-voting common equity (based upon the last sale price of the common stock as reported on the NASDAQ Capital Market on June 30, 2025) held by non-affiliates of the registrant was $
As of February 19, 2026, there were
DOCUMENTS INCORPORATED BY REFERENCE
Certain sections of the registrant’s Notice of Annual Meeting of Stockholders and Proxy Statement for its 2026 Annual Meeting of Stockholders are incorporated by reference into Part III of this report.
Auditor Name: | Auditor Location: | Auditor Firm ID: | ||||||
OneSpan Inc.
Annual Report on Form 10-K
For the Year Ended December 31, 2025
TABLE OF CONTENTS
TABLE OF CONTENTS
| PAGE | ||||||||
Cautionary Note Regarding Forward-Looking Statements | ||||||||
PART I | ||||||||
Item 1. | Business | 1 | ||||||
Item 1A. | Risk Factors | 10 | ||||||
Item 1B. | Unresolved Staff Comments | 34 | ||||||
Item 1C. | Cybersecurity | 34 | ||||||
Item 2. | Properties | 35 | ||||||
Item 3. | Legal Proceedings | 35 | ||||||
Item 4. | Mine Safety Disclosures | 35 | ||||||
PART II | ||||||||
Item 5. | Market for Registrant’s Common Equity, Related Stockholder Matters and Issuer Purchases of Equity Securities | 36 | ||||||
Item 6. | [Reserved] | 37 | ||||||
Item 7. | Management’s Discussion and Analysis of Financial Condition and Results of Operations | 37 | ||||||
Item 7A. | Quantitative and Qualitative Disclosures About Market Risk | 55 | ||||||
Item 8. | Financial Statements and Supplementary Data | 55 | ||||||
Item 9. | Changes in and Disagreements with Accountants on Accounting and Financial Disclosures | 55 | ||||||
Item 9A. | Controls and Procedures | 55 | ||||||
Item 9B. | Other Information | 56 | ||||||
Item 9C. | Disclosure Regarding Foreign Jurisdictions that Prevent Inspections | 56 | ||||||
PART III | ||||||||
Item 10. | Directors, Executive Officers and Corporate Governance | 57 | ||||||
Item 11. | Executive Compensation | 57 | ||||||
Item 12. | Security Ownership of Certain Beneficial Owners and Management and Related Stockholder Matters | 57 | ||||||
Item 13. | Certain Relationships and Related Transactions, and Director Independence | 57 | ||||||
Item 14. | Principal Accounting Fees and Services | 57 | ||||||
PART IV | ||||||||
Item 15. | Exhibits and Financial Statement Schedules | 58 | ||||||
CONSOLIDATED FINANCIAL STATEMENTS AND SCHEDULE | F-1 | |||||||
References to OneSpan
Throughout this Annual Report on Form 10-K, the “Company,” “OneSpan,” “we,” “us,” and “our,” except where the context requires otherwise, refer to OneSpan Inc. and its consolidated subsidiaries, and “our board of directors” refers to the board of directors of OneSpan Inc.
Cautionary Note Regarding Forward-Looking Statements
This Annual Report on Form 10-K contains forward-looking statements within the meaning of applicable U.S. securities laws, including statements regarding our focus on driving revenue growth in higher-margin software solutions; our plans for continued investment in hardware authentication solutions; revenue trends, including revenue expectations for our hardware business; estimates concerning the financial impact of any cost reduction and restructuring actions; our plans for managing our Cybersecurity and Digital Agreements segments; our potential plans for investing in our products, acquiring additional businesses or making additional strategic equity investments; expectations about trends in our cost of goods sold, gross margin, and sales and marketing, research and development, and general and administrative expenses; the impact of foreign currency rate fluctuations; expectations regarding sources and uses of cash; and our general expectations regarding our operational or financial performance in the future. Forward-looking statements may be identified by words such as "seek", "believe", "plan", "estimate", "anticipate", “expect", "intend", "continue", "outlook", "may", "will", "should", "could", or "might", and other similar expressions. These forward-looking statements involve risks and uncertainties, as well as assumptions that, if they do not fully materialize or prove incorrect, could cause our results to differ materially from those expressed or implied by such forward-looking statements. Factors that could materially affect our business and financial results include, but are not limited to: difficulties increasing or maintaining our rate of revenue growth; our ability to attract new customers and retain and expand sales to existing customers; our ability to successfully develop and market new product offerings and product enhancements; changes in customer requirements; the potential effects of technological changes, including the impact of advances in artificial intelligence; the loss of one or more large customers; difficulties enhancing and maintaining our brand recognition; competition; lengthy sales cycles; challenges retaining key employees and successfully hiring and training qualified new employees; security breaches or cyber-attacks; real or perceived malfunctions or errors in our products; interruptions or delays in the performance of our products and solutions; reliance on third parties for certain products and data center services; our ability to effectively manage third party partnerships, acquisitions, divestitures, alliances, or joint ventures; economic recession, inflation, tariffs or trade disputes, and political instability; claims that we have infringed the intellectual property rights of others; changing laws, government regulations or policies; pressures on price levels; component shortages; delays and disruption in global transportation and supply chains; impairment of goodwill or amortizable intangible assets causing a significant charge to earnings; actions of activist stockholders; and exposure to increased economic and operational uncertainties from operating a global business, as well as other factors described in the “Risk Factors” section of this Annual Report on Form 10-K. Our filings with the Securities and Exchange Commission (the “SEC”) and other important information can be found in the Investor Relations section of our website at investors.onespan.com. We do not have any intent, and disclaim any obligation, to update the forward-looking information to reflect events that occur, circumstances that exist or changes in our expectations after the date of this Form 10-K, except as required by law.
Our website address is included in this Annual Report on Form 10-K as an inactive textual reference only.
PART I
Item 1 – Business
Overview
OneSpan helps organizations build secure, seamless, and trusted digital experiences through two solution portfolios: Cybersecurity and Digital Agreements. Our cybersecurity solutions protect identities, secure mobile apps, and safeguard access through advanced high-assurance authentication, threat intelligence, fraud prevention, and robust mobile app protection, defending users, devices, and applications against sophisticated attacks. Our digital agreement solutions streamline agreement workflows with secure e-signatures, identity verification, and smart digital forms, built to enable speed, compliance and exceptional customer experiences. Trusted by leading global enterprises, including more than 60% of the world’s 100 largest banks, OneSpan processes over 100 million digital agreements and billions of secure authentication transactions across more than 120 countries each year.
We offer our products primarily through a subscription licensing model and provide multiple deployment options, including cloud-based and on-premises solutions. Our solutions are sold worldwide through our direct sales force, as well as through distributors, resellers, systems integrators, and original equipment manufacturers.
We report our financial results under the following two business divisions, which are our reportable operating segments: Cybersecurity and Digital Agreements.
•Cybersecurity. Cybersecurity, formerly Security Solutions, consists of our broad portfolio of software products, software development kits ("SDKs") and Digipass authenticator devices that are used to build applications designed to defend against attacks on digital transactions across online environments, devices, and applications. The software products and SDKs included in the Cybersecurity segment are delivered through on-premises and cloud-based deployment models and include standards-based authentication technologies such as Fast Identity Online ("FIDO") authentication and passkeys, multi-factor authentication, transaction signing solutions and mobile application security.
•Digital Agreements. Digital Agreements consists of solutions that enable our clients to secure and automate business processes associated with their digital agreement and customer transaction lifecycles that require consent, non-repudiation and compliance. These solutions, which are cloud-based, include OneSpan Sign e-signature, OneSpan Notary, and OneSpan Identity Verification.
Beginning in mid-2023 and through the third quarter of 2024, our focus was on adjusting our cost structure to enable both business divisions to operate profitably. These cost optimization efforts were a major factor in the overall business returning to operating profitability in the fourth quarter of 2023. The subsequent increase in profitability, combined with high levels of cash generation, enabled us to return approximately $31.6 million to shareholders in 2025 in the form of quarterly dividends and share repurchases. Beginning in the fourth quarter of 2024 and continuing through 2025, we continued to operate profitably while taking a number of important steps to generate future revenue growth:
•In December 2024, we hired a new Chief Technology Officer, Ashish Jain, to lead our research and development efforts.
•In June 2025, we acquired Nok Nok Labs, Inc. ("Nok Nok Labs"), a provider of passwordless software authentication solutions, which brought S3, a leading FIDO software product, to our portfolio. This acquisition provides OneSpan's customers with a wider range of flexible, adaptable authentication options. See Note 6, Business Acquisitions, for additional information.
•In June 2025, we entered into a $100.0 million credit agreement (the “Credit Agreement") with MUFG Bank, Ltd ("MUFG") and other lenders party thereto. The Credit Agreement provides for a $100.0 million revolving credit facility with a $10.0 million letter of credit sublimit and a $10.0 million swingline loan sublimit. The proceeds of borrowings under the Credit Agreement may be used for general corporate purposes. We may borrow, repay and reborrow funds under the revolving credit facility until its maturity on June 23, 2030. See Note 12, Debt, for additional information.
1
•In October 2025, we announced a strategic investment in, and partnership with, ThreatFabric Holding B.V., a Dutch company that provides mobile threat intelligence, malware risk detection, and behavioral analytics, to further enhance the value we offer to our customers. See Note 2, Summary of Significant Accounting Policies, for additional information.
•In December 2025, we hired a new Chief Revenue Officer, Shaun Bierweiler, to lead our go-to-market efforts, and to drive growth and customer success.
•Later in December 2025, we entered into a definitive agreement to acquire Build38 GmbH ("Build38"), a leader in next-generation mobile application protection solutions, to extend our investment in advanced mobile security technologies. See Note 6, Business Acquisitions, for additional information.
Our efforts to broaden and strengthen our product offerings are driven in part by a secular shift away from physical authentication devices such as our Digipass tokens. Because consumers increasingly interact with their banks through their mobile devices rather than desktop computers, they are more likely to prefer authentication methods that enable secure, convenient access to mobile banking apps without the need for a physical device. In response to this trend, our bank and financial institution customers have increasingly adopted a “mobile first” approach to consumer authentication that prioritizes the mobile user experience over traditional desktop experiences. This approach has resulted in a reduction of Digipass hardware authenticator sales and an increase in sales of software authentication licenses delivered through software applications on mobile devices. Due largely to the mobile first trend, our revenue from Digipass devices declined from 78% of our revenue in 2015 to 20% of our revenue in 2025. Although we plan to continue to invest in our Digipass authenticators, including our newer FIDO2 Digipass devices, as an important component of our broad authentication solution portfolio, we are focused on driving revenue growth in higher–margin software solutions, both through further expansion of our Cybersecurity software solutions and through continued growth in our Digital Agreements division.
Industry Background
While the continued shift toward cloud-delivered experiences and the rapid adoption of artificial intelligence (“AI”) technologies across industries have accelerated digital engagement, they have also expanded the threat landscape for organizations, their customers, and their employees. People, applications, and the digital records associated with business interactions, transactions, and agreements have become major targets for cyberattacks and fraud. As organizations digitize critical workflows, the security, integrity, and enforceability of these interactions have become increasingly essential to business operations.
Cybersecurity Market Trends
Cybersecurity threats continue to rise in frequency, sophistication, and impact. Attackers are leveraging advanced techniques—including AI-driven phishing, deepfake-enabled impersonation, and social engineering—to exploit weaknesses in digital channels. Account takeover attacks (“ATO”) remain among the fastest‑growing threats, as criminals target customer and workforce authentication processes across digital banking and enterprise applications. Authorized push payment (“APP”) fraud is also accelerating, with fraudsters manipulating individuals and businesses into sending real‑time payments to illegitimate destinations.
At the same time, mobile-first usage has made applications a central attack surface. Organizations increasingly face threats such as malware, reverse engineering, and injection attacks within their mobile apps, prompting a growing need for in-app protections, threat analytics, and mobile application shielding. These risks are compounded by the rise of hybrid work environments, which place additional pressure on organizations to secure employee access through phishing-resistant authentication and comprehensive workforce identity protections.
While organizations seek to safeguard their environments, they must also meet customer expectations for fast, intuitive, and low‑friction digital experiences. This tension between strong security requirements and seamless user experiences continues to challenge enterprises across regulated and unregulated industries.
Digital Agreements Market Trends
The digital agreements market continues to advance as organizations seek to improve efficiency, reduce risk, and meet regulatory requirements in increasingly complex operating environments. As businesses move beyond static,
2
PDF‑based documents, they are shifting toward intelligent, structured, and dynamic digital content that enables greater automation, analytics, and reuse across workflows.
The rise of agentic AI is also reshaping agreement processes. Rather than digitizing legacy steps, enterprises are reconstructing workflows to be adaptive, automated, and AI‑assisted - streamlining multi‑step processes and accelerating digital operations.
At the same time, organizations are reassessing their e‑signature foundations. Many tools adopted rapidly during the COVID era were deployed in silos, offer limited customization, are costly to scale, and, in some cases, introduce additional security risks. As companies consolidate these fragmented deployments, they are prioritizing cost‑effective, enterprise‑wide solutions that support broad use‑case coverage and deliver a lower total cost of ownership.
Our Opportunity
The trends shaping both the cybersecurity and digital agreements markets point to a growing global need for technologies that secure identities, protect critical applications, and ensure the integrity of high-value digital transactions. In cybersecurity, rising threat sophistication, the expansion of mobile and cloud attack surfaces, and the ongoing tension between strong security and user experience are driving demand for robust, friction-resistant authentication and advanced application protection. In parallel, the digital agreements market is undergoing its own transformation as organizations shift toward intelligent documents, AI-driven workflows, and consolidated, enterprise-wide e-signature deployments that reduce cost, improve scalability, and require strong identity verification—particularly as digital wallets and new credential models emerge. Together, these market dynamics create a meaningful opportunity for OneSpan to leverage our global security heritage to deliver identity-assured, trusted solutions that help organizations reduce risk, meet regulatory requirements, and provide intuitive, secure digital experiences across both segments.
Our Products and Services Portfolio
We offer a portfolio of security, authentication, identity, electronic signature, and digital workflow products and solutions through our two business divisions, Cybersecurity and Digital Agreements.
Cybersecurity
Cloud Authentication is a quick-to-deploy, cloud-based multi-factor authentication solution that supports a full range of authentication options including biometrics, push notification, visual cryptograms for transaction data security, SMS, and hardware authenticators. This allows customers to solve strong authentication problems across different endpoints to best meet their unique requirements through a single provider rather than integrating multiple modalities together. It eliminates cost associated with managing legacy on-premises authentication technology and provides a straightforward upgrade path to more comprehensive capabilities such as intelligent adaptive authentication.
Digipass S3 Authentication Software is our authentication platform designed to enable passwordless, phishing-resistant authentication across web and mobile applications. The platform supports standards-based technologies, including FIDO. The software provides adaptive, policy-driven authentication using contextual and device-based signals to balance security and user experience. It offers centralized administration, lifecycle management, analytics, and integration with existing Identity and Access Management ("IAM") and Customer Identity and Access Management ("CIAM") platforms through APIs and out-of-the-box connectors. Digipass S3 Authentication Software can be deployed in cloud or on-premises environments and is designed to support enterprise-scale authentication volumes. Customers use Digipass S3 Authentication Software as part of their digital authentication environments across web and mobile applications.
Mobile Security Suite is a comprehensive SDK and unique single framework that integrates built-in application security to allow for a variety of strong authentication technologies, dynamic linking, WYSIWYS (What-You-See-Is-What-You-Sign), authentication orchestration, and improved authentication user interface. Through a comprehensive library of application programming interfaces ("APIs"), customers can extend and strengthen security for applications, deliver user convenience, and streamline the application deployment and lifecycle management process.
Mobile Application Shielding protects mobile applications from attacks by malware, allowing secure usage of mobile applications even in hostile environments (e.g., on jailbroken mobile phones). The technology helps protect mobile application code against malicious code injection such that if a device becomes infected with malware, the application shielding technology will detect and prevent that code from running.
3
Authentication Server is a comprehensive, centralized, and flexible authentication platform designed to provide full lifecycle management through a single, integrated system. It enables secure multi-factor authentication for digital transactions and user access, supporting a wide range of authentication methods, including biometrics, one-time passwords, and mobile push notifications. By offering broad access to enterprise resources—from SSL VPNs to cloud-based applications—it enhances security while simplifying authentication management for both administrators and end users.
Authentication Suite is a comprehensive solution designed to protect organizations from cyber threats while offering authentication experiences across channels. With a flexible API-driven backend, support for both hardware and software authenticators, and a robust mobile SDK, the suite provides scalable security for high-volume applications like online banking, e-commerce, and gaming. Organizations can tailor authentication methods to meet their unique security needs, leveraging industry standards and technologies such as the FIDO and OATH standards, our Digipass technology, and our Cronto visual transaction signing solution for enhanced protection against sophisticated attacks. Its integration capabilities simplify deployment without disrupting existing systems, while built-in mobile authentication licenses enable secure user access across multiple devices.
Digipass Authenticators are our hardware authenticators, consisting of a wide variety of authentication devices, each of which has its own distinct characteristics to meet the needs of our customers. All models of Digipass authenticators are designed to work together so customers can switch devices without making changes to their existing infrastructure, and they are also fully interoperable with our mobile authentication software. Our Digipass models range from one-button devices and smart card readers to devices that include more advanced technologies, such as public key infrastructure ("PKI") and visual cryptography.
Our Digipass authenticators provide proven multi-factor authentication and transaction data signing. Our newer Digipass FX family of authenticators are FIDO2-certified phishing-resistant passkeys that enable passwordless authentication, significantly reducing the risk of social engineering. Our Digipass FX authenticators use the FIDO2 protocol, employing a private and public key pair system whereby private keys and biometric data never leave the device, thereby avoiding vulnerabilities associated with human error, such as phishing and password reuse.
Digital Agreements
OneSpan Sign, our primary Digital Agreements product offering, supports a broad range of e-signature requirements from simple to complex, and from the occasional agreement to processing tens of thousands of transactions. OneSpan Sign provides multiple public cloud deployment options to meet global data residency needs. The solution is also available in a Federal Risk and Authorization Management Program ("FedRAMP") SaaS-level compliant cloud, allowing U.S. government agencies to implement e- signatures in the cloud and meet General Services Administration ("GSA") security requirements.
Customers can fully "white-label" and configure OneSpan Sign to reinforce their brand for a seamless signing experience. Each step of the digital agreement workflow can be customized, from data capture and agreement creation to signer identification, signature collection, and authentication. OneSpan Sign also provides comprehensive, secure electronic evidence to support strong legal protection by capturing all actions during the agreement process. This reduces the time and cost of gathering evidence and demonstrating legal and regulatory compliance. E-signature capabilities can be a critical component of the account opening and onboarding processes, providing a secure and user-friendly way to execute legally binding agreements.
OneSpan Notary is an online notary solution developed for organizations with in-house notaries. It includes live electronic signature, two-way secured videoconferencing, and strong identity proofing options, like Identity Verification and Knowledge-based Authentication ("KBA"). It also simplifies the notarization process with guided workflows, the ability to upload eNotary Seal, recording, eJournaling, and audit trail capabilities in a single solution. OneSpan Notary is currently available for use in 30 U.S. states.
OneSpan Sign Identity Verification gives banks and other financial institutions access to a wide range of identity verification services – all through a single API integration. This includes identity document (e.g., driver’s license, passport, etc.) capture and real-time authenticity verification, as well as facial comparison (“selfie”) and liveness detection (the ability to detect whether a digital interaction is with a live human being) to establish that the individual presenting the identity document is the same person whose picture appears on the authenticated identity document. Starting January 1, 2024, we began presenting OneSpan Identity Verification in the Digital Agreements segment to reflect the greater alignment of this solution with our Digital Agreements product portfolio.
4
OneSpan Sign Authentication offers a broad set of configurable authentication options designed to help organizations balance user experience, risk, and compliance across the digital agreement lifecycle. The solution provides robust methods to verify both senders and signers, adding essential layers of security to e-signature transactions. Supported authentication options include SMS one‑time passcodes, shared‑secret Q&A, KBA, digital certificates, smart cards, and FIDO passkeys for higher‑risk scenarios. For enhanced assurance, OneSpan Sign also includes government‑issued ID verification, document authenticity checks, and biometric facial comparisons with liveness detection. Whether organizations are orchestrating automated workflows through APIs or sending one‑off signature requests, adding authentication remains a simple yet powerful step to safeguard digital agreements, protect sensitive data, and reinforce trust throughout the signing process.
OneSpan Integration Platform is a modern pre-built platform that enables organizations to easily embed e-signatures powered by OneSpan Sign into well-known applications such as Salesforce, SharePoint, and Guidewire. These pre-built integrations allow organizations to manage an efficient, modern digital agreement process. Customers can automate a wide range of digital agreement workflows by leveraging comprehensive APIs, efficient low-code/no-code automations, and partner-provided integration platform as a service ("iPaaS") solutions, enabling cross‑departmental consistency, operational efficiency, and strong security and compliance controls.
Intellectual Property and Proprietary Rights and Licenses
We rely on a combination of patent, copyright, trademark, design, and trade secret laws, as well as employee and third-party non-disclosure agreements, to protect our intellectual property ("IP") and other proprietary rights. We hold patents which cover multiple aspects of our technology in the U.S., Europe, Japan, China, Hong Kong and other countries. These patents expire between 2026 and 2045. In addition to issued patents, we also have patent applications pending in the U.S., Europe, Japan, China, Hong Kong and other countries. Many of our issued and pending patents are related to our Digipass and Nok Nok Labs product lines. In addition to our owned IP, we license software from third parties for integration into our solutions, including open-source software and other software available on commercially reasonable terms.
We furthermore have registrations for most of our trademarks in most of the markets where we sell the corresponding products and services, as well as registrations of the designs of many of our Digipass devices, primarily in the European Union ("EU") and China.
Protecting IP rights can be difficult, particularly in countries that provide less protection to IP rights and in the absence of harmonized international IP standards. Competitors and others may already have IP rights covering similar products. We may not be able to secure IP rights covering our own products or may have difficulties obtaining IP licenses from other companies on commercially favorable terms. For a discussion of IP-related risks, see Item IA, Risk Factors.
Research and Development
Our research and development efforts are focused primarily on enhancing our solutions by building new features, functionality, and applications; developing technology to support new products; enhancing our transaction-cloud platform; and conducting product and quality assurance testing. We employ a team of full-time engineers and, from time to time, also engage independent engineering firms to conduct certain product development efforts on our behalf. For fiscal years ended December 31, 2025, 2024, and 2023, we incurred expenses, net of software capitalization, of $34.2 million, $32.4 million, and $38.4 million, respectively, for research and development.
Production
Our Digipass authentication devices are manufactured by third-party manufacturers at several independent factories in Southern China and one within the European Union, in Romania. We maintain local personnel in China to conduct quality control and quality assurance procedures. Periodic visits to the factories are conducted by our personnel for quality management, assembly process review, and supplier relations.
Digipass devices are made primarily from commercially available electronic components, including microprocessors purchased from several suppliers. We purchase microprocessors and arrange for shipment to our third-party manufacturers for assembly and testing in accordance with our design specifications. The microprocessors are the most important components of the devices which are not commodity items readily available on the open market.
5
In late 2021 and 2022, the supply chain for our Digipass devices was impacted by the effects of the COVID-19 pandemic, the Russia-Ukraine conflict and the inflationary cost environment, particularly with respect to materials in the semiconductor market, including part shortages, increased freight costs, diminished transportation capacity and labor constraints. This resulted in an increase in material costs, difficulties and delays in procuring certain microprocessors, and other disruptions in our supply chain. Although these supply chain issues stabilized during 2023 and continued to be relatively stable in 2025, global supply chains for semiconductors and electronic components remain vulnerable to disruption from range of risks, including natural disasters and extreme weather, geopolitical disputes, tariffs or trade disputes, regional or global conflicts, and scarcity of certain minerals and components.
In response to these supply chain conditions, we have focused on improving our supplier network, engineering alternative designs, and working to mitigate the impact of potential future supply shortages. We actively manage our inventory in an effort to minimize supply chain disruptions and enable continuity of supply and services to our customers, and we may maintain elevated levels of inventory for certain of our products to prepare for potential supply constraints. We also regularly evaluate alternative manufacturing and supply arrangements, including moving more of our manufacturing from China to Romania or other locations, to mitigate supply chain risks. Despite these efforts, we may experience additional supply chain disruptions or cost increases affecting our Digipass business in the future. Please see Item IA, Risk Factors, for additional information.
Our software solutions are produced in-house or developed by third parties and sold under license.
Competition
The market for digital solutions for security, authentication, identity, electronic signature, and digital workflow products is very competitive and, like most technology-driven markets, is subject to rapid change and constantly evolving solutions and services. Competition in our markets may intensify further as advances in AI enable rapid, low-cost development of software applications.
Our authentication products are designed to allow authorized users access to digital business processes and properties, in some cases using patented technology. Our authentication products are often used to supplement, or to enhance and modernize, existing authentication solutions, including static passwords. Our main competitors in the authentication market are Gemalto (a subsidiary of Thales Group), RSA Security and Yubico. There are also many other companies in adjacent areas, such as mobile device management ("MDM"), threat protection, and IAM, that offer competing services. In addition to these companies, we face competition from many small authentication solution providers, many of whom offer new technologies and niche solutions such as biometric or risk and behavioral analysis. We believe that competition in this market may intensify as a result of increasing demand for security products.
Our primary competitors for electronic signature solutions are Docusign and Adobe Systems. Both companies are significantly larger than us. In addition to these companies, there are numerous smaller and regional or niche providers of electronic signing solutions.
We believe that the principal competitive factors affecting the market for digital solutions for security, authentication, identity, electronic signature, and digital workflow products include the strength and effectiveness of the solution, technical features, ease of use, quality and reliability, customer service and support, brand recognition, customer base, distribution channels, and the total cost of ownership of the solution. With the exception of brand recognition, we believe that our products are currently competitive with respect to these factors; nevertheless, we may not be able to maintain our competitive position against current and potential competitors. Some of our present and potential competitors have significantly greater financial, technical, marketing, purchasing, and other resources. As a result, they may be able to respond more quickly to new or emerging technologies and changes in customer requirements, to devote greater resources to the development, promotion and sale of products, to establish and maintain greater brand recognition, or to deliver competitive products at a lower end-user price. Please see Item IA, Risk Factors, for additional information.
Sales and Marketing
Our solutions are sold globally through our direct sales force and through channel partners, including distributors, resellers, systems integrators, and original equipment manufacturers. Our sales organization coordinates sales activity across our direct and partner channels and engages directly with customers independently or alongside partner sales personnel. We also provide product education and enablement to sales and technical personnel of our channel partners and to prospective end users of our products.
6
Customers and Markets
The majority of our revenue is derived from financial institutions, which include traditional banks, credit unions, and online-only banks. We also sell to the enterprise market segment, government, healthcare, and insurance industries in select regions around the globe.
Our top 10 customers contributed 18%, 20%, and 22% in 2025, 2024, and 2023, respectively, of our total worldwide revenue.
Because a significant portion of our sales is denominated in foreign currencies, changes in exchange rates impact results of operations. To mitigate exposure to risks associated with fluctuations in currency exchange rates, we attempt to denominate an amount of billings in a currency such that it would provide a natural hedge against operating expenses being incurred in that currency. For additional information regarding how currency fluctuations can affect our business, please refer to Item 7, Management’s Discussion and Analysis of Financial Condition and Results of Operations.
Financial Information Relating to Foreign and Domestic Operations
For financial information regarding OneSpan, see our consolidated financial statements and the related notes, which are included in Part IV of this Annual Report on Form 10-K. See Note 18, Geographic, Customer and Supplier Information included in the notes to consolidated financial statements in Part IV of this Annual Report on Form 10-K for a breakdown of revenue, gross profit and long-lived assets between the U.S. and other regions.
Government Regulation
As a global cybersecurity and digital agreements company with operations and customers in multiple jurisdictions worldwide, we are subject to complex, evolving, and increasingly stringent global laws and regulations. Also, because banking and financial services is our largest industry target market, the regulations affecting our customers in this area, such as the European Union Digital Operations Resilience Act, have a significant indirect effect on our business. Similar regulatory dynamics occur in the other primary markets where we have customers, such as healthcare and government. In addition, since we have significant operations in Europe, we are subject to many European Union laws concerning privacy, data, cybersecurity, and sustainability, which have been and may continue to be costly to comply with. Additional proposed or newly enacted legislation or regulatory requirements could also materially affect our business. Please see Item IA, Risk Factors, for additional information.
Human Capital
OneSpan is powered by a team of 602 employees, consisting of 336 employees in the Americas, 231 employees in EMEA (which includes Europe, the Middle East, and Africa), and 35 employees in the Asia Pacific region as of December 31, 2025. 108 of those employees were in cost of goods sold, 167 in sales and marketing, 239 in research and development, and 88 in general and administrative.
We understand that achieving our business objectives will depend primarily on the skills, creativity, and determination of our people. To that end, we strive to create an environment that will attract, retain and develop talented people who are motivated to find opportunities and create new possibilities for our customers, for themselves and their teams, and for OneSpan. To achieve this goal, we focus on the areas described below.
Competitive Compensation and Benefits. We seek to provide our employees with competitive and fair compensation and benefit offerings, and use market benchmarks to ensure external competitiveness while maintaining equity within the organization. We tie incentive compensation to business performance and provide a range of health, wellness, family leave, savings, retirement, and time-off benefits for our employees, which vary based on local regulations and norms.
Engagement. We seek input from our employees regularly through a variety of channels, including informal interactions, regular one-to-one meetings between managers and employees, department meetings, quarterly virtual all-company meetings and employee engagement surveys. This input helps us assess our progress in promoting an environment where employees are engaged, productive, and have a strong sense of belonging. We also use employee feedback to identify areas where we can do better and expect our managers to actively work to improve those areas.
7
Hybrid Workplace Policy. For our employees who live near one of our offices, local office leadership designates the number of days per week employees generally come to the office in person, which ranges from two or three times per week in certain locations, to five days per week in others. For locations that are not five days per week in the office, for the rest of the week employees may work either remotely or from their local office. We believe this approach maintains the flexibility of remote work while also providing a regular opportunity for in-person interactions to collaborate, innovate, and build relationships with colleagues.
Workplace Environment and Access to Talent. With 602 employees around the world and customers in more than 120 countries, we believe that our business benefits from a workplace that includes employees with a range of perspectives, experience, backgrounds and cultures. We work with a variety of job sites and candidate application platforms to increase our access to a broad pool of potential employees. We also monitor the composition of our workforce by gender on an ongoing basis in order to make sure we are accessing and retaining a wide range of available talent. As of December 31, 2025, approximately 30% of our total employees and 30% of our employees at a manager level and above identified as female, and 69% and 70%, respectively, identified as male.
Training and Talent Development. We promote and support employee development, compliance and organizational effectiveness by providing professional development and compliance training. All of our employees take a required annual training on the following topics: our code of conduct and ethics; cybersecurity; and preventing harassment and discrimination. In addition, we make a variety of external professional development courses and tailored in-house trainings available to our employees.
Feedback, Coaching and Career Development. We believe regular feedback is an important component of employee development. Our managers provide ongoing feedback and performance coaching to their direct reports in regular one-to-one meetings, and are also encouraged to solicit their teams’ feedback on their own performance. We have also adopted a career ladder program tailored for our research and development employees. The goal of this program is to set out a structured and supportive career development framework that fosters continuous learning, skill development, and career advancement.
Employee Recognition. We recognize our employees for driving business results, exemplifying our company values, extraordinary efforts on specific projects, and long tenure with the company. We believe that these recognition programs help drive strong employee performance and promote a positive working environment.
Community Outreach. We encourage employee volunteerism in the communities where we live and work by providing each employee with one paid day off each year to participate in volunteer activities of their choice. In addition, our main office locations regularly participate in events such as food, pet supply and holiday children’s toy drives.
Monitoring Employee Turnover. We monitor voluntary turnover and total attrition, as a whole and by tenure, region, and by job family. Total attrition captures all reasons employees leave, including voluntary turnover and involuntary turnover due to job eliminations or performance reasons, whereas voluntary turnover is limited to elective departures by employees. Our voluntary turnover across our global employee base in 2025 was 5.8%, which we believe is low compared to global voluntary turnover rates in the technology industry. Our total attrition in 2025 was 9.3%.
Commitment to Well-Being and Human Rights, Near and Far. We maintain a variety of policies and procedures to promote positive workplace conduct and employee well-being within OneSpan, and human rights beyond, including a code of conduct and ethics, a compliance concern reporting hotline, anti-discrimination and equal opportunity policies, a stress and burnout awareness training program, human rights and anti-trafficking policies, and a supplier code of conduct.
Corporate Information
Our predecessor company, VASCO Corp., entered the data security business in 1991 through the acquisition of a controlling interest in ThumbScan, Inc., which we renamed VASCO Data Security, Inc. In 1997, VASCO Data Security International, Inc. was incorporated and in 1998, we completed a registered exchange offer with the holders of the outstanding securities of VASCO Corp., thereby becoming a publicly traded company. In May 2018, VASCO Data Security International, Inc., our publicly traded parent company, changed its name to OneSpan Inc.
8
Including our predecessor companies, we have completed 18 acquisitions and two dispositions since our inception, including the 2013 acquisition of Cronto Limited, a provider of secure visual transaction authentication solutions for online banking, and the 2015 acquisition of Silanis Technology Inc., a provider of e-signature and digital transaction solutions which we now market and sell under the OneSpan Sign name. More recently, we acquired Nok Nok Labs, a provider of passwordless software authentication, in June 2025, and in December 2025, we entered into a definitive agreement to acquire Build38, a provider of mobile application protection software. The proposed acquisition of Build38 is subject to customary closing conditions.
Our principal executive offices are located at 1 Marina Park Drive, Unit 1410, Boston, MA 02210.
“OneSpan” and other trademarks, trade names or service marks of OneSpan Inc. or its subsidiaries appearing in this Annual Report on Form 10-K are the property of OneSpan Inc. or its applicable subsidiary. This Annual Report on Form 10-K may contain additional trade names, trademarks and service marks of others, which are the property of their respective owners. Solely for convenience, trademarks and trade names referred to in this Annual Report on Form 10-K may appear without the ® or ™ symbols.
Available Information
We maintain an Internet website at www.onespan.com. The information on, or that can be accessed through, our website is not incorporated by reference into this Annual Report on Form 10-K and should not be considered to be a part of this Annual Report on Form 10-K. Our website address is included in this Annual Report on Form 10-K as inactive textual reference only. Our reports filed or furnished pursuant to Section 13(a) or 15(d) of the Securities Exchange Act of 1934, as amended (the "Exchange Act"), including our Annual Reports on Form 10-K, our Quarterly Reports on Form 10-Q and our Current Reports on Form 8-K, and amendments to those reports, are accessible through our website, free of charge, as soon as reasonably practicable after these reports are filed electronically with, or otherwise furnished to, the SEC. We also make available on our website the charters of our audit committee, compensation committee and nominating and corporate governance committee, as well as our corporate governance guidelines and our code of business conduct and ethics.
Information about our Executive Officers
The following sets forth certain information with regard to each of our executive officers. There are no family relationships between any of the executive officers, and there is no arrangement or understanding between any executive officer and any other person pursuant to which the executive officer was selected.
VICTOR LIMONGELLI — Mr. Limongelli was appointed as OneSpan’s Chief Executive Officer and President in July 2024 after joining the Company in January 2024 as its Interim Chief Executive Officer. Prior to joining OneSpan, Mr. Limongelli most recently served as Chief Executive Officer at BQE Software, Inc., a privately held SaaS company providing billing, accounting, and similar functionality to professional services firms, from September 2021 to April 2023. From April 2018 to August 2021, he served as Chief Executive Officer of MobileCause, Inc., a private equity-backed SaaS company focused on fundraising and donor engagement for nonprofits, and from November 2015 to April 2018, he was initially Chairman of the Board and then Chief Executive Officer of AccessData Group, a privately held security software company. From May 2003 through November 2014, Mr. Limongelli held a number of executive positions with Guidance Software, Inc., a publicly traded security software company, including over 9 years as President and 7 years as its Chief Executive Officer. He received an A.B. from Dartmouth College and a J.D. from Columbia University. Mr. Limongelli is 59 years old.
JORGE MARTELL — Mr. Martell has served as OneSpan’s Chief Financial Officer since September 2022 and as its principal accounting officer since December 2023. From July 2016 to September 2022, he served as Chief Financial Officer and Treasurer and from April 2015 to July 2016 as Vice President of Finance, Corporate Controller, at Extreme Reach Inc., a private-equity owned omnichannel creative logistics company for brand advertising, where he played an integral role in optimizing the company’s balance sheet and in executing the company’s growth strategy through global M&A, prior to its acquisition by another private equity firm. From September 2012 to March 2015, Mr. Martell was Treasurer and Assistant Corporate Controller at Sapient Corporation, a technology company, where he led its global revenue organization, execution of its M&A financial strategy, and global treasury organization prior to its acquisition by Publicis Groupe. Earlier in his career, he held leadership roles at ABM Industries, Inc., a provider of facilities management solutions, and at KPMG LLP, a public accounting firm. Mr. Martell received a B.S. from the Institute of Technology and Higher Studies of Monterrey, Mexico. Mr. Martell is 47 years old.
9
ASHISH JAIN— Mr. Jain joined OneSpan in December 2024 as its Chief Technology Officer. Prior to that, Mr. Jain was Chief Product Officer and Chief Technology Officer at Arkose Labs, an enterprise fraud management and account security company, from March 2021 to June 2024. At Arkose, he led the development of the company's bot mitigation platform to help address consumer fraud and identity challenges for large enterprises. From August 2018 to March 2021, he served as Head of Identity at eBay, a global commerce marketplace provider, where he led the global engineering team to build the identity, risk, and trust platform to support onboarding, authentication, KYC, fraud and abuse protection for eBay’s customers and third-party developers. From June 2011 through August 2018, Mr. Jain held product management roles at VMWare, a virtualization and cloud computing software provider, most recently as Vice President, Workspace One/Digital Workspace. Earlier in his career, he held various product management and engineering roles at a number of technology companies, including PayPal, Ping Identity, and BEA Systems. Mr. Jain received a Bachelor of Engineering degree from BITS, Pilani, India, and an MBA from the University of Denver’s Daniels College of Business. Mr. Jain is 53 years old.
LARA MATAAC — Ms. Mataac has served as OneSpan’s General Counsel, Chief Compliance Officer and Secretary since June 2022. From April 2021 to June 2022, Ms. Mataac was General Counsel at Constant Contact, Inc., a provider of cloud-based online marketing solutions, where she led the legal and compliance team during a period of transition after the company’s spinout from Endurance International Group (EIG) in February 2021. Before Constant Contact, Ms. Mataac was at EIG, a provider of cloud-based web presence and online marketing solutions, from February 2013 through March 2021, most recently as Deputy General Counsel. Before EIG, Ms. Mataac was corporate legal director at Bottomline Technologies, a software company. Earlier in her career, she practiced corporate law at the firms Wilmer Cutler Pickering Hale & Dorr LLP and Fenwick & West LLP. Ms. Mataac received a B.A. from Wellesley College and a J.D. from Stanford University. Ms. Mataac is 49 years old.
Item 1A - Risk Factors
Risk Factors Summary
Risk Factors Summary
Our business is subject to numerous risks and uncertainties, including those highlighted in the section titled “Risk Factors” immediately following this Risk Factors Summary. These summary risks provide an overview of many of the risks we are exposed to in the normal course of our business, some of which have manifested and any of which may occur in the future. As a result, the following summary risks do not contain all of the information that may be important to you, and you should read them together with the more detailed discussion of risks set forth following this section under the heading “Risk Factors,” and with the other information in this Annual Report on Form 10-K. Additional risks beyond those summary risks discussed below, in “Risk Factors” or elsewhere in this Annual Report on Form 10-K, could have an adverse effect on our business, results of operations, financial condition or prospects, and could cause the trading price of our common stock to decline. Our business, results of operations, financial condition or prospects could also be harmed by risks and uncertainties not currently known to us or that we currently do not believe are material. Consistent with the foregoing, we are exposed to a variety of risks, including the following significant risks:
•We may encounter challenges in achieving our revenue growth objectives.
•Acquisitions or other strategic transactions, such as our planned acquisition of Build38, may not achieve the intended benefits and could disrupt our operations.
•If our new product offerings and product enhancements do not keep pace with the needs of our customers or do not achieve sufficient customer acceptance, our competitive position and financial results will be negatively impacted.
•A significant portion of our sales are to a limited number of customers. The loss of substantial sales to any one of them could have an adverse effect on revenues and profits.
•The markets we serve are highly competitive, which may negatively affect our ability to add new customers, retain existing customers and grow our business.
•If we are not able to enhance our brand recognition and maintain our brand reputation, our business may be adversely affected.
•Security breaches or cyberattacks could expose us to significant liability, cause our business and reputation to suffer and harm our competitive position.
•We face a number of risks associated with our international operations, any or all of which could result in a disruption in our business and a decrease in our revenue.
•Our Digipass authenticator business has a complex global supply chain and is dependent on a limited number of suppliers for certain components, such that supply chain disruptions could materially impact our operations. Our Digipass business may also experience inventory-related losses.
10
•The sales cycle for our products is often long, and we may incur substantial expenses for sales that do not occur when anticipated or at all.
•Real or perceived malfunctions and errors in our products could result in warranty and product liability risks and economic and reputational damages.
•If we are unable to retain key employees and successfully hire and train qualified new employees, we may be unable to achieve our business objectives.
•Our financial results may fluctuate from period to period, making it difficult to project future results. If we fail to meet the expectations of securities analysts or investors, the price of our common stock could decline.
•We may be unable to maintain or increase our level of profitability.
•The credit agreement for our revolving credit facility contains financial covenants and various other restrictions and requirements that could limit our operational flexibility and adversely affect our financial condition and results of operations if we are unable to comply with them.
•We depend on third-party hosting providers and other technology vendors, as well as our own infrastructure, to provide our products and solutions to our customers in a timely manner. Interruptions or delays in performance of our products and solutions could result in customer dissatisfaction, damage to our reputation, loss of customers, and a reduction in revenue.
•Our success depends in part on establishing and maintaining relationships with other companies to distribute our technology and products or to incorporate their technology into our products and services, or vice versa.
•Consolidations, failures and other developments in the banking and financial services industry may adversely impact our revenue.
•U.S. trade policy or foreign policy developments could have a material adverse impact on our business.
•We may be subject to legal proceedings and/or liability for a variety of claims, including intellectual property disputes, labor and employment issues, commercial disagreements, securities law violations and other matters. These proceedings may be costly, subject us to significant liability, limit our ability to use certain technologies, increase our costs of doing business or otherwise adversely affect our business and operating results.
•We are subject to numerous laws, regulations and customer and product certification requirements governing the design, production, distribution, sale, use, and availability of our products. Any failure to comply with these laws, regulations and requirements could result in unanticipated costs and other negative impacts, and could have a materially adverse effect on our business, results of operations and financial condition.
Risk Factors
Our business involves significant risks, some of which are described below. You should carefully consider the following risks, some of which have manifested and any of which may occur in the future, together with all of the other information in this Annual Report on Form 10-K, including in the preceding Risk Factors Summary, and our consolidated financial statements and the related notes included elsewhere in this Annual Report on Form 10-K before making an investment decision with respect to any of our securities.
Risks Related to our Business and Industry
We may encounter challenges in achieving our revenue growth objectives.
Our total revenue for 2025 was approximately the same as our total revenue for 2024. We are aiming to grow our revenue in both Cybersecurity and Digital Agreements going forward; however, this may be challenging. We expect revenue from our Digipass authenticator tokens to decrease modestly on a year-over-year basis in 2026, consistent with trends over the past decade as our banking customers have generally moved toward “mobile-first” authentication (authentication solutions delivered through a software application on a mobile device), especially for consumer banking. We will therefore need to grow our revenue relatively more in the software component of our Cybersecurity division and in our Digital Agreements division to compensate for the anticipated decline in hardware. We are enhancing our software solutions through strategic acquisitions, including our acquisition of Nok Nok Labs in June 2025 and our entry into a definitive agreement to acquire Build38 in December 2025, and targeted additional investments in software product development; however, these efforts may not yield the additional software revenue we seek for various reasons, such as competition, delays and challenges in integrating acquisitions or developing products that meet our customers’ needs, long sales cycles, lack of brand awareness, general economic conditions, and other risks described in these Risk Factors. If we are unable to grow our revenue as planned, we may also be unable to maintain or increase our profitability.
Acquisitions or other strategic transactions, such as our planned acquisition of Build38, may not achieve the intended benefits and could disrupt our operations.
11
To remain competitive, we have in the past and may in the future acquire additional businesses, products or technologies or make investments in, or enter into joint ventures or similar transactions with, third parties. In 2025, we acquired Nok Nok Labs, a provider of FIDO passwordless software authentication solutions, and made a strategic investment in ThreatFabric Holding B.V., a provider of fraud detection, mobile threat intelligence, and malware defense solutions. In December 2025, we signed a definitive agreement to acquire Build38, a provider of mobile application protection software. The proposed Build38 acquisition is subject to customary closing conditions and is currently expected to close in March 2026. Acquisitions and other strategic transactions such as these involve numerous risks, including the following:
•Delays in completing acquisitions, or failure to complete planned acquisitions, due to longer than anticipated regulatory clearance processes or other unexpected challenges;
•Difficulties or delays in integrating the acquired businesses, which could prevent us from realizing the anticipated benefits of acquisitions;
•Challenges in successfully cross-selling acquired products to our existing customer base, or in cross-selling our products to the acquired company’s customer base;
•Delays or reductions in customer purchases for OneSpan and/or the company we acquired due to customer uncertainty about continuity and effectiveness of service from either company;
•Difficulties in supporting and, where applicable, migrating acquired customers to our platforms, which could cause customer churn, unanticipated costs, and damage to our reputation;
•Disruption of our ongoing business and diversion of management and other resources from existing operations;
•Constraints on our liquidity in the event that we use cash or incur debt to fund a significant acquisition, or dilution to existing stockholders in the event we issue equity securities as part of the consideration for such an acquisition;
•Assumption of debt or other actual or contingent liabilities of the acquired company, including litigation risk;
•Differences in corporate culture, compliance protocols, and risk management practices between us and acquired companies;
•Potential loss of the key employees of an acquired business;
•Potential loss of partners of OneSpan or an acquired business due to the actual or perceived impact of the acquisition;
•Difficulties associated with governance, management, and control matters in majority or minority investments or joint ventures;
•Unforeseen or undisclosed liabilities or challenges associated with the companies, businesses, or technologies we acquire;
•Adverse tax consequences, including exposure of our entire business to taxation in additional jurisdictions; and
•Accounting effects, including potential impairment charges and requirements that we record acquired deferred revenue at fair value.
Any of these risks could result in acquisitions or other strategic transactions failing to achieve their intended objectives and/or disrupting our business.
We also review our product portfolio from time to time for contributions to our objectives and alignment with our strategy, and we may pursue divestiture activities as a result of these reviews. However, we may not be successful in separating any underperforming or non-strategic assets, and gains or losses on any divestiture of, or lost operating income from, such assets may adversely affect our results of operations. Divestitures could also expose us to unanticipated liabilities or result in ongoing obligations, including transition service obligations and indemnity obligations.
If our new product offerings and product enhancements do not keep pace with the needs of our customers or do not achieve sufficient customer acceptance, our competitive position and financial results will be negatively impacted.
Technological changes occur rapidly in our industry and development of new products and features is critical to maintain and grow our revenue. Our ability to attract and retain customers will depend in part upon our ability to enhance our current products and develop innovative new solutions to distinguish us from the competition and to meet customers’ changing needs. For instance, we believe that our bank and financial institution customers, who account for a majority of our revenue, may increasingly move away from multi-factor authentication methods and toward passkeys that use the FIDO2 passwordless authentication standard. If we are unable to provide our customers with high quality and innovative passkey solutions, or if we otherwise do not anticipate or adapt to changing technology, industry standards or customer requirements on a timely basis, our competitive position and financial results will be negatively impacted.
12
Product developments and technology innovations by others may adversely affect our competitive position. The introduction by our competitors of products embodying new technologies or the emergence of new industry standards could render our existing products obsolete and unmarketable. For example, if our competitors are able to more quickly and effectively integrate technologies such as generative artificial intelligence into their products, our competitive position may suffer. In addition, AI may reduce barriers to entry in our markets by allowing new entrants to rapidly and cost-effectively create competitive and potentially disruptive software solutions.
We spend substantial amounts of time and money to research and develop new offerings and enhanced versions of our existing offerings in order to meet our customers’ rapidly evolving needs. When we develop a new offering or an enhanced version of an existing offering, we typically incur expenses and expend resources upfront to market, promote and sell the new offering. Therefore, when we develop or acquire new or enhanced offerings, their introduction must achieve high levels of market acceptance in order to justify the amount of our investment in developing and bringing them to market. In the past, we have determined that certain product initiatives we initially believed were promising did not warrant further investment, and incurred non-cash impairment charges as a result. If future new product initiatives do not garner widespread customer adoption and implementation, we may incur future non-cash charges and our business may be adversely affected.
A significant portion of our sales are to a limited number of customers. The loss of substantial sales to any one of them could have an adverse effect on revenues and profits.
We derive a substantial portion of our revenue from a limited number of customers. The loss of substantial sales to any one of them could adversely affect our operations and results. In 2025, 2024, and 2023, our top 10 largest customers contributed 18%, 20%, and 22%, respectively, of our total worldwide revenue.
The markets we serve are highly competitive, which may negatively affect our ability to add new customers, retain existing customers and grow our business.
The markets for cybersecurity and digital agreements solutions are very competitive and, like most technology-driven markets, are subject to rapid change and constantly evolving solutions and services. Competition in these markets may intensify further as advances in AI enable rapid, low-cost development of software applications.
The authentication products in our Cybersecurity division are designed to allow authorized users access to digital business processes, in some cases using patented technology. Our main competitors in our authentication market are Gemalto, a subsidiary of Thales Group, Yubico and RSA Security. There are also many other companies in adjacent areas, such as MDM, threat protection, and IAM, that offer competing services. In addition to these companies, we face competition from many small authentication solution providers, many of whom offer new technologies and niche solutions such as biometric or risk and behavioral analysis. We believe that competition in this market may to intensify as a result of increasing demand for security products.
Our primary competitors for electronic signature solutions in our Digital Agreements division are DocuSign and Adobe Systems. Both companies are significantly larger than us. In addition to these companies, there are numerous smaller and regional or niche providers of electronic signing solutions.
Some of our present and potential competitors have significantly greater brand awareness and financial, technical, marketing, purchasing, and other resources than we do. As a result, they may be able to respond more quickly to new or emerging technologies and changes in customer requirements, devote greater resources to the development, promotion and sale of products, or deliver competitive products at a lower end-user price than we do. These factors have made it more difficult for us to compete successfully and may continue to do so, which could negatively affect our business.
If we are not able to enhance our brand recognition and maintain our brand reputation, our business may be adversely affected.
We believe that enhancing our brand recognition is important to our efforts to attract new customers and channel partners, and that our relative lack of brand awareness has made it more challenging to acquire new customers. Our brand recognition and reputation are dependent upon numerous factors, including:
•our marketing efforts;
•our ability to continue to offer high quality, innovative and reliable products;
13
•our ability to maintain customer satisfaction with our products;
•our ability to be responsive to customer concerns and provide high quality customer support, training and professional services;
•any misuse or perceived misuse of our products;
•positive or negative publicity, including through reviews by industry analysts;
•our ability to prevent or quickly react to any cyberattack on our information technology systems or security breach of or related to our software; and
•litigation or regulatory-related developments.
Improving our brand recognition is likely to require significant additional expenditures and may not be successful or yield increased revenues. If we do not successfully enhance our brand and maintain our reputation, we may continue to have difficulties attracting new customers, including due to reduced pricing power relative to competitors with stronger brands, and we could lose customers or renewals, which would adversely affect our business.
Security breaches or cyberattacks could expose us to significant liability, cause our business and reputation to suffer and harm our competitive position.
Our corporate infrastructure stores and processes our sensitive, proprietary and other confidential information (including information related to finance, technology, employees, marketing, sales, etc.) which is used daily in our operations. In addition, our solutions involve the transmission and processing of our customers' confidential, proprietary, personal and sensitive information. We have legal and contractual obligations to protect the confidentiality and appropriate use of customer data. Because we are a digital agreements and cybersecurity company, and because the majority of our customers are banks and other financial institutions, which are frequent targets of cyberattacks, we may be an attractive target for cyber attackers or other data thieves.
High-profile cyberattacks and security breaches have increased in recent years, with the potential for such acts heightened because of the widespread adoption of remote working and the increase in sophisticated cyberattack methods, including the use of artificial intelligence to launch automated, accelerated and enhanced cyberattacks. Because techniques used to obtain unauthorized access or to sabotage systems are constantly evolving, change frequently and often are not recognized until launched against a specific target, we may be unable to anticipate these techniques or to implement adequate preventative measures. As we seek to increase our client base and expand awareness of our brand, we may become a greater target for third parties seeking to compromise our security systems and we anticipate that hacking attempts and cyberattacks will increase in the future.
Artificial intelligence technologies introduce evolving industry‑wide risks, including model manipulation, data poisoning, deceptive AI‑generated content, and rapidly expanding regulatory requirements. For OneSpan, the use of AI within security operations and product‑related processes may create vulnerabilities if systems are improperly designed, supervised, or governed, potentially resulting in unauthorized access, incorrect automated actions, exposure of confidential information, or operational failures. Despite policies governing AI usage, lifecycle risk management, and oversight, failures in design, monitoring, or compliance—as well as errors or misuse of AI‑enabled capabilities—could impair our security posture, reduce threat‑detection effectiveness, harm customer trust, or expose OneSpan to legal, regulatory, and reputational consequences.
We have experienced several security incidents in the past, none of which have been material to date. However, it is possible that we may experience a material event in the future. While we have established teams, processes and strategies to protect our assets, we may not always succeed in preventing or repelling unauthorized access to our systems. We also may face delays in detecting or otherwise responding to cybersecurity incidents or other breaches.
Additionally, we use third-party service providers for certain services involving data storage or transmission, such as SaaS, cloud computing, and internet infrastructure and bandwidth. These providers face various cybersecurity threats and may experience cybersecurity incidents or other security breaches. For example, the recent Salesloft, Inc. Drift data breach impacted hundreds of Salesforce.com customers worldwide. Although OneSpan was among the affected customers, the incident did not compromise our products and had minimal impact on our business, but it is possible that future third-party incidents may be more harmful to us.
14
Despite our security measures, our IT systems and infrastructure may be vulnerable to attacks. Threats to IT security can take a variety of forms. Individuals and groups of malicious actors and sophisticated organizations, including state-sponsored organizations or nation-states, continuously attempt to compromise systems using tactics, techniques, and procedures such as phishing attacks, malicious software, exploiting hardware or software vulnerabilities, social engineering, and coordinated attacks like distributed denial of service or other coordinated attacks. If account security controls are not effectively implemented or maintained, unauthorized access to confidential or sensitive information could occur.
Security incidents may have a number of negative consequences to us, including the following: requiring us to expend significant capital and other resources to alleviate the incidents and to improve our security technologies; impairing our ability to provide services to our customers and protect the privacy of their data delaying product development efforts; compromising confidential or technical business information or personal data; harming our reputation or competitive position; resulting in theft or misuse of our intellectual property or other assets; and exposing us to substantial litigation expenses and damages, indemnity and other contractual obligations, government fines and penalties, mitigation expenses, costs for remediation and incentives offered to affected parties, including customers, other business partners and employees, in an effort to maintain business relationships after an incident. We continually invest in strengthening our information technology systems and implementing robust security measures to protect critical and sensitive assets. Our cybersecurity program includes regular security awareness training for employees and key contractors, emphasizing best practices and emerging threats. These efforts are designed to reduce the likelihood of an attack and ensure preparedness to respond effectively to any security breach.
Despite these measures, we may not be able to anticipate or prevent all attacks. In the event of an actual or perceived security breach, confidence in our security practices and products could be diminished, resulting in loss of customers and sales, impairment of our operations, significant liabilities, reputational harm, and a negative impact on our business and financial condition.
We face a number of risks associated with our international operations, any or all of which could result in a disruption in our business and a decrease in our revenue.
In 2025, 2024 and 2023, we generated approximately 79%, 83% and 83% of our revenue and incurred approximately 54%, 59% and 58% of our operating expenses outside of the U.S., respectively. A severe economic decline in any of our major foreign markets could adversely affect our results of operations and financial condition.
In addition to exposures to changes in the economic conditions of our major foreign markets, we are subject to a number of risks related to our international operations, any or all of which could result in a disruption in our business and a decrease in our revenue. These include:
•geopolitical conflicts and related economic or political instability, including tensions or conflicts between the U.S. and other countries or regions, particularly China and the European Union, over territorial and sovereignty matters (including those related to Taiwan, Hong Kong, and Greenland), tariffs and trade, or U.S. foreign policy;
•increased management, infrastructure and legal costs associated with having international operations;
•costs of compliance with foreign legal and regulatory requirements, including, but not limited to data privacy, data protection and data security regulations and sustainability reporting requirements and the risks and costs of non-compliance;
•costs of compliance with U.S. laws and regulations for foreign operations, including the U.S. Foreign Corrupt Practices Act ("FCPA"), import and export control laws, tariffs, trade barriers, economic sanctions and other regulatory or contractual limitations on our ability to sell or provide our solutions in certain foreign markets, and the risks and costs of non-compliance;
•heightened risks of unfair or corrupt business practices in certain geographies and of improper or fraudulent sales arrangements that may impact financial results and result in restatements of, and irregularities in, financial statements;
•costs of compliance with multiple and possibly overlapping tax structures, and related potential adverse tax impacts;
•risks of reliance on channel partners for sales in some countries;
•differing technology standards in certain international markets;
•the uncertainty and limitation of protection for intellectual property rights in some countries;
•greater difficulty in enforcing contracts, accounts receivable collection and longer collection periods;
15
•difficulties and costs of staffing and managing international operations, including maintaining internal controls and challenges in closing or restructuring such operations;
•difficulty in providing support and training to customers in certain international locations;
•management communication and integration problems resulting from cultural and linguistic differences and geographic dispersion;
•foreign currency exchange rate fluctuations;
•adverse tax burdens and foreign exchange controls that could make it difficult to repatriate earnings and cash; and
•increased exposure to climate change, natural disasters, armed conflict, terrorism, epidemics, or pandemics and other health crises.
Our business, including the sales of our products and professional services by us and our channel partners, may be subject to foreign governmental regulations, which vary substantially from country to country and change from time to time. Our failure, or the failure by our channel partners, to comply with these regulations could adversely affect our business. Further, in some foreign countries, it may be more common for others to engage in business practices that are prohibited by our internal policies and procedures or U.S. regulations applicable to us. Violations of laws or internal policies by our employees, contractors, channel partners or agents could result in delays in revenue recognition, financial reporting misstatements, fines, penalties or the prohibition of the importation or exportation of our products and could have a material adverse effect on our business and results of operations. If we are unable to successfully manage the challenges of international expansion and operations, our business and operating results could be adversely affected.
Our Digipass authenticator business has a complex global supply chain and is dependent on a limited number of suppliers for certain components, such that supply chain disruptions could materially impact our operations. Our Digipass business may also experience inventory-related losses.
In the event that the supply of components or finished products for our Digipass authenticator business is interrupted or relations with any of our principal component vendors or contract manufacturers is terminated, there could be increased costs and considerable delay in finding suitable replacement sources for components or alternative manufacturers for our hardware products. Our Digipass authentication devices are currently assembled at several facilities located in mainland China and one facility in Romania. The importation of these products from China and Romania exposes us to the possibility of product supply disruption and increased costs in the event of changes in the policies of the Chinese, Romanian or EU governments, political unrest, natural disasters, extreme weather or unstable economic conditions in China, Romania or the EU, or developments in China, Romania, the U.S. or the EU that are adverse to trade, including threatened or actual military conflict or enactment of tariffs or other protectionist legislation. We have experienced supply chain disruption in the past as a result of China’s COVID-related policies and extreme heatwaves and drought affecting southern China, both of which affected our China-based contract manufacturers. We may experience similar disruptions again due to numerous factors, including tariffs and trade disputes, geopolitical tensions, armed conflict, pandemics or other public health threats, and natural disasters and extreme weather, which may occur more frequently due to climate change. These factors have in the past, and may in the future, cause delays in our fulfillment of customer orders, which may in turn delay our recognition of revenue from such orders or cause customers not to place orders or to seek alternative suppliers.
To mitigate the risks associated with our China-based contract manufacturing facilities, we regularly evaluate alternative manufacturing and supply arrangements, such as moving some of the Digipass manufacturing currently done in China to Romania or to other locations. It is possible that such a transition, if it occurred, would cause a disruption in our Digipass manufacturing operations. Regardless of whether we undertake such a transition, supply chain disruptions or related cost increases affecting our Digipass devices could have a material adverse impact on our business.
Under some circumstances, we may purchase multiple years’ supply of parts for our Digipass authenticator devices based on internal forecasts of demand, anticipated supply chain constraints, or other reasons. To meet customers’ demands for accelerated delivery of product, we sometimes produce finished product for existing customers before we receive the executed order from the customer. Should our forecasts of future demand be inaccurate or if we produce product that is never ordered, we could incur substantial losses related to the realization of our inventory.
The sales cycle for our products is often long, and we may incur substantial expenses for sales that do not occur when anticipated or at all.
16
The sales cycle for our products, which is the period of time between the identification of a potential customer and completion of the sale, is typically lengthy and subject to a number of significant risks over which we have little control.
A typical sales cycle in the financial services market is often 9 to 18 months long. We often need to spend significant time and resources to better educate and familiarize these potential customers with the value proposition of our products and solutions. Purchasing decisions for our products and services may be subject to delays due to a number of factors, many of which are outside of our control, such as:
•Time required for a prospective customer to recognize the need for our products;
•Effectiveness of our salesforce;
•Changes to regulatory requirements;
•The complexity of contracts with certain large business customers;
•The significant expense of some of our products and systems;
•Customer budgeting and procurement processes;
•Economic and other factors impacting customer budgets; and
•Customer evaluation, testing and approval process.
The timing of sales with our enterprise customers and related revenue recognition is difficult to predict because of the length and unpredictability of the sales cycle for these customers. As our operating expenses are based on anticipated revenue levels, a small fluctuation in the timing of sales can cause our operating results to vary significantly between periods. In addition, during the sales cycle, we expend significant time and money on sales and marketing and contract negotiation activities, which may not result in a sale.
Real or perceived malfunctions and errors in our products could result in warranty and product liability risks and economic and reputational damages.
Our products are inherently complex and may malfunction or contain undetected errors or defects when first introduced or as new versions are released. We have experienced these malfunctions and errors or defects in connection with new products and product upgrades, and we expect that these malfunctions, errors and defects will continue to be found from time to time in new or enhanced products. Malfunctions and defects may make our products vulnerable to attacks, prevent vulnerability detection, result in system instability or latency-related delays, or temporarily impact our customers' environments. These problems may result in a breach of a legal obligation or may cause physical harm or damage which could result in tort or warranty claims against us. We seek to reduce the risk of these losses by using qualified engineers in the design, manufacturing and testing of our hardware products, utilizing proper development, testing, and scanning of our software solutions (including SaaS), attempting to negotiate warranty disclaimers and liability limitation clauses in our sales agreements, and maintaining customary insurance coverage. However, these measures may ultimately prove ineffective in limiting our liability for damages.
In addition to any monetary liability for the failure of our products, a publicly known defect or perceived defect in our products could lead to customers delaying or withholding payments, regulatory audits, diverting the attention of our key personnel, an adverse impact on the market’s perception of us and our products, and negative effects on our reputation and the demand for our products.
If we are unable to retain key employees and successfully hire and train qualified new employees, we may be unable to achieve our business objectives.
Our ability to successfully attain our business objectives will depend significantly on our ability to retain and motivate key employees and attract qualified new hires. We face intense competition for these employees from numerous technology, software and other companies, many of whom have greater resources than we do, and our employees are generally employed on an at-will basis, which means that they could terminate their employment with us at any time. The temporary or permanent loss of the services of our CEO, other members of senior management or other key employees for any reason could significantly delay or prevent the achievement of our objectives and harm our business, financial condition and results of operations. Further, the loss of key employees, particularly those in senior management roles, could be negatively perceived in the capital markets, which could reduce the market value of our securities.
Difficulties retaining, motivating and attracting qualified employees could have an adverse effect on our ability to achieve our business objectives and, as a result, our ability to compete could decrease and our financial results could be adversely affected. In addition, even if we are able to identify and recruit a sufficient number of new hires, these new hires will require significant training before they achieve full productivity, particularly in the case of sales employees.
17
Our financial results may fluctuate from period to period, making it difficult to project future results. If we fail to meet the expectations of securities analysts or investors, the price of our common stock could decline.
Our revenue and results of operations have historically varied from period to period, and we expect that they will continue to do so as a result of a number of factors, many of which are outside of our control, including:
•The size, timing, and payment terms of significant orders, and any unexpected delay or cancellation of such orders;
•The variability of revenue realized from individual customers, as their buying patterns can vary significantly from period to period and are affected by the individual solutions purchased and the structure of the contract;
•Larger customers delaying renewal of their subscriptions or failing to renew at all;
•Changes in customer budgets;
•The effectiveness of our sales and marketing programs, including our ability to hire, train and retain our sales personnel;
•Changes in pricing by competitors;
•New product announcements or introductions by competitors;
•Technological changes in the market for our products, including the adoption of new technologies and standards;
•Our ability to develop, introduce and market new products and product enhancements on a timely basis;
•Market and customer acceptance of any new products and product enhancements that we introduce;
•Network outages, security breaches, technical difficulties or interruptions affecting our products;
•With respect to our Digipass business, component costs and availability;
•Seasonality in our business;
•Changes in foreign currency exchange rates;
•General economic and political conditions, as well as economic conditions specifically affecting industries in which our customers operate; and
•Other events or factors, including those resulting from pandemics, war and other geopolitical conflicts, natural disasters, incidents of terrorism or responses to these events.
Any one of these or other factors discussed elsewhere in this Annual Report on Form 10-K, or the cumulative effect of a combination of these factors, may result in fluctuations in our financial results, which may cause us to miss our guidance and analyst expectations and cause the price of our common stock to decline.
We may be unable to maintain or increase our level of profitability.
Over our approximately 30-year operating history, we have operated at a loss for many of those years, including for the year ended December 31, 2023, for which we reported a net loss of $29.8 million. Although we were profitable in 2024 and 2025, we may not be able to maintain or increase our level of profitability. We intend to continue to incur significant expenses to maintain, develop and enhance our products and solutions, improve our infrastructure and technology, and grow our customer base. These efforts may be costlier than we expect, and we may not be able to increase our revenue enough to offset our increased operating expenses. We may incur significant losses in the future for a number of reasons, including the other risks described herein, and experience unforeseen expenses, difficulties, complications and delays and other unknown events. If we are unable to achieve and sustain profitability, the value of our business and common stock may significantly decrease.
The credit agreement for our revolving credit facility contains financial covenants and various other restrictions and requirements that could limit our operational flexibility and adversely affect our financial condition and results of operations if we are unable to comply with them.
On June 23, 2025, we entered into the Credit Agreement with MUFG, as administrative agent, swingline lender and letter of credit issuer, and other lenders party thereto. The Credit Agreement provides for a $100.0 million revolving credit facility with a $10.0 million letter of credit sublimit and a $10.0 million swingline loan sublimit. It also provides that we may, with the agreement of the lenders and/or new lenders and subject to certain conditions and limitations, add one or more incremental revolving facilities to increase commitments under the credit facility in an aggregate amount not to exceed the greater of (x) $100.0 million and (y) 100% of Consolidated EBITDA (as defined in the Credit Agreement) for the four consecutive fiscal quarters most recently ended for which financial statements have been delivered pursuant to the terms of the Credit Agreement.
18
The proceeds of borrowings under the Credit Agreement may be used for general corporate purposes. We may borrow, repay and reborrow funds under the revolving credit facility until its maturity on June 23, 2030. As of December 31, 2025, we had outstanding letters of credit of $0.4 million and no borrowings outstanding under the Credit Agreement. Refer to Note 12, Debt in the Notes to Consolidated Financial Statements in Item 8 of Part II of this Annual Report on Form 10-K for further details on the Credit Agreement.
The Credit Agreement contains certain customary representations and warranties, affirmative and negative covenants, minimum net leverage and interest coverage ratios that we must maintain, and other requirements. Subject to limited exceptions, the Credit Agreement restricts our ability to, among other things:
•incur additional indebtedness;
•incur liens upon our property;
•make prepayments or repurchases of subordinated debt;
•make certain amendments to subordinated debt agreements or our certificate of incorporation or bylaws;
•consolidate, merge, dissolve, or sell or otherwise dispose of all or substantially all of our assets;
•make certain investments or acquisitions or dispositions of assets;
•enter into certain sale and leaseback transactions;
•pay more than a specified amount of dividends on or make other distributions in respect of our capital stock or make other restricted payments; and
•enter into certain transactions with affiliates.
These negative covenants may prevent us from taking actions that we believe would be in the best interests of our business and may make it difficult for us to execute our business strategy successfully or effectively compete with companies that are not similarly restricted.
The Credit Agreement contains customary events of default relating to, among other things, payment defaults, breach of covenants, cross defaults to material indebtedness, bankruptcy-related defaults, judgment defaults, and the occurrence of certain change of control events. If an event of default occurs and is not cured or waived, the lenders under the Credit Agreement will be entitled to take various actions, including the termination of commitments and the acceleration of amounts due under the Credit Agreement in addition to charging default interest. If we are unable to repay our indebtedness, the lenders under our credit facility could proceed against the collateral securing the indebtedness, which would be likely to have a material adverse effect on our financial condition and results of operations. Additionally, any event of default may be a disclosable event and may be perceived negatively. Such perception could adversely affect the market price for our common stock and our ability to obtain financing in the future.
We depend on third-party hosting providers and other technology vendors, as well as our own infrastructure, to provide our products and solutions to our customers in a timely manner. Interruptions or delays in performance of our products and solutions could result in customer dissatisfaction, damage to our reputation, loss of customers, and reduction in revenue.
We outsource portions of our cloud infrastructure to third-party hosting providers, principally Amazon Web Services, ("AWS"). We also outsource components of our services to third-party technology vendors who host their products in the cloud. Customers of our products need to be able to access our platform at any time, without interruption or degradation of performance. AWS and other third-party hosting providers run their own platforms that we access, and we are therefore vulnerable to service interruptions on these third-party platforms, as well as to service interruptions affecting our own infrastructure and our third-party technology vendors. We have experienced interruptions, delays and outages in service and availability from time to time due to a variety of factors impacting our third-party hosting providers, our own infrastructure or other vendors, and we expect to experience these types of incidents in the future.
19
If our products or platform are unavailable or our users are otherwise unable to use our products within a reasonable amount of time or at all, then our business, results of operations and financial condition could be adversely affected. In some instances, we may not be able to identify the cause or causes of these performance problems within a period of time acceptable to our customers. It may become increasingly difficult to maintain and improve our platform performance, especially during peak usage times, as our products become more complex and the usage of our products increases. We have in the past and may in the future experience capacity constraints that affect our product performance and cause us to miss our service level agreements with our customers. These capacity constraints can be due to a number of causes, including technical failures, natural disasters, fraud or security attacks. To the extent that we do not effectively address capacity constraints, either through our own infrastructure, our current third-party providers or alternative providers of cloud infrastructure, our business, results of operations and financial condition may be adversely affected. In addition, any changes in service levels from our third-party hosting providers or other cloud-based technology vendors may adversely affect our ability to meet our customers' requirements.
Our third-party hosting providers have no obligations to renew their agreements with us on commercially reasonable terms or at all, and the agreements governing these relationships can generally be terminated by either party with limited notice. Access to hosting services may also be restricted by the provider at any time, with no or limited notice. Although we expect that we could receive similar services from other third parties, if any of our arrangements with AWS or other third-party hosting providers are terminated, we could experience interruptions on our platform and in our ability to make our platform available to customers, as well as downtime, delays and additional expenses in arranging alternative cloud infrastructure services.
It is also possible that our customers and potential customers would hold us accountable for any breach of security affecting infrastructure of our third-party hosting providers. We may incur significant liability from those customers and from third parties with respect to any such breach, and we may not be able to recover a material portion of our liabilities to our customers and third parties from our hosting providers in the event of any breach affecting their systems.
Any of the above circumstances or events may harm our reputation, cause customers to stop using our products, impair our ability to increase revenue from existing customers, impair our ability to grow our customer base, subject us to financial penalties and liabilities under our service level agreements and otherwise harm our business, results of operations and financial condition.
Our success depends in part on establishing and maintaining relationships with other companies to distribute our technology and products or to incorporate their technology into our products and services, or vice versa.
Part of our business strategy is to enter into partnerships and other cooperative arrangements with third parties. We are regularly involved in cooperative efforts with respect to the incorporation of our products into products of others and vice versa, research and development efforts, and marketing, distributor and reseller arrangements. These relationships are generally non-exclusive, and some of our partners also have cooperative relationships with certain of our competitors or offer some products and services that are competitive with ours. If we lose third-party relationships, if these relationships are not commercially successful, or if we are unable to enter into third-party relationships on commercially reasonable terms in the future, our business could be negatively impacted.
SaaS offerings, which involve various risks, constitute an important part of our business.
We expect that our SaaS offerings will constitute an increasingly important part of our business. As a result, we must continue to evolve our processes to meet a number of regulatory, intellectual property, contractual, service, and security compliance challenges. These challenges include: compliance with licenses for open-source and third-party software embedded in our SaaS offerings; maintaining compliance with global export control, privacy, data security, and resiliency regulations (including the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), the EU General Data Protection Regulation ("GDPR"), the EU Digital Operational Resilience Act ("DORA"), and the Directive on Measures for a High Common Level of Cybersecurity Across the Union (EU) 2022/2555 (known as NIS2)); supporting contractual requirements that our customers impose on us due to their own legal obligations, such as compliance with DORA; protecting our products from external threats, including AI-driven attacks; maintaining continuous service levels and data security practices expected by our customers; and preventing inappropriate use of our products.
20
In addition to using our internal resources, we also utilize third-party resources to deliver SaaS offerings, such as third-party data hosting vendors. The failure of a third-party provider to prevent service disruptions, data losses or security breaches may require us to issue credits or refunds or to indemnify or otherwise be liable to customers or third parties for damages that may occur. Additionally, if these third-party providers fail to deliver on their obligations, our reputation could be damaged, and our customers could lose confidence in us and our ability to maintain and expand our SaaS offerings. Finally, our SaaS offerings must be designed to operate at significant transaction volumes. When combined with third-party software and hosting infrastructure, our SaaS offerings may not perform as designed, which could lead to service disruptions and associated damages.
Failure to maintain high-quality customer support could have a material adverse effect on our business.
Our business relies on our customers’ satisfaction with the technical and customer support and professional services we provide to support our products. If we fail to provide customer and technical support services that are high-quality, responsive, and able to promptly resolve issues that our customers encounter with our products and services, then they may elect not to purchase or renew subscription licenses or may otherwise reduce or discontinue their business relationship with us. Maintaining high-quality customer support can be costly, and therefore we have adopted, and expect to continue to adopt, online self-help tools and AI-enabled customer service technology. These types of tools may not always provide the service levels our customers expect, particularly when they are first adopted. This could result in loss of revenue and damage to our reputation, which could have an adverse effect on our business.
Failure to effectively manage our product and service lifecycles could harm our business.
As part of the natural lifecycle of our products and services, we periodically inform customers that products or services have reached their end of life or end of availability and will no longer be supported or receive updates and security patches. Failure to effectively manage our product and service lifecycles could lead to customer dissatisfaction and contractual liabilities, which could adversely affect our business and operating results. In addition, the failure to generate new revenue to replace and/or expand the revenue realized from discontinued products or services could adversely affect our business and operating results.
We are subject to foreign currency exchange rate fluctuations, which could adversely affect our financial condition and results of operations.
Because a significant number of our principal customers are located outside the United States, we expect that international sales will continue to generate a significant portion of our total revenue. We are subject to foreign exchange fluctuations and risks because the majority of our product costs are denominated in U.S. dollars, whereas a significant portion of the sales and expenses of our foreign operating subsidiaries are denominated in various foreign currencies. A decrease in the value of any of these foreign currencies relative to the U.S. dollar could adversely affect our revenue and profitability in U.S. dollars of our products sold in these markets. Furthermore, a strengthening of the U.S. dollar could increase the cost in local currency of our products and services to customers outside the United States, which could adversely affect our business, results of operations, financial condition and cash flows.
The exchange rate between the U.S. dollar and foreign currencies has fluctuated in recent years and may fluctuate substantially in the future. Although foreign exchange impact was not significant to our 2023, 2024 or 2025 results, it could adversely affect our results for 2026 and beyond. We do not currently use forward contracts or other hedging strategies such as options or foreign exchange swaps to mitigate our exposure to foreign currency fluctuations.
Consolidations, failures and other developments in the banking and financial services industry may adversely impact our revenue.
21
Mergers, acquisitions, and personnel changes at key banks and financial services organizations have the potential to adversely affect our business, financial condition, cash flows, and results of operations. A majority of our revenue is derived from customers in the banking and financial services industry, making us susceptible to consolidation in, or contraction of, the number of participating institutions within that industry. In addition, other factors affecting the banking and financial services industry, such as economic and credit conditions or additional regulations, may create uncertainty or financial pressures that cause our customers or potential customers to adopt cost reduction measures or reduce capital spending, resulting in longer sales cycles, deferrals or delays in purchases of our products, delays in paying our accounts receivable, and increased price competition, any of which could negatively impact our revenue. Furthermore, if customers respond to a negative or unpredictable economic climate by consolidating with other banks or financial institutions, it could reduce the number of our current and/or potential customers.
U.S. trade policy or foreign policy developments could have a material adverse impact on our business.
Our Digipass authentication devices are assembled by third-party manufacturers located in China and Romania, using components from suppliers in a wide range of geographic locations, including China. The U.S. presidential administration has imposed new or additional tariffs on foreign goods, including tariffs on certain Chinese imports. Although sales to U.S. customers account for a small portion of our Digipass sales, these tariffs could negatively impact our financial results. In some cases, we may not be able to pass the cost of the tariffs to our customers, which would negatively affect our profit margin. Even if we can pass on these costs, the tariffs and the economic uncertainty they cause may discourage customers from placing Digipass orders or lead them to decrease or delay such orders. Additional expansion of or increases to tariffs would exacerbate these impacts. Although we are planning measures to mitigate the potential impact of the China tariffs on our business, including moving more of our Digipass production to Romania or to other locations, these measures are unlikely to fully offset the impact, particularly since the U.S. has also imposed new tariffs on members of the European Union and other countries.
In addition, in response to tariffs or geopolitical actions by the U.S., other countries have implemented, or may implement in the future, retaliatory tariffs, other protective measures, or sanctions impacting U.S. companies and goods. Political tensions as a result of trade and foreign policies could reduce trade volume, investment, technological exchange, and other economic activities between major international economies, resulting in a material adverse effect on global economic conditions and the stability of global financial markets, which could in turn have a material adverse impact on our business and financial condition.
If our goodwill or intangible assets become impaired, we may be required to record a significant charge to earnings.
We review our goodwill and intangible assets for impairment when events or changes in circumstances indicate the carrying value may not be recoverable. Goodwill is required to be tested for impairment at least annually. At December 31, 2025, we had goodwill and intangible assets with a net book value of $113.6 million primarily related to our acquisitions. An adverse change in market conditions, particularly if such change has the effect of changing one of our critical assumptions or estimates, could result in a change to the estimation of fair value that could result in an impairment charge to our goodwill or intangible assets.
The revenue recognition treatment of SaaS subscriptions and term subscription licenses for on-premises software may make it more challenging to accurately assess our operating results and the condition of our business.
Approximately 64% of our total revenue for the year ended December 31, 2025 was attributable to our SaaS and on-premises term subscription contracts, and the revenue recognition treatment of both of these types of contracts under applicable accounting rules may make it more difficult for investors to accurately assess our operating results and the condition of our business.
22
We recognize SaaS subscription revenue ratably over the term of each of our contracts, which are typically one year in length but may be up to three years or longer. As a result, much of our SaaS revenue in a particular quarter is generated from the recognition of revenue from SaaS contracts we entered during previous periods, which can make it more challenging to assess the current state of our business. For instance, a shortfall in demand for our SaaS solutions or a decline in new or renewed SaaS contracts in any one quarter may not significantly reduce our revenue for that quarter (and may therefore not be apparent from our financial statements for that quarter), but could negatively affect our revenue in future quarters. In addition, the SaaS-based model of our Digital Agreements division makes it difficult for us to rapidly increase our Digital Agreements revenue through additional sales contracts in any period, since revenue from new customers is recognized over the applicable term of their contracts.
We recognize revenue from on-premises term subscription contracts upon delivery of the software to the customer, which is the latter of when the customer receives the ability to access the software or when they are legally allowed to use the software. Maintenance revenue associated with these contracts is recognized ratably over the term of their agreements, which typically range from one to five years in length. Although on-premises subscription contracts may have a term of up to five years, we generally recognize most of the revenue (the revenue associated with the license component of the contract) soon after the contract becomes effective. This can result in uneven revenue from quarter to quarter depending upon the number and timing of term licenses we sign, and results in a particular quarter provide minimal visibility into our performance in future periods.
In addition, our sales arrangements often include multiple elements, including hardware, services, software, maintenance and support, which complicates their treatment under the accounting rules and can result in further variations in the timing of revenue recognition. In addition, if applicable accounting standards or practices change, or if the judgments or estimates we use when applying existing standards prove to be incorrect, our financial results may be adversely affected.
We could be subject to additional tax liabilities, and our ability to use our net operating losses may be limited.
We are subject to U.S. federal, state, local and sales taxes in the United States and foreign income taxes, withholding taxes and transaction taxes in numerous foreign jurisdictions. Significant judgment is required in evaluating our tax positions and our worldwide provision for taxes. During the ordinary course of business, there are many activities and transactions for which the ultimate tax determination is uncertain and the relevant taxing authorities may disagree with our determinations as to the income and expenses attributable to specific jurisdictions. In addition, our tax obligations and effective tax rates could be adversely affected by changes in the relevant tax, accounting and other laws, regulations, principles and interpretations by recognizing tax losses or lower than anticipated earnings in jurisdictions where we have lower statutory rates and higher than anticipated earnings in jurisdictions where we have higher statutory rates, by changes to our operating structure (including a currently in-process revenue of our intellectual property structure), by changes in foreign currency exchange rates, or by changes in the valuation of our deferred tax assets and liabilities. We may be audited in various jurisdictions, and such jurisdictions may assess additional taxes, sales taxes and value-added taxes against us. Although we believe our tax estimates are reasonable, the final determination of any tax audits or litigation could be materially different from our historical tax provisions and accruals, which could have a material adverse effect on our operating results or cash flows in the period for which a determination is made.
At December 31, 2025 we had U.S. federal, U.S. state, foreign, and Canadian provincial net operating losses ("NOLs") of $6.6 million, $52.3 million, $32.6 million, and $23.2 million, respectively, available to offset future taxable income, some of which begin to expire in 2032. A lack of future taxable income would adversely affect our ability to utilize these NOLs before they expire. Also, certain NOLs have limitations on the amount that can be utilized each year.
23
In addition, under the provisions of the Internal Revenue Code of 1986, as amended (the "Internal Revenue Code"), substantial changes in our ownership may limit the amount of pre-change NOLs and other tax attributes that can be utilized annually in the future to offset taxable income. Section 382 of the Internal Revenue Code imposes limitations on a company’s ability to use its NOLs if one or more stockholders or groups of stockholders that own at least 5% of the company’s stock increase their ownership by more than 50 percentage points over their lowest ownership percentage within a rolling three-year period. Similar rules may apply under state tax laws. Based upon an analysis as of December 31, 2024, we determined that we do not expect these limitations to materially impair our ability to use our NOLs prior to expiration. However, if changes in our ownership occurred after such date, or occur in the future, our ability to use our NOLs may be further limited. Subsequent statutory or regulatory changes in respect of the utilization of NOLs for federal or state purposes, such as suspensions on the use of NOLs or limitations on the deductibility of NOLs carried forward, or other unforeseen reasons, may result in our existing NOLs expiring or otherwise being unavailable to offset future income tax liabilities. For these reasons, we may not be able to utilize a material portion of the NOLs, even if we achieve profitability.
Provisions in various agreements potentially expose us to substantial liability for intellectual property infringement and other losses.
Our agreements with customers, solution partners and channel partners generally include provisions under which we agree to indemnify them for losses suffered or incurred as a result of claims of intellectual property infringement and, in some cases, for damages caused by us to property or persons or for other damages. These indemnification obligations may extend to claims arising from the use of third-party software, open-source components, or emerging novel legal theories, including those related to data usage or AI. In the past, we worked with a customer at our expense to resolve a claim brought against the customer related to our technology, and we may be required to indemnify customers for similar claims in the future. Defending such claims, regardless of their merit, could be costly and time-consuming, divert management attention and harm our reputation, and any resulting expense or liabilities may not be fully covered by insurance.
We also make certain representations and warranties and incur obligations under our contracts in the ordinary course of business, including for items related to data security, data privacy, and regulatory compliance. Our customers increasingly seek heightened contractual protections including broader indemnification obligations or higher liability caps, particularly in the event of data security incidents, privacy breaches, or regulatory non-compliance. Although we normally contractually limit our liability with respect to such representations, warranties and other contractual obligations, we may still incur substantial liability related to them. Not all of our potential losses under our contracts are covered by insurance policies, and such coverage may be subject to coverage limits or exclusions, which could increase the impact of any such loss should it occur. Large indemnity payments or damages resulting from our contractual obligations could harm our business, operating results and financial condition.
Any failure to protect our proprietary technology and intellectual property rights could substantially harm our business and operating results.
Our success is dependent, in part, upon protecting our proprietary technology. We rely on a combination of patents, copyrights, trademarks, service marks, trade secret laws and contractual provisions in an effort to establish and protect our proprietary rights. However, the steps we take to protect our intellectual property may be inadequate. While we have been issued patents in the U.S. and other countries and have additional patent applications pending, we may be unable to obtain patent protection for the technology covered in our patent applications. In addition, any patents issued in the future may not provide us with competitive advantages or may be successfully challenged by third parties. Any of our patents, trademarks or other intellectual property rights may be challenged or circumvented by others or invalidated through administrative process or litigation. There can be no guarantee that others will not independently develop similar products, duplicate any of our products or design around our patents. Furthermore, legal standards relating to the validity, enforceability and scope of protection of intellectual property rights are uncertain. Despite our precautions, it may be possible for unauthorized third parties to copy our products and use information that we regard as proprietary to create products and solutions that compete with ours. Some license provisions protecting against unauthorized use, copying, transfer and disclosure of our products may be unenforceable under the laws of jurisdictions outside the U.S. To the extent we expand our international activities, our exposure to unauthorized copying and use of our products and proprietary information may increase.
24
We enter into confidentiality and invention assignment agreements with our employees and consultants and enter into confidentiality agreements with parties with whom we have strategic relationships and business alliances. These agreements may not be effective in controlling access to and distribution of our products and proprietary information. Further, these agreements do not prevent our competitors or partners from independently developing technologies that are substantially equivalent or superior to our products and solutions.
In order to protect our intellectual property rights, we may be required to spend significant resources to monitor and protect and enforce these rights, including through litigation. Litigation brought to protect and enforce our intellectual property rights could be costly, time-consuming and distracting to management and could result in the impairment or loss of portions of our intellectual property. Furthermore, our efforts to enforce our intellectual property rights may be met with defenses, counterclaims and countersuits attacking the validity and enforceability of our intellectual property rights. Our inability to protect our proprietary technology against unauthorized copying or use, as well as any costly litigation or diversion of our management’s attention and resources, could delay further sales or the implementation of our products and solutions, impair the functionality of our products and solutions, delay introductions of new solutions, result in our substituting inferior or more costly technologies into our products and solutions or injure our reputation. We will not be able to protect our intellectual property if we are unable to enforce our rights or if we do not detect unauthorized use of our intellectual property. Moreover, policing unauthorized use of our technologies, trade secrets and intellectual property may be difficult, expensive and time-consuming, particularly in foreign countries where the laws may not be as protective of intellectual property rights as those in the U.S. and where mechanisms for enforcement of intellectual property rights may be weak. If we fail to adequately protect our intellectual property and proprietary rights, our business, operating results and financial condition could be adversely affected.
We may be subject to legal proceedings and/or liability for a variety of claims, including intellectual property disputes, labor and employment issues, commercial disagreements, securities law violations and other matters. These proceedings may be costly, subject us to significant liability, limit our ability to use certain technologies, increase our costs of doing business or otherwise adversely affect our business and operating results.
From time to time, we are involved as a party or an indemnitor in disputes or regulatory inquiries. These may include alleged claims, lawsuits and proceedings regarding intellectual property disputes, labor and employment issues, commercial disagreements, securities law violations and other matters. In particular, companies in the software industry are often required to defend against litigation or claims based on allegations of infringement or other violations of intellectual property rights. In certain instances, we have received claims that we have infringed the intellectual property rights of others, including claims regarding patents, copyrights, and trademarks. Because of constant technological change in the markets in which we compete, the extensive patent coverage of existing technologies, and the rapid rate of issuance of new patents, it is possible that the number of these claims may grow. Such claims sometimes involve patent holding companies or other adverse patent owners that have no relevant product revenue and against which our own patents may therefore provide little or no deterrence. In addition, former employers of our former, current, or future employees may assert claims that such employees have improperly disclosed to us the confidential or proprietary information of these former employers. If we are not successful in defending such claims, we could be required to stop selling our products, delay shipments, redesign our products, pay monetary amounts as damages, enter into royalty or licensing arrangements (which may not be available to us on commercially reasonable terms), or satisfy indemnification obligations to our customers, any of which could have a material adverse effect on our business.
Regardless of the merits or ultimate outcome of any claims that have been or may be brought against us or that we may bring against others, lawsuits are time-consuming and expensive to resolve, divert management’s time and attention, and could harm our reputation. Although we carry general liability and other forms of insurance, our insurance may not cover potential claims that arise or may not be adequate to indemnify us for all liability that may be imposed. We may also determine that the most cost-effective way to resolve a dispute is to enter into a settlement agreement. Litigation is inherently unpredictable and we cannot predict the timing, nature, controversy or outcome of lawsuits, and it is possible that litigation could have an adverse effect on our business, operating results or financial condition.
We use open-source software in our products, which could subject us to litigation or other actions.
25
We use open-source software in our products and solutions. Any use of open-source software may expose us to greater risks than the use of commercial software because open-source licensors generally do not provide warranties or controls on the functionality or origin of the software. Any use of open-source software may involve security risks, making it easier for hackers and other third parties to determine how to compromise our platform. From time to time, there have been claims challenging the ownership of open-source software against companies that incorporate open-source software into their products. As a result, we could be subject to lawsuits by parties claiming ownership of what we believe to be open-source software. Litigation could be costly for us to defend, have a negative effect on our operating results and financial condition or require us to devote additional research and development resources to change our products. In addition, if we were to combine our proprietary software products with open-source software in a certain manner, we could, under certain of the open-source licenses, be required to release the source code of our proprietary software products. If we inappropriately use or incorporate open-source software subject to certain types of open-source licenses that challenge the proprietary nature of our software products, we may be required to re-engineer our products, discontinue the sale of our products and solutions or take other remedial actions.
In addition, as we increasingly use of generative AI coding tools to assist in software development, these tools may introduce similar or heightened risks. For example, AI-generated snippets of code could inadvertently include open-source components subject to restrictive licenses or that infringe third-party intellectual property rights. If such risks materialize, we could face legal claims, be required to modify or replace portions of our code, or incur additional compliance costs.
There is significant government regulation of technology imports and exports. If we cannot meet the requirements of applicable regulations, we may be prohibited from exporting some of our products, which could negatively impact our revenue.
Our international sales and operations are subject to risks such as the imposition of government controls, new or changed export license requirements, restrictions on the export of critical technology, trade restrictions and changes in tariffs. If we are unable to obtain regulatory approvals on a timely basis, our business may be impacted. Certain of our products are subject to export controls under U.S. law including the U.S. Export Administration Regulations, U.S. Customs regulations, and various economic and trade sanctions administered by the U.S. Treasury Department’s Office of Foreign Assets Control. The list of products and countries for which export approval is required, and the regulatory policies with respect thereto, may be revised from time to time and our inability to obtain required approvals under these regulations could materially and adversely affect our ability to make international sales. Additionally, we may be negatively affected if our third-party technology partners fail to obtain proper licenses and permits for the import and export of their products. We maintain trade control compliance requirements for our partners; however, we cannot guarantee that our partners will comply with these requirements. Violations of export control and international trade laws could result in penalties, fines, adverse reputational consequences, and other materially adverse consequences. In the past, we voluntarily disclosed a trade control matter to the U.S. government. Although this matter was closed during 2019 with no fines, penalties, or finding of wrongdoing, similar issues could arise in the future. In addition, future changes in government regulation of technology imports and exports, including tariffs and other protective measures that have been or may be imposed by the current U.S. presidential administration, could negatively affect our business.
We employ cryptographic technology in our authentication products. If the codes used in our cryptographic technology are eventually broken or become subject to additional government regulation, our technology and products may become less effective, which would have a material adverse effect on our business.
A portion of our products are based on cryptographic technology. With cryptographic technology, a user is given a key that is required to encrypt and decode messages. The security afforded by this technology depends on the integrity of a user’s key and in part on the application of algorithms, which are advanced mathematical factoring equations. These codes may eventually be broken or become subject to government regulation regarding their use, which would render our technology and products less effective. The occurrence of any one of the following could result in a decline in demand for our technology and products, which would have a material adverse effect on our business:
•Any significant advance in techniques for attacking cryptographic systems, including the development of an easy factoring method or faster, more powerful computers, such as quantum computing;
•Publicity of the successful decoding of cryptographic messages or the misappropriation of keys; and
•Increased government regulation limiting the use, scope or strength of cryptography.
26
International and domestic laws and regulations relating to data privacy, protection, access, sharing, portability and use could have a material adverse impact on our results of operations.
Our business is subject to a rapidly expanding and increasingly complex set of international, federal, state, and local laws and regulations governing the collection, use, access, sharing, transfer, portability, interoperability, and other processing and use of data worldwide. Globally, virtually every jurisdiction in which we operate has established its own data security, privacy, and broader data governance frameworks with which we must comply, including regimes that regulate data access and sharing rights, data portability and interoperability, restrictions on use and commercialization, and obligations imposed on cloud and other data processing services. We collect, transmit, store, and otherwise process (on our systems and on our third-party partners’ systems) our customers’, their end users, and our employees’ data that includes personal data subject to these international and domestic privacy, data protection, and data governance laws and regulations. Failure to comply, or a perceived failure to comply, with these requirements could subject us to enhanced regulatory and customer monitoring, audits, and related expenses, restrict our ability to deliver or enhance our services, limit our ability to use data, expose us to regulatory enforcement actions, litigation and fines, and harm our reputation and customer relationships.
For example, in the European Economic Area (“EEA”), we are subject to Regulation (EU) 2016/679 (the General Data Protection Regulation or “GDPR”) and related national implementing laws. The GDPR is wide-ranging in scope and imposes numerous requirements on companies that process personal data, including requirements relating to lawful basis for processing, transparency, data subject rights, security safeguards, breach notification, accountability, and the oversight of third-party processors. Certain categories of data, including biometric and other sensitive data are subject to heightened requirements. In addition, the GDPR permits data protection authorities to impose corrective measures and/or administrative fines of up to the greater of 20 million Euros or four percent of global annual revenues, and allows data subjects to seek judicial remedies and compensation. Moreover, the EU Data Act (Regulation (EU) 2023/2854) establishes new rules governing access to, sharing of, and switching of data generated by connected products and related services, including mandatory data access rights for users and restrictions on contractual and technical barriers to data portability. The Data Act may require us to modify product design, data architectures, commercial terms, and cloud or data processing arrangements, and could limit our ability to monetize or control certain data assets. Although we have implemented policies, technical measures, and contractual safeguards designed to support compliance, the interpretation and enforcement of GDPR and the EU Data Act obligations continue to evolve and may differ across EEA member states. As a result, there can be no assurance that our compliance measures will not be challenged by regulators, courts, or other parties, which could result in investigations, fines, restrictions on processing or data sharing activities, or civil claims.
Our operations also depend on the ability of companies to transfer personal data across borders, including from the EEA to the United States and other jurisdictions. While the European Commission has adopted an adequacy decision for the EU-U.S. Data Privacy Framework, the long-term availability and scope of this and other transfer mechanisms remain subject to legal, regulatory, and political uncertainty. We rely on multiple transfer tools, including standard contractual clauses and supplementary measures, to support international data flows. If existing transfer mechanisms are invalidated, restricted, or require additional safeguards, we may be required to restructure data flows, localize certain processing activities, or implement new technical and contractual controls. These changes could increase operational complexity and costs, delay service delivery, limit product functionality, and expose us to regulatory scrutiny during transition periods. Beyond the GDPR, there are privacy, data security, and data governance laws in a growing number of countries around the world. For example, other jurisdictions such as Brazil, Canada, and the United Kingdom have enacted privacy and data protection laws and regulations that impose similar restrictions and obligations on products and services we sell and that otherwise may impact our ability to conduct our business activities.
In the United States, we are subject to a fragmented and expanding regulatory landscape at both the federal and state levels. Federal data privacy and security enforcement continues to evolve, and although the current federal regulatory environment is expected to shift toward more traditional and narrower enforcement priorities, our company remains exposed to potential actions by federal agencies such as the FTC under existing privacy laws, especially in the area of processing biometrics and other sensitive data. At the state level, comprehensive privacy laws, including the California Consumer Privacy Act as amended by the California Privacy Rights Act of 2020, and other similar statutes adopted by more than a dozen other states, impose varying obligations and grant enhanced enforcement powers, and in some cases, private rights of action. In addition, certain state laws regulate specific categories of information, such as biometric or health-related information. This patchwork of requirements increases compliance costs, audit and reporting obligations, litigation, fine and penalty exposure, and the risk that we may be subject to inconsistent or conflicting legal standards.
27
Several jurisdictions impose particularly stringent requirements on the processing of biometric data. Laws such as the Illinois Biometric Information Privacy Act, Québec's Act respecting the protection of personal data in the private sector, and other similar laws regulate the collection, use, safeguarding, storage, governance, transparency and disclosure of biometric identifiers and information. Many of these laws also require informed consent, and provide for statutory damages and private rights of action. Because some of our SaaS solutions support identity verification, authentication, fraud prevention, and similar use cases that may involve biometric identifiers processed on behalf of customers, we may face heightened regulatory scrutiny and litigation risk.
A substantial portion of our activities as a SaaS solution provider involves processing personal data on behalf of our customers in our capacity as a data processor. As a data processor acting on behalf of our customers, we collect, transmit, store, and process a wide range of data, including personal data and biometric information from individuals worldwide. This data is handled both on our systems and those of our third-party partners, increasing the complexity of compliance and the potential impact of any failure or perceived failure by us or our third-party partners to meet applicable legal, contractual, or security standards. Adapting to these requirements may entail significant operational changes, including revising data processing and storage practices, enhancing data security measures, implementing data access and sharing controls, enabling data portability and interoperability features, ensuring transparent communication with data subjects about their rights and our data handling practices, and it may impact our business activities, including our relationships with business partners and the marketing and distribution of our products.
Additionally, our products may increasingly incorporate advanced analytics, automation, and AI-enabled features. The regulatory landscape governing the use of automated decision-making, AI systems, and data-driven technologies is evolving rapidly, with increasing convergence between privacy, data protection, consumer protection, and AI-specific regulatory regimes. New or emerging requirements may restrict how we design, deploy, or market certain features, require additional transparency or governance measures, or increase the risk of regulatory enforcement and legal claims related to data use, transparency and accountability.
We work to comply with all applicable international and domestic privacy, data protection, and data governance laws and regulations; however, these laws and regulations vary greatly from jurisdiction to jurisdiction, change rapidly, and are subject to interpretation, all of which leads to uncertainty in their applicability. Compliance may increase costs and require that we modify existing products, delay or limit the rollout of new features, increase investment in technical and organizational safeguards, renegotiate contractual arrangements with customers or partners, and dedicate significant legal, compliance, and engineering resources. Any actual, alleged or perceived failure to comply with applicable data-related laws and regulations, our processes and policies, contractual provisions, or an actual or suspected data privacy or information security incident could result in serious consequences for us. These consequences may include enforcement actions, audits, investigations, prosecutions, fines, penalties, debarment, litigation, contractual liability, loss of customer trust, reputational harm, and overall material adverse effects on our business, results of operations, and financial condition.
We must comply with the requirements of being a public company, including developing and maintaining proper and effective disclosure controls and procedures and internal control over financial reporting. Any failure to comply with these requirements may adversely affect investor confidence in our company and, as a result, the value of our common stock.
As a public company, we are subject to the reporting requirements of the Securities Exchange Act of 1934, as amended, the Sarbanes-Oxley Act, the Dodd-Frank Wall Street Reform and Consumer Protection Act, the listing requirements of Nasdaq and other applicable securities rules and regulations that impose various requirements on public companies. Our management and other personnel devote a substantial amount of time to compliance with these requirements and such compliance requires significant ongoing legal, accounting and financial reporting costs.
The Sarbanes-Oxley Act requires that we maintain effective disclosure controls and procedures and internal control over financial reporting and furnish a report by management on, among other things, the effectiveness of our internal control over financial reporting on an annual basis. This assessment includes disclosure of any material weaknesses identified by our management in our internal control over financial reporting. We are also required to have our independent registered public accounting firm issue an opinion annually on the effectiveness of our internal control over financial reporting. During the evaluation and testing process, if we identify one or more material weaknesses in our internal control over financial reporting, we will be unable to assert that our internal control over financial reporting is effective.
28
We have identified a material weakness in the past and it is possible that other material weaknesses, or significant deficiencies, in our internal controls will be identified in the future. Failure to maintain effective controls or implement new or improved controls could result in significant deficiencies or material weaknesses, affect management evaluations and auditor attestations regarding the effectiveness of our internal controls, failure to meet periodic reporting obligations, and material misstatements in our financial statements. Any material misstatement of our financial statements may result in a restatement, loss of investor and customer confidence, a decline in the market price of our common stock, and potential sanctions or investigations by Nasdaq, the SEC or other regulatory authorities. Failure to remedy any material weakness in our internal control over financial reporting, or to implement or maintain other effective control systems required of public companies, could also restrict our future access to the capital markets.
Our business in certain countries and transactions with foreign governments increase the risks associated with our international activities.
We are subject to anti-corruption laws in the jurisdictions in which we operate, including the FCPA, the U.K. Bribery Act, and other similar laws that prohibit improper payments or offers of payments to foreign governments and their officials and political parties by U.S. and other business entities for the purpose of obtaining or retaining business. We have operations, deal with and make sales to governmental or quasi-governmental customers in countries known to experience corruption, particularly certain countries in the Middle East, Africa, Asia and South and Central America. Our activities in these countries create the risk of unauthorized payments or offers of payments by one of our employees, consultants, sales agents or channel partners that could be in violation of various laws, including the FCPA and the U.K. Bribery Act, even though these parties are not always subject to our control. While we have implemented policies and training that mandate compliance with these anti-corruption laws, we cannot guarantee that these policies and procedures will prevent reckless or criminal acts committed by our employees, consultants, sales agents or channel partners. Violations of these laws may result in materially significant diversion of management’s resources as well as significant investigation and outside counsel expense. Violations of these laws may also result in severe criminal or civil sanctions, including suspension or debarment from government contracting, and we may be subject to other liabilities which could disrupt our business and result in a materially adverse effect on our reputation, business, results of operations, and financial condition.
We are subject to numerous laws, regulations and customer and product certification requirements governing the design, production, distribution, sale and use of our products. Any failure to comply with these laws, regulations and requirements could result in unanticipated costs and other negative impacts, and could have a materially adverse effect on our business, results of operations, and financial condition.
We are subject to global legal, regulatory, and customer compliance requirements that span many different areas. For example, we are subject to the Directive on Measures for a High Common Level of Cybersecurity Across the Union (EU) 2022/2555 (known as NIS2), which introduces a common cybersecurity framework that imposes stringent security and cybersecurity incident reporting obligations on organizations operating in the European Union. Our ability to comply with these requirements, including enhanced reporting obligations, risk management process, and network security standards, may require additional investment in technology, personnel, and training. Non-compliance with NIS2 could result in significant penalties, legal liabilities, reputational damage, and operational disruptions.
In addition, as an information communication technology provider to financial entities in the European Union, we are affected by the Regulation on Digital Operational Resilience for the Financial Sector (EU) 2022/2554 (known as DORA). DORA imposes significant obligations on our financial entity customers to ensure their third-party technology vendors, such as OneSpan, protect against disruptions in their products or services that could affect important or critical financial services in the EU. In order to meet their own compliance obligations under DORA, our customers are imposing additional contractual requirements on OneSpan to ensure the security, continuity, and resilience of our products and services, increase oversight of our critical third-party service providers, and undergo additional audits, all of which may require significant investment in technology, personnel, and training. If we fail to meet DORA’s requirements, our financial entity customers could be negatively impacted, and we could incur liabilities, suspension or termination of our products and services, reputational damage, loss of competitive positioning, and potential loss of business. Furthermore, evolving interpretations of DORA or additional regulatory updates could lead to unexpected compliance challenges and costs.
29
Our Digipass authenticator devices are subject to a variety of laws applicable to electronic devices, such as the EU Regulation on the Registration, Evaluation, Authorisation and Restriction of Chemicals (REACH), the EU Restriction on the Use of Hazardous Substances Directive (the RoHS Directive), the EU Waste Electrical and Electronic Equipment Directive (the WEE Directive) and “conflict minerals” regulations that require us to perform supply chain due diligence to determine the sources and origin of certain minerals used in our devices. We expect to incur ongoing costs associated with complying with these requirements, and may be subject to reputational damage, fines, penalties or loss of customers if we fail to comply. These requirements may also affect pricing, sourcing and availability of materials used to produce our Digipass devices. Our products, including our Digipass authenticators, may also require various industry certifications, including certifications under the Federal Information Processing Standards (FIPS) and from industry standards organizations such as the FIDO Alliance. Failure to obtain these certifications in a timely manner could harm our business.
Efforts to manage and mitigate climate change, pollution, biodiversity loss, human rights violations in corporate supply chains, and other environmental and social impacts have produced significant regulatory and legislative efforts on a global basis, a trend we expect to continue. We anticipate that new laws and regulations in this area will result in added compliance requirements and increased costs for us and our suppliers, which could result in a significant negative impact on our ability to operate profitably. In particular, we expect to become subject to several complex and costly new EU sustainability laws over the next five years, including laws addressing sustainable product design and packaging. In addition, many of our customers are also subject to significant new environmental and climate-related regulations or stakeholder pressure, which may affect their purchasing decisions in ways unfavorable to us. For instance, customers who purchase our Digipass authenticator devices sometimes inquire about the environmental impact of the devices, and customers who are especially focused on carbon footprint or waste minimization may choose software-based authentication methods rather than physical authentication devices. Finally, disclosures we may be required to make with respect to climate change, pollution or other environmental or social impacts may damage our reputation and have an adverse impact on our business.
We sell products and services to U.S. federal, state and local governments as well as foreign government entities. Risks associated with selling our products and services to government entities include compliance with complex procurement regulations and government-specific contractual requirements that may vary from our standard terms and conditions, longer sales cycles that are not easy to predict, and varying government funding and budgeting processes. Selling to these entities is expensive and time-consuming and often requires significant up-front effort and expense. We have processes in place to aid in compliance with applicable government contracting requirements; however, it is difficult to be certain that compliance has been achieved. Non-compliance with government entity requirements may result in significant material risk to the Company including debarment, reputational loss, and financial and business losses.
New laws and regulations and changes to current laws and regulations are always possible and, in some cases they may be introduced with little or no time to bring related products into compliance. Furthermore, our products are used by customers to assist with achieving compliance with laws and regulations that apply to their industry. Our failure to comply with laws and regulations and to adapt to our customers’ needs may prevent us from selling our products in a certain country or to a particular customer. In addition, these laws, regulations, and requirements may increase our cost of supplying the products by forcing us to redesign existing products, change manufacturing practices, or to use more expensive designs or components. In these cases, we may experience unexpected disruptions in our ability to supply customers with products, or we may incur unexpected costs or operational complexities to bring products into compliance, and we may experience lowered customer demand. This could have an adverse effect on our revenues, gross profit margins and results of operations and increase the volatility of our financial results.
We may require additional capital to support our business objectives, and this capital might not be available on acceptable terms, if at all.
30
We expect that our existing cash and cash equivalents and borrowing capacity under our Credit Agreement will be sufficient to meet our anticipated cash needs for working capital and capital expenditures for at least the next 12 months. Our estimate as to how long we expect our cash and cash equivalents to be able to fund our operations is based on assumptions that may prove to be wrong, and we could use our available capital resources sooner than we currently expect. Further, changing circumstances, some of which may be beyond our control, could cause us to consume capital significantly faster than we currently anticipate, and we may need to seek additional funds sooner than planned. We intend to continue to make investments to support our business objectives and may require additional funds to achieve our objectives and respond to business challenges, including the need to develop new features or enhance our products, improve our operating infrastructure or acquire complementary businesses and technologies. Accordingly, we may need to engage in expanded or additional debt financings or equity financings to secure additional funds. If we raise additional funds through future issuances of equity or convertible debt securities, our existing stockholders could suffer significant dilution, and any new equity securities we issue could have rights, preferences and privileges superior to those of holders of our common stock.
General economic conditions and geopolitical events have resulted in significant volatility in global financial markets in recent years. If this volatility persists or becomes more pronounced, we could experience an inability to access additional capital, which could in the future negatively affect our capacity for certain corporate development transactions or our ability to make other important, opportunistic investments. In addition, market volatility, high levels of inflation and interest rate fluctuations may increase our cost of financing or restrict our access to potential sources of future liquidity. Adequate additional financing may not be available to us on acceptable terms, or at all. If we are unable to obtain adequate financing or financing on terms satisfactory to us when we require it, our ability to continue to support our business objectives and to respond to business challenges could be significantly impaired, and our business may be adversely affected.
Risks Related to Ownership of Our Common Stock
Our stock price has been and will likely continue to be volatile.
The market price of our common stock has been and may continue to be highly volatile and may fluctuate substantially as a result of a variety of factors, including those described in this “Risk Factors” section, many of which are beyond our control and may not be related to our operating performance. Factors that could cause fluctuations in the market price of our common stock include the following:
•Actual or anticipated fluctuations in our quarterly or annual operating results;
•Variance in our financial performance from our own financial guidance or from expectations of securities analysts;
•The trading volume of our common stock;
•Failure of securities analysts to maintain coverage of our company or changes in financial estimates by any securities analysts who follow our company;
•Changes in market valuations of other technology companies;
•Announcements by us or our competitors of significant technical innovations, contracts, acquisitions, strategic partnerships, joint ventures or capital commitments;
•Our involvement in any litigation or investigations by regulators;
•Our sale of our common stock or other securities in the future;
•Sales of large blocks of our common stock, including sales by our executive officers, directors and significant stockholders;
•Repurchases pursuant to board-authorized share repurchase programs, or announcements of the inception or discontinuation of any such program;
•Increases or decreases in the dividend amount paid under our quarterly dividend program announced in December 2024, the modification or discontinuation of such program, or other changes in our capital allocation strategy;
•Mergers, acquisitions, or divestitures;
•Short sales, hedging and other derivative transactions involving our capital stock;
•Additions or departures of any of our key personnel;
•Changing legal or regulatory developments;
•The inclusion or exclusion of our stock in ETFs, indices and other benchmarks, and changes made to related methodologies;
•Reactions by investors to uncertainties in the world economy, the global geopolitical environment, and financial markets.
31
In recent years, the stock markets have experienced price and volume fluctuations that have affected and continue to affect the market prices of equity securities of many companies due to, among other factors, the actions of market participants or other actions outside of our control, including market volatility caused by geopolitical events, and general economic developments. These fluctuations have often been unrelated or disproportionate to the operating performance of those companies. Broad market and industry fluctuations, as well as general economic, political, regulatory and market conditions, may negatively impact the market price of our common stock. In the past, companies that have experienced volatility in the market price of their securities have been subject to securities class action litigation. We have been the target of this type of litigation in the past, and may be targeted again the future, which could result in substantial costs and divert our management’s attention.
A small group of shareholders control a substantial amount of our common stock and could promote, delay or prevent a change of control.
A small number of shareholders control a significant amount of our outstanding common stock, as follows (based on the number of our shares of common stock outstanding as of December 31, 2025 and the most recent Schedule 13G or Schedule 13G/A filing made by each of these parties): Blackrock, Inc. holds approximately 9.9% of our outstanding common stock; Vanguard Group Holdings holds approximately 9.3%; Legal & General Group Plc holds approximately 5.9%; and Ameriprise Financial, Inc. holds approximately 5.4%. This concentration of ownership may have the effect of a small number of investors promoting, discouraging, delaying or preventing a change in control and may also have an adverse effect on the market price of our common stock.
Certain provisions of our charter and of Delaware law make a takeover of our Company more difficult.
Our corporate charter and Delaware law contain provisions, such as a class of authorized but unissued preferred stock which may be issued by our board of directors without stockholder approval that might enable our management to resist a takeover of our Company. Delaware law also limits business combinations with interested stockholders. These provisions might discourage, delay or prevent a change in control or a change in our management. These provisions could also discourage proxy contests and make it more difficult for stockholders to elect directors and take other corporate actions. The existence of these provisions could limit the price that investors might be willing to pay in the future for shares of our common stock.
Future issuances of blank check preferred stock may reduce voting power of common stock and may have anti-takeover effects that could prevent a change in control.
Our corporate charter authorizes the issuance of up to 500,000 shares of preferred stock with such designations, rights, powers and preferences as may be determined from time to time by our board of directors, including such dividend, liquidation, conversion, voting or other rights, powers and preferences as may be determined from time to time by the board of directors without further stockholder approval.
The issuance of preferred stock could adversely affect the voting power or other rights of the holders of common stock. In addition, the authorized shares of preferred stock and common stock could be utilized, under certain circumstances, as a method of discouraging, delaying or preventing a change in control.
Our business could be adversely affected as a result of actions of activist stockholders.
Although we strive to maintain constructive, ongoing communications with all of our stockholders, and welcome their views and opinions with the goal of enhancing value for all of our stockholders, our stockholders have in the past, and may from time to time in the future, engage in proxy solicitations, advance stockholder proposals or otherwise attempt to effect changes at or acquire control of the Company. Campaigns by stockholders to effect changes at publicly traded companies are sometimes led by investors seeking to increase short-term stockholder value through actions such as stock repurchases or sales of assets or the entire company. Responding to proxy contests and other actions by activist stockholders can be costly and time-consuming and could divert the attention of our board of directors and senior management from the management of our operations and the pursuit of our business strategy. We cannot predict whether additional proxy contests or related matters will occur in the future and the time and cost associated with such matters.
32
Any perceived uncertainties as to our future direction and control, our ability to execute on our strategy or changes to the composition of our board of directors or senior management team arising from proposals by activist stockholders or a proxy contest could lead to the perception of a change in the direction of our business or instability that may be exploited by our competitors and/or other activist stockholders, result in the loss of customers or potential business opportunities, and make it more difficult to pursue our strategic initiatives or attract and retain qualified employees and business partners, any of which could have an adverse effect on our business, financial condition and operating results.
General Risks
Economic uncertainties or downturns could materially adversely affect our business.
Negative economic conditions, including conditions resulting from changes in foreign currency rates, changes in interest rates, gross domestic product growth, financial and credit market fluctuations, inflation, political turmoil, geopolitical tensions, tariffs, international trade disputes, natural catastrophes, regional and global conflicts, natural disasters, and terrorist attacks, could cause a decrease in business investments, including spending on information technology, and negatively affect the performance of our business. If global or regional economic and financial market conditions remain uncertain and/or weak for an extended period of time, any of the following factors, among others, could have a material adverse effect on our financial condition and results of operations:
•slower consumer or business spending may result in reduced demand for our products and services, reduced orders from customers, order cancellations, lower revenues, increased inventories, and lower gross margins;
•volatility in global markets, tariffs or international trade disputes, and fluctuations in exchange rates for foreign currencies could negatively impact our reported financial results and condition;
•restructurings, reorganizations, consolidations and other corporate events could affect our customers’ budgets and buying cycles, particularly in the banking and financial services industry, where we have particular exposure due to the majority of our customers being banks and financial institutions;
•if our customers experience declining revenues, or experience difficulty obtaining financing in the capital and credit markets to purchase our products and services, this could result in reduced orders, longer sales cycles, order cancellations, inability of customers to timely meet their payment obligations to us, extended payment terms, higher accounts receivable, reduced cash flows, greater expense associated with collection efforts and increased bad debt expense;
•severe financial difficulty experienced by our customers (such as the mid-market bank failures that occurred in 2023) may cause them to become insolvent or cease business operations, which could reduce sales, cash collections and revenue streams;
•volatility in the prices for materials and components we use in our Digipass products could have a material adverse effect on our costs, gross margins, and profitability; and
•any difficulty or inability on the part of manufacturers of our products or other participants in our supply chain in obtaining sufficient financing to purchase raw materials or to finance general working capital needs may result in delays or non-delivery of shipments of our products.
Furthermore, in an adverse economic environment there is a risk that customers may delay their orders until the economic conditions improve. If a significant number of orders are delayed for an indefinite period of time, our revenue and cash receipts may not be sufficient to meet the operating needs of the business. If this is the case, we may need to significantly reduce our workforce, sell certain of our assets, enter into strategic relationships or business combinations, discontinue some or all of our operations, or take other similar restructuring actions. While we expect that these actions would result in a reduction of recurring costs, they also may result in a reduction of recurring revenue and cash receipts. It is also likely that we would incur substantial non-recurring costs to implement one or more of these restructuring actions.
Catastrophic events may disrupt our business.
Our business operations are subject to interruption by natural disasters, including extreme weather related to the effects of climate change, and other catastrophic events such as fire, floods, power loss, telecommunications failure, cyberattack, war or terrorist attack, or epidemic or pandemic. To the extent such events impact our facilities or off-premises or third-party infrastructure, we may be unable to continue our operations and may endure system interruptions, reputational harm, delays in our software development, lengthy interruptions in our services, breaches of data security and loss of critical data, all of which could have an adverse effect on our future operating results.
33
Item 1B - Unresolved Staff Comments
None.
Item 1C - Cybersecurity
Risk Management and Strategy
As a cloud-based digital agreements and identity and authentication security solutions provider servicing customers in regulated industries, cybersecurity risk management is an important part of our identity. We maintain an enterprise cybersecurity risk management program designed to assess, identify, and manage material cybersecurity risks within our corporate information security environment and the systems we develop and operate for the benefit of our customers. Our cybersecurity risk management program is based upon best practices and standards for cybersecurity and information technology, including the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework (“CSF”) and the International Organization for Standardization (“ISO”) 27001 Information Security Management System Requirements.
Policies and Training. We maintain security policies, standards, and processes that apply across our operations and that are approved by management, communicated to our personnel, and reviewed on an annual basis. We provide a global security awareness education program that includes mandatory security and privacy awareness training for all personnel, regular phishing identification exercises, focused training opportunities for particular roles, and incident response training for key individuals.
Risk Assessment and Safeguards. We conduct regular assessments of risks and vulnerabilities to the confidentiality, integrity, and availability of data in our systems, and we implement safeguards to reduce these risks and vulnerabilities to a reasonable and appropriate level. For internal information systems and assets, we conduct regular internal reviews, employ continuous security monitoring, and conduct periodic independent reviews of the key components of our security program. For customer-facing products and services, in addition to internal reviews and testing, we undergo external reviews and penetration testing using an independent third party provider . Our cloud platforms for SaaS solutions are audited annually by external independent auditors who review our platforms against the Service Organization Controls (“SOC”) 2 and ISO 27001, 27017 and 27018 standards, and some of our Digital Agreement products are available on a FedRAMP compliant platform. Some of our products are certified under specific technical standards or industry guidelines, such as FIPS 140-2 and FIDO. Our Digipass authentication fulfillment services are also audited annually by external independent auditors against the SOC 2 standard. We conduct self-assessment activities for those standards or regulations that are not covered by the external auditors, such as the General Data Protection Regulation in Europe. Additionally, we periodically engage third party consultants to assist with identifying, assessing, and/or managing cybersecurity threats.
Incident Management. We have a documented incident response plan for identifying and responding to cybersecurity incidents that focuses on isolating, containing, mitigating, and eradicating the threat as quickly as possible. In the event of a cybersecurity incident, we will follow a documented incident escalation procedure. For a discussion of whether any cybersecurity risks have or are likely to materially affect us, please see 1A, Risk Factors, for a discussion of identified cybersecurity risks.
Third Party Risk Management. Our vendor security risk management program covers vendors that require connectivity to our systems or access to confidential information. We utilize a trust intelligence platform for managing data privacy and data governance which includes third party risk management. Security reviews are performed periodically, based on vendor criticality, to identify potential security issues with the vendor systems or practices. New vendor contracts are reviewed by our legal and security teams, as appropriate, to confirm that security and data protection are appropriately addressed.
Material Cybersecurity Incidents. While we have experienced several security incidents in the past, we have not experienced any material cybersecurity incidents for the fiscal year ended December 31, 2025. We do not believe that there are currently any known risks from cybersecurity threats that have materially affected or are reasonably likely to materially affect the Company or our business strategy, results of operations or financial condition.
34
Governance
Item 2 - Properties
OneSpan is headquartered in Boston, Massachusetts and has operations in Austria, Australia, Belgium, Canada, China, France, Japan, The Netherlands, Singapore, Switzerland, the United Arab Emirates, the United Kingdom, and the United States of America. Our European operational headquarters is in Brussels, Belgium; our primary global research and development center is in Montreal, Canada; and our Digipass authenticator logistics facility is located in Erembodegem, Belgium. We conduct sales and marketing, customer support, and general and administrative activities from various locations around the world.
Each of our properties support the operations of our two business divisions, which are our reportable operating segments: Cybersecurity and Digital Agreements.
All of our properties are leased. We believe that our facilities are adequate for our current needs and that suitable additional or substitute space will be available as needed to accommodate expansion of our operations.
Item 3 - Legal Proceedings
We are subject to certain legal proceedings and claims incidental to the operations of our business. We are also subject to certain other legal proceedings and claims that have arisen in the ordinary course of business that have not been fully adjudicated. We currently do not anticipate that these matters, if resolved against us, will have a material adverse impact on our financial results or financial condition.
For further information regarding our legal proceedings and claims, see Note 19, Commitments and Contingencies, included in the notes to consolidated financial statements in Part IV of this Annual Report on Form 10-K.
Item 4 - Mine Safety Disclosures
Not applicable.
35
PART II
Item 5 - Market for Registrant’s Common Equity, Related Stockholder Matters and Issuer Purchases of Equity Securities
Our common stock, par value $0.001 per share, trades on the Nasdaq Capital Market under the symbol OSPN. On February 19, 2026, there were 77 registered holders of our common stock.
Dividends
On February 26, 2026, the Company's board of directors declared a quarterly cash dividend as part of our recurring quarterly dividend program that we announced in December 2024. A cash dividend of $0.13 per share will be paid on March 27, 2026 to shareholders of record as of the close of business on March 13, 2026.
Recent Sales of Unregistered Securities
None
Issuer Purchases of Equity Securities
The following table provides information about purchases by the Company of its shares of common stock during the fourth quarter of 2025:
Period | Total Number of Shares Purchased (1) | Average Price Paid per Share | Total Number of Shares Purchased as Part of Publicly Announced Plans or Programs (1) | Maximum Dollar Value of Shares that May Yet Be Purchased Under the Plans or Programs (1) | ||||||||||||||||||||||
| October 1, 2025 through October 31, 2025 | — | $ | — | — | $ | 43,702,420 | ||||||||||||||||||||
| November 1, 2025 through November 30, 2025 | 423,867 | $ | 12.08 | 423,867 | $ | 38,582,107 | ||||||||||||||||||||
| December 1, 2025 through December 31, 2025 | 134,766 | $ | 12.21 | 134,766 | $ | 36,936,614 | ||||||||||||||||||||
(1) On May 9, 2024, the board of directors terminated the stock repurchase program adopted on May 11, 2022 and adopted a new stock repurchase program under which the Company is authorized to repurchase up to $50.0 million of our issued and outstanding shares of common stock. Share purchases under the program will take place in open market transactions, privately negotiated transactions or tender offers, and may be made from time to time depending on market conditions, share price, trading volume, and other factors. The timing of the repurchases and the amount of stock repurchased in each transaction is subject to our sole discretion and will depend upon market and business conditions, applicable legal and credit requirements, and other corporate considerations. The authorization is effective until May 9, 2026 unless the total amount has been used or authorization has been cancelled.
Stock Performance Graph
The Stock Performance Graph below compares the cumulative total return through December 31, 2025 assuming reinvestment of dividends, by an investor who invested $100.00 on December 31, 2020, in each of (i) our common stock, (ii) the Nasdaq Computer Index, (iii) the Russell 2000 Index, and (iv) the Standard Industrial Code Index 3577 – Computer Peripheral Equipment, NEC. The stock price performance shown on the graph below is not necessarily indicative of future price performance.
This graph shall not be deemed "soliciting material" or be deemed "filed" for purposes of Section 18 of the Exchange Act or otherwise subject to the liabilities under that Section, and shall not be deemed to be incorporated by reference into any of our filings under the Securities Act of 1933, as amended (the "Securities Act"), whether made before or after the date hereof and irrespective of any general incorporation language in any such filing.
36
| 12/30/2020 | 12/30/2021 | 12/31/2022 | 12/31/2023 | 12/31/2024 | 12/31/2025 | |||||||||||||||
| OneSpan Inc. | $ | 100.00 | $ | 81.87 | $ | 54.10 | $ | 51.82 | $ | 89.62 | $ | 64.05 | ||||||||
| NASDAQ Computer Index | $ | 100.00 | $ | 137.86 | $ | 88.54 | $ | 147.39 | $ | 200.98 | $ | 258.44 | ||||||||
| Russell 2000 Index | $ | 100.00 | $ | 114.82 | $ | 91.35 | $ | 106.82 | $ | 119.14 | $ | 134.40 | ||||||||
| 3577 - Computer Peripheral Equipment, NEC | $ | 100.00 | $ | 158.70 | $ | 112.91 | $ | 184.58 | $ | 235.96 | $ | 226.80 | ||||||||
Item 6.
[Reserved]
Item 7 - Management’s Discussion and Analysis of Financial Condition and Results of Operations (in thousands, except head count, ratios, time periods and percentages)
The following discussion and analysis of our financial condition and results of operations should be read in conjunction with our financial statements and related notes appearing elsewhere in this Annual Report on Form 10-K. In addition to historical financial information, the following discussion may contain predictions, estimates and other forward-looking statements that involve a number of risks and uncertainties, including those discussed under Item 1A, Risk Factors and elsewhere in this Form 10-K. These risks could cause our actual results to differ materially from any future performance suggested below. Please see “Cautionary Note Regarding Forward Looking Statements” at the beginning of this Form 10-K.
For a comparison of our results of operations for the fiscal years ended December 31, 2024 and 2023, see “Part II, Item 7, Management’s Discussion and Analysis of Financial Condition and Results of Operations” of our Annual Report on Form 10-K for the year ended December 31, 2023, filed on March 6, 2024.
37
Overview
OneSpan helps organizations build secure, seamless, and trusted digital experiences through two solution portfolios: Cybersecurity and Digital Agreements. Our cybersecurity solutions protect identities, secure mobile apps, and safeguard access through advanced high-assurance authentication, threat intelligence, fraud prevention, and mobile app protection, defending users, devices, and applications against sophisticated attacks. Our digital agreement solutions streamline agreement workflows with secure e-signatures, identity verification, and smart digital forms, built to enable speed, compliance and exceptional customer experiences. Trusted by leading global enterprises, including more than 60% of the world’s 100 largest banks, OneSpan processes over a hundred million digital agreements and billions of secure authentication transactions across more than 120 countries each year.
We offer our products primarily through a subscription licensing model and provide multiple deployment options, including cloud-based and on-premises solutions. Our solutions are sold worldwide through our direct sales force, as well as through distributors, resellers, systems integrators, and original equipment manufacturers.
We report our financial results under the following two business divisions, which are our reportable operating segments: Cybersecurity and Digital Agreements.
•Cybersecurity. Cybersecurity, formerly Security Solutions, consists of our broad portfolio of software products, software development kits ("SDKs") and Digipass authenticator devices that are used to build applications designed to defend against attacks on digital transactions across online environments, devices, and applications. The software products and SDKs included in the Cybersecurity segment are delivered through on-premises and cloud-based deployment models and include standards-based authentication technologies such as Fast Identity Online ("FIDO") authentication and passkeys, multi-factor authentication, transaction signing solutions and mobile application security.
•Digital Agreements. Digital Agreements consists of solutions that enable our clients to secure and automate business processes associated with their digital agreement and customer transaction lifecycles that require consent, non-repudiation and compliance. These solutions, which are cloud-based, include OneSpan Sign e-signature, OneSpan Notary, and OneSpan Identity Verification.
Beginning in mid-2023 and through the third quarter of 2024, our focus was on adjusting our cost structure to enable both business divisions to operate profitably. These cost optimization efforts were a major factor in the overall business returning to operating profitability in the fourth quarter of 2023. The subsequent increase in profitability, combined with high levels of cash generation, enabled us to return approximately $31.6 million to shareholders in 2025 in the form of quarterly dividends and share repurchases. Beginning in the fourth quarter of 2024 and continuing through 2025, we continued to operate profitably while taking a number of important steps to generate future revenue growth:
•In December 2024, we hired a new Chief Technology Officer, Ashish Jain, to lead our research and development efforts.
•In June 2025, we acquired Nok Nok Labs, a provider of passwordless software authentication solutions, which brought S3, a leading FIDO software product, to our product portfolio. This acquisition provides OneSpan's customers with a wider range of flexible, adaptable authentication options. See Note 6, Business Acquisitions, for additional information.
•In June 2025, we entered into the Credit Agreement with MUFG and other lenders party thereto. The Credit Agreement provides for a $100.0 million revolving credit facility with a $10.0 million letter of credit sublimit and a $10.0 million swingline loan sublimit. The proceeds of borrowings under the Credit Agreement may be used for general corporate purposes. We may borrow, repay and reborrow funds under the revolving credit facility until its maturity on June 23, 2030. See Note 12, Debt, for additional information.
•In October 2025, we announced a strategic investment in, and partnership with, ThreatFabric Holding B.V., a Dutch company that provides mobile threat intelligence, malware risk detection, and behavioral analytics, to further enhance the value we offer by providing fraud detection solutions to our customers. See Note 2, Summary of Significant Accounting Policies, for additional information.
•In December 2025, we hired a new Chief Revenue Officer, Shaun Bierweiler, to lead our go-to-market efforts, and to drive growth and customer success.
38
•Later in December 2025, we entered into a definitive agreement to acquire Build38, a leader in next-generation mobile application protection solutions, to extend our investment in advanced mobile security technologies. See Note 6, Business Acquisitions, for additional information.
Our efforts to broaden and strengthen our product offerings are driven in part by a secular shift away from physical authentication devices such as our Digipass tokens. Because consumers increasingly interact with their banks through their mobile devices rather than desktop computers, they are more likely to prefer authentication methods that enable secure, convenient access to mobile banking apps without the need for a physical device. In response to this trend, our bank and financial institution customers have increasingly adopted a “mobile first” approach to consumer authentication that prioritizes the mobile user experience over traditional desktop experiences. This approach has resulted in a reduction of Digipass hardware authenticator sales and an increase in sales of software authentication licenses delivered through software applications on mobile devices. Due largely to the mobile first trend, our revenue from Digipass devices declined from 78% of our revenue in 2015 to 20% of our revenue in 2025. Although we plan to continue to invest in our Digipass authenticators, including our newer FIDO2 Digipass devices, as an important component of our broad authentication solution portfolio, we are focused on driving revenue growth in higher–margin software solutions, both through further expansion of our Cybersecurity software solutions and through continued growth in our Digital Agreements division.
Restructuring Plan
In 2021 and 2022, our board of directors approved cost reduction actions designed to advance our operating model, streamline our business, improve efficiency, and enhance our capital resources.
In August 3, 2023, our board of directors approved further cost reduction actions (the "2023 Actions"). In connection with the 2023 Actions, we have incurred restructuring charges, most of which relate to employee transition and severance payments and employee benefits, with a significantly smaller amount of charges relating to vendor contract termination and rationalization actions. We terminated our restructuring plan as of December 31, 2025, as we substantially completed all of the workforce reductions and vendor contract termination and rationalization actions planned as part of the 2023 Actions from 2023 through 2025.
As part of the restructuring plan (including the 2023 Actions), we reduced headcount by eliminating approximately 345 positions. We incurred severance and related benefits costs, recorded in “Restructuring and other related charges” in the consolidated statements of operations for the years ended December 31, 2025, 2024 and 2023.
Recent Developments
On February 26, 2026, our board of directors declared a quarterly cash dividend as part of our recurring quarterly dividend program announced in December 2024. A cash dividend of $0.13 per share, which represents a year-over-year increase of 8.3%, will be paid on March 27, 2026 to shareholders of record as of the close of business on March 13, 2026. The declaration and payment of future dividends is subject to the sole discretion of the board.
Components of Operating Results
Revenue
We generate revenue from the sale of our subscriptions, maintenance and support, professional services, and Digipass hardware products. We believe comparison of revenues between periods is heavily influenced by the timing of orders and shipments reflecting the transactional nature of significant parts of our business.
•Product and license revenue. Product and license revenue includes Digipass hardware products and software licenses, which are provided on a perpetual or term basis subscription model.
•Service and other revenue. Service and other revenue includes solutions that are provided on a cloud-based subscription model, maintenance and support, and professional services.
Cost of Goods Sold
Our total cost of goods sold consists of cost of product and license revenue and cost of service and other revenue. We expect our cost of goods sold to increase in absolute dollars as our business grows, although it may fluctuate as a percentage of total revenue from period to period.
39
•Cost of product and license revenue. Cost of product and license revenue primarily consists of direct product and license costs, including personnel costs, production costs, freight, and inventory write-off adjustments for discontinued products and services.
•Cost of service and other revenue. Cost of service and other revenue primarily consists of costs related to cloud subscription solutions, including personnel and equipment costs, depreciation, amortization, and personnel costs of employees providing professional services and maintenance and support.
Gross Profit
Gross profit is revenue net of the cost of goods sold. Gross profit as a percentage of total revenue, or gross margin, has been and will continue to be affected by a variety of factors, including our average selling price, manufacturing costs, the mix of products sold, and the mix of revenue among products, subscriptions and services. We expect our gross margins to fluctuate over time depending on these factors.
Operating Expenses
Our operating expenses are generally based on anticipated revenue levels and fixed over short periods of time. As a result, small variations in revenue may cause significant variations in the period-to-period comparisons of operating income or operating income as a percentage of revenue.
Generally, the most significant factor driving our operating expenses is headcount. Direct compensation and benefit plan expenses generally represent between 50% and 60% of our operating expenses. In addition, a number of other expense categories are directly related to headcount. We attempt to manage our headcount within the context of the economic environments in which we operate, restructuring activities, and the investments we believe we need to make for our infrastructure to support future growth and for our products to remain competitive.
Historically, operating expenses have been impacted by changes in foreign exchange rates. We estimate the change in currency rates in 2025 compared to 2024 resulted in an increase in operating expenses of $1.3 million in 2025.
The comparison of operating expenses can also be impacted significantly by costs related to our share-based and long-term incentive plans. In 2025, 2024, and 2023, operating expenses included $11.3 million, $9.2 million, and $14.6 million, respectively, of expenses related to share-based and long-term incentive plans. Long-term incentive plan compensation expense consists of share-based incentives and an immaterial amount of cash-based incentives.
•Sales and marketing. Sales and marketing expenses consist primarily of personnel costs, commissions and bonuses, trade shows, marketing programs and other marketing activities, travel, outside consulting costs, and long-term incentive compensation. Our sales and marketing expenses may fluctuate as a percentage of total revenue.
•Research and development. Research and development expenses consist primarily of personnel costs (net of capitalized software costs), bonuses, and long-term incentive compensation. Our research and development expenses may fluctuate as a percentage of total revenue.
•General and administrative. General and administrative expenses consist primarily of personnel costs, bonuses, legal, consulting and other professional fees, transaction related expenses, and long-term incentive compensation. Our general and administrative expenses may fluctuate as a percentage of total revenue.
•Amortization of intangible assets. Acquired intangible assets are amortized over their respective amortization periods and are periodically evaluated for impairment or changes in estimated useful life.
•Restructuring and other related charges. Restructuring and other related charges consists of employee costs which include severance, retention pay, and related benefits incurred in connection with headcount reductions as part of our restructuring plan, including the 2023 Actions; real estate rationalization costs incurred to optimize our real estate footprint, which include lease contract termination costs, asset impairment charges, and lease right-of-use asset and lease liability write-off gains or losses; product and services optimization costs incurred to advance our operating model, which include write-offs of capitalized software assets no longer in use; write-offs of acquired blockchain technology and related capitalized software due to the discontinuation of incremental development investments in this technology and related commercial efforts; and vendor rationalization costs for contractually committed services that we are no longer utilizing. We terminated our restructuring plan as of December 31, 2025, as we substantially completed all of the workforce reductions and vendor contract termination and rationalization actions planned as part of the 2023 Actions in 2023 through 2025.
40
Segment Results
Segment operating income (loss) consists of the revenue generated by a segment, less the direct costs of revenue, sales and marketing, research and development and amortization and any impairment charges that are incurred directly by a segment. Unallocated corporate costs include general and administrative expense and other company-wide costs that are not attributable to a particular segment. Financial results by operating segment are included below under Results of Operations. As of December 31, 2024, we adopted ASU 2023-07, Segment Reporting (Topic 280) to improve reportable segment disclosure requirements, primarily through enhanced disclosures about significant segment expenses. See Note 3, Segment Information, for additional information.
Interest Income, Net
Interest income, net, consists of income earned on our cash equivalents, which are invested in short-term instruments at current market rates. Interest expense is primarily related to the amortization of debt issuance costs associated with our credit facilities.
Other Expense, Net
Other expense, net, primarily includes exchange gains (losses) on transactions that are denominated in currencies other than our subsidiaries’ functional currencies, subsidies received from foreign governments in support of our research and development in those countries, and other miscellaneous non-operational expenses.
Income Taxes
Our effective tax rate reflects our global structure related to the ownership of our intellectual property (“IP”). Our IP in our Cybersecurity division is owned by our U.S. subsidiaries. The e-signature IP in our Digital Agreements division is owned by a subsidiary in Canada. These subsidiaries have entered into agreements with most of the other OneSpan entities under which those other entities provide services to the IP owners on a cost plus basis. In addition, many of our OneSpan entities operate as distributors for all of our OneSpan products. Under this structure, the earnings of our service provider and distributor subsidiaries are relatively constant. These subsidiaries tend to be in jurisdictions with higher effective tax rates. Fluctuations in earnings flow to the IP owners.
We record changes in valuation allowance against deferred tax assets that, based on management’s assessment, are considered not to be more likely than not to be realized. The decrease in the valuation allowance in 2025 and 2024 reflects a change in management's assessment of our ability to use existing deferred tax assets, including NOLs and credits and other carryforwards, due to an increase in the operating profit and the intra-entity asset transfer of certain intellectual property ("IP Transfer") discussed in Note 14, Income Taxes.
Management assesses the need for a valuation allowance on a regular basis, weighing all positive and negative evidence to determine whether a deferred tax asset will be fully or partially realized. In evaluating the realizability of deferred tax assets, significant pieces of negative evidence such as 3-year cumulative losses are considered. Management also reviews reversal patterns of temporary differences to determine if the Company would have sufficient taxable income due to the reversal of temporary differences to support the realization of deferred tax assets. Management continues to maintain a valuation allowance against certain deferred tax assets in jurisdictions where assets are not more likely than not to be realized. For all other remaining deferred tax assets, management believes it is still more likely than not that the results of future operations will generate sufficient taxable income to realize the deferred tax assets.
As of December 31, 2025, we adopted ASU 2023-09, Income Taxes (Topic 740) – Improvements to Income Tax Disclosures, which is intended to enhance the transparency and decision usefulness of income tax disclosures. See Note 14, Income Taxes, for additional information.
Impact of Currency Fluctuations
In 2025 and 2024, we generated approximately 79% and 83%, of our revenue and incurred approximately 54% and 59% of our operating expenses outside of the U.S., respectively. As a result, changes in currency exchange rates, especially the Euro exchange rate and the Canadian dollar exchange rate, can have a significant impact on our revenue and operating expenses.
41
While the majority of our revenue is generated outside of the U.S., a significant amount of our revenue earned during the year ended December 31, 2025 was denominated in U.S. dollars. In 2025, approximately 57% of our revenue was denominated in U.S. dollars, 40% was denominated in Euros and 3% was denominated in other currencies. In 2024, approximately 55% of our revenue was denominated in U.S. dollars, 41% was denominated in Euros and 4% was denominated in other currencies.
In general, to minimize the net impact of currency fluctuations on operating income, we attempt to denominate an amount of billings in a currency such that it would provide a natural hedge against the operating expenses being incurred in that currency. We expect that changes in currency rates may impact our future results if we are unable to match amounts of revenue with our operating expenses in the same currency. If the amount of our revenue in Europe denominated in Euros continues as it is now or declines, we may not be able to fully balance the exposures of currency exchange rates on revenue and operating expenses.
The financial position and the results of operations of our foreign subsidiaries, with the exception of our subsidiaries in Switzerland, Singapore and Canada, are measured using the local currency as the functional currency. The functional currency for our subsidiaries in Switzerland, Singapore and Canada is the U.S. dollar. Accordingly, assets and liabilities are translated into U.S. dollars using current exchange rates as of the balance sheet date. Revenues and expenses are translated at average exchange rates prevailing during the year. Translation adjustments arising from differences in exchange rates generated comprehensive loss of $7.4 million in 2025 and a comprehensive gain of $3.3 million in 2024. These amounts are included as a separate component of stockholders’ equity.
Gains and losses resulting from foreign currency transactions are included in the consolidated statements of operations in other expense, net. Foreign exchange transaction losses aggregated $1.6 million and $0.9 million for the years ended December 31, 2025 and 2024, respectively.
Results of Operations
The following table sets forth information about the Company's two operating segments, for the periods indicated, and selected segment and consolidated operating results. Unallocated corporate costs include costs related to administrative functions that are performed in a centralized manner that are not attributable to a particular segment.
| Year Ended December 31, 2025 | |||||||||||||||||||||||
| (In thousands) | Cybersecurity | Digital Agreements | Corporate and Other | Total | |||||||||||||||||||
Revenue | $ | 177,688 | $ | 65,492 | $ | — | $ | 243,180 | |||||||||||||||
| Cost of goods sold | 45,373 | 18,453 | — | 63,826 | |||||||||||||||||||
| Gross profit | 132,315 | 47,039 | — | 179,354 | |||||||||||||||||||
| Gross margin | 74% | 72% | * | 74% | |||||||||||||||||||
| Sales and marketing | 29,752 | 13,885 | 3,313 | 46,950 | |||||||||||||||||||
| Research and development | 21,559 | 11,711 | 886 | 34,156 | |||||||||||||||||||
| Other segment items (2)(4) | 999 | 5,482 | 43,321 | 49,802 | |||||||||||||||||||
| Operating income (loss) (3)(5) | 80,005 | 15,961 | (47,520) | 48,446 | |||||||||||||||||||
Interest income, net | — | — | 1,985 | ||||||||||||||||||||
| Other expense, net | — | — | — | (1,069) | |||||||||||||||||||
| Income before income taxes | 49,362 | ||||||||||||||||||||||
| Benefit from income taxes | (23,542) | ||||||||||||||||||||||
| Net income | $ | 72,904 | |||||||||||||||||||||
42
| Year Ended December 31, 2024 | |||||||||||||||||||||||
| (In thousands) | Cybersecurity | Digital Agreements | Corporate and Other | Total | |||||||||||||||||||
Revenue | $ | 182,187 | $ | 60,992 | $ | — | $ | 243,179 | |||||||||||||||
| Cost of goods sold | 49,319 | 19,281 | 3 | 68,603 | |||||||||||||||||||
| Gross profit (1) | 132,868 | 41,711 | (3) | 174,576 | |||||||||||||||||||
| Gross margin | 73% | 68% | * | 72% | |||||||||||||||||||
| Sales and marketing | 24,684 | 15,658 | 4,204 | 44,546 | |||||||||||||||||||
| Research and development | 16,132 | 16,117 | 174 | 32,423 | |||||||||||||||||||
| Other segment items (2)(4) | 1,990 | 4,321 | 46,491 | 52,802 | |||||||||||||||||||
| Operating (loss) income (3)(5) | 90,062 | 5,615 | (50,872) | 44,805 | |||||||||||||||||||
Interest income, net | 1,807 | ||||||||||||||||||||||
| Other expense, net | (125) | ||||||||||||||||||||||
| Income before income taxes | $ | 46,487 | |||||||||||||||||||||
| Benefit from income taxes | $ | (10,595) | |||||||||||||||||||||
| Net income | $ | 57,082 | |||||||||||||||||||||
* Percentage not meaningful
(1) Digital Agreements gross profit includes an intangible asset write-off of $0.8 million and an internal capitalized software write-off of $0.7 million for the year ended December 31, 2024 (see Note 8, Intangible Assets, net and Note 9, Property and Equipment, net).
(2) Cybersecurity other segment items includes general and administrative expense, restructuring and other related charges, and amortization of intangibles for the years ended December 31, 2025 and 2024.
(3) Cybersecurity operating income includes $1.3 million and $0.9 million of total amortization and depreciation expense for the years ended December 31, 2025 and 2024, respectively.
Cybersecurity operating income includes $0.3 million and $2.0 million of restructuring and other related charges for the years ended December 31, 2025 and 2024, respectively.
(4) Digital Agreements other segment items includes general and administrative expense, restructuring and other related charges, and amortization of intangibles for the years ended December 31, 2025 and 2024.
(5) Digital Agreements operating income includes $7.5 million and $6.2 million of total amortization and depreciation for the years ended December 31, 2025 and 2024, respectively.
Digital Agreements operating income includes $1.0 million and $1.7 million of restructuring and other related charges for the years ended December 31, 2025 and 2024, respectively.
Revenue by products and services allocated to the segments for the years ended December 31, 2025 and 2024 is as follows:
43
| Years Ended December 31, | |||||||||||||||||||||||
| 2025 | 2024 | ||||||||||||||||||||||
| (In thousands) | Cybersecurity | Digital Agreements | Cybersecurity | Digital Agreements | |||||||||||||||||||
| Subscription | $ | 90,929 | $ | 65,199 | $ | 80,555 | $ | 58,848 | |||||||||||||||
| Maintenance and support | 34,736 | 90 | 38,342 | 1,736 | |||||||||||||||||||
Professional services and other | 2,916 | 203 | 4,439 | 408 | |||||||||||||||||||
| Hardware products | 49,107 | — | 58,851 | — | |||||||||||||||||||
| Total Revenue | $ | 177,688 | $ | 65,492 | $ | 182,187 | $ | 60,992 | |||||||||||||||
For the year ended December 31, 2025, total revenue was flat compared to the year ended December 31, 2024. Changes in foreign exchange rates as compared to the same period in 2024 favorably impacted total revenue by approximately $3.7 million.
Additional information on our revenue by segment follows.
•Cybersecurity revenue decreased $4.5 million, or approximately 2%, during the year ended December 31, 2025 compared to the year ended December 31, 2024. This decrease was primarily attributable to lower volumes of hardware devices sold due to the mobile-first trend, and to a lesser extent, lower perpetual-based maintenance and professional services revenues due to our transition to term licenses and cloud subscription license models and the sunsetting of our Dealflo solution. The decrease was partially offset by higher term license subscription revenues, primarily from existing customers, increased cloud subscription revenue, and revenue from customers acquired in our acquisition of Nok Nok Labs. Changes in foreign exchange rates compared to the same period in 2024 favorably impacted Cybersecurity revenue by $3.5 million.
•Digital Agreements revenue increased $4.5 million, or approximately 7%, during the year ended December 31, 2025 compared to the year ended December 31, 2024. The increase in Digital Agreements revenue was primarily attributable to higher cloud subscription revenue from existing customer expansions and, to a lesser extent, customers new to OneSpan ("new logos") and overages, partially offset by lower term-based maintenance revenue due to our transition to cloud subscription licenses. Changes in foreign exchange rates as compared to the same period in 2024 favorably impacted Digital Agreements revenue by $0.2 million.
Revenue by Geographic Regions: We classify our sales by customer location in three geographic regions: 1) EMEA, which includes Europe, Middle East and Africa; 2) the Americas, which includes North, Central, and South America; and 3) Asia Pacific (APAC), which also includes Australia and New Zealand. The breakdown of revenue in each of our major geographic areas was as follows:
| Years Ended December 31, | |||||||||||||||||||||||
| (In thousands, except percentages) | 2025 | 2024 | Change ($) | Change (%) | |||||||||||||||||||
| Revenue | |||||||||||||||||||||||
| EMEA | $ | 102,604 | $ | 108,555 | $ | (5,951) | (5) | % | |||||||||||||||
| Americas | 95,709 | 86,803 | 8,906 | 10 | % | ||||||||||||||||||
| APAC | 44,867 | 47,821 | (2,954) | (6) | % | ||||||||||||||||||
| Total revenue | $ | 243,180 | $ | 243,179 | $ | 1 | — | % | |||||||||||||||
| % of Total Revenue | |||||||||||||||||||||||
| EMEA | 42 | % | 44 | % | |||||||||||||||||||
| Americas | 39 | % | 36 | % | |||||||||||||||||||
| APAC | 19 | % | 20 | % | |||||||||||||||||||
44
For the year ended December 31, 2025, revenue generated in EMEA was $6.0 million, or 5%, lower than the same period in 2024, primarily due to lower hardware volumes attributed to the mobile-first trend and end-of-life products, partially offset by an increase in revenue from mobile application security products.
For the year ended December 31, 2025, revenue generated in the Americas was $8.9 million, or 10%, higher than the same period in 2024, primarily due to an increase in revenue from software authentication products and Digital Agreements revenue.
For the year ended December 31, 2025, revenue generated in APAC was $3.0 million, or 6%, lower than the same period in 2024, primarily attributable to lower hardware volumes and a decrease in revenue from software authentication products, partially offset by an increase in revenue from mobile application security products.
Cost of Goods Sold, Gross Profit and Gross Margin
The following table presents costs of goods sold for our products and services for the years ended December 31, 2025 and 2024:
| Years Ended December 31, | |||||||||||||||||||||||
| (In thousands, except percentages) | 2025 | 2024 | Change ($) | Change (%) | |||||||||||||||||||
| Cost of goods sold | |||||||||||||||||||||||
| Product and license | $ | 32,130 | $ | 36,732 | $ | (4,602) | (13) | % | |||||||||||||||
| Services and other | 31,696 | 31,871 | (175) | (1) | % | ||||||||||||||||||
| Total cost of goods sold | $ | 63,826 | $ | 68,603 | $ | (4,777) | (7) | % | |||||||||||||||
| Gross profit | $ | 179,354 | $ | 174,576 | $ | 4,778 | 3 | % | |||||||||||||||
| Gross margin | |||||||||||||||||||||||
| Product and license | 75 | % | 72 | % | |||||||||||||||||||
| Services and other | 72 | % | 71 | % | |||||||||||||||||||
| Total gross margin | 74 | % | 72 | % | |||||||||||||||||||
The cost of product and license revenue decreased $4.6 million or 13% for the year ended December 31, 2025 compared to the year ended December 31, 2024. The decrease in cost of product and license revenue was primarily driven by lower hardware revenue and hardware costs, partially offset by higher third-party license costs.
The cost of services and other revenue decreased $0.2 million or 1% for the year ended December 31, 2025, compared to the year ended December 31, 2024. This was due to the impact of our 2024 write-off of costs associated with our decision to discontinue investment in blockchain technology (see Note 8, Intangible Assets - net) (the "2024 write-off") and lower cloud platform costs in 2025.
Gross profit increased $4.8 million, or 3% for the year ended December 31, 2025 compared to the year ended December 31, 2024. Total gross margin was 74% for the year ended December 31, 2025, compared to 72% for the year ended December 31, 2024. The change was primarily driven by an increase in software revenue and decrease in hardware revenue, and the prior year impact of the 2024 write-off.
The majority of our inventory purchases are denominated in U.S. dollars. Our sales are denominated in various currencies, including the Euro. The impact of changes in currency rates are estimated to have had a unfavorable impact on overall cost of goods sold of less than $0.1 million for the year ended December 31, 2025. Had currency rates in 2025 been equal to rates in the comparable period of 2024, the gross profit margin would have been less than 1 percentage point lower for the year ended December 31, 2025.
Additional information on our gross profit by segment follows.
45
•Cybersecurity gross profit decreased $0.6 million for the year ended December 31, 2025 compared to the prior year. Cybersecurity gross margin was 74% and 73% for the years ended December 31, 2025 and 2024, respectively. The increase in the gross margin of 1% was due to an increase in higher-margin hardware revenue, despite lower overall hardware revenue, due to favorable hardware product and customer mix partially offset by slightly lower margins in software revenue, despite higher overall software revenue, primarily due to incremental third party costs.
•Digital Agreements gross profit increased $5.3 million, or approximately 13%, for the year ended December 31, 2025 compared to the prior year. Digital Agreements gross margin for the years ended December 31, 2025 and 2024 was 72% and 68%, respectively. The increase in gross profit and gross margin was driven by higher cloud subscription revenue, lower cloud platform costs, and the prior year impact of the 2024 write-off.
Operating Expenses
For the year ended December 31, 2025, operating expenses increased by $1.1 million, or 1%, compared to the year ended December 31, 2024. Changes in foreign exchange rates unfavorably impacted operating expenses by approximately $1.3 million as compared to the year ended December 31, 2024.
The following table presents the breakout of operating expenses by category as of December 31, 2025 and 2024:
| Years Ended December 31, | |||||||||||||||||||||||
| (In thousands, except percentages) | 2025 | 2024 | Change ($) | Change (%) | |||||||||||||||||||
| Operating costs | |||||||||||||||||||||||
| Sales and marketing | $ | 46,950 | $ | 44,546 | $ | 2,404 | 5 | % | |||||||||||||||
| Research and development | 34,156 | 32,423 | 1,733 | 5 | % | ||||||||||||||||||
| General and administrative | 45,693 | 46,007 | (314) | (1) | % | ||||||||||||||||||
| Restructuring and other related charges | 1,628 | 4,444 | (2,816) | (63) | % | ||||||||||||||||||
| Amortization of intangible assets | 2,481 | 2,351 | 130 | 6 | % | ||||||||||||||||||
| Total operating costs | $ | 130,908 | $ | 129,771 | $ | 1,137 | 1 | % | |||||||||||||||
Sales and Marketing Expenses
Sales and marketing expenses increased $2.4 million, or 5%, for the year ended December 31, 2025 compared to the year ended December 31, 2024. The increase was driven primarily by higher employee compensation costs, which included increases in salaries, benefits and commission as a result of headcount additions, including the acquisition of Nok Nok Labs. This increase was partially offset by decreased software licensing costs and lead generation costs due to rationalization efforts.
Average full-time sales and marketing employee headcount for year ended December 31, 2025 was 165, compared to 161 for year ended December 31, 2024.
Research and Development Expenses
Research and development expenses increased $1.7 million, or 5%, for the year ended December 31, 2025 compared to the year ended December 31, 2024. The increase in expense for the period was primarily driven by higher compensation and related benefit costs, including the acquisition of Nok Nok Labs, and lower internal software capitalization costs in 2025 compared to 2024.
Average full-time research and development employee headcount for the year ended December 31, 2025 was 232, compared to 234 for year ended December 31, 2024.
46
General and Administrative Expenses
General and administrative expenses decreased $0.3 million, or 1%, for the year ended December 31, 2025 compared to the year ended December 31, 2024. This decrease was largely driven by lower employee compensation costs, which included a decrease in salaries, payroll taxes, and related benefits as a result of lower headcount as well as lower bonus accruals, partially offset by by increased stock-based compensation expense and higher external advisor costs in 2025 compared to the prior year.
Average full-time general and administrative employee headcount for the year ended December 31, 2025 was 87, compared to 100 for the year ended December 31, 2024.
Restructuring and Other Related Charges
Restructuring and Other Related Charges
Restructuring and other related charges were $1.6 million for the year ended December 31, 2025, compared to $4.4 million for the year ended December 31, 2024, a decrease of $2.8 million or 63%. The year-over-year decrease was largely due to minimal headcount reductions, vendor rationalization and capitalized software write-off costs in 2025 compared to 2024.
Amortization of Intangible Assets
Amortization of intangible assets was $2.5 million and $2.4 million for years ended December 31, 2025 and 2024, respectively. The increase in 2025 as compared to 2024 relates to increased amortization from the intangible assets associated with the acquisition of Nok Nok Labs.
Segment Operating Income
Information on our operating income by segment follows.
•Cybersecurity: For the year ended December 31, 2025, Cybersecurity operating income was $80.0 million, which was $10.1 million, or 11%, lower than the prior year. This decrease was largely due to higher sales and marketing expenses and research and development expenses, including employee compensation and external advisor expenses, partially offset by lower restructuring costs.
•Digital Agreements: Operating income for the year ended December 31, 2025 was $16.0 million, compared to $5.6 million in the prior year. The increase was driven by higher gross profit as discussed in the gross profit section above and lower operating expenses primarily due to lower employee compensation costs.
Interest Income, net
| Years Ended December 31, | |||||||||||||||||||||||
| (In thousands, except percentages) | 2025 | 2024 | Change ($) | Change (%) | |||||||||||||||||||
| Interest income, net | $ | 1,985 | $ | 1,807 | $ | 178 | 10% | ||||||||||||||||
Interest income, net, was $2.0 million for the year ended December 31, 2025, compared to $1.8 million for the year ended December 31, 2024. The increase in interest income was due to higher average excess cash invested in the period compared to the prior year period, partially offset by interest charges related to the Credit Agreement in 2025.
Other Expense, Net
| Years Ended December 31, | |||||||||||||||||||||||
| (In thousands, except percentages) | 2025 | 2024 | Change ($) | Change (%) | |||||||||||||||||||
| Other expense, net | $ | (1,069) | $ | (125) | $ | (944) | 755% | ||||||||||||||||
Other expense, net, includes the net impact of subsidies received from foreign governments in support of our research and development in those countries, exchange gains (losses) on transactions that are denominated in currencies other than our subsidiaries’ functional currencies, and other miscellaneous non-operational, non-recurring income and expenses.
47
For the year ended December 31, 2025, other expense, net was $1.1 million, compared to $0.1 million for the year ended December 31, 2024. The change was largely driven by increased foreign exchange transaction losses in 2025 compared to foreign exchange transaction losses in 2024, as well as lower income from foreign government subsidies.
Benefit from income taxes
| Years Ended December 31, | |||||||||||||||||||||||
| (In thousands, except percentages) | 2025 | 2024 | Change ($) | Change (%) | |||||||||||||||||||
Benefit for income taxes | $ | 23,542 | $ | 10,595 | $ | 12,947 | 122% | ||||||||||||||||
We recorded income tax benefits of $23.5 million and $10.6 million for the years ended December 31, 2025 and 2024, respectively. The income tax benefit recorded for the year ended December 31, 2025 was primarily attributable to the release of valuation allowance for our Canadian entity, offset by income tax provision expense on profits. The income tax benefit recorded for the year ended December 31, 2024 was primarily attributable to a worthless stock deduction for our investment in one of our wholly owned subsidiaries, the release of valuation allowance for our U.S. entity, and the income tax benefit attributable to the IP Transfer, offset by income tax expense attributable to an increase in income before taxes. See Note 14, Income Taxes for additional information.
Loss Carryforwards Available
At December 31, 2025, we have gross deferred tax assets of $51.8 million resulting from U.S. federal, foreign and state NOL carryforwards of $129.9 million and other foreign deductible carryforwards of $144.2 million. At December 31, 2025, we have a valuation allowance of $1.7 million against deferred tax assets related to certain carryforwards. See Note 14, Income Taxes, for additional information.
Key Business Metrics and Non-GAAP Financial Measures
In our quarterly earnings press releases and conference calls, we discuss the below key metrics and financial measures that are not calculated according to generally accepted accounting principles (“GAAP”). These metrics and non-GAAP financial measures help us monitor and evaluate the effectiveness of our operations and evaluate period-to-period comparisons. Management believes that these metrics and non-GAAP financial measures help illustrate underlying trends in our business. We use these metrics and non-GAAP financial measures to establish budgets and operational goals (communicated internally and externally), manage our business and evaluate our performance. We also believe that both management and investors benefit from referring to these metrics and non-GAAP financial measures as supplemental information in assessing our performance and when planning, forecasting, and analyzing future periods. We believe these metrics and non-GAAP financial measures are useful to investors both because they allow for greater transparency with respect to financial measures used by management in their financial and operational decision-making and also because they are used by investors and the analyst community to help evaluate the health of our business.
Annual Recurring Revenue
We use annual recurring revenue ("ARR") as an approximate measure to monitor the revenue growth of our recurring business. ARR represents the annualized value of the active portion of SaaS, term-based license, and maintenance and support contracts at the end of the reporting period. For term-based license arrangements, the amount included in ARR is consistent with the amount that we invoice the customer annually for the term-based license transaction. A customer with a one-year term-based license contract will be invoiced for the total value of the contract at the beginning of the contractual term, while a customer with a multi-year term-based license contract will be invoiced for each annual period at the beginning of each year of the contract. For contracts that include annual values that increase over time because there are additional deliverables in subsequent periods, we include in ARR only the annualized value of components of the contract that are considered active as of the date of the ARR calculation. We do not include the future committed increases in the contract value as of the date of the ARR calculation.
We consider a contract to be active from when the product or service contractual term commences (the “start date”) until the right to use the product or service ends (the “expiration date”). Even if the contract with the customer is executed before the start date, the contract will not count toward ARR until the customer's right to receive the benefit of the products or services has commenced.
48
To the extent that we are negotiating a renewal with a customer within 90 days after the expiration of a recurring contract, we continue to include that revenue in ARR if we are actively in discussions with the customer for a new recurring contract or renewal and the customer has not notified us of an intention not to renew. We exclude from the calculation of ARR renewal contracts that are more than 90 days after their expiration date, even if we are continuing to negotiate a renewal at that time.
ARR is not calculated based on recognized or unearned revenue and there is no direct relationship between revenue recognized in accordance with Accounting Standards Codification (“ASC”) Topic 606, Revenue from Contracts with Customers, and the Company’s ARR business metric. We believe ARR is a valuable operating measure to assess the health of our SaaS, term-based license, and maintenance and support contracts because it illustrates our customer recurring contracts as of the measurement date. ARR is not a forecast of future revenue, which can be impacted by contract start and end dates and renewal rates, and does not include revenue from perpetual licenses, purchases of Digipass authenticators, training, professional services or other sources of revenue that are not deemed to be recurring in nature.
ARR does not have any standardized meaning and is therefore unlikely to be comparable to similarly titled measures presented by other companies. ARR should be viewed independently of revenue and deferred revenue as ARR is an operating metric and is not intended to be combined with or replace these items. Investors should consider our ARR operating measure only in conjunction with our GAAP financial results.
At December 31, 2025, we reported ARR of $186.9 million, which was 11% higher than 2024 ARR of $167.7 million. 2025 ARR included the contribution from our acquisition of Nok Nok Labs, which closed on June 4, 2025. Changes in foreign exchange rates during the year ended December 31, 2025 as compared to the prior year positively impacted ARR by approximately $0.6 million. ARR growth was primarily driven by an increase in subscription contracts and new logos, partially offset by the sunsetting of our on-premises e-signature and Dealflo solutions.
Net Retention Rate
Net Retention Rate ("NRR") is defined as the approximate year-over-year percentage growth in ARR from the same set of customers at the end of the prior year period. It measures the Company’s ability to increase revenue across our existing customer base through expanded use of our platform, offset by customers whose subscription contracts with us are not renewed or renew at a lower amount. The Company’s ability to drive growth and generate incremental revenue depends, in part, on our ability to maintain and grow our relationships with customers. NRR is an important way in which we track our performance in this area.
We reported NRR of 104% and 106% at December 31, 2025 and 2024, respectively. The year-over-year change in NRR was primarily due to a decrease in contracts that increased in value and to a lesser extent, an increase in contracts that decreased in value, or contracted, partially offset by a reduction in churned contracts.
Adjusted EBITDA
We define Adjusted EBITDA as net income before interest, taxes, depreciation, amortization, long-term incentive compensation and related payroll tax expense, restructuring and other related charges, and certain non-recurring items, including acquisition related costs, rebranding costs, and non-routine shareholder matters. Adjusted EBITDA is a non-GAAP financial metric. We use Adjusted EBITDA as a simplified measure of performance for use in communicating our performance to investors and analysts and for comparisons to other companies within our industry. As a performance measure, we believe that Adjusted EBITDA presents a view of our operating results that is most closely related to serving our customers. By excluding interest, taxes, depreciation, amortization, long-term incentive compensation and related payroll tax expense, restructuring costs and other related costs, and certain other non-recurring items, we are able to evaluate performance without considering decisions that, in most cases, are not directly related to meeting our customers’ requirements and were either made in prior periods (e.g., depreciation, amortization, long-term incentive compensation and related payroll tax expense, non-routine shareholder matters), deal with the structure or financing of the business (e.g., interest, one-time strategic action costs, restructuring costs, impairment charges) or reflect the application of regulations that are outside of the control of our management team (e.g., taxes). In addition, removing the impact of these items helps us compare our core business performance with that of our competitors.
49
Non-GAAP financial metrics such as Adjusted EBITDA are not measures of performance under GAAP and should not be considered in isolation or as alternatives or substitutes for the most directly comparable financial measures calculated in accordance with GAAP, but, rather, should be considered together with our consolidated financial statements, which are prepared in accordance with GAAP and included in Part IV, Item 15, Exhibits and Financial Statement Schedules.
The following table reconciles net income as reported on our consolidated statements of operations to non-GAAP Adjusted EBITDA:
| Years Ended December 31, | ||||||||||||||
| (In thousands) | 2025 | 2024 | ||||||||||||
| Net income | $ | 72,904 | $ | 57,082 | ||||||||||
| Interest income, net | (1,985) | (1,807) | ||||||||||||
| Benefit from income taxes | (23,542) | (10,595) | ||||||||||||
| Depreciation and amortization of intangible assets (1) | 10,070 | 8,364 | ||||||||||||
| Long-term incentive compensation and related payroll tax expense (2) | 12,231 | 10,043 | ||||||||||||
| Restructuring and other related charges (3) | 2,057 | 6,063 | ||||||||||||
| Other non-recurring items (4) | 5,914 | 4,223 | ||||||||||||
| Adjusted EBITDA | $ | 77,649 | $ | 73,373 | ||||||||||
(1) Includes cost of sales depreciation and amortization expense directly related to delivering cloud subscription revenue of $5.6 million and $3.4 million for the years ended December 31, 2025 and 2024, respectively. Costs are recorded in “Services and other cost of goods sold” on the consolidated statements of operations.
(2) Long-term incentive compensation and related payroll tax expense includes share-based compensation and related payroll tax expense, and cash incentive grants awarded to employees located in jurisdictions where we do not issue share-based compensation due to tax, regulatory or similar reasons. The expense associated with these cash incentive grants was immaterial for the years ended December 31, 2025 and 2024, respectively.
Starting January 1, 2025, employer payroll taxes related to employee stock-based award transactions are included in long-term incentive compensation and related payroll tax expense. Prior period amounts have been adjusted to reflect these changes. We are excluding these payroll taxes from Adjusted EBITDA results since they are tied to the timing and size of the vesting of the underlying stock-based awards and the price of our common stock at the time of vesting, which may vary from period to period independent of our operating performance. Employer payroll taxes related to employee stock-based award transactions amounted to $1.0 million and $0.9 million for the years ended December 31, 2025 and 2024, respectively.
(3) Includes write-offs of property and equipment, net, of $0.7 million for the year ended December 31, 2025. Includes write-offs of intangible assets and property and equipment, net, of $0.8 million and $1.0 million, respectively, for the year ended December 31, 2024. Costs are recorded in "Services and other costs of good sold" and "Restructuring and other related charges," respectively, on the consolidated statements of operations.
(4) For the year ended December 31, 2025, other non-recurring items consist of $5.9 million of fees related to non-recurring projects, including transaction costs related to acquisition projects. For the year ended December 31, 2024, other non-recurring items consisted of $4.2 million of fees related to non-recurring projects.
Adjusted EBITDA increased during the year ended December 31, 2025 compared to 2024, primarily due to lower costs of goods sold, partially offset by increased sales and marketing and research and development expenses. Year-over-year changes in foreign exchange rates favorably impacted Adjusted EBITDA by approximately $0.1 million for the year ended December 31, 2025.
Please see further discussion in Item 7, Management's Discussion and Analysis of Financial Condition and Results of Operations for an analysis of the components of net income (loss) in the consolidated statements of operations for the years ended December 31, 2025 and 2024, and additional detail regarding items excluded from Adjusted EBITDA.
50
Liquidity and Capital Resources
As of December 31, 2025 and 2024, we had cash and cash equivalents balances of $70.5 million and $83.2 million, respectively. Our cash and cash equivalents balance included money market funds as of December 31, 2025 and money market funds and U.S. treasury bills with maturities at acquisition of less than three months as of December 31, 2024.
We were party to lease agreements that required letters of credit and guarantees to secure the obligations and a cash guarantee with a payroll vendor which totaled $0.2 million at December 31, 2024. Our restricted cash at December 31, 2024 related to letters of credit that were recorded as "Other assets" on the consolidated balance sheet as its requirement was for a period greater than 12 months. This balance is no longer on the consolidated balance sheet as of December 31, 2025 as the restricted cash was replaced by a bank guarantee in conjunction with the Credit Agreement.
As of December 31, 2025, we held $50.3 million of cash and cash equivalents in subsidiaries outside of the United States. Of that amount, $49.5 million is not subject to repatriation restrictions, but may be subject to taxes upon repatriation.
We expect that our existing cash and cash equivalents will be sufficient to meet our anticipated cash needs for working capital and capital expenditures for at least the next 12 months.
Our cash flows are as follows:
| Years Ended December 31, | |||||||||||
| (In thousands) | 2025 | 2024 | |||||||||
| Cash provided by (used in): | |||||||||||
| Operating activities | $ | 59,454 | $ | 55,667 | |||||||
| Investing activities | $ | (35,584) | $ | (9,305) | |||||||
| Financing activities | $ | (38,420) | $ | (5,244) | |||||||
| Effect of foreign exchange rate changes on cash and cash equivalents | $ | 1,718 | $ | (1,317) | |||||||
Operating Activities
Cash provided by (used in) operating activities is primarily comprised of net income (loss), as adjusted for non-cash items, and changes in operating assets and liabilities. Non-cash adjustments consist primarily of allowance for credit losses, amortization of intangible assets, deferred taxes, depreciation of property and equipment, and share-based compensation. We expect cash inflows from operating activities to be affected by increases or decreases in sales and timing of collections. Our primary uses of cash from operating activities have been for personnel and vendor costs. We expect cash outflows from operating activities to be affected by changes in personnel costs and the payments of expenditures.
For the year ended December 31, 2025, $59.5 million of cash was provided by operating activities. This was primarily driven by an increase in operating income for the period as a result of improved gross margins, restructuring and cost savings initiatives partially offset by an increase in deal transaction costs. For the year ended December 31, 2024, $55.7 million of cash was provided by operating activities.
Investing Activities
The changes in cash flows from investing activities primarily relate to timing of purchases of property and equipment, capitalized software activities, and activity in connection with acquisitions and an equity investment. We expect to continue to purchase property and equipment to support the growth of our business as well as to continue to invest in our infrastructure, and we may also make additional acquisitions and equity investments.
For the year ended December 31, 2025 cash of $35.6 million was used in investing activities, compared to cash of $9.3 million used in investing activities during the year ended December 31, 2024. Cash used in investing activities primarily consisted of cash paid for the acquisition of Nok Nok Labs, the equity investment in ThreatFabric and additions to property and equipment.
51
Financing Activities
The changes in cash flows from financing activities primarily relate to the purchases of common stock under our share repurchase program, dividend payments, and tax payments for restricted stock issuances.
For the year ended December 31, 2025, net cash used in financing activities was $38.4 million, which was attributable to dividends paid, cash paid for share repurchases, tax payments for stock issuances, and payment of debt issuance costs.
For the year ended December 31, 2024, net cash used in financing activities was $5.2 million, which consisted primarily of $5.0 million of tax payments for restricted stock issuances and cash paid for the holdback component of our acquisition of substantially all of the assets of the ProvenDB business of Southbank Software Pty Ltd. in February 2023.
Off-Balance Sheet Arrangements
We have no off-balance sheet arrangements.
Contractual Obligations and Commitments
As of December 31, 2025, we have unrecognized purchase obligations of $11.9 million for software agreements related to the administration of our business which range from 1 to 3 years.
As of December 31, 2025, we have operating lease obligations of $8.4 million which will expire in the next 1 to 8 years. The operating lease obligations do not include common area maintenance charges or real estate taxes under our operating leases, for which we are also obligated. These charges are generally not fixed and can fluctuate from year to year.
Critical Accounting Policies and Estimates
Management’s Discussion and Analysis of Financial Condition and Results of Operations discusses our consolidated financial statements, which have been prepared in accordance with accounting principles generally accepted in the U.S. The preparation of these financial statements requires management to make estimates and assumptions that affect the reported amounts of assets and liabilities and the disclosure of contingent assets and liabilities at the date of the consolidated financial statements and the reported amounts of revenue and expenses during the reporting period.
On an on-going basis, management evaluates its estimates and judgments, including those related to bad debts, net realizable value of inventory and intangible assets. Management bases its estimates and judgments on historical experience and on various other factors that are believed to be reasonable under the circumstances, the results of which form the basis for making judgments about the carrying values of assets and liabilities that are not readily apparent from other sources. Actual results may differ from these estimates under different assumptions or conditions. Management believes the following critical accounting policies affect significant judgments and estimates used in the preparation of its consolidated financial statements.
Revenue Recognition
We record revenue in accordance with ASC Topic 606, Revenue from Contracts with Customers. We determine revenue recognition through the following steps:
•Identification of the contract, or contracts, with a customer;
•Identification of the performance obligations in the contract;
•Determination of the transaction price;
•Allocation of the transaction price to the performance obligations in the contract; and
•Recognition of revenue when, or as, we satisfy a performance obligation.
52
Revenues are recognized when control of the promised goods or services is transferred to our customers, in an amount that reflects the consideration we expect to be entitled to in exchange for those products or services, which excludes any sales incentives and amounts collected on behalf of third parties. Taxes assessed by a governmental authority that are both imposed on and concurrent with a specific revenue-producing transaction, that are collected by us from a customer, are excluded from revenue. Shipping and handling costs associated with outbound freight before control over a product has transferred to a customer are accounted for as a fulfillment cost and are included in "Cost of goods sold".
Nature of Goods and Services
We derive our revenues primarily from product and license revenue, which includes hardware products and on-premises subscription revenue, and services and other, which is inclusive of cloud subscription revenue, maintenance and support, and professional services.
Subscription: Subscription includes cloud and on-premises subscription revenue.
We generate cloud subscription revenues from our Cybersecurity and Digital Agreements cloud service offerings. Our standard customer arrangements do not provide the customer with the right to take possession of the software supporting the cloud-based application service at any time. As such, these arrangements are considered service contracts and revenue is recognized ratably over the service period of the contract. Customer payments are normally in advance for annual service.
Revenue from the sale of on-premises subscription revenue is recorded upon delivery which is the latter of when the customer receives the ability to access the software or when they are legally allowed to use the software. No significant obligations or contingencies exist with regard to delivery, customer acceptance or rights of return at the time revenue is recognized. We offer term licenses for on-premises subscription revenue ranging from one to five years in length. For term licenses, payments are either on installment or in advance. In limited circumstances, we integrate third-party software solutions into our software products. We have determined that, consistent with our conclusion under prior revenue recognition rules, generally we act as the principal with respect to the satisfaction of the related performance obligation and record the corresponding revenue on a gross basis from these transactions. For transactions in which we do not act as the principal, we recognize revenue on a net basis. The fees owed to the third parties are recognized as a component of cost of goods sold when the revenue is recognized.
In addition, we also offer annual or multi-year customer support subscription services, whereby customers can buy different levels of customer support packages for an annual recurring subscription fee.
Maintenance and support: Maintenance and support agreements generally call for us to provide software updates and technical support, respectively, to customers. The annual fee for maintenance and technical support is recognized ratably over the term of the maintenance and support agreement as this is the period the services are delivered. Customer payments are normally in advance for annual service.
Professional services and other revenue: Professional services revenues are primarily comprised of implementing, automating and extending business processes, technology infrastructure, and software applications. Professional services revenues are recognized over time as services are rendered, usually over a period of time that is generally less than 12 months. Most projects are performed on a time and materials basis while a portion of revenues is derived from projects performed on a fixed fee. For time and material contracts, revenues are generally recognized and invoiced by multiplying the number of hours expended in the performance of the contract by the contractual hourly rates. For fixed fee contracts, revenues are generally recognized using an input method based on the ratio of hours expended to total estimated hours to complete the services. Customer payments normally correspond with delivery.
Hardware products: Revenue from the sale of security hardware is recorded upon shipment, which is the point at which control of the goods are transferred and the completion of the performance obligations, unless there are specific terms that would suggest control is transferred at a later date (e.g. delivery). No significant obligations or contingencies typically exist with regard to delivery, customer acceptance or rights of return at the time revenue is recognized. Customer invoices and subsequent payments normally correspond with delivery.
Multiple-Element Arrangements
In our typical multiple-element arrangement, the primary deliverables include:
53
1.A client component (i.e. an item that is used by the person being authenticated in the form of either a new standalone hardware device or software that is downloaded onto a device that the customer already owns);
2.Server system software that is installed on the customer’s systems (i.e., software on the server system that verifies the identity of the person being authenticated) or licenses for additional users on the server system software if the server system software had been installed previously; and
3.Post contract support in the form of maintenance on the server system software or support.
Our multiple-element arrangements may also include other items that are usually delivered prior to the recognition of any revenue and are incidental to the overall transaction such as initialization of the hardware device, customization of the hardware device itself or the packaging in which it is delivered, deployment services where we deliver the device to our customer’s end-use customer or employee and, in some limited cases, professional services to assist with the initial implementation of a new customer.
Significant Judgments
We enter into contracts to deliver a combination of hardware devices, software licenses, subscriptions, maintenance and support and, in some situations, professional services. We evaluate the nature of the goods or services promised in these arrangements to identify the distinct performance obligations. Determining whether products and services are considered distinct performance obligations that should be accounted for separately versus together may require significant judgment depending on the terms and conditions of the respective customer arrangement. When a hardware client device and licenses to server software are sold in a contract, they are treated as a single performance obligation because the software license is deemed to be a component of the hardware that is integral to the functionality of the hardware that is used by our customers for identity authentication. When a software client device is sold in a contract server software, the licenses are considered a single performance obligation to deliver the authentication solution to the customer. In either of these types of arrangements, maintenance and support and professional services are typically distinct separate performance obligations from the hardware or software solutions. Our contracts to deliver subscription services typically do not include multiple performance obligations; however, in certain limited cases customers may purchase professional services that are distinct performance obligations.
For contracts that contain multiple performance obligations, the transaction price is allocated to the separate performance obligations based on their estimated relative standalone selling price. Judgment is required to determine the stand-alone selling price (“SSP”) of each distinct performance obligation. We determine SSP for maintenance and support, based on observable inputs; specifically, the range of prices charged to customers to renew annual maintenance and support contracts. In instances where SSP is not directly observable, and when we sell at a highly variable price range, such as for transactions involving software licenses or subscriptions, we determine the SSP for those performance obligations using the residual approach.
Income Taxes
As a global company, we calculate and provide for income taxes in each tax jurisdiction in which we operate. The provision for income taxes includes the amounts payable or refundable for the current year, the effect of deferred taxes and impacts from uncertain tax positions. Our provision for income taxes is significantly affected by shifts in the geographic mix of our pre-tax earnings across tax jurisdictions, changes in valuation allowance, changes in tax laws and regulations, and tax planning opportunities available in each tax jurisdiction.
Deferred tax assets and liabilities are recognized for the expected future tax consequences of temporary differences between the financial statement and tax bases of our assets and liabilities and for operating losses and tax credit carryforwards. Deferred tax assets and liabilities are measured using enacted tax rates that will apply to taxable income in the years in which those differences are expected to be recovered or settled. Valuation allowances are established for deferred tax assets when it is more likely than not that a tax benefit will not be realized. We recognize the effect of a change in tax rates on deferred tax assets and liabilities and in income in the period that includes the enactment date.
54
We recognize tax benefits for tax positions that are more likely than not to be sustained upon examination by tax authorities. The amount recognized is measured as the largest amount of benefit that is greater than 50 percent likely to be realized upon ultimate settlement. Unrecognized tax benefits are tax benefits claimed in our income tax returns that do not meet these recognition and measurement standards. Assumptions, judgments, and the use of estimates are required in determining whether the “more-likely-than-not” standard has been met when developing the provision for income taxes.
We recognize the tax impact of including certain foreign earnings in U.S. taxable income as a period cost. We have recognized deferred income taxes for local country income and withholding taxes that could be incurred on distributions of non-U.S. earnings because we do not plan to indefinitely reinvest such earnings.
We monitor for changes in tax laws and reflect the impacts of tax law changes in the period of enactment.
Recently Issued Accounting Pronouncements
For information regarding our new accounting pronouncements, see Note 2, Summary of Significant Accounting Policies, in the notes to consolidated financial statements included in Part IV, Item 15, Exhibits and Financial Statements Schedules.
Item 7A - Quantitative and Qualitative Disclosures about Market Risk (In thousands)
Foreign Currency Exchange Risk – In 2025, we generated approximately 79% of our revenue outside the United States, primarily in Europe, Latin America and Asia Pacific. A significant portion of our business operations is transacted in foreign currencies. As a result, we have exposure to foreign exchange fluctuations. We are affected by both foreign currency translation and transaction adjustments. Translation adjustments result from the conversion of the foreign subsidiaries’ balance sheets and income statements to U.S. dollars at year-end exchange rates and weighted average exchange rates, respectively. Translation adjustments resulting from this process are recorded directly into stockholders’ equity. Transaction adjustments result from currency exchange movements when one of our companies transacts business in a currency that differs from its local currency. These adjustments are recorded as gains or losses in our consolidated statements of operations. Our business transactions are spread across numerous countries and currencies. As noted in Item 7, Management’s Discussion and Analysis of Financial Condition and Results of Operations above, we attempt to minimize the net impact of currency on operating earnings by denominating an amount of billings in a currency such that it would provide a natural hedge against the operating expenses being incurred in that currency. We do not believe that an immediate 10% increase or decrease in the relative value of the U.S. dollar to other currencies would have a material effect on our operating results.
Interest Rate Risk – We have minimal interest rate risk. We had no debt outstanding at December 31, 2025. Our cash and cash equivalents are invested in short-term instruments at current market rates. The effect of a hypothetical one percentage point increase or decrease would not have a material impact on our consolidated financial statements.
Item 8 - Financial Statements and Supplementary Data
The information in response to this item is included in our consolidated financial statements, together with the report thereon of KPMG LLP, in Item 15, Exhibits and Financial Statement Schedules.
Item 9 - Changes in and Disagreements with Accountants on Accounting and Financial Disclosure
None.
Item 9A - Controls and Procedures
Evaluation of Disclosure Controls and Procedures
Our management, with the participation of our Chief Executive Officer (our principal executive officer) and Chief Financial Officer (our principal financial officer), has evaluated the effectiveness of our disclosure controls and procedures (as defined in Rules 13a-15(e) and 15d-15(e) under the Securities Exchange Act of 1934 as amended (the "Exchange Act")) as of December 31, 2025.
55
Based upon that evaluation, our Chief Executive Officer and Chief Financial Officer have concluded that our disclosure controls and procedures were effective as of December 31, 2025, to provide reasonable assurance that the information required to be disclosed by us in reports filed under the Exchange Act, is recorded, processed, summarized and reported within the time period specified in the rules and forms of the SEC, and is accumulated and communicated to management, including our principal executive officer and principal financial officer, as appropriate, to allow timely decisions regarding required disclosure.
Management’s Annual Report on Internal Control over Financial Reporting
The management of OneSpan Inc. is responsible for establishing and maintaining adequate internal control over financial reporting (as defined in Rule 13a-15(f) and 15d-15(f) promulgated under the Exchange Act ). Management, led by our Chief Executive Officer and Chief Financial Officer, assessed the effectiveness of our internal control over financial reporting based upon the criteria set forth in the Internal Control Integrated Framework issued by the Committee of Sponsoring Organizations of the Treadway Commission ("COSO") in Internal Control—Integrated Framework (2013).
Management has concluded that its internal control over financial reporting was effective as of December 31, 2025 to provide reasonable assurance regarding the reliability of our financial reporting and the preparation of financial statements in accordance with U.S. GAAP.
KPMG LLP, an independent registered public accounting firm, has audited the effectiveness of our internal control over financial reporting as of December 31, 2025, included on page F-2 of this Annual Report on Form 10-K.
Changes in Internal Control over Financial Reporting
There were no changes in our internal control over financial reporting (as that term is defined in Rule 13a-15(f) and 15d-15(f) under the Exchange Act) during the quarter ended December 31, 2025, that have materially affected, or are reasonably likely to materially affect, our internal control over financial reporting.
Limitations on the Effectiveness of Controls
Management believes that our disclosure controls and procedures and internal control over financial reporting are designed to provide reasonable assurance of achieving their objectives and are effective at the reasonable assurance level. However, our management does not expect that our disclosure controls and procedures or our internal control over financial reporting will prevent all errors and all fraud. A control system, no matter how well designed and operated, can provide only reasonable, not absolute, assurance that the objectives of the control system are met. Because of the inherent limitations in all control systems, no evaluation of controls can provide absolute assurance that all control issues and instances of fraud, if any, have been detected. Additionally, controls can be circumvented by the individual acts of some persons, by collusion of two or more people or by management override of the controls. Also, projections of any evaluation of effectiveness to future periods are subject to the risk that controls may become inadequate because of changes in conditions, or that the degree of compliance with the policies and procedures may deteriorate.
Item 9B - Other Information
Director and Officer Trading Arrangements
None of our directors or executive officers adopted terminated
Item 9C - Disclosure Regarding Foreign Jurisdictions that Prevent Inspections
Not applicable.
56
PART III
Item 10 - Directors, Executive Officers and Corporate Governance
All information in response to this Item, other than the required information on executive officers and the required information under Regulation S-K Items 406 and 408, is incorporated by reference to the “Information regarding our Board of Directors” and, if applicable, “Delinquent Section 16(a) Reports” sections of OneSpan’s Proxy Statement to be filed with the SEC for the 2026 Annual Meeting of Stockholders. The required information on executive officers is set forth in Part I of this Form 10-K under the heading "Information about our Executive Officers."
We have adopted a written code of business conduct and ethics that applies to our directors, officers, and employees, including our principal executive officer, principal financial officer, principal accounting officer or controller, or persons performing similar functions. A copy of the code is posted on the Corporate Governance section of our website, which is located at www.onespan.com. If we make any substantive amendments to, or grant any waivers from, the code of business conduct and ethics for any officer or director, we will disclose the nature of such amendment or waiver on our website pursuant to the disclosure requirements of Item 5.05 of Form 8-K. We will provide any person, without charge, a copy of our code of conduct and ethics upon written request, which may be mailed to Corporate Secretary, OneSpan Inc.,1 Marina Park Drive, Unit 1410, Boston, Massachusetts, 02210.
We have adopted an insider trading policy that governs the purchase, sale and/or other dispositions of Company securities by our directors, officers, employees, designated consultants and contractors, and other covered persons. We believe our insider trading policy is reasonably designed to promote compliance with insider trading laws, rules, regulations and Nasdaq listing standards. A copy of our insider trading policy is filed as Exhibit 19 to this Form 10-K. In addition, the Company does not engage in transactions in Company securities while in possession of material nonpublic information concerning the Company or its securities.
Item 11 - Executive Compensation
The information in response to this Item is incorporated by reference to the “Executive Compensation” and "Director Compensation" sections of OneSpan’s Proxy Statement (except for the section titled "Executive Compensation - Pay versus Performance") to be filed with the SEC for the 2026 Annual Meeting of Stockholders.
Item 12 - Security Ownership of Certain Beneficial Owners and Management and Related Stockholder Matters
The information in response to this Item is incorporated by reference to the “Security Ownership of Certain Beneficial Owners, Directors and Management” and “Equity Compensation Plan Information” sections of OneSpan’s Proxy Statement to be filed with the SEC for the 2026 Annual Meeting of Stockholders.
Item 13 - Certain Relationships and Related Transactions, and Director Independence
The information in response to this Item is incorporated by reference to the “Information regarding our Board of Directors” and “Transactions with Related Persons” sections of OneSpan’s Proxy Statement to be filed with the SEC for the 2026 Annual Meeting of Stockholders.
Item 14 - Principal Accounting Fees and Services
The information in response to this Item is incorporated by reference to the “Fees Paid to Independent Registered Public Accounting Firm for 2025 and 2024” section of OneSpan’s Proxy Statement to be filed with the SEC for the 2026 Annual Meeting of Stockholders.
57
PART IV
Item 15 - Exhibits and Financial Statement Schedules
(a)The following documents are filed as part of this Annual Report on Form 10-K.
(1)The following consolidated financial statements and notes thereto, and the related independent auditors’ report, are included on pages F-1 through F-42 of this Annual Report on Form 10-K:
Report of Independent Registered Public Accounting Firm
Consolidated Balance Sheets as of December 31, 2025 and 2024
Consolidated Statements of Operations for the Years Ended December 31, 2025, 2024 and 2023
Consolidated Statements of Comprehensive Income (Loss) for the Years Ended December 31, 2025, 2024 and 2023
Consolidated Statements of Stockholders’ Equity for the Years Ended December 31, 2025, 2024 and 2023
Consolidated Statements of Cash Flows for the Years Ended December 31, 2025, 2024 and 2023
Notes to Consolidated Financial Statements
(2)All other financial statement schedules are omitted because such schedules are not required or the information required has been presented in the aforementioned consolidated financial statements.
(3)The following exhibits are filed with this Annual Report on Form 10-K or incorporated by reference as set forth at the end of the list of exhibits:
| Exhibit Number | Description | |||||||
| 3.1 | Certificate of Incorporation of the Registrant, as amended (Incorporated by Reference to Exhibit 3.1 to the Registrant’s Form 10-Q filed August 4, 2022) | |||||||
| 3.2 | Amended and Restated Bylaws of Registrant, effective as of January 30, 2023. (Incorporated by Reference to Exhibit 3.1 to the Registrant’s Form 8-K filed on February 1, 2023) | |||||||
| 4.1 | Specimen of Registrant’s Common Stock Certificate. (Incorporated by Reference to the Registrant’s Registration Statement on Form S-4, as amended (Registration No. 333-35563), originally filed on September 12, 1997.) | |||||||
| 4.2 | Description of Securities Registered under Section 12 of the Securities Exchange Act of 1934 (Incorporated by Reference to Exhibit 4.2 to the Registrant's Form 10-K filed March 6, 2024) | |||||||
| 10.1 | Credit Agreement, dated as of June 23, 2025, by and among OneSpan Inc., as Borrower, certain subsidiaries of OneSpan Inc., as Guarantors, the Lenders party thereto, and MUFG Bank, Ltd., as Administrative Agent, Swingline Lender and letter of credit Issuer (Incorporated by Reference to Exhibit 10.1 to the Registrant’s Form 8-K filed on June 23, 2025) | |||||||
| 10.2* | Employment Agreement dated July 31, 2024 between the Registrant and Victor Limongelli (Incorporated by Reference to Exhibit 10.1 to the Registrant's Form 10-K filed February 27, 2025) | |||||||
58
| Exhibit Number | Description | |||||||
| 10.3* | Letter Agreement dated October 22, 2024 between the Company and Victor Limongelli ((Incorporated by Reference to Exhibit 10.1 to the Registrant’s Form 10-Q filed October 30, 2024) | |||||||
| 10.4* | Special PSU Agreement dated July 31, 2024 between the Registrant and Victor Limongelli (Incorporated by Reference to Exhibit 10.1 to the Registrant’s Form 8-K filed August 1, 2024) | |||||||
| 10.5* | Employment Agreement between the Registrant and Jorge Martell (Incorporated by Reference to Exhibit 10.1 to the Registrant’s Form 10-Q filed November 1, 2022) | |||||||
| 10.6* | Employment Agreement between the Registrant and Lara Mataac (Incorporated by Reference to Exhibit 10.3 to the Registrant’s Form 10-K filed February 28, 2023) | |||||||
| 10.7* | Employment Agreement dated December 16, 2024 between the Registrant and Ashish Jain (Incorporated by Reference to Exhibit 10.1 to the Registrant's Form 10-K filed February 27, 2025) | |||||||
| 10.8* | 2025 Management Incentive Plan of the Registrant (Incorporated by Reference to Exhibit 10.1 to the Registrant’s Form 10-Q filed May 1, 2025) | |||||||
| 10.9* | OneSpan Inc. Amended and Restated 2019 Omnibus Incentive Plan (Incorporated by Reference to Exhibit 10.1 to the Registrant’s Form 10-Q filed August 5, 2025) | |||||||
| 10.10* | Form of Director and Officer Indemnification Agreement (Incorporated by Reference to Exhibit 10.1 to the Registrant’s Form 10-K filed February 28, 2023) | |||||||
| 10.11* | Form of 2025 Time-Based RSU Agreement (Executive) under the Registrant’s 2019 Omnibus Incentive Plan (Incorporated by Reference to Exhibit 10.2 to the Registrant’s Form 10-Q filed May 1, 2025) | |||||||
| 10.12* | Form of 2025 Performance-Based RSU Agreement under the Registrant’s 2019 Omnibus Incentive Plan (Incorporated by Reference to Exhibit 10.2 to the Registrant’s Form 10-Q filed May 1, 2025) | |||||||
| 10.13* | Form of 2025 Time-Based RSU Agreement (General) under the Registrant’s 2019 Omnibus Incentive Plan (Incorporated by Reference to Exhibit 10.2 to the Registrant’s Form 10-Q filed May 1, 2025) | |||||||
10.14* | Form of 2024 Performance-Based RSU Agreement under the Registrant’s 2019 Omnibus Incentive Plan (Incorporated by Reference to Exhibit 10.1 to the Registrant’s Form 10-Q filed August 1, 2024) | |||||||
| 10.15* | Form of 2024 Time-Based RSU Agreement (Executive) under the Registrant’s 2019 Omnibus Incentive Plan (Incorporated by Reference to Exhibit 10.2 to the Registrant’s Form 10-Q filed August 1, 2024) | |||||||
| 10.16* | Form of 2023 Time-Based RSU Agreement (Executive) under the Registrant’s 2019 Omnibus Incentive Plan (Incorporated by Reference to Exhibit 10.8 to the Registrant's Form 10-K filed March 6, 2024) | |||||||
| 10.17* | Form of 2022 Time-Based RSU Agreement (Executive) under the Registrant’s 2019 Omnibus Incentive Plan (Incorporated by Reference to the Registrant's Form 10-Q filed November 1, 2022) | |||||||
| 10.18* | Form of Time-Based Deferred RSU Agreement for Non-Employee Directors of the Registrant (Incorporated by Reference to Exhibit 4.10 to the Registrant’s Form 10-K filed March 16, 2020) | |||||||
59
| Exhibit Number | Description | |||||||
| 19 | Insider Trading Policy, dated March 11, 2024 (Incorporated by Reference to Exhibit 10.1 to the Registrant's Form 10-K filed February 27, 2025) | |||||||
| 21 | Subsidiaries of Registrant | |||||||
| 23 | Consent of KPMG LLP | |||||||
| 31.1 | Rule 13a-14(a)/15d-14(a) Certification of Principal Executive Officer pursuant to Section 302 of the Sarbanes-Oxley Act of 2002, dated February 26, 2026 | |||||||
| 31.2 | Rule 13a-14(a)/15d-14(a) Certification of Principal Financial Officer pursuant to Section 302 of the Sarbanes-Oxley Act of 2002, dated February 26, 2026 | |||||||
| 32.1 | Section 1350 Certification of Principal Executive Officer pursuant to Section 906 of the Sarbanes-Oxley Act of 2002, dated February 26, 2026 | |||||||
| 32.2 | Section 1350 Certification of Principal Financial Officer pursuant to Section 906 of the Sarbanes-Oxley Act of 2002, dated February 26, 2026 | |||||||
| 97 | Dodd-Frank Compensation Recovery Policy (Incorporated by Reference to Exhibit 97 to the Registrant’s Form 10-K filed March 6, 2024) | |||||||
| 101.INS | XBRL Instance Document – the instance document does not appear in the Interactive Data File because its XBRL tags are embedded within the Inline XBRL document | |||||||
| 101.SCH | XBRL Taxonomy Extension Schema Document | |||||||
| 101.CAL | XBRL Taxonomy Extension Calculation Linkbase Document | |||||||
| 101.LAB | XBRL Taxonomy Extension Label Linkbase Document | |||||||
| 101.PRE | XBRL Taxonomy Extension Presentation Linkbase Document | |||||||
| 101.DEF | XBRL Taxonomy Extension Definition Linkbase Document | |||||||
| 104 | Cover page Interactive Data File (formatted as inline XBRL with applicable taxonomy extension information contained in Exhibit 101) | |||||||
___________________________
*Compensatory plan or management contract.
OneSpan Inc. will furnish any of the above exhibits to stockholders upon written request addressed to the Secretary at the address given on the cover page of this Form 10-K.
60
OneSpan Inc.
INDEX TO FINANCIAL STATEMENTS AND SCHEDULE
| Financial Statements | |||||
Report of Independent Registered Public Accounting Firm | F-2 | ||||
Consolidated Balance Sheets as of December 31, 2025 and 2024 | F-4 | ||||
Consolidated Statements of Operations for the Years Ended December 31, 2025, 2024 and 2023 | F-5 | ||||
Consolidated Statements of Comprehensive Income (Loss) for the Years Ended December 31, 2025, 2024 and 2023 | F-6 | ||||
Consolidated Statements of Stockholders’ Equity for the Years Ended December 31, 2025, 2024 and 2023 | F-7 | ||||
Consolidated Statements of Cash Flows for the Years Ended December 31, 2025, 2024 and 2023 | F-8 | ||||
Notes to Consolidated Financial Statements | F-9 | ||||
All other financial statement schedules are omitted because they are not applicable or the required information is shown in the consolidated financial statements or notes thereto.
F-1
Report of Independent Registered Public Accounting Firm
To the Stockholders and Board of Directors
OneSpan Inc.:
Opinions on the Consolidated Financial Statements and Internal Control Over Financial Reporting
We have audited the accompanying consolidated balance sheets of OneSpan Inc. and subsidiaries (the Company) as of December 31, 2025 and 2024, the related consolidated statements of operations, comprehensive income (loss), stockholders’ equity, and cash flows for each of the years in the three-year period ended December 31, 2025, and the related notes (collectively, the consolidated financial statements). We also have audited the Company’s internal control over financial reporting as of December 31, 2025, based on criteria established in Internal Control – Integrated Framework (2013) issued by the Committee of Sponsoring Organizations of the Treadway Commission.
In our opinion, the consolidated financial statements referred to above present fairly, in all material respects, the financial position of the Company as of December 31, 2025 and 2024, and the results of its operations and its cash flows for each of the years in the three-year period ended December 31, 2025, in conformity with U.S. generally accepted accounting principles. Also in our opinion, the Company maintained, in all material respects, effective internal control over financial reporting as of December 31, 2025 based on criteria established in Internal Control – Integrated Framework (2013) issued by the Committee of Sponsoring Organizations of the Treadway Commission.
Basis for Opinions
The Company’s management is responsible for these consolidated financial statements, for maintaining effective internal control over financial reporting, and for its assessment of the effectiveness of internal control over financial reporting, included in the accompanying Management's Annual Report on Internal Control over Financial Reporting. Our responsibility is to express an opinion on the Company’s consolidated financial statements and an opinion on the Company’s internal control over financial reporting based on our audits. We are a public accounting firm registered with the Public Company Accounting Oversight Board (United States) (PCAOB) and are required to be independent with respect to the Company in accordance with the U.S. federal securities laws and the applicable rules and regulations of the Securities and Exchange Commission and the PCAOB.
We conducted our audits in accordance with the standards of the PCAOB. Those standards require that we plan and perform the audits to obtain reasonable assurance about whether the consolidated financial statements are free of material misstatement, whether due to error or fraud, and whether effective internal control over financial reporting was maintained in all material respects.
Our audits of the consolidated financial statements included performing procedures to assess the risks of material misstatement of the consolidated financial statements, whether due to error or fraud, and performing procedures that respond to those risks. Such procedures included examining, on a test basis, evidence regarding the amounts and disclosures in the consolidated financial statements. Our audits also included evaluating the accounting principles used and significant estimates made by management, as well as evaluating the overall presentation of the consolidated financial statements. Our audit of internal control over financial reporting included obtaining an understanding of internal control over financial reporting, assessing the risk that a material weakness exists, and testing and evaluating the design and operating effectiveness of internal control based on the assessed risk. Our audits also included performing such other procedures as we considered necessary in the circumstances. We believe that our audits provide a reasonable basis for our opinions.
Definition and Limitations of Internal Control Over Financial Reporting
Definition and Limitations of Internal Control Over Financial Reporting
A company’s internal control over financial reporting is a process designed to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles. A company’s internal control over financial reporting includes those policies and procedures that (1) pertain to the maintenance of records that, in reasonable detail, accurately and fairly reflect the transactions and dispositions of the assets of the company; (2) provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with generally accepted accounting principles, and that receipts and expenditures of the company are being made only in accordance with authorizations of management and directors of the company; and (3) provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use, or disposition of the company’s assets that could have a material effect on the financial statements.
F-2
Because of its inherent limitations, internal control over financial reporting may not prevent or detect misstatements. Also, projections of any evaluation of effectiveness to future periods are subject to the risk that controls may become inadequate because of changes in conditions, or that the degree of compliance with the policies or procedures may deteriorate.
Critical Audit Matter
The critical audit matter communicated below is a matter arising from the current period audit of the consolidated financial statements that was communicated or required to be communicated to the audit committee and that: (1) relates to accounts or disclosures that are material to the consolidated financial statements and (2) involved our especially challenging, subjective, or complex judgments. The communication of a critical audit matter does not alter in any way our opinion on the consolidated financial statements, taken as a whole, and we are not, by communicating the critical audit matter below, providing a separate opinion on the critical audit matter or on the accounts or disclosures to which it relates.
Identification of performance obligations in contracts containing multiple goods and services
As discussed in Notes 2 and 4 to the consolidated financial statements, the Company enters into contracts to deliver a combination of hardware devices, software licenses, subscriptions, maintenance and support and, in some situations, professional services. The Company evaluates the nature of the goods and services promised in these arrangements to identify the distinct performance obligations. The Company recognized total revenue of $243 million, a portion of which related to contracts containing multiple performance obligations, for the year ended December 31, 2025. We identified the evaluation of the Company’s identification of performance obligations in contracts containing multiple goods and services as a critical audit matter. Specifically, complex auditor judgment was required to evaluate the Company's identification of performance obligations in such contracts, including for contracts with new customers or contracts that were amended with existing customers.
The following are the primary procedures we performed to address this critical audit matter. We evaluated the design and tested the operating effectiveness of certain internal controls related to the Company’s revenue recognition process. This included controls related to the identification of performance obligations and evaluation of terms and conditions present in individual contracts containing multiple goods and services. We tested a selection of contracts, including contracts with new customers and contracts that were amended with existing customers, by obtaining and reading the underlying contract and accounting analysis to evaluate the Company’s identification of performance obligations. Specifically, we evaluated the completeness and accuracy of the Company’s identification of terms and conditions that were unique to the selected contracts and the Company’s determination of the impact of those terms and conditions on revenue recognition.
The following are the primary procedures we performed to address this critical audit matter. We evaluated the design and tested the operating effectiveness of certain internal controls related to the Company’s revenue recognition process. This included controls related to the identification of performance obligations and evaluation of terms and conditions present in individual contracts containing multiple goods and services. We tested a selection of contracts, including contracts with new customers and contracts that were amended with existing customers, by obtaining and reading the underlying contract and accounting analysis to evaluate the Company’s identification of performance obligations. Specifically, we evaluated the completeness and accuracy of the Company’s identification of terms and conditions that were unique to the selected contracts and the Company’s determination of the impact of those terms and conditions on revenue recognition.
/s/ KPMG LLP
We have served as the Company’s auditor since 1996.
Chicago, Illinois
February 26, 2026
F-3
OneSpan Inc.
CONSOLIDATED BALANCE SHEETS
(In thousands, except per share data)
| December 31, | |||||||||||
| 2025 | 2024 | ||||||||||
| ASSETS | |||||||||||
| Current assets | |||||||||||
| Cash and cash equivalents | $ | $ | |||||||||
Accounts receivable, net of allowances of $ | |||||||||||
| Inventories, net | |||||||||||
| Prepaid expenses | |||||||||||
| Contract assets | |||||||||||
| Other current assets | |||||||||||
| Total current assets | |||||||||||
| Property and equipment, net | |||||||||||
| Operating lease right-of-use assets | |||||||||||
| Goodwill | |||||||||||
| Intangible assets, net of accumulated amortization | |||||||||||
| Deferred tax asset | |||||||||||
| Equity investment | |||||||||||
| Other assets | |||||||||||
| Total assets | $ | $ | |||||||||
| LIABILITIES AND STOCKHOLDERS' EQUITY | |||||||||||
| Current liabilities | |||||||||||
| Accounts payable | $ | $ | |||||||||
| Deferred revenue | |||||||||||
| Accrued wages and payroll taxes | |||||||||||
| Short-term income taxes payable | |||||||||||
| Dividend payable | |||||||||||
| Other accrued expenses | |||||||||||
| Deferred compensation | |||||||||||
| Total current liabilities | |||||||||||
| Long-term deferred revenue | |||||||||||
| Long-term lease liabilities | |||||||||||
| Deferred tax liability | |||||||||||
| Other long-term liabilities | |||||||||||
| Total liabilities | |||||||||||
| Commitments and contingencies | |||||||||||
| Stockholders' equity | |||||||||||
Preferred stock: | |||||||||||
Common stock: $ | |||||||||||
| Additional paid-in capital | |||||||||||
Treasury stock, at cost, | ( | ( | |||||||||
| Retained earnings | |||||||||||
| Accumulated other comprehensive loss | ( | ( | |||||||||
| Total stockholders' equity | |||||||||||
| Total liabilities and stockholders' equity | $ | $ | |||||||||
See accompanying notes to consolidated financial statements.
F-4
OneSpan Inc.
CONSOLIDATED STATEMENTS OF OPERATIONS
(in thousands, except per share data)
| Years Ended December 31, | |||||||||||||||||
| 2025 | 2024 | 2023 | |||||||||||||||
| Revenue | |||||||||||||||||
| Product and license | $ | $ | $ | ||||||||||||||
| Services and other | |||||||||||||||||
| Total revenue | |||||||||||||||||
| Cost of goods sold | |||||||||||||||||
| Product and license | |||||||||||||||||
| Services and other | |||||||||||||||||
| Total cost of goods sold | |||||||||||||||||
| Gross profit | |||||||||||||||||
| Operating costs | |||||||||||||||||
| Sales and marketing | |||||||||||||||||
| Research and development | |||||||||||||||||
| General and administrative | |||||||||||||||||
| Restructuring and other related charges | |||||||||||||||||
| Amortization of intangible assets | |||||||||||||||||
| Total operating costs | |||||||||||||||||
| Operating income (loss) | ( | ||||||||||||||||
| Interest income, net | |||||||||||||||||
| Other expense, net | ( | ( | ( | ||||||||||||||
| Income (loss) before income taxes | ( | ||||||||||||||||
| (Benefit) provision for income taxes | ( | ( | |||||||||||||||
| Net income (loss) | $ | $ | $ | ( | |||||||||||||
| Net income (loss) per share | |||||||||||||||||
| Basic | $ | $ | $ | ( | |||||||||||||
| Diluted | $ | $ | $ | ( | |||||||||||||
| Weighted average common shares outstanding | |||||||||||||||||
| Basic | |||||||||||||||||
| Diluted | |||||||||||||||||
See accompanying notes to consolidated financial statements.
F-5
OneSpan Inc.
CONSOLIDATED STATEMENTS OF COMPREHENSIVE INCOME (LOSS)
(In thousands)
| Years Ended December 31, | |||||||||||||||||
| 2025 | 2024 | 2023 | |||||||||||||||
| Net income (loss) | $ | $ | $ | ( | |||||||||||||
| Other comprehensive income (loss) | |||||||||||||||||
| Cumulative translation adjustment, net of tax | ( | ||||||||||||||||
| Pension adjustment, net of tax | ( | ||||||||||||||||
| Unrealized gain on available-for-sale securities | |||||||||||||||||
| Comprehensive income (loss) | $ | $ | $ | ( | |||||||||||||
See accompanying notes to consolidated financial statements.
F-6
OneSpan Inc.
CONSOLIDATED STATEMENTS OF STOCKHOLDERS’ EQUITY
(In thousands)
| Common Stock | Treasury - Common Stock | Additional Paid-In Capital | Retained Earnings | Accumulated Other Comprehensive Income (Loss) | Total Stockholders Equity | |||||||||||||||||||||||||||||||||||||||||||||
| Description | Shares | Amount | Shares | Amount | ||||||||||||||||||||||||||||||||||||||||||||||
| Balance at December 31, 2022 | $ | $ | ( | $ | $ | $ | ( | $ | ||||||||||||||||||||||||||||||||||||||||||
| Net loss | — | — | — | — | — | ( | — | ( | ||||||||||||||||||||||||||||||||||||||||||
| Foreign currency translation adjustment, net of tax | — | — | — | — | — | — | ||||||||||||||||||||||||||||||||||||||||||||
| Share-based compensation | — | — | — | — | — | — | ||||||||||||||||||||||||||||||||||||||||||||
| Vesting of restricted stock awards | — | — | — | — | — | — | — | |||||||||||||||||||||||||||||||||||||||||||
| Tax payments for stock issuances | ( | — | — | — | ( | — | — | ( | ||||||||||||||||||||||||||||||||||||||||||
| Unrealized gain (loss) on available-for-sale securities | — | — | — | — | — | — | ||||||||||||||||||||||||||||||||||||||||||||
| Share repurchases | ( | ( | ( | — | — | ( | ||||||||||||||||||||||||||||||||||||||||||||
| Pension adjustment, net of tax | — | — | — | — | — | — | ( | ( | ||||||||||||||||||||||||||||||||||||||||||
| Balance at December 31, 2023 | $ | $ | ( | $ | $ | $ | ( | $ | ||||||||||||||||||||||||||||||||||||||||||
| Net income | — | — | — | — | — | — | ||||||||||||||||||||||||||||||||||||||||||||
| Foreign currency translation adjustment, net of tax | — | — | — | — | — | — | ( | ( | ||||||||||||||||||||||||||||||||||||||||||
| Share-based compensation | — | — | — | — | — | — | ||||||||||||||||||||||||||||||||||||||||||||
| Vesting of restricted stock awards | — | — | — | — | — | — | — | |||||||||||||||||||||||||||||||||||||||||||
| Tax payments for stock issuances | ( | — | — | — | ( | — | — | ( | ||||||||||||||||||||||||||||||||||||||||||
| Excise tax on share repurchases | ( | — | — | ( | ||||||||||||||||||||||||||||||||||||||||||||||
Dividends declared ($ | — | — | — | — | — | ( | — | ( | ||||||||||||||||||||||||||||||||||||||||||
| Pension adjustment, net of tax | — | — | — | — | — | — | ||||||||||||||||||||||||||||||||||||||||||||
| Balance at December 31, 2024 | $ | $ | ( | $ | $ | $ | ( | $ | ||||||||||||||||||||||||||||||||||||||||||
| Net income | — | — | — | — | — | — | ||||||||||||||||||||||||||||||||||||||||||||
| Foreign currency translation adjustment, net of tax | — | — | — | — | — | — | ||||||||||||||||||||||||||||||||||||||||||||
| Share-based compensation | — | — | — | — | — | — | ||||||||||||||||||||||||||||||||||||||||||||
| Vesting of restricted stock awards | — | — | — | — | — | — | — | |||||||||||||||||||||||||||||||||||||||||||
| Tax payments for stock issuances | ( | — | — | — | ( | — | — | ( | ||||||||||||||||||||||||||||||||||||||||||
| Share repurchases, net of excise tax | ( | ( | ( | — | — | — | ( | |||||||||||||||||||||||||||||||||||||||||||
Dividends declared ($ | — | — | — | — | — | ( | — | ( | ||||||||||||||||||||||||||||||||||||||||||
| Pension adjustment, net of tax | — | — | — | — | — | — | ||||||||||||||||||||||||||||||||||||||||||||
| Balance at December 31, 2025 | $ | $ | ( | $ | $ | $ | ( | $ | ||||||||||||||||||||||||||||||||||||||||||
See accompanying notes to consolidated financial statements.
F-7
OneSpan Inc.
CONSOLIDATED STATEMENTS OF CASH FLOWS
(In thousands)
| Years Ended December 31, | |||||||||||||||||
| 2025 | 2024 | 2023 | |||||||||||||||
| Cash flows from operating activities: | |||||||||||||||||
| Net income (loss) | $ | $ | $ | ( | |||||||||||||
| Adjustments to reconcile net income (loss) from operations to net cash used in operations: | |||||||||||||||||
| Depreciation and amortization of intangible assets | |||||||||||||||||
| Loss on disposal of asset | |||||||||||||||||
| Write-off of intangible assets | |||||||||||||||||
| Write-off of property and equipment, net | |||||||||||||||||
| Impairment of inventories, net | |||||||||||||||||
| Deferred tax (benefit) expense | ( | ( | |||||||||||||||
| Share-based compensation | |||||||||||||||||
| Provision for credit losses | |||||||||||||||||
| Changes in operating assets and liabilities, net of impact of acquisition: | |||||||||||||||||
| Accounts receivable | |||||||||||||||||
| Inventories, net | ( | ||||||||||||||||
| Contract assets | ( | ( | ( | ||||||||||||||
| Accounts payable | ( | ( | ( | ||||||||||||||
| Income taxes payable | ( | ( | |||||||||||||||
| Accrued expenses | ( | ( | |||||||||||||||
| Deferred compensation | ( | ( | |||||||||||||||
| Deferred revenue | ( | ( | |||||||||||||||
| Other assets and liabilities | ( | ( | ( | ||||||||||||||
| Net cash provided by (used in) operating activities | ( | ||||||||||||||||
| Cash flows from investing activities: | |||||||||||||||||
| Maturities of short-term investments | |||||||||||||||||
| Additions to property and equipment | ( | ( | ( | ||||||||||||||
| Equity investment | ( | ||||||||||||||||
| Additions to intangible assets | ( | ( | ( | ||||||||||||||
| Cash paid for acquisition of business | ( | ( | |||||||||||||||
| Net cash used in investing activities | ( | ( | ( | ||||||||||||||
| Cash flows from financing activities: | |||||||||||||||||
| Contingent payment related to acquisition | ( | ||||||||||||||||
| Payments of deferred finance costs | ( | ||||||||||||||||
| Dividends paid | ( | ||||||||||||||||
| Repurchase of common stock, net of excise tax | ( | ( | ( | ||||||||||||||
| Tax payments for restricted stock issuances | ( | ( | ( | ||||||||||||||
| Net cash used in financing activities | ( | ( | ( | ||||||||||||||
| Effect of exchange rate changes on cash | ( | ||||||||||||||||
| Net (decrease) increase in cash | ( | ( | |||||||||||||||
| Cash, cash equivalents, and restricted cash, beginning of period | |||||||||||||||||
| Cash, cash equivalents, and restricted cash, end of period | $ | $ | $ | ||||||||||||||
| Supplemental cash flow disclosures: | |||||||||||||||||
| Cash paid for income taxes, net of refunds | $ | $ | $ | ||||||||||||||
| Supplemental disclosure of noncash financing information: | |||||||||||||||||
| Cash dividend declared, but not yet paid | $ | $ | $ | ||||||||||||||
See accompanying notes to consolidated financial statements.
F-8
OneSpan Inc.
NOTES TO CONSOLIDATED FINANCIAL STATEMENTS
Unless otherwise noted, references in this Annual Report on Form 10-K to “OneSpan” and “Company” refer to OneSpan Inc. and its subsidiaries.
Note 1 – Description of the Company and Basis of Presentation
Description of the Company
OneSpan helps organizations build secure, seamless, and trusted digital experiences through two solution portfolios: Cybersecurity and Digital Agreements. Our cybersecurity solutions protect identities, secure mobile apps, and safeguard access through advanced high-assurance authentication, threat intelligence, fraud prevention, and mobile app protection, defending users, devices, and applications against sophisticated attacks. Our digital agreement solutions streamline agreement workflows with secure e-signatures, identity verification, and smart digital forms, built to enable speed, compliance and exceptional customer experiences. Trusted by leading global enterprises, including more than 60 % of the world’s 100 largest banks, OneSpan processes over a hundred million digital agreements and billions of secure authentication transactions across more than 120 countries each year. OneSpan has operations in Austria, Australia, Belgium, Canada, China, France, Japan, The Netherlands, Singapore, Switzerland, the United Arab Emirates, the United Kingdom (U.K.), and the United States (U.S.).
Business Developments
The Company's two 31.6 million to shareholders in 2025 in the form of quarterly dividends and share repurchases. Beginning in the fourth quarter of 2024 and continuing through 2025, the Company continued to operate profitably while taking a number of important steps to generate future revenue growth, including: the hiring of a Chief Technology Officer in December 2024; the acquisition of Nok Nok Labs, Inc. ("Nok Nok Labs") in June 2025; a strategic investment in ThreatFabric Holding B.V. ("ThreatFabric") in October 2025; and the hiring of a Chief Revenue Officer and the entry into a definitive agreement for the acquisition of Build38 GmbH ("Build 38") in December 2025.
The Company's efforts to broaden and strengthen its product offerings are driven in part by a secular shift away from physical authentication devices such as Digipass tokens. Because consumers increasingly interact with their banks through their mobile devices rather than desktop computers, they are more likely to prefer authentication methods that enable secure, convenient access to mobile banking apps without the need for a physical device. In response to this trend, the Company's bank and financial institution customers have increasingly adopted a “mobile first” approach to consumer authentication that prioritizes the mobile user experience over traditional desktop experiences. This approach has resulted in a reduction of Digipass hardware authenticator sales and an increase in sales of software authentication licenses delivered through software applications on mobile devices. The Company plans to continue to invest in Digipass authenticators, including its newer FIDO2 Digipass devices, as an important component of its broad authentication solution portfolio. The Company is focused on driving revenue growth in higher–margin software solutions, both through further expansion of its Cybersecurity software solutions and through continued growth in its Digital Agreements division.
Dividends
During the year ended December 31, 2025, the Company paid a quarterly cash dividend as part of a recurring quarterly dividend program. The quarterly cash dividend of $0.12
Basis of Presentation
Principles of Consolidation
The consolidated financial statements include the accounts of OneSpan Inc. and its wholly owned subsidiaries. Intercompany accounts and transactions have been eliminated in consolidation.
Use of Estimates
The preparation of financial statements in conformity with U.S. GAAP requires management to make estimates and assumptions that affect the reported amounts of assets and liabilities and disclosure of contingent assets and liabilities at the date of the financial statements and the reported amounts of revenue and expenses during the reporting period.
Note 2 – Summary of Significant Accounting Policies
Cash and Cash Equivalents and Restricted Cash
Cash and cash equivalents are stated at cost plus accrued interest, which approximates fair value. Cash equivalents are high-quality short-term money market instruments and commercial paper with maturities at acquisition of three months or less. Cash and cash equivalents are held by a number of U.S. and non-U.S. commercial banks and money market investment funds.
The Company was a party to lease agreements that required letters of credit to secure the obligations, which totaled $0.2 million as of December 31, 2024. The restricted cash at December 31, 2024 related to letters of credit that were recorded as "Other assets" on the consolidated balance sheet as its requirement was for a period greater than 12 months. This balance is no longer on the consolidated balance sheet as of December 31, 2025 as the restricted cash was replaced by a bank guarantee in conjunction with the Credit Agreement.
Credit Losses
Reasonable assurance of collection is a requirement for revenue recognition. Credit limit adjustments for existing customers may result from the periodic review of outstanding accounts receivable. The Company records trade accounts receivable at invoice values, which are generally equal to fair value.
In accordance with accounting standards update ("ASU") No. 2016-13, the Company evaluates its allowance based on expected losses rather than incurred losses, which is known as the current expected credit loss (“CECL”) model. The allowance is determined using the loss rate approach and is measured on a collective (pool) basis when similar risk characteristics exist. Where financial instruments do not share risk characteristics, they are evaluated on an individual basis. The allowance is based on relevant available information, from internal and external sources, relating to past events, current conditions, and reasonable and supportable forecasts.
F-10
Fair Value of Financial Instruments
Inventories, net
Inventories, consisting principally of hardware and component parts, are stated at the lower of cost or net realizable value. Cost is determined using the first-in-first-out (FIFO) method. The Company writes down inventory when it appears that the carrying cost of the inventory may not be recovered through subsequent sale of the inventory. The Company analyzes the quantity of inventory on hand, the quantity sold in the past year, the anticipated sales volume in the form of sales to new customers as well as sales to previous customers, the expected sales price and the cost of making the sale when evaluating the valuation of inventory.
Property and Equipment, net
Property and equipment, net, is stated at cost less accumulated depreciation. Depreciation is computed using the straight-line method over the estimated useful lives of the related assets ranging from to ten years . Leasehold improvements are depreciated over the lesser of the remaining lease term or ten years . Additions and improvements are capitalized, while expenditures for maintenance and repairs are charged to operations as incurred. Gains or losses resulting from sales or retirements are recorded as incurred, at which time related costs and accumulated depreciation are removed from the accounts.
Leases
The Company determines if an arrangement is a lease at inception. All of the Company's leases are classified as operating leases. Operating lease right-of-use ("ROU") assets and operating lease liabilities are recognized based on the present value of lease payments over the lease term at commencement date. Operating lease ROU assets are comprised of the lease liability plus prepaid rents and are reduced by lease incentives. The Company recognizes lease expense for operating leases on a straight-line basis over the lease term.
Long-Lived and Intangible Assets, net
Finite-lived intangible assets include proprietary technology, customer relationships, and other intangible assets. Intangible assets, other than certain patents and trademarks with indefinite lives, are amortized over the useful life, which range from to seven years for proprietary technology, to twelve years for customer relationships, and to twenty years for patents and trademarks. Intangible assets arising from business combinations, such as acquired technology, customer relationships, and other intangible assets, are originally recorded at fair value.
F-11
Long-lived assets, including property, plant and equipment, operating lease right-of-use assets, finite-lived intangible assets being amortized and capitalized software costs for internal use, are reviewed for impairment whenever events or changes in circumstances indicate that the carrying amount of the long-lived asset group may not be recoverable. An impairment loss shall be recognized if the carrying amount of a long-lived asset group exceeds the sum of the undiscounted cash flows expected to result from the use and eventual disposition of the asset. If it is determined that an impairment loss has occurred, the loss is measured as the amount by which the carrying amount of the long-lived asset group exceeds its fair value. Long-lived assets held for sale are reported at the lower of carrying value or fair value less cost to sell.
Goodwill
Goodwill represents the excess of purchase price over the fair value of net identifiable assets acquired in a business combination. The Company assesses the impairment of goodwill annually or whenever events or changes in circumstances indicate that the carrying value may not be recoverable. The annual impairment test date is October 1.
The Company’s impairment assessment begins with a qualitative assessment to determine whether it is more likely than not that the fair value of a reporting unit is less than its carrying value. The qualitative assessment includes comparing the overall financial performance of the reporting unit against the planned results. Additionally, the reporting unit’s fair value is assessed in light of certain events and circumstances, including macroeconomic conditions, industry and market considerations, cost factors, and other relevant entity and reporting unit specific events. The selection and assessment of qualitative factors used to determine whether it is more likely than not that the fair value of a reporting unit exceeds the carrying value involves significant judgments. If it is determined under the qualitative assessment that it is more likely than not that the fair value of a reporting unit is less than its carrying value, then the estimated fair value of the reporting unit is compared with its carrying value. An impairment charge is recognized for the amount by which the carrying amount exceeds the reporting unit’s fair value.
Equity Investment
On October 3, 2025, the Company purchased a 15 % equity interest in ThreatFabric Holding B.V. ("ThreatFabric") for $11.7 million. The Company also incurred $0.1 million of transaction costs which were capitalized and included in the initial investment balances. ThreatFabric is a Dutch company that provides mobile threat intelligence, malware risk detection, and behavioral analytics.
The Company applies the cost method of accounting to its non-marketable equity investment in ThreatFabric under ASC 321, Investments - Equity Securities. Equity investments without readily determinable fair values are generally classified as non-marketable equity securities. These investments are carried at cost, less any impairment, plus or minus changes resulting from observable price changes in orderly transactions for the identical or a similar investment of the same issuer. Under the cost method of accounting, the Company performs a qualitative assessment at each reporting period to determine if an investment is impaired. If an impairment exists, the investment is written down to its fair value. All gains and losses, realized and unrealized, are recognized in Other expense, net on the consolidated statements of operations. There were no investment impairments for the year ended December 31, 2025.
Other Accrued Expenses
Other accrued expenses consist of the following:
| December 31, | |||||||||||
| (In thousands) | 2025 | 2024 | |||||||||
| Current operating lease liabilities | $ | $ | |||||||||
| Accrued sales tax and VAT | |||||||||||
| Acquisition hold back | |||||||||||
| Other accrued expenses | |||||||||||
| Accrued professional fees | |||||||||||
| Total | $ | $ | |||||||||
F-12
Share Repurchase Program
On May 9, 2024, the board of directors terminated the stock repurchase program adopted on May 11, 2022 and adopted a new stock repurchase program under which the Company is authorized to repurchase up to $50.0 million of its issued and outstanding shares of common stock. Share purchases under the program will take place in open market transactions, privately negotiated transactions or tender offers, and may be made from time to time depending on market conditions, share price, trading volume, and other factors. The timing of the repurchases and the amount of stock repurchased in each transaction is subject to OneSpan’s sole discretion and will depend upon market and business conditions, applicable legal and credit requirements and other corporate considerations. The authorization is effective until May 9, 2026 unless the total amount has been used or the repurchase program is terminated by the board of directors. The Company repurchased 1,006,376 shares of its issued and outstanding common shares pursuant to this program in the year ended December 31, 2025. The average purchase price paid for these shares was $12.99 , or an aggregate cost of approximately $13.1 million. As of December 31, 2025, approximately $36.9 million remained available for potential future repurchases under the repurchase program. The Company did not repurchase any shares under this plan during the year ended December 31, 2024.
Revenue Recognition
The Company records revenue in accordance with ASC Topic 606, Revenue from Contracts with Customers. It determines revenue recognition through the following steps:
•Identification of the contract, or contracts, with a customer;
•Identification of the performance obligations in the contract;
•Determination of the transaction price;
•Allocation of the transaction price to the performance obligations in the contract; and
•Recognition of revenue when, or as, we satisfy a performance obligation.
Revenues are recognized when control of the promised goods or services is transferred to the Company's customers in an amount that reflects the consideration we expect to be entitled to in exchange for those products or services, which excludes any sales incentives and amounts collected on behalf of third parties. Taxes assessed by a governmental authority that are both imposed on and concurrent with a specific revenue-producing transaction, that are collected by the Company from a customer, are excluded from revenue. Shipping and handling costs associated with outbound freight before control over a product has transferred to a customer are accounted for as a fulfillment cost and are included in Cost of goods sold.
Nature of Goods and Services
The Company derives its revenues primarily from product and license revenue, which includes hardware products and on-premises subscription revenue, and services and other, which is inclusive of cloud subscription revenue, maintenance and support, and professional services.
Subscription: Subscription includes cloud and on-premises subscription revenue.
Cloud subscription revenues are generated from the Company's Cybersecurity and Digital Agreements service offerings. Standard customer arrangements do not provide the customer with the right to take possession of the software supporting the cloud-based application service at any time. As such, these arrangements are considered service contracts and revenue is recognized ratably over the service period of the contract. Customer payments are normally in advance for annual service.
F-13
Revenue from the sale of on-premises subscription revenue is recorded upon delivery which is the later of when the customer receives the ability to access the software or when they are legally allowed to use the software. No significant obligations or contingencies exist with regard to delivery, customer acceptance or rights of return at the time revenue is recognized. The Company offers term licenses for on-premises subscription revenue ranging from to five years in length. For term licenses, payments are either on installment or in advance. In limited circumstances, the Company integrates third-party software solutions into its software products. The Company has determined that, consistent with its conclusion under prior revenue recognition rules, the Company acts as the principal with respect to the satisfaction of the related performance obligation and records the corresponding revenue on a gross basis from these transactions. The fees owed to the third parties are recognized as a component of cost of goods sold when the revenue is recognized. For transactions in which the Company does not act as the principal, the Company recognizes revenue on a net basis which is immaterial for the years ended December 31, 2025, 2024, and 2023.
Maintenance and support: Maintenance and support agreements generally call for the Company to provide software updates and technical support to customers. The annual fee for maintenance and support is recognized ratably over the term of the maintenance and support agreement as this is the period the services are delivered. Customer payments are normally in advance for annual service.
Professional services and other revenue: Professional services revenues are primarily comprised of implementing, automating and extending business processes, technology infrastructure, and software applications. Professional services revenues are recognized over time as services are rendered, usually over a period of time that is generally less than 12 months, most of which, are derived from projects performed on a fixed fee. For fixed fee contracts, revenues are generally recognized using an input method based on the ratio of hours expended to total estimated hours to complete the services. Customer payments normally correspond with delivery. Professional services and other includes perpetual software licenses revenue, which was immaterial 1 % of total revenue for the year ended December 31, 2023. Perpetual licenses grant the customer unlimited access to the software.
Hardware products: Revenue from the sale of security hardware is recorded upon shipment, which is the point at which control of the goods are transferred and the performance obligations are completed, unless there are specific terms that would suggest control is transferred at a later date (e.g. delivery). No significant obligations or contingencies typically exist with regard to delivery, customer acceptance or rights of return at the time revenue is recognized. Customer invoices and subsequent payments normally correspond with delivery.
Multiple-Element Arrangements
In the Company's typical multiple-element arrangement, the primary deliverables include:
1.A client component (i.e. an item that is used by the person being authenticated in the form of either a new standalone hardware device or software that is downloaded onto a device that the customer already owns);
2.Server system software that is installed on the customer’s systems (i.e. software on the server system that verifies the identity of the person being authenticated) or licenses for additional users on the server system software if the server system software had been installed previously; and
3.Post contract support in the form of maintenance on the server system software or support.
The Company's multiple-element arrangements may also include other items that are usually delivered prior to the recognition of any revenue and are incidental to the overall transaction such as initialization of the hardware device, customization of the hardware device itself or the packaging in which it is delivered, deployment services where the Company delivers the device to its customer’s end-use customer or employee and, in some limited cases, professional services to assist with the initial implementation of a new customer.
F-14
For contracts that contain multiple performance obligations, the transaction price is allocated to the separate performance obligations based on their estimated relative standalone selling price. Judgment is required to determine the stand-alone selling price (“SSP”) of each distinct performance obligation. We determine SSP for maintenance and support based on observable inputs; specifically, the range of prices charged to customers to renew annual maintenance and support contracts. In instances where SSP is not directly observable, and when we sell at a highly variable price range, such as for transactions involving cloud and on-premise subscription-based licenses or hardware, we determine the SSP for those performance obligations using the residual approach.
Significant Judgments
The Company enters into contracts to deliver a combination of hardware devices, software licenses, subscriptions, maintenance and support and, in some situations, professional services. The Company evaluates the nature of the goods or services promised in these arrangements to identify the distinct performance obligations. Determining whether products and services are considered distinct performance obligations that should be accounted for separately versus together may require significant judgment depending on the terms and conditions of the respective customer arrangement. When a hardware client device and licenses to server software are sold in a contract, they are treated as a single performance obligation because the software license is deemed to be a component of the hardware that is integral to the functionality of the hardware that is used by customers for identity authentication. When a software client device is sold in a contract server software, the licenses are considered a single performance obligation to deliver the authentication solution to the customer. In either of these types of arrangements, maintenance and support and professional services are typically distinct separate performance obligations from the hardware or software solutions. Contracts to deliver subscription services typically do not include multiple performance obligations; however, in certain limited cases customers may purchase professional services that are distinct performance obligations.
Cost of Goods Sold
Cost of goods sold related to product and license include direct product costs and direct costs, including personnel costs, production costs, and freight costs. Cost of goods sold related to service and other revenues are primarily costs related to cloud subscription solutions, including personnel, equipment costs, and capitalized software costs and internal professional services and maintenance support.
Sales and Marketing
Research and Development Costs
Research and development expenses primarily include payroll and payroll-related costs for employees who are directly associated with the internal-use software projects, external direct costs of materials and services costs while developing the software. Capitalized software costs are included in “Property and equipment, net” on the consolidated balance sheets and are depreciated using the straight-line method over the estimated life of three years . Capitalization of such costs ceases when the project is substantially complete and ready for its intended purpose. Costs incurred during the preliminary project and post-implementation stages, as well as software maintenance and training costs, are expensed in the period in which they are incurred. Other costs for research and development, principally the design and development of hardware, and the design and development of software prior to the determination of technological feasibility, are also expensed as incurred on a project-by-project basis.
F-15
Share-Based Compensation
The Company has share-based employee compensation plans, described in Note 15, Share Compensation Plans. ASC 718, Stock Compensation, requires the Company to estimate the fair value of restricted stock granted to employees, directors and others to record compensation expense equal to the estimated fair value. Compensation expense is recorded on a straight-line basis over the vesting period for time-based awards, and performance and market-based awards with cliff vesting provisions and on a graded basis for performance and market-based awards with graded vesting provisions. Forfeitures are recorded as incurred.
Retirement Benefits
The Company records annual expenses relating to defined benefit pension plans based on calculations which include various actuarial assumptions, including discount rates, assumed asset rates of return, compensation increases, and turnover rates. The Company reviews its actuarial assumptions on an annual basis and makes modifications to the assumptions based on current rates and trends. The effects of gains, losses, and prior service costs and credits are amortized over the average service life. The funded status, or projected benefit obligation less plan assets, for each plan, is reflected in the consolidated financial statements using a December 31 measurement date.
Other Expense, net
Income Taxes
The Company calculates and provides for income taxes in each tax jurisdiction in which it operates. The provision for income taxes includes the amounts payable or refundable for the current year, the effect of deferred taxes and impacts from uncertain tax positions. The Company’s provision for income taxes is significantly affected by shifts in the geographic mix of its pre-tax earnings across tax jurisdictions, changes in valuation allowance, changes in tax laws and regulations, and tax planning opportunities available in each tax jurisdiction.
Deferred tax assets and liabilities are recognized for the expected future tax consequences of temporary differences between the financial statement and tax bases of the Company's assets and liabilities and for operating losses and tax credit carryforwards. Deferred tax assets and liabilities are measured using enacted tax rates that will apply to taxable income in the years in which those differences are expected to be recovered or settled. Valuation allowances are established for deferred tax assets when it is more likely than not that a tax benefit will not be realized. The Company recognizes the effect of a change in tax rates on deferred tax assets and liabilities and in income in the period that includes the enactment date.
The Company recognizes tax benefits for tax positions that are more likely than not to be sustained upon examination by tax authorities. The amount recognized is measured as the largest amount of benefit that is greater than 50 percent likely to be realized upon ultimate settlement. Unrecognized tax benefits are tax benefits claimed in the Company's income tax returns that do not meet these recognition and measurement standards. Assumptions, judgments, and the use of estimates are required in determining whether the “more-likely-than-not” standard has been met when developing the provision for income taxes.
The Company recognizes the tax impact of including certain foreign earnings in U.S. taxable income as a period cost. The Company has recognized deferred income taxes for local country income and withholding taxes that could be incurred on distributions of non-U.S. earnings because management does not plan to indefinitely reinvest such earnings.
F-16
Recently Issued Accounting Pronouncements
From time to time, new accounting pronouncements are issued by the Financial Accounting Standards Board (FASB) or other standard setting bodies that are adopted by the Company as of the specified effective date.
In December 2023, the FASB issued ASU 2023-09, Income Taxes (Topic 740) – Improvements to Income Tax Disclosures, which is intended to enhance the transparency and decision usefulness of income tax disclosures. Public business entities are required to adopt for annual fiscal periods beginning after December 15, 2024 and early adoption is permitted. The Company adopted the standard effective December 31, 2025 (see Note 14, Income Taxes).
In November 2024, the FASB issued ASU 2024-03, Comprehensive Income (Topic 220) – Disaggregation of Income Statement Expenses, to improve financial reporting by requiring disclosures in the notes to financial statements about specific types of expenses included in the expense captions presented on the face of the statement of operations. The requirements of the ASU are effective for annual reporting periods beginning after December 15, 2026, and for interim reporting periods beginning after December 15, 2027, with early adoption permitted. The requirements are able to be applied prospectively with the option for retrospective application. The Company is evaluating the impact the adoption of this guidance will have on its consolidated financial statements and related disclosures.
Note 3 – Segment Information
Segments are defined as components of a company that engage in business activities from which they may earn revenues and incur expenses, and for which separate financial information is available and is evaluated regularly by the chief operating decision maker ("CODM") in deciding how to allocate resources and in assessing performance. The Company’s CODM is its Chief Executive Officer. The Company's reportable segments are divisions that offer different products and services and are as follows:
•Cybersecurity. Cybersecurity, formerly Security Solutions, consists of our broad portfolio of software products, software development kits ("SDKs") and Digipass authenticator devices that are used to build applications designed to defend against attacks on digital transactions across online environments, devices, and applications. The software products and SDKs included in the Cybersecurity segment are delivered through on-premises and cloud-based deployment models and include standards-based authentication technologies such as Fast Identity Online ("FIDO") authentication and passkeys, multi-factor authentication, transaction signing solutions and mobile application security.
•Digital Agreements. Digital Agreements consists of solutions that enable our clients to secure and automate business processes associated with their digital agreement and customer transaction lifecycles that require consent, non-repudiation and compliance. These solutions, which are cloud-based, include OneSpan Sign e-signature, OneSpan Notary, and OneSpan Identity Verification.
The CODM evaluates performance for both reportable segments based on segment revenue, gross margins and operating income (loss). When using these metrics, the CODM considers forecast-to-actual variances on a quarterly basis when making decisions about the allocation of operating and capital resources to each segment. The CODM also uses these metrics for evaluating pricing strategy to assess the performance of each segment by comparing the results of each segment with one another and in determining the compensation of certain employees.
F-17
Segment operating income (loss) consists of the revenues generated by a segment, less the direct costs of revenue, sales and marketing expenses, research and development expenses, general and administrative expenses, restructuring and other related charges, and amortization of intangible assets expense that are incurred directly by a segment. Sales and marketing and research and development expenses were determined to be significant segment expenses. Unallocated corporate costs include costs related to administrative functions that are performed in a centralized manner that are not attributable to a particular segment. The accounting policies of both reportable segments are the same as those described in Note 2, Summary of Significant Accounting Policies.
Prior to 2023, the Company allocated certain cost of goods sold and operating expenses to its two
The tables below set forth information about the Company’s operating segments for the years ended December 31, 2025, 2024, and 2023, along with the items necessary to reconcile the segment information to the totals reported in the accompanying consolidated financial statements.
| Year Ended December 31, 2025 | |||||||||||||||||||||||
| (In thousands) | Cybersecurity | Digital Agreements | Corporate and Other | Total | |||||||||||||||||||
Revenue | $ | $ | $ | $ | |||||||||||||||||||
| Cost of goods sold | |||||||||||||||||||||||
| Gross profit | |||||||||||||||||||||||
| Gross margin | * | ||||||||||||||||||||||
| Sales and marketing | |||||||||||||||||||||||
| Research and development | |||||||||||||||||||||||
| Other segment items (2)(4) | |||||||||||||||||||||||
| Operating income (loss) (3)(5) | ( | ||||||||||||||||||||||
Interest income, net | |||||||||||||||||||||||
| Other expense, net | ( | ||||||||||||||||||||||
| Income before income taxes | $ | ||||||||||||||||||||||
| Year Ended December 31, 2024 | |||||||||||||||||||||||
| (In thousands) | Cybersecurity | Digital Agreements | Corporate and Other | Total | |||||||||||||||||||
Revenue | $ | $ | $ | $ | |||||||||||||||||||
| Cost of goods sold | |||||||||||||||||||||||
| Gross profit (1) | ( | ||||||||||||||||||||||
| Gross margin | * | ||||||||||||||||||||||
| Sales and marketing | |||||||||||||||||||||||
| Research and development | |||||||||||||||||||||||
| Other segment items (2)(4) | |||||||||||||||||||||||
| Operating (loss) income (3)(5) | ( | ||||||||||||||||||||||
Interest income, net | |||||||||||||||||||||||
| Other expense, net | ( | ||||||||||||||||||||||
| Income before income taxes | $ | ||||||||||||||||||||||
F-18
| Year Ended December 31, 2023 | |||||||||||||||||||||||
| (In thousands) | Cybersecurity | Digital Agreements | Corporate and Other | Total | |||||||||||||||||||
Revenue | $ | $ | $ | $ | |||||||||||||||||||
| Cost of goods sold | |||||||||||||||||||||||
Gross profit | ( | ||||||||||||||||||||||
| Gross margin | * | ||||||||||||||||||||||
| Sales and marketing | |||||||||||||||||||||||
| Research and development | |||||||||||||||||||||||
| Other segment items (2)(4) | |||||||||||||||||||||||
| Operating income (loss) (3)(5) | ( | ( | ( | ||||||||||||||||||||
Interest income, net | |||||||||||||||||||||||
| Other expense, net | ( | ||||||||||||||||||||||
Income (loss) before income taxes | $ | ( | |||||||||||||||||||||
* Percentage not meaningful
(1) Digital Agreements gross profit includes an intangible asset write-off of $0.8 million and an internal capitalized software write-off of $0.7 million for the year ended December 31, 2024 (see Note 8, Intangible Assets, net and Note 9, Property and Equipment, net).
(2) Cybersecurity other segment items includes general and administrative expense, restructuring and other related charges, and amortization of intangibles for the years ended December 31, 2025, 2024, and 2023.
(3) Cybersecurity operating income includes $1.3 million, $0.9 million, and $0 of total amortization and depreciation expense for the years ended December 31, 2025, 2024, and 2023, respectively.
Cybersecurity operating income includes $0.3 million, $2.0 million, and $5.5 million of restructuring and other related charges for the years ended December 31, 2025, 2024, and 2023, respectively.
(4) Digital Agreements other segment items includes general and administrative expense, restructuring and other related charges, and amortization of intangibles for the years ended December 31, 2025, 2024, and 2023.
(5) Digital Agreements operating income includes $7.5 million, $6.2 million, and $3.7 million of total amortization and depreciation for the years ended December 31, 2025, 2024, and 2023, respectively.
Digital Agreements operating income includes $1.0 million, $1.7 million, and $3.7 million of restructuring and other related charges for the years ended December 31, 2025, 2024, and 2023, respectively.
The following tables illustrate the disaggregation of revenues by category and services, including a reconciliation of the disaggregated revenues to revenues from the Company's two
| Years Ended December 31, | |||||||||||||||||||||||||||||||||||
| 2025 | 2024 | 2023 | |||||||||||||||||||||||||||||||||
| (In thousands) | Cybersecurity | Digital Agreements | Cybersecurity | Digital Agreements | Cybersecurity | Digital Agreements | |||||||||||||||||||||||||||||
| Subscription | $ | $ | $ | $ | $ | $ | |||||||||||||||||||||||||||||
| Maintenance and support | |||||||||||||||||||||||||||||||||||
| Professional services and other | |||||||||||||||||||||||||||||||||||
| Hardware products | |||||||||||||||||||||||||||||||||||
| Total Revenue | $ | $ | $ | $ | $ | $ | |||||||||||||||||||||||||||||
F-19
Asset information by segment is not reported to or reviewed by the CODM to allocate resources, and therefore, the Company has not disclosed asset information for the segments.
Note 4 – Revenue
Disaggregation of Revenues
The following tables present the Company's revenues disaggregated by major products and services, geographical region and timing of revenue recognition.
Revenue by major products and services
| Years Ended December 31, | |||||||||||||||||
| (In thousands) | 2025 | 2024 | 2023 | ||||||||||||||
| Subscription | $ | $ | $ | ||||||||||||||
| Maintenance and support | |||||||||||||||||
| Professional services and other | |||||||||||||||||
| Hardware products | |||||||||||||||||
| Total Revenue | $ | $ | $ | ||||||||||||||
Revenue by location of customer for the years ended December 31, 2025, 2024, and 2023
| Years Ended December 31, | |||||||||||||||||
| (In thousands, except percentages) | 2025 | 2024 | 2023 | ||||||||||||||
| EMEA | $ | $ | $ | ||||||||||||||
| Americas | |||||||||||||||||
| APAC | |||||||||||||||||
| Total revenue | $ | $ | $ | ||||||||||||||
| % of Total Revenue | |||||||||||||||||
| EMEA | % | % | % | ||||||||||||||
| Americas | % | % | % | ||||||||||||||
| APAC | % | % | % | ||||||||||||||
Timing of revenue recognition
| Years Ended December 31, | |||||||||||||||||
| (In thousands) | 2025 | 2024 | 2023 | ||||||||||||||
| Products and Licenses transferred at a point in time | $ | $ | $ | ||||||||||||||
| Services transferred over time | |||||||||||||||||
| Total Revenue | $ | $ | $ | ||||||||||||||
F-20
Contract balances
The following table provides information about receivables, contract assets and contract liabilities from contracts with customers as of December 31, 2025 and 2024:
| (In thousands) | December 31, | ||||||||||
| 2025 | 2024 | ||||||||||
| Receivables, inclusive of trade and unbilled | $ | $ | |||||||||
| Contract Assets (current and non-current) | $ | $ | |||||||||
| Contract Liabilities (deferred revenue current and non-current) | $ | $ | |||||||||
Contract assets relate primarily to multi-year term license arrangements and the remaining contractual billings. These contract assets are transferred to receivables when the right to billing occurs over a 2 - to 5 -year period. The contract liabilities primarily relate to the advance consideration received from customers for subscription and maintenance services. Revenue is recognized for these services over time.
As a practical expedient, the Company does not adjust the promised amount of consideration for the effects of a significant financing component when it is expected, at contract inception, that the period between the Company's transfer of a promised product or service to a customer and when the customer pays for that product or service will be one year or less. Extended payment terms are not typically included in contracts with customers.
Revenue recognized during the year ended December 31, 2025 included $66.1 million that was included on the December 31, 2024 consolidated balance sheet in contract liabilities.
Transaction price allocated to the remaining performance obligations
Remaining performance obligations represent the revenue that is expected to be recognized in future periods related to performance obligations that are unsatisfied, or partially unsatisfied, as of the end of the period. The following table includes estimated revenue expected to be recognized in the future related to performance obligations that are unsatisfied (or partially unsatisfied) as of December 31, 2025:
| (In thousands) | 2026 | 2027 | 2028 | Beyond 2028 | Total | ||||||||||||||||||||||||
| Future revenue related to current unsatisfied performance obligations | $ | $ | $ | $ | $ | ||||||||||||||||||||||||
The Company applies practical expedients and does not disclose information about remaining performance obligations (a) that have original expected durations of one year or less, or (b) where revenue is recognized as invoiced.
Costs of obtaining a contract
The Company incurs incremental costs related to commissions, which can be directly tied to obtaining a contract. The Company capitalizes commissions associated with certain new contracts and amortizes the costs over a period of up to seven years , which is the determined benefit period based on the estimated customer relationship period or customer benefit period. The Company determined the period of benefit by taking into consideration the customer contracts, its technology and other factors, including customer attrition. Commissions and amortization expense are included in “Sales and marketing” expense in the consolidated statements of operations.
Applying the practical expedient, the Company recognizes the incremental costs of obtaining contracts as an expense when incurred if the amortization period for the assets that the Company otherwise would have recognized is one year or less. These costs are included in the “Sales and marketing” caption in the consolidated statements of operations.
The following tables provide information related to the capitalized costs and amortization recognized in the current and prior period within "Other current assets" and "Other assets" on the consolidated balance sheets:
F-21
| December 31, | |||||||||||
| (In thousands) | 2025 | 2024 | |||||||||
| Capitalized costs to obtain contracts, current | $ | $ | |||||||||
| Capitalized costs to obtain contracts, non-current | $ | $ | |||||||||
| (In thousands) | Years Ended December 31, | ||||||||||
| 2025 | 2024 | ||||||||||
| Amortization of capitalized costs to obtain contracts | $ | $ | |||||||||
Note 5 – Inventories, net
Inventories, net, are comprised of the following as of December 31, 2025 and 2024:
| December 31, | |||||||||||
| (In thousands) | 2025 | 2024 | |||||||||
| Component parts | $ | $ | |||||||||
| Work-in-process and finished goods | |||||||||||
| Total | $ | $ | |||||||||
Note 6 - Business Acquisitions
Nok Nok Labs Acquisition
On June 4, 2025, the Company acquired Nok Nok Labs pursuant to a merger agreement (the "Merger Agreement") that resulted in the Company purchasing all of the outstanding equity interests of Nok Nok Labs. Nok Nok Labs is a leading provider of passwordless software authentication solutions that use FIDO (Fast IDentity Online) authentication protocols. The technology acquired in the acquisition is expected to provide OneSpan's customers with a wider range of flexible, adaptable authentication options. The acquisition was accounted for as a business combination in accordance with ASC 805, Business Combinations, using the acquisition method of accounting. Under this method, the Company recognized the identifiable assets acquired and liabilities assumed at their fair values as of the acquisition date.
Pursuant to the terms of the Merger Agreement, the total purchase consideration for the acquisition was $19.2 million, consisting of $14.7 million in cash consideration paid, $1.8 million in cash acquired, and $2.7 million in deferred consideration. The $2.7 million (the "Holdback Amount") has been held back as security for potential indemnity claims made by the Company. Any unused portion of the Holdback Amount will be released to Nok Nok Labs security holders 18 months after the acquisition date. The Company incurred transaction related expenses of $1.1 million in connection with the acquisition of Nok Nok Labs, which expenses are included in general and administrative expenses on the consolidated statement of operations for the year ended December 31, 2025.
Nok Nok Labs is allocated entirely to the Company's Cybersecurity reportable operating segment. The following table summarizes the fair values of the assets acquired and liabilities assumed:
F-22
| (In thousands) | Final Opening Balance Sheet | ||||
| Fair value of assets acquired and liabilities assumed: | |||||
| Cash and cash equivalents | $ | ||||
| Accounts receivable, net | |||||
| Prepaid expenses | |||||
| Property and equipment, net | |||||
| Other assets | |||||
| Operating lease right-of-use assets | |||||
| Developed technology | |||||
| Customer relationships | |||||
| Goodwill | |||||
| Deferred tax asset, net of valuation allowance | |||||
| Accounts payable | ( | ||||
| Other accrued expenses | ( | ||||
| Short-term lease liabilities | ( | ||||
| Deferred revenue | ( | ||||
| State income tax liability | ( | ||||
| Deferred tax liability | ( | ||||
| Total net assets acquired | $ | ||||
| Total consideration | $ | ||||
| Hold back | ( | ||||
| Cash acquired | ( | ||||
| Cash paid for acquisition of business, net of cash acquired | $ | ||||
The fair value of the acquired accounts receivable approximates the carrying value due to the short-term nature of the expected timeframe to collect the amounts due to the Company and the contractual cash flows expected to be collected related to these receivables.
As part of the purchase price allocation, the Company determined intangible assets were developed technology and customer relationships. The fair value of the intangible assets was estimated using a market approach. The estimated useful lives over which intangible assets will be amortized are as follows: developed technology (6 years) and customer relationships (5 years).
The excess of the provisional purchase price over the estimated fair value of the tangible and intangible assets acquired and liabilities assumed has been recorded as goodwill. The acquisition resulted in recorded goodwill attributable to expected growth opportunities, potential synergies from combining the acquired business into the Company’s existing businesses and an assembled workforce. Goodwill is not expected to be deductible for tax purposes.
Deferred revenue was recorded under ASC 606 in accordance with ASU 2021-08, Business Combinations (Topic 805), Accounting for Contract Assets and Contract Liabilities from Contracts with Customers; therefore, a reduction in deferred revenues related to the estimated fair values of the acquired deferred revenues was not required.
The consolidated financial statements for the year ended December 31, 2025 include the results of operations related to the Nok Nok Labs acquisition from the June 4, 2025 acquisition date through December 31, 2025.
The financial impact of this acquisition was not material to the consolidated financial statements, and therefore, the Company has not presented pro forma results of operations for the acquisition. Furthermore, revenue and net income from Nok Nok Labs have not been separately presented for the year ended December 31, 2025 as they were immaterial to the Company's overall revenue and net income for the period.
F-23
Planned Build38 GmbH Acquisition
On December 23, 2025, the Company's subsidiary, OneSpan Europe N.V., entered into an agreement to acquire all outstanding shares of Build38 GmbH ("Build38") for $38.8 million, subject to customary closing purchase price adjustments and an 18-month holdback arrangement. Build38 is a leader in next-generation mobile application protection solutions and will extend the Company's investment in advanced mobile security technologies. The planned acquisition is expected to enhance OneSpan’s App Shielding offering by adding SDK-based security solutions that integrate in-app, cloud, and AI technologies. These enhancements will provide businesses with strong protection against the growing wave of attacks targeting the mobile channel, as well as critical intelligence and telemetry on the mobile devices where the applications are deployed. The planned transaction is currently expected to close by March 2026, subject to customary closing conditions.
Proven DB Acquisition
On February 22, 2023, the Company acquired substantially all of the assets of the ProvenDB business of Southbank Software Pty Ltd. ("ProvenDB") under the terms of an asset purchase agreement. Pursuant to the terms of the asset purchase agreement, the total consideration for the acquisition was $2.0 million, of which $1.8 million was paid in cash at closing. The remaining $0.2 million was held back as security for any indemnity claims made by the Company. If no indemnity claims are made by the Company this amount is required to be paid to the seller 12 months after the acquisition date. The Company paid the full amount of $0.2 million to the seller in February 2024.
ProvenDB is a developer of secure storage that leverages blockchain technology in order to prevent data tampering or alteration of documents. The technology acquired in the acquisition was expected to provide a foundational architecture for future blockchain-based digital solutions, including secure storage, and was allocated entirely to the Digital Agreements reportable operating segment.
Note 7 – Goodwill
The following table presents the changes in goodwill for the years ended December 31, 2024 and 2025:
(In thousands) | Cybersecurity | Digital Agreements | Total | |||||||||||||||||
| Net balance at January 1, 2024 | $ | $ | $ | |||||||||||||||||
| Net foreign currency translation | ( | ( | ( | |||||||||||||||||
| Net balance at December 31, 2024 | ||||||||||||||||||||
| Acquisition during the period (1) | ||||||||||||||||||||
| Net foreign currency translation | ||||||||||||||||||||
| Net balance at December 31, 2025 | $ | $ | $ | |||||||||||||||||
F-24
Note 8 – Intangible Assets, net
Intangible assets, net as of December 31, 2025 and 2024 consist of the following:
| December 31, | |||||||||||||||||||||||||||||
| 2025 | 2024 | ||||||||||||||||||||||||||||
| (In thousands) | Useful Life (in years) | Gross Carrying Amount | Accumulated Amortization | Gross Carrying Amount | Accumulated Amortization | ||||||||||||||||||||||||
| Acquired technology | $ | $ | ( | $ | $ | ( | |||||||||||||||||||||||
| Customer relationships | ( | ( | |||||||||||||||||||||||||||
| Patents and trademarks | ( | ( | |||||||||||||||||||||||||||
| Total | $ | $ | ( | $ | $ | ( | |||||||||||||||||||||||
Amortization expense was $2.8 million, $2.6 million, and $2.8 million for the years ended December 31, 2025, 2024, and 2023, respectively. Amortization expense includes cost of sales amortization expense directly related to delivering cloud subscription revenue of $0.3 million, $0.2 million, and $0.4 million for the years ended December 31, 2025, 2024 and 2023, respectively. Costs are recorded in "Services and other cost of goods sold" on the consolidated statements of operations.
Certain intangible assets are denominated in local currencies and are subject to currency fluctuations.
In connection with the continued execution of cost reductions, during the quarter ended June 30, 2024, the Company decided to stop any incremental development investments supporting its previously acquired blockchain technology and related commercial efforts (see Note 20, Restructuring and Other Related Charges). This asset contributed no revenue as it was still in its investment stage. As a result, the Company wrote-off $0.8 million associated with the remaining unamortized value of this intangible asset in "Services and other cost of goods sold" on the consolidated statement of operations for the year ended December 31, 2024.
There were no additional write-offs or impairments of intangible assets recorded during the years ended December 31, 2025, 2024, and 2023.
The estimated future amortization expense of intangible assets as of December 31, 2025, is as follows:
| 2026 | $ | ||||
| 2027 | |||||
| 2028 | |||||
| 2029 | |||||
| 2030 | |||||
| Thereafter | |||||
| Subject to amortization | |||||
| Trademarks | |||||
| Total intangible assets | $ | ||||
F-25
Note 9 – Property and Equipment, net
The following table presents the major classes of property and equipment, net, as of December 31, 2025 and 2024:
| December 31, | |||||||||||||||||
| (In thousands) | Useful Life (in years) | 2025 | 2024 | ||||||||||||||
| Office equipment and software | $ | $ | |||||||||||||||
| Leasehold improvements | |||||||||||||||||
| Furniture and fixtures | |||||||||||||||||
| Capitalized software | |||||||||||||||||
| Total | |||||||||||||||||
| Accumulated depreciation | ( | ( | |||||||||||||||
| Property and equipment, net | $ | $ | |||||||||||||||
Depreciation expense was $7.3 million, $5.8 million, and $3.7 million for the years ended December 31, 2025, 2024, and 2023, respectively. Depreciation expense includes cost of sales depreciation expense directly related to delivering cloud subscription revenue of $5.2 million, $3.1 million, and $1.1 million for the years ended December 31, 2025, 2024, and 2023, respectively. Costs are recorded in "Services and other cost of goods sold" on the consolidated statements of operations.
During the year ended December 31, 2025, the Company recorded a write-off of $0.7 million for capitalized labor, of which $0.3 million was recognized in "Services and other cost of goods sold" on the consolidated statements of operations for the year ended December 31, 2025. The remaining write-off amount of $0.4 million was recognized in "Restructuring and other related charges" on the consolidated statements of operations for the year ended December 31, 2025.
In connection with the continued execution of cost reductions, the Company decided to stop any incremental development investments supporting its previous acquired blockchain technology and related commercial efforts. As a result, the Company wrote-off the internal capitalized software used to build out connection points for its blockchain technology and its e-signature product (see Note 20, Restructuring and Other Related Charges). The total write-off amounted to $1.0 million within property and equipment, net, of which $0.7 million was recognized in "Services and other cost of goods sold" on the consolidated statement of operations for the year ended December 31, 2024. The remaining write-off amount of $0.3 million was recognized in "Restructuring and other related charges" on the consolidated statement of operations for the year ended December 31, 2024.
Note 10 – Fair Value Measurements
The fair values of cash equivalents, accounts receivables, and accounts payable approximate their carrying amounts due to their short duration. The fair value hierarchy is based on inputs to valuation techniques that are used to measure fair value that are either observable or unobservable. Observable inputs reflect assumptions market participants would use in pricing an asset or liability based on market data obtained from independent sources while unobservable inputs reflect a reporting entity’s pricing base upon its own market assumptions.
The estimated fair value of financial instruments has been determined by using available market information and appropriate valuation methodologies, as defined in ASC 820, Fair Value Measurements. The fair value hierarchy consists of the following three levels:
•Level 1 – Inputs are quoted prices in active markets for identical assets or liabilities.
•Level 2 – Inputs are quoted prices for similar assets or liabilities in an active market, quoted prices for identical or similar assets or liabilities in markets that are not active, inputs other than quoted prices that are observable and market-corroborated inputs which are derived primarily from or corroborated by observable market data.
•Level 3 – Inputs are derived from valuation techniques in which one or more significant inputs or value drivers are unobservable.
F-26
The following tables summarize the Company’s financial assets by level in the fair value hierarchy, which are measured at fair value on a recurring basis, as of December 31, 2025 and 2024:
| Fair Value Measurement at Reporting Date Using | |||||||||||||||||||||||
| (In thousands) | December 31, 2025 | Quoted Prices in Active Markets for Identical Assets (Level 1) | Significant Other Observable Inputs (Level 2) | Significant Unobservable Inputs (Level 3) | |||||||||||||||||||
| Assets: | |||||||||||||||||||||||
| Money Market Funds | $ | $ | $ | $ | |||||||||||||||||||
| Fair Value Measurement at Reporting Date Using | |||||||||||||||||||||||
| (In thousands) | December 31, 2024 | Quoted Prices in Active Markets for Identical Assets (Level 1) | Significant Other Observable Inputs (Level 2) | Significant Unobservable Inputs (Level 3) | |||||||||||||||||||
| Assets: | |||||||||||||||||||||||
| U.S. Treasury Notes | $ | $ | |||||||||||||||||||||
| Money Market Funds | $ | $ | $ | $ | |||||||||||||||||||
The Company did not
Note 11 – Allowance for Credit Losses
The following table presents the changes in the allowance for credit losses during the years ended December 31, 2024 and 2025:
| (In thousands) | |||||
| Balance at January 1, 2024 | $ | ||||
| Provision | |||||
| Write-offs | ( | ||||
| Balance at December 31, 2024 | |||||
| Provision | |||||
| Write-offs | ( | ||||
| Balance at December 31, 2025 | $ | ||||
Note 12 – Debt
On June 23, 2025, the Company entered into a $100.0 million credit agreement (the “Credit Agreement") with MUFG Bank, Ltd ("MUFG"), as administrative agent, swingline lender and letter of credit issuer, and other lenders party thereto. The Credit Agreement provides for a $100.0 million revolving credit facility with a $10.0 million letter of credit sublimit and a $10.0 million swingline loan sublimit. As of December 31, 2025, the Company had outstanding letters of credit of $0.4 million and no borrowings outstanding under the Credit Agreement. Any outstanding letters of credit reduce the availability of funds to borrow.
F-27
The proceeds of borrowings under the Credit Agreement may be used for general corporate purposes. The Company may borrow, repay and reborrow funds under the revolving credit facility until its maturity on June 23, 2030. Revolving loans may be prepaid by the Company, subject to notice and minimum threshold requirements, without penalty or premium, subject to customary breakage costs. The Company is required to pay a commitment fee on the daily unused amount of the revolving credit facility commitments ranging from 0.25 % to 0.30 % per annum, depending on its consolidated net leverage ratio.
At the Company's election, borrowings under the credit facility will bear interest at either (i) the base rate, defined as the highest of (a) the MUFG prime rate, (b) the federal funds rate plus 0.50 %, and (c) term SOFR plus 1.00 %, in each case, subject to a 1.00 % floor, (ii) the term SOFR rate, (iii) the alternative currency daily rate, or (iv) the alternative currency term rate, in each case, plus the applicable rate. The applicable rate varies based on the Company's consolidated net leverage ratio and will range from 1.00 % to 1.50 % for base rate loans and 2.00 % to 2.50 % for term SOFR and alternative currency loans. With respect to term SOFR and alternative currency term rate loans, the Company may elect an interest period of one (1), three (3) or six (6) months.
The Credit Agreement also provides that the Company may, with the agreement of the lenders and/or new lenders and subject to certain conditions and limitations, add one or more incremental revolving facilities to increase commitments under the credit facility in an aggregate amount not to exceed the greater of (x) $100.0 million and (y) 100 % of Consolidated EBITDA (as defined in the Credit Agreement) for the four consecutive fiscal quarters most recently ended for which financial statements have been delivered pursuant to the terms of the Credit Agreement.
All of the Company's obligations under the Credit Agreement are secured by a first-priority lien and security interest in substantially all of the Company's tangible and intangible assets. The material subsidiaries of OneSpan Inc., subject to certain exclusions, have guaranteed the obligations under the Credit Agreement and granted a lien and pledge, as applicable, on substantially all of their tangible and intangible property to secure the obligations under the Credit Agreement.
The Credit Agreement contains certain representations and warranties, affirmative covenants, negative covenants and conditions that are customarily required for similar financings. The negative covenants include limitations on indebtedness, liens, investments, fundamental changes, asset dispositions, restricted payments and transactions with affiliates, as well as financial covenants that require the maintenance of (i) a consolidated net leverage ratio (as defined in the Credit Agreement) of not more than 3.25 to 1.00 at any time during any period of four consecutive fiscal quarters, subject to certain exceptions and (ii) a minimum consolidated interest coverage ratio (as defined in the Credit Agreement) of not less than 3.00 to 1.00 as of the end of any fiscal quarter.
The Company capitalized $1.9 million of lender and third-party debt issuance costs incurred in connection with the Credit Agreement and will amortize these costs to interest expense over the term of the revolving credit facility. For the year ended December 31, 2025, the amortization of debt issuance costs was $0.2 million. As of December 31, 2025, the current portion of the debt issuance costs were $0.4 million and are included in the "Other current assets" line in the consolidated balance sheets and the non-current portion of the debt issuance costs were $1.3 million and are included in the "Other assets" line in the consolidated balance sheets.
Note 13 – Leases
The Company leases certain real estate and automobiles, which are classified as operating leases. The real estate leases have remaining lease terms of to eight years . Automobile leases have a remaining lease term of to five years .
Some of the Company's leases include options to renew, with renewal terms that can extend the lease from to five years . The exercise of a lease renewal option typically occurs at the discretion of both parties. Certain leases include options to purchase the leased property at fair value. For purposes of calculating operating lease liabilities, lease terms are deemed not to include options to extend the lease termination until it is reasonably certain that the Company will exercise that option.
F-28
Operating lease cost details for the years ended December 31, 2025, 2024, and 2023 are as follows:
| Years Ended December 31, | |||||||||||||||||
| (In thousands) | 2025 | 2024 | 2023 | ||||||||||||||
| Building rent | $ | $ | $ | ||||||||||||||
| Automobile rentals | |||||||||||||||||
| Total net operating lease costs | $ | $ | $ | ||||||||||||||
Short-term lease costs and variable lease costs recognized during the years ended December 31, 2025, 2024, and 2023 are immaterial.
Supplemental consolidated balance sheet information related to operating leases as of December 31, 2025 and 2024 is as follows:
| December 31, | |||||||||||
| (In thousands) | 2025 | 2024 | |||||||||
| Leases | |||||||||||
| Assets | $ | $ | |||||||||
| Operating lease right-of-use assets | $ | $ | |||||||||
| Liabilities | |||||||||||
| Current | |||||||||||
| $ | $ | ||||||||||
| Non-current | |||||||||||
| Total lease liabilities | $ | $ | |||||||||
As of December 31, 2025 and 2024, the weighted average remaining lease term for operating leases is 4.5 years and 5.2 years, respectively, and the weighted-average discount rate for operating leases is 6
Supplemental consolidated cash flow information related to leases is as follows:
| Years Ended December 31, | |||||||||||||||||
| (In thousands) | 2025 | 2024 | 2023 | ||||||||||||||
| Supplemental cash flow and other information related to leases: | |||||||||||||||||
| Operating cash payments from operating leases | $ | $ | $ | ||||||||||||||
| ROU assets obtained in exchange for new operating lease liabilities | $ | $ | $ | ||||||||||||||
In October 2023, the Company signed a lease agreement to lease new office space in Brussels. The lease agreement consisted of a nine year lease and commenced in the second quarter of 2024.
As part of its multiyear restructuring plan (see Note 20, Restructuring and Other Related Charges), the Company vacated its Chicago office space and abandoned the underlying leases during June 2023. The Company accrued a $1.4 million early lease termination fee, which is reflected in "Restructuring and other related charges" on the consolidated statements of operations for the year ended December 31, 2023. The underlying lease right-of-use asset and lease liability for the Chicago leased office space were written off, and a $0.3 million gain related to rent concessions and tenant improvement allowances was recorded in "Restructuring and other related charges" on the consolidated statements of operations for the year ended December 31, 2023. In August 2024, the Company finalized its early termination agreement with the landlord to terminate and release any further obligations for either party.
F-29
In September 2023, the Company vacated its former Brussels office and terminated the lease as of September 30, 2023. The Company accrued a $0.3 million early lease termination fee, which is reflected in "Restructuring and other related charges" on the consolidated statements of operations for the year ended December 31, 2023. The underlying lease right-of-use asset and lease liability for the Brussels leased office space were written off, and a $0.1 million loss related to rent concessions and tenant improvement allowances was recorded in "Restructuring and other related charges" on the consolidated statements of operations for the year ended December 31, 2023.
Maturities of the Company's operating leases as of December 31, 2025 are as follows:
| (In thousands) | |||||
| 2026 | $ | ||||
| 2027 | |||||
| 2028 | |||||
| 2029 | |||||
| 2030 | |||||
| Thereafter | |||||
| Less: imputed interest | ( | ||||
| Total lease liabilities | $ | ||||
Note 14 – Income Taxes
Income (loss) before income taxes was generated in the following jurisdictions:
| Years Ended December 31, | |||||||||||||||||
| (In thousands) | 2025 | 2024 | 2023 | ||||||||||||||
| U.S. | $ | $ | $ | ( | |||||||||||||
| Non-U.S. | ( | ||||||||||||||||
| Total | $ | $ | $ | ( | |||||||||||||
For the years ended December 31, 2025 and 2024, domestic income excludes intercompany dividend income of $63.5 million and $8.6 million, respectively. For the year ended December 31, 2023, there was no intercompany dividend included in domestic income. The (benefit) provision for income taxes consists of the following:
| Years Ended December 31, | |||||||||||||||||
| (In thousands) | 2025 | 2024 | 2023 | ||||||||||||||
| Current: | |||||||||||||||||
| Federal | $ | ( | $ | $ | |||||||||||||
| State | |||||||||||||||||
| Foreign | |||||||||||||||||
| Total current | |||||||||||||||||
| Deferred: | |||||||||||||||||
| Federal | ( | ||||||||||||||||
| State | ( | ( | ( | ||||||||||||||
| Foreign | ( | ( | |||||||||||||||
| Total deferred | ( | ( | ( | ||||||||||||||
| Total | $ | ( | $ | ( | $ | ||||||||||||
For 2025, 2024, and 2023, the Company's U.S. federal statutory rate was 21
F-30
The differences between the income tax (benefit) and provisions computed using the statutory federal income tax rate and the (benefit) provisions for income taxes reported in the consolidated statements of operations are as follows:
| (In thousands, except percentages) | December 31, 2025 | |||||||
| US federal statutory income tax rate | $ | % | ||||||
| Domestic state and local income taxes, net of federal effect (a) | % | |||||||
| Domestic federal | ||||||||
| Tax credits | ||||||||
| Foreign tax credits | ( | ( | % | |||||
| Other credits | ( | ( | % | |||||
| Nontaxable and non deductible items | ||||||||
| Acquisition expenses | % | |||||||
| Other | % | |||||||
| Cross-border tax laws | ||||||||
| Global intangible low-taxed income | % | |||||||
| Foreign-derived intangible income | ( | ( | % | |||||
| Subpart F income | ( | ( | % | |||||
| Other | % | |||||||
| Changes in tax laws or rates enacted in current period | % | |||||||
| Changes in valuation allowances | % | |||||||
| Other | ( | ( | % | |||||
| Foreign tax effects | ||||||||
| Canada | ||||||||
| Research credits | ( | ( | % | |||||
| Provincial tax change in valuation allowance | ( | ( | % | |||||
| Changes in valuation allowance | ( | ( | % | |||||
| Other | ( | ( | % | |||||
| United Kingdom | ||||||||
| Changes in valuation allowance | ( | ( | % | |||||
| Other | % | |||||||
| Other foreign jurisdictions | % | |||||||
| Changes in unrecognized tax benefits | % | |||||||
| Total | $ | ( | ( | % | ||||
(a) State taxes in California, Illinois, and Massachusetts made up the majority of the tax effect in this category.
F-31
| Years Ended December 31, | ||||||||||||||
| (In thousands) | 2024 | 2023 | ||||||||||||
| Expected tax at statutory rate | $ | $ | ( | |||||||||||
| Foreign taxes at other rates | ( | ( | ||||||||||||
| Valuation allowance changes | ( | |||||||||||||
| Global intangible low-taxed income inclusion | ||||||||||||||
| State income taxes, net of federal benefit | ( | ( | ||||||||||||
| Research credits | ( | ( | ||||||||||||
| Worthless stock deduction | ( | |||||||||||||
| Disallowed expenses and other | ( | |||||||||||||
| Total | $ | ( | $ | |||||||||||
The Company's release of the valuation allowance for the year ended December 31, 2025 was primarily attributable to Canada and resulted from a reassessment of the realizability of its deferred tax assets based on sufficient positive evidence, including recent and projected future taxable income, and including the impact of cost reduction actions. Based on this review, the Company determined that it is more likely than not that deferred tax assets are realizable and therefore reversed the valuation allowance in Canada during the year.
The Company's release of its valuation allowance in the year ended December 31, 2024 was partly due to the IP transfer discussed below, the cybersecurity division cost reduction actions, recent cumulative pretax income, and projections of future income. Based on a review of this evidence, the Company determined that there was sufficient positive evidence that it is more likely than not that certain deferred tax assets are realizable and therefore released a portion of the valuation allowance during the year.
During 2024, the Company completed an intra-entity asset transfer of certain intellectual property (“IP Transfer”) to the U.S., which was classified as an arm’s length transaction at fair value pursuant to the asset transfer agreement. The fair value of the IP asset was a non-recurring fair value measurement. With the assistance of a third-party valuation specialist, the fair value of the IP was determined using the income method, which reflects the Company's assumptions regarding projected revenue, earnings before interest and taxes and a discount rate. The assumptions used in the estimation of the IP asset involved Level 3 inputs of the fair value hierarchy. The tax deduction amortization related to the IP asset will be recognized in future periods over the next fifteen years.
The transaction resulted in a step-up of tax-deductible basis driven by the fair value of the IP Transfer, and accordingly, created a temporary difference where the tax basis exceeded the financial statement basis of such intangible asset, which resulted in the recognition of a discrete tax benefit of $3.7 million. The tax-deductible amortization related to the transferred IP rights will be recognized in future periods. The deferred tax asset and the tax benefit were measured based on the enacted tax rates expected to apply in the years the asset is expected to be realized. The Company expects to realize the deferred tax asset resulting from the IP Transfer and will assess the realizability of the deferred tax asset quarterly.
The Company recorded an income tax benefit related to a worthless stock deduction for the Company’s investment in one of its wholly owned subsidiaries. The worthless stock deduction was $60.2 million, resulting in an estimated tax benefit of $12.6 million.
In addition, the Company received a favorable response in connection with its Mutual Agreement Procedure ("MAP") request related to a Belgium audit concluded in 2020. The Company recorded a net tax benefit of $1.2 million during the year ended December 31, 2024 in connection with the MAP request.
The Company's policy is to record interest and penalties on income taxes as income tax expense. The Company recorded no expense or benefit in 2025 and a benefit of $0.2 million in 2024, and an expense of less than $0.1 million in 2023.
F-32
Significant components of the Company's deferred tax assets and liabilities as of December 31, 2025 and 2024, are as follows:
| December 31, | |||||||||||
| (In thousands) | 2025 | 2024 | |||||||||
| Deferred tax assets: | |||||||||||
| Stock and long-term compensation plans | $ | $ | |||||||||
| Foreign NOL & other carryforwards | |||||||||||
| U.S. and state NOL carryforwards | |||||||||||
| Deferred revenue | |||||||||||
| Pension liability | |||||||||||
| Intangible assets | |||||||||||
| Lease liability | |||||||||||
| Capitalized research and development | |||||||||||
| Accrued expenses and other | |||||||||||
| Total gross deferred tax assets | |||||||||||
| Less: Valuation allowance | ( | ( | |||||||||
| Net deferred income tax assets | $ | $ | |||||||||
| Deferred tax liabilities: | |||||||||||
| Tax on unremitted foreign earnings | $ | $ | |||||||||
| Right of use asset | |||||||||||
| Depreciation and amortization | |||||||||||
| Tax on credits | |||||||||||
| Contract acquisition costs | |||||||||||
| Deferred tax liabilities | $ | $ | |||||||||
| Net deferred tax assets | $ | $ | |||||||||
Deferred tax assets and liabilities are netted by tax jurisdiction.
The valuation allowance against the net deferred tax assets as of December 31, 2025 and 2024 was $1.7 million and $37.2 million, respectively.
The Company recorded changes in valuation allowance of $35.5 million and $10.5 million, during the years ended December 31, 2025 and 2024, respectively, against deferred tax assets that, based on the Company's assessment are considered not to be more likely than not to be realized. See above regarding the decrease in the valuation allowance in 2025 and 2024.
The Company assesses the need for a valuation allowance on a regular basis, weighing all positive and negative evidence to determine whether a deferred tax asset will be fully or partially realized. In evaluating the realizability of deferred tax assets, significant pieces of negative evidence such as 3-year cumulative losses are considered. The Company also reviews reversal patterns of temporary differences to determine if the Company would have sufficient taxable income due to the reversal of temporary differences to support the realization of deferred tax assets. In 2023, the Company continued to maintain a valuation allowance against certain deferred tax assets in jurisdictions where assets are not more likely than not to be realized. In 2025 and 2024, the Company reversed the valuation allowance in certain jurisdictions based on an assessment of the ability to utilize the deferred tax assets. For all other remaining deferred tax assets, the Company believes it is still more likely than not that the results of future operations or tax planning strategies will generate sufficient taxable income to realize the deferred tax assets.
F-33
At December 31, 2025, the Company had gross federal, foreign and state net operating loss (NOL) carryforwards and other foreign deductible carryforwards as shown in the following table:
| (In thousands) | Carryforward | Expiration | |||||||||
| NOL Carryforward | |||||||||||
| Canada | $ | ||||||||||
| United States | |||||||||||
| United States | None | ||||||||||
| Other foreign | None | ||||||||||
| Canada province | |||||||||||
| U.S. states | |||||||||||
| $ | |||||||||||
| Other Carryforwards | |||||||||||
| United States credit | $ | ||||||||||
| Canada | None | ||||||||||
| Canada province | None | ||||||||||
| Capital loss | None | ||||||||||
| Canada credits | |||||||||||
| Canada province credits | |||||||||||
| $ | |||||||||||
| $ | |||||||||||
ASC 740, Income Taxes sets a “more-likely-than-not” criterion for recognizing the tax benefit of uncertain tax positions. As of December 31, 2025, 2024, and 2023, the Company had no
The Company files income tax returns in the U.S. federal jurisdiction and in many state and foreign jurisdictions, and is subject to examination of its income tax returns by the IRS and other tax authorities.
The Company believes that an adequate provision has been made for any adjustments that may result from tax examinations. However, the outcome of tax audits cannot be predicted with certainty. If any issues addressed in the Company's tax audits are resolved in a manner not consistent with the Company's expectations, there could be a requirement to adjust the provision for income taxes in the period such resolution occurs. There are no unrecognized tax benefits as of December 31, 2025 that, if recognized, would affect the effective tax rate.
The Company's primary tax jurisdictions and the earliest tax year subject to audit are presented in the following table.
| Australia | |||||
| Austria | |||||
| Belgium | |||||
| Canada | |||||
| Netherlands | |||||
| Singapore | |||||
| Switzerland | |||||
| United Kingdom | |||||
| United States | |||||
The Company's tax payments, net of refunds, were as follows:
F-34
| (In thousands) | 2025 | |||||||
| Federal | $ | |||||||
| State and local | ||||||||
| Foreign | ||||||||
| Belgium | ||||||||
| Switzerland | ||||||||
| Zurich, Switzerland | ||||||||
| Other | ||||||||
| Total | $ | |||||||
Note 15 – Share Compensation Plans
The Company has a share-based compensation plan, the OneSpan Inc. 2019 Omnibus Incentive Plan (“Plan”), under which the board of directors may grant share-based awards including restricted stock units (RSUs) and performance restricted stock units (PSUs).
The Plan may provide performance incentives to employees and non-employee directors, consultants and other key persons of the Company. The plan is administered by the Management Development and Compensation Committee (the "Compensation Committee") of the board of directors and is intended to be a non-qualified plan.
As of December 31, 2025, the remaining number of shares allowed to be issued under the Plan was approximately 2.1 million shares of the Company’s common stock, representing 6 % of the issued and outstanding shares of the Company as of such date.
The following table presents share-based compensation expense and other long-term incentive plan compensation expense for the years ended December 31, 2025, 2024, and 2023.
| Years Ended December 31, | |||||||||||||||||
| (In thousands) | 2025 | 2024 | 2023 | ||||||||||||||
| Share-based compensation | $ | $ | $ | ||||||||||||||
| Other long-term incentive plan compensation (1) | |||||||||||||||||
| Total compensation | $ | $ | $ | ||||||||||||||
Time-Based Restricted Stock Units
Under the OneSpan Inc. 2019 Omnibus Incentive Plan, the Company grants non-employee directors and certain eligible employees RSUs that settle in Company stock. RSUs granted to non-employee directors vest on the first anniversary date of the grant and have a deferred delivery feature whereby they are not delivered until resignation or upon a change in control of the Company. RSUs granted to employees vest over to four years in equal annual or semi-annual installments in the initial year and thereafter in semi-annual installments. Shares are subject to forfeiture if the service period is not met. Compensation expense for time-based restricted stock unit awards was $7.5 million, $6.9 million, and $10.9 million for 2025, 2024, and 2023, respectively, and the related tax benefit was $1.6 million, $1.3 million, and $0.5 million, respectively. The following table summarizes the time-based restricted stock activity for the year ended December 31, 2025:
F-35
| (Sharecounts in thousands) | Shares | Weighted- average remaining term (years) | Weighted- average grant date fair value | ||||||||||||||
| Unearned, January 1, 2025 | $ | ||||||||||||||||
| Shares vested | ( | ||||||||||||||||
| Shares awarded | |||||||||||||||||
| Shares forfeited | ( | ||||||||||||||||
| Unearned, December 31, 2025 | $ | ||||||||||||||||
The unamortized future compensation expense for time-based restricted stock awards was $6.9 million at December 31, 2025.
Performance-Based Restricted Stock Units settled in stock
Performance-based restricted stock units granted to executive officers and certain other employees were subject to achievement of one year performance criteria established by the Board of Directors. Under certain grants, shares related to one year targets are earned upon fulfillment of the performance criteria as determined by the Compensation Committee and vest upon completion of the requisite service period. Shares are subject to forfeiture if the performance criteria and the service period are not met.
The restricted stock units subject to achievement of future performance criteria awarded during the year ended December 31, 2025 will be earned if the performance criteria are met at the end of the one-year performance period and the subsequent service period is also met.
Compensation expense related to performance-based restricted stock unit awards in 2025, 2024, and 2023 was $1.9 million, $1.4 million, and $2.8 million, respectively. Tax benefit related to the compensation expense was $0.2 million, $0.2 million, and less than $0.1 million for 2025, 2024, and 2023, respectively.
The following table summarizes activity related to unvested performance restricted stock shares during 2025:
| (Sharecounts in thousands) | Total Unvested Shares | Weighted- average remaining term (years) | Weighted- average grant date fair value | ||||||||||||||
| Unearned, January 1, 2025 | $ | ||||||||||||||||
| Shares vested | ( | ||||||||||||||||
| Shares awarded | |||||||||||||||||
| Shares forfeited | ( | ||||||||||||||||
| Unearned, December 31, 2025 | $ | ||||||||||||||||
Unamortized future compensation expense for performance-based restricted stock was $1.2 million at December 31, 2025.
Market-Based Restricted Stock Units settled in stock
Market-based restricted stock units granted to executive officers were subject to achievement of up to four years of market-based performance criteria established by the board of directors. Shares are subject to forfeiture if the performance criteria and service period are not met. Compensation expense for market-based restricted stock unit awards in 2025, 2024, and 2023 was $1.8 million, $0.7 million, and $0.6 million, respectively. The related tax benefit was less than $0.1
F-36
The following table summarizes activity related to unvested market and service restricted stock units settled in stock:
| (Sharecounts in thousands) | Shares | Weighted- average remaining term (years) | Weighted- average grant date fair value | ||||||||||||||
| Unearned, January 1, 2025 | $ | ||||||||||||||||
| Shares vested | ( | ||||||||||||||||
| Shares awarded | |||||||||||||||||
| Shares forfeited | ( | ||||||||||||||||
| Unearned, December 31, 2025 | $ | ||||||||||||||||
Unamortized future compensation expense for market-based restricted stock was $1.5 million at December 31, 2025.
Note 16 – Earnings per Common Share
Basic earnings per share is based on the weighted average number of shares outstanding and excludes the dilutive effect of common stock equivalents. Diluted earnings per share is based on the weighted average number of shares outstanding and includes the dilutive effect of common stock equivalents to the extent they are not anti-dilutive. Because the Company was in a net loss position for the year ended December 31, 2023, diluted net loss per share for this period excludes the effects of all common stock equivalents, which are anti-dilutive.
A reconciliation of the shares included in the basic and fully diluted earnings per share calculations is as follows:
| Years Ended December 31, | |||||||||||||||||
| (In thousands, except per share data) | 2025 | 2024 | 2023 | ||||||||||||||
| Net income (loss) | $ | $ | $ | ( | |||||||||||||
| Weighted average common shares outstanding: | |||||||||||||||||
| Basic | |||||||||||||||||
| Incremental shares with dilutive effect: | |||||||||||||||||
| Restricted stock awards | |||||||||||||||||
| Diluted | |||||||||||||||||
| Net income (loss) per share: | |||||||||||||||||
| Basic | $ | $ | $ | ( | |||||||||||||
| Diluted | $ | $ | $ | ( | |||||||||||||
Note 17 – Employee Benefit Plans
U.S. Plan
The Company maintains a defined contribution pension plan for U.S. employees established pursuant to Section 401(k) of the Internal Revenue Code. The plan allows voluntary employee contributions and discretionary employer contributions. For the years ended December 31, 2025, 2024, and 2023, the Company expensed employer-match contributions of $0.5 million, $0.2 million, and $0.6 million, respectively.
Non-U.S. Plans
The Company is subject to national mandatory pension systems and other compulsory plans, or makes contributions to social pension funds based on local regulations. When the Company's obligation is limited to the payment of the contribution into these plans or funds, the recognition of such liabilities is not required.
F-37
In addition, the Company has, in some countries, defined benefit plans consisting of final retirement salary and committed pension payments.
In Switzerland, the pension plan is a cash balance plan where contributions are expressed as a percentage of the pensionable salary. Contributions to Swiss plans are paid by the employees and the employer. The pension plan guarantees the amount accrued on the members’ savings accounts, as well as a minimum interest on those savings accounts. The plan assets are held in guaranteed investment contracts.
The Company also maintains a pension plan for Belgian employees, in compliance with Belgian law. Contributions to Belgium plans are paid by the employees and the employer. Certain features of the plans require them to be categorized as defined benefit plans under ASC 715 due to Belgian social legislation, which prescribes a minimum annual return of 1.8% for all contributions made prior to 2025 and a minimum annual return of 2.5% for all contribution made from 2025 onward. The plan assets are held in guaranteed investment contracts.
The Company also includes a liability related to obligations to provide retirement benefits to employees who retire from the Company’s French subsidiary, as required by law. Per French regulations, each employee is entitled to a lump sum payment upon retirement based on years of service and salary at retirement. Benefit rights vest upon the statutory retirement age of 65. The obligation recorded represents the present value of amounts the Company expects to pay.
Components of net periodic pension cost included in earnings:
| Years Ended December 31, | |||||||||||||||||
| (In thousands) | 2025 | 2024 | 2023 | ||||||||||||||
| Service cost (gross) | $ | $ | $ | ||||||||||||||
| ( | ( | ( | |||||||||||||||
| ( | ( | ( | |||||||||||||||
| Net periodic pension cost | $ | $ | $ | ||||||||||||||
The net unfunded status of the Non-U.S. pension plans as of December 31, 2025 and 2024, is as follows:
| December 31, | |||||||||||
| (In thousands) | 2025 | 2024 | |||||||||
| Fair value of plan assets | $ | $ | |||||||||
| Projected benefit obligation | ( | ( | |||||||||
| Net unfunded benefit obligation | $ | ( | $ | ( | |||||||
Net unfunded benefit obligation is recorded as other long-term liabilities in the consolidated balance sheets.
The change in the fair value of plan assets is as follows:
| Years Ended December 31, | |||||||||||
| (In thousands) | 2025 | 2024 | |||||||||
| Fair value of plan assets at January 1 | $ | $ | |||||||||
| Employee contributions | |||||||||||
| Actual return on plan assets | |||||||||||
| Benefits (paid), net of transfers | ( | ( | |||||||||
| Employer contributions | |||||||||||
| Foreign exchange adjustment | ( | ||||||||||
| Fair value of plan assets at December 31 | $ | $ | |||||||||
F-38
The change in benefit obligations is as follows:
| Years Ended December 31, | |||||||||||
| (In thousands) | 2025 | 2024 | |||||||||
| Benefit obligations at January 1 | $ | $ | |||||||||
| Gross service cost | |||||||||||
| Interest cost | |||||||||||
| Employee contributions | |||||||||||
| Actuarial (gains)/losses | ( | ( | |||||||||
| Benefits (paid), net of transfers | ( | ( | |||||||||
| Curtailments & settlements | ( | ||||||||||
| Foreign exchange adjustment | ( | ||||||||||
| Benefit obligations at December 31 | $ | $ | |||||||||
The increase in benefit obligations at December 31, 2025 compared to December 31, 2024 was primarily driven by lower benefits paid and the strengthening of the Euro and Swiss Franc currencies.
The Company's investment policy meets the responsibility under local social legislation and aligns plan assets with liabilities, while minimizing risk. For the years ended December 31, 2025 and 2024, plan assets are invested in guaranteed investment contracts. Fair value of guaranteed investment contracts is surrender value. Fair value for the year ended December 31, 2025 was determined using Level 3 inputs as defined by ASC 820, Fair Value Measurements. Changes in plan assets are attributable to benefit payments and contributions as the Company has not actively traded assets during the years ended December 31, 2025 and 2024.
Other
The accumulated benefit obligation for the plans were $18.2 million and $15.6 million as of December 31, 2025 and 2024, respectively.
The Company expects to pay approximately $0.7 million of contributions over the next twelve months.
The amounts reclassified out of other comprehensive income during the years ended December 31, 2025, 2024, and 2023 were not material.
Actuarial Assumptions
Certain actuarial assumptions such as the discount rate and the long-term rate of return on plan assets have a significant effect on the amounts reported for net periodic cost and the benefit obligation. The assumed discount rates reflect the prevailing market rates of a universe of high-quality, non-callable, corporate bonds currently available that, if the obligation were settled at the measurement date, would provide the necessary future cash flows to pay the benefit obligation when due. In determining the long-term return on plan assets, the Company considers long-term rates of return of comparable low risk investments, such as Euro AA bonds.
The following range of assumptions between all plans were utilized in the pension calculations:
| December 31, | |||||||||||||||||||||||
| 2025 | 2024 | ||||||||||||||||||||||
| (%) | |||||||||||||||||||||||
| Discount rates | - | - | |||||||||||||||||||||
| Inflation | - | - | |||||||||||||||||||||
| Expected return on plan assets | - | - | |||||||||||||||||||||
| Rate of salary increases | - | - | |||||||||||||||||||||
F-39
Projected future pension benefits as of December 31, 2025 (in thousands):
| (In thousands) | |||||
| 2026 | $ | ||||
| 2027 | $ | ||||
| 2028 | $ | ||||
| 2029 | $ | ||||
| 2030 | $ | ||||
| 2031 - 2034 | $ | ||||
Note 18 – Geographic, Customer and Supplier Information
The Company classifies sales by customers’ locations in three geographic regions: 1) EMEA, which includes Europe, the Middle East, and Africa; 2) the Americas, which includes North, Central, and South America; and 3) Asia Pacific, which also includes Australia and New Zealand.
| (In thousands) | ||||||||||||||||||||||||||
| Europe, Middle East, Africa (EMEA) | Americas | Asia Pacific | Total | |||||||||||||||||||||||
| 2025 | ||||||||||||||||||||||||||
| Revenue | $ | $ | $ | $ | ||||||||||||||||||||||
| Long-lived assets | $ | $ | $ | $ | ||||||||||||||||||||||
| 2024 | ||||||||||||||||||||||||||
| Revenue | $ | $ | $ | $ | ||||||||||||||||||||||
| Long-lived assets | $ | $ | $ | $ | ||||||||||||||||||||||
| 2023 | ||||||||||||||||||||||||||
| Revenue | $ | $ | $ | $ | ||||||||||||||||||||||
| Long-lived assets | $ | $ | $ | $ | ||||||||||||||||||||||
Note 19 – Commitments and Contingencies
The Company leases office space and automobiles under operating lease agreements. See Note 13, Leases, for future minimum rental payments required under non-cancelable leases.
At December 31, 2025, the Company has purchase obligations of $11.9 million for other software agreements related to the administration of the Company's business which range from 1 to 3 years.
The Company is subject to certain legal proceedings and claims incidental to the operations of its business. The Company is also subject to certain other legal proceedings and claims that have arisen in the ordinary course of business and that have not been fully adjudicated. The Company currently does not anticipate that these matters, if resolved against the Company, will have a material adverse impact on its financial results or financial condition.
The Company accrues loss contingencies when losses become probable and are reasonably estimable. If the reasonable estimate of the loss is a range and no amount within the range is a better estimate, the minimum amount of the range is recorded as a liability. As of December 31, 2025, the Company has recorded an accrual of $0.3 million for loss contingencies related to all probable losses where a reasonable estimate could be made.
F-40
The Company does not accrue for contingent losses that, in the judgment of the Company, are considered to be reasonably possible, but not probable. Although the Company intends to defend its legal matters vigorously, the ultimate outcome of these matters is uncertain. However, the Company does not expect the potential losses, if any, to have a material adverse impact on its operating results, cash flows, or financial condition. As of December 31, 2025, the Company does not have any reasonably possible losses for which an estimate can be made.
Note 20 – Restructuring and Other Related Charges
In 2021 and 2022, the Company's board of directors approved cost reduction actions (the "Restructuring Plan") designed to streamline its business and improve efficiency. On August 3, 2023, the board approved further cost reduction actions (the "2023 Actions") to seek to drive higher levels of Adjusted EBITDA while maintaining the Company's long-term growth potential. The Company completed its restructuring charges in connection with the 2023 Actions as of December 31, 2025. The costs incurred consist primarily of charges related to employee transition and severance payments, with a significantly smaller amount of charges relating to vendor contract termination and rationalization actions.
In connection with the Restructuring Plan (including the 2023 Actions), the Company recorded a total of $2.1 million in restructuring charges during the year ended December 31, 2025, of which $0.5 million is recorded in "Services and other cost of goods sold" in the consolidated statements of operations for the year ended December 31, 2025 and $1.6 million is recorded in “Restructuring and other related charges” in the consolidated statement of operations for the years ended December 31, 2025. The Company recorded $6.0 million and $17.3 million for the years ended December 31, 2024 and 2023, respectively, in "Restructuring and other related charges" in the consolidated statements of operations.
The main categories of charges are in the following areas:
•Employee costs – include severance, related benefits, and retention pay costs incurred as a result of eliminating positions in certain areas of the Company. For the years ended December 31, 2025, 2024, and 2023, severance-related costs were $1.2 million, $4.0 million, and $11.7 million, respectively. In total, there were approximately 345 employees, across multiple functions, whose positions were made redundant. The $0.6 million current portion of the restructuring liability at December 31, 2025 is included in "Accrued wages and payroll taxes" in the consolidated balance sheet and is expected to be paid within the next 12 months.
•Real estate rationalization costs – includes costs to align the real estate footprint with the Company’s needs. During 2023, the Company vacated its Chicago and former Brussels office spaces, which resulted in the abandonment and termination of the underlying leases. In August 2024, the Company finalized its early termination agreement with the Chicago office landlord to terminate and release any further obligations for either party. As of December 31, 2024, the Company accrued contract termination fees of $0.5 million for the Chicago office, which are included in "Current lease liabilities" in the consolidated balance sheet and which was paid in January 2025. In conjunction with the abandonment of the Chicago and former Brussels office leases in 2023, the underlying right-of-use assets and lease liabilities were written off and a $0.3 million gain and $0.1 million loss, respectively, were recorded related to rent concessions and tenant improvement allowances for restructuring. The Company wrote off $0.7 million and $0.6 million of fixed assets in its Chicago and Brussels leased office space, respectively (See Note 9, Property and Equipment, net). During 2023, the Company terminated its Brussels warehouse lease, effective July 31, 2024, and incurred settlement costs associated with the lease termination.
F-41
•Product and services optimization costs – includes costs to discontinue products and services that are no longer advancing the Company's operating model. During the year ended December 31, 2025, the Company recorded a write-off of $0.7 million for capitalized labor, of which $0.3 million was recognized in "Services and other cost of goods sold" on the consolidated statements of operations for the year ended December 31, 2025. The remaining write-off amount of $0.4 million was recognized in "Restructuring and other related charges" on the consolidated statements of operations for the year ended December 31, 2025. The Company made the decision to stop any incremental development investments supporting its previously acquired blockchain technology, and related commercial efforts. As a result, the Company wrote off the related acquired technology and previously capitalized software. The Company recorded a $0.8 million write-off of intangible assets in "Services and other costs of goods sold" on the consolidated statements of operations for the year ended December 31, 2024 (see Note 8, Intangible Assets, net). For capitalized software, the Company recorded a write-off of $1.0 million of property and equipment, net, of which $0.7 million was recognized in "Services and other costs of goods sold" on the consolidated statements of operations for the year ended December 31, 2024 (see Note 9, Property and Equipment, net). The remaining write-off amount of $0.3 million was recognized in "Restructuring and other related charges" on the consolidated statements of operations for the year ended December 31, 2024. During 2023, the Company made the decision to discontinue investments in its Digipass CX product and incurred $1.5 million of write-offs for capitalized software. The charges are recorded in "Restructuring and other related charges" on the consolidated statement of operations for the year ended December 31, 2024 (see Note 9, Property and Equipment, net).
•Vendor rationalization costs – includes costs for contractually committed services the Company is no longer utilizing. For the years ended December 31, 2025, 2024 and 2023, these costs totaled $0.1 million, $0.2 million, and $1.2 million are included in "Restructuring and other related charges" on the consolidated statements of operations.
The table below sets forth the changes in the carrying amount of the restructuring charge liability for the years ended December 31, 2024 and 2025.
| (In thousands) | Employee Costs | Real Estate Rationalization | Total | |||||||||||||||||
| Balance as of January 1, 2024 | $ | $ | $ | |||||||||||||||||
| Additions | ||||||||||||||||||||
| Payments | ( | ( | ( | |||||||||||||||||
| Balance as of December 31, 2024 | ||||||||||||||||||||
| Additions | ||||||||||||||||||||
| Payments | ( | ( | ( | |||||||||||||||||
| Balance as of December 31, 2025 | $ | $ | $ | |||||||||||||||||
Note 21 – Subsequent Events
F-42
SIGNATURES
Pursuant to the requirements of Section 13 or 15(d) of the Securities Exchange Act of 1934, the Registrant has duly caused this Report to be signed on its behalf by the undersigned, thereunto duly authorized
February 26, 2026
| OneSpan Inc. | |||||
| /s/ Victor Limongelli | |||||
| Victor Limongelli | |||||
President and Chief Executive Officer | |||||
(Principal Executive Officer) | |||||
POWER OF ATTORNEY
Each of the undersigned, in his or her capacity as an officer or director, or both, as the case may be, of OneSpan Inc. does hereby appoint Victor Limongelli and Jorge Martell, and each of them severally, his or her true and lawful attorneys or attorney to execute in his or her name, place and stead, in his or her capacity as director or officer, or both, as the case may be, this Annual Report on Form 10-K for the fiscal year ended December 31, 2025 and any and all amendments thereto and to file the same with all exhibits thereto and other documents in connection therewith with the Securities and Exchange Commission. Each of said attorneys shall have power to act hereunder with or without the other attorney and shall have full power and authority to do and perform in the name and on behalf of each of said directors or officers, or both, as the case may be, every act whatsoever requisite or necessary to be done in the premises, as fully and to all intents and purposes as to which each of said officers or directors, or both, as the case may be, might or could do in person, hereby ratifying and confirming all that said attorneys or attorney may lawfully do or cause to be done by virtue hereof.
Pursuant to the requirements of the Securities Exchange Act of 1934, this report has been signed below by the following persons on behalf of the registrant and in the capacities and on the dates indicated.
| SIGNATURE | TITLE | DATE | ||||||||||||
| /s/ Victor Limongelli | President and Chief Executive Officer | February 26, 2026 | ||||||||||||
| Victor Limongelli | (Principal Executive Officer) | |||||||||||||
| /s/ Jorge Martell | Chief Financial Officer and Treasurer | February 26, 2026 | ||||||||||||
| Jorge Martell | (Principal Financial and Accounting Officer) | |||||||||||||
| /s/ Garry Capers | Chairman | February 26, 2026 | ||||||||||||
| Garry Capers | ||||||||||||||
| /s/ Marc D. Boroditsky | Director | February 26, 2026 | ||||||||||||
| Marc D. Boroditsky | ||||||||||||||
| /s/ Sarika Garg | Director | February 26, 2026 | ||||||||||||
| Sarika Garg | ||||||||||||||
| /s/ Marianne Johnson | Director | February 26, 2026 | ||||||||||||
| Marianne Johnson | ||||||||||||||
| /s/ Michael McConnell | Director | February 26, 2026 | ||||||||||||
| Michael McConnell | ||||||||||||||
| /s/ Alfred Nietzel | Director | February 26, 2026 | ||||||||||||
| Alfred Nietzel | ||||||||||||||
| /s/ Marc Zenner | Director | February 26, 2026 | ||||||||||||
| Marc Zenner | ||||||||||||||
FAQ
What are OneSpan (OSPN)'s main business segments and focus areas?
OneSpan operates through two segments: Cybersecurity and Digital Agreements. Cybersecurity covers authentication, fraud prevention, and mobile app protection, while Digital Agreements provides e-signatures, notary tools, and identity verification to secure end-to-end digital workflows for global financial institutions and enterprises.
How is OneSpan (OSPN) shifting its revenue mix away from hardware?
OneSpan is moving from Digipass hardware tokens toward higher-margin software. Digipass devices fell from 78% of revenue in 2015 to 20% in 2025, as customers adopt mobile-first, software-based authentication and the company invests in cloud, passwordless, and digital agreement solutions.
What strategic deals did OneSpan (OSPN) complete or announce in 2025?
In 2025, OneSpan acquired Nok Nok Labs for passwordless authentication, agreed to buy Build38 for mobile app protection, and made a strategic investment in ThreatFabric, a mobile threat intelligence provider, strengthening its cybersecurity portfolio and mobile-centric security capabilities.
How much capital did OneSpan (OSPN) return to shareholders in 2025?
OneSpan returned approximately $31.6 million to shareholders in 2025 through quarterly dividends and share repurchases. This capital return followed cost optimization efforts that restored operating profitability and supported ongoing investments in software-led cybersecurity and digital agreement growth initiatives.
What is OneSpan (OSPN)'s credit facility and why is it important?
In June 2025, OneSpan entered a $100.0 million revolving credit agreement with MUFG and others, maturing in 2030. The facility, which includes letter-of-credit and swingline sublimits, provides flexible funding for general corporate purposes and potential future strategic investments or acquisitions.
How concentrated is OneSpan (OSPN)'s customer base?
OneSpan’s revenue is concentrated among larger accounts. Its top 10 customers generated 18% of total revenue in 2025, versus 20% in 2024 and 22% in 2023, largely within global financial institutions that rely on the company’s authentication and digital agreement solutions.
What human capital metrics did OneSpan (OSPN) report for 2025?
As of December 31, 2025, OneSpan had 602 employees worldwide, with about 30% of staff and 30% of managers identifying as female. The company reported 5.8% voluntary turnover and 9.3% total attrition, emphasizing hybrid work, development programs, and global diversity.
Onespan Inc
NASDAQ:OSPN
OSPN Rankings
OSPN Latest News
OSPN Latest SEC Filings
Feb 26, 2026
[8-K] OneSpan Inc. Reports Material Event
Feb 24, 2026
[Form 4] OneSpan Inc. Insider Trading Activity
Feb 24, 2026
[Form 4] OneSpan Inc. Insider Trading Activity
Feb 20, 2026
[Form 4] OneSpan Inc. Insider Trading Activity
Feb 20, 2026
[Form 4] OneSpan Inc. Insider Trading Activity
OSPN Stock Data
432.37M
37.15M
Software - Infrastructure
Services-computer Integrated Systems Design
United States
BOSTON