This conference call transcript was computer generated and almost certainly contains errors. This transcript is provided for information purposes only. EarningsCall, LLC makes no representation about the accuracy of the aforementioned transcript, and you are cautioned not to place undue reliance on the information provided by the transcript.

OneSpan Inc.
4/30/2026
Good day, and thank you for standing by. Welcome to the Q1 2026 OneSpan earnings conference call. At this time, all participants are in a listen-only mode. After the speaker's presentation, there will be a question and answer session. To ask a question during the session, you will need to press star 11 on your telephone. You will then hear an automated message advising your hand is raised. To withdraw your question, please press star 11 again. Please be advised that today's conference is being recorded. I would now like to hand the conference over to your first speaker today, Joe Maxa, VP of Investor Relations. Please go ahead.
Thank you, Operator.
Hello, everyone, and thank you for joining the OneSpan First Quarter 2026 Earnings Conference Call. This call is being webcast and can be accessed on the investor relations section of OneSpan's website at investors.onespan.com. Joining me on the call today is Victor Lomonduli, our Chief Executive Officer, and Jorge Martel, our Chief Financial Officer. This afternoon, after market close, OneSpan issued a press release announcing results for our first quarter of 2026. To access a copy of the press release and other investor information, please visit our website. Following our prepared comments today, we will open the call for questions. Please note that statements made during this conference call that relate to future plans, events, or performance, including the outlook for full year 2026 and other long-term financial targets, are forward-looking statements. These statements involve risks and uncertainties and are based on current assumptions. Consequently, actual results could differ materially from the expectations expressed in these forward-looking statements. I direct your attention to today's press release and the company's filings with the U.S. Securities and Exchange Commission for a discussion of such risks and uncertainties. Also note that financial measures that may be discussed on this call are expressed on a non-GAAP basis and have been adjusted from this related GAAP financial measure. We have provided an explanation for and reconciliations of these non-GAAP financial measures to the most directly comparable GAAP financial measures in the earnings press release and in the investor presentation available on our website. In addition, please note that all growth rates discussed on this call refer to a year-over-year basis unless otherwise indicated. The date of this conference call is April 30th, 2026. Any forward-looking statements and related assumptions are made as of this date. 
Except as required by law, we undertake no obligation to update these statements as a result of new information or future events or for any other reason. I will now turn the call to Victor.
Thank you, Joe. Hello, everyone. Thank you for joining us today. We had a good first quarter with strong profitability and solid revenue growth. Indeed, subscription revenue grew 8% year over year, and our adjusted EBITDA margin was 32%. I'm also happy to report that notwithstanding the doom and gloom you might hear about software, our gross revenue retention increased again in Q1, reaching 90% for the company as a whole and 94% for our digital agreements business. We also generated healthy cash flows and we returned capital to shareholders via share buybacks, which have totaled approximately 1.5 million shares for more than $18 million over the past three quarters, and via an increased quarterly dividend as well. Before reviewing our results in more detail, I'd like to provide an update on our investments and how we are positioning the company for stronger growth over time. First, in Q1, we completed the acquisition of Build 38, which brings a fantastic team to OneSpan with deep expertise in mobile threats and mobile application protection and provides customers with telemetry to help them understand the attacks targeting their mobile applications and the environment in which they operate. Keep in mind that the vast majority of consumer banking is now conducted through mobile banking applications, making this a critical attack surface for banks to protect. We now offer post-compilation application protection, sometimes called post-compilation wrapping, as well as an SDK-based approach through which customers can build in application protection and the telemetry necessary for visibility into the threat environment and overall operating environment. With the addition of Build38's capabilities, I am happy to report that we now offer a comprehensive set of leading mobile application security technologies across the app-shielding landscape. 
Second, I want to update you on the acquisition we completed last year of Knock Knock Labs, the pioneer of the FIDO Alliance and of passwordless authentication. A fabulous team from Knock Knock joined our company, and together, we have grown that business materially, with ARR having increased about 20% in less than 10 months since closing. And it has broadened our product set as well. We now have the broadest B2B2C authentication offering, both hardware and software, cloud and on-prem, and OTP and FIDO. Third, we continue to invest in internal research and development. In our digital agreements business, we continue to make strides towards our goal of delivering secure, seamless agreement workflows, purpose-built for the financial services industry, combining white-label capabilities with embedded security, compliance, and identity assurance across the e-signature journey. We're also planning to integrate AI-driven capabilities to provide deeper insights, streamline decision-making, and further simplify integration into our customers' existing environments. Last but not least, I want to reiterate that neither our digital agreements business nor our cybersecurity business has seat-based licensing as the primary revenue model. In cybersecurity, we sell to our customers based on the number of their end users and not based on the number of their employees or seats. Our licenses are tied to the number of consumers using strong authentication or app shielding solutions. Similarly, in digital agreements, the vast majority of our business, about 97%, is priced based on the number of expected e-signature transactions or documents, rather than customer, employee counts, or user counts. Turning to our results, as mentioned, we started the year with a strong first quarter. We generated $21 million of adjusted EBITDA in the quarter for 32% of revenue. 
We ended the first quarter with annual recurring revenue of $192 million, up 14% year over year, inclusive of the uplift from the two acquisitions in the past year. This strong ARR growth continues a positive trend as ARR is now up 24% since March 31st, 2024. Total revenue grew 4% to $66 million, driven by 11% growth in digital agreements, which had another strong quarter, and 2% growth in cybersecurity. Subscription revenue in digital agreements grew 11%, driven by demand for e-signatures, while subscription revenue in cybersecurity grew about 6.5%, reflecting growth in cloud authentication, passwordless authentication, and app shielding. Both business units were solidly profitable at the division level. Overall, the company generated $28 million in cash from operations during the quarter. Our board remains committed to a balanced capital allocation strategy that considers shareholder returns, organic investment, and targeted M&A. In the first quarter, we invested nearly $35 million to acquire Build 38 and returned more than $10 million to shareholders through dividends and share repurchases, following nearly $32 million returned in 2025. The Board has approved a quarterly dividend of 13 cents per share to be paid in the current quarter and will continue to evaluate additional share repurchase opportunities. In summary, we serve a diverse global customer base, and we deliver comprehensive offerings in strong B2B2C authentication, app shielding, and e-signatures. We are investing internally and through targeted M&A to strengthen our portfolio and go-to-market execution, and we continue to make solid progress in building a stronger foundation for growth. We remain committed to maintaining strong profitability, cash generation, and returning capital to shareholders. With that, I'll turn the call over to Jorge.
Thanks, Victor, and good afternoon, everyone. I'm pleased to report another strong quarter and continued progress in building a solid foundation for future growth. I'm particularly excited about our acquisition of Build 38, which strengthens our mobile application security offering and enhances our ability to protect customers and their customers from increasingly sophisticated AI-driven threats. We acquired Build 38 on February 27, and as such, our first quarter results include just over one month of Build 38's financial contribution. Before turning to our Q1 results, I'd like to briefly highlight a change we made this quarter to how we present revenue by operating segment. To better align with how we manage the business and our strategic focus on growing recurring revenues, we now include term maintenance revenue within subscription revenue. As a result, subscription revenue now consists primarily of term licenses for on-prem software, the related maintenance and support revenue, and SaaS revenue. In addition, maintenance revenue associated with perpetual licenses and professional services is now presented together, better reflecting the continued evolution of our business away from perpetual license arrangements. These changes are presentation only and have no impact on total revenue, operating income or cash flows, and prior period results have been updated for comparability. Additional details are included in the revenue tables in today's press release, our Form 10-Q, and the investor presentation on our website. With that context, let me turn to our first quarter results. Annual recurrent revenue, or ARR, increased 14.1% year-over-year to $192.1 million, inclusive of the two acquisitions. Our net retention rate was 105%, benefiting from customer expansion contracts. ARR also benefited from new customer additions and M&A. 
First quarter revenue was $65.9 million, an increase of 4.1% compared to last year's Q1, driven by 5.8% growth in software and services revenues, partially offset by a 4.3% decline in hardware revenue. Continuing a long-term declining trend, in Q1, hardware comprised only 16% of our overall revenue. Subscription revenue grew 8.2% to $52.7 million and accounted for 80% of total revenue. Gross margin was approximately 74%, consistent with the prior year period. I'll provide additional detail on these metrics as I review each business division in a couple minutes. First quarter GAAP operating income was $14.8 million, compared to $17.2 million in Q1 of last year. The year-over-year decline in operating income primarily reflects increased operating costs related to the acquisition of Knock Knock and Build 38, including headcount and non-recurring acquisition-related consulting costs, as well as certain costs related to organic investments, partially offset by lower share-based compensation expenses. GAAP net income per share was $0.30 compared to $0.37 a year ago. Non-GAAP net income per share was $0.39 compared to $0.45 in prior year period. First quarter adjusted EBITDA and adjusted EBITDA margin was $21 million and 31.9% compared to 23 million and 36.4% in the first quarter of last year. Turning to our cybersecurity division. Cybersecurity ARR grew 16.5% year over year to 124.6 million. Again, inclusive of the two acquisitions in the past year. First quarter revenue increased 1.7% to 48.5 million. Subscription revenue grew 6.6% to $35.3 million, driven by customer expansions, new logos, and M&A, partially offset by lower multi-year term license revenue. Hardware revenue declined 4.3%, which was less than expected due to the earlier than anticipated delivery of certain customer shipments. As expected, perpetual maintenance and services revenue declined as we continue to transition legacy perpetual contracts to term-based arrangements. 
Gross margin for the cybersecurity division was 74% compared to 76% in the prior year quarter, primarily reflecting incremental third-party license costs as well as subscription and professional services costs. Operating income was $20.8 million, or 43% of revenue, compared to $24.2 million, or 51% of revenue in last year's Q1, driven by increased operating expenses from the acquisitions, the incremental cost of revenues just discussed, higher non-recurring acquisition-related consulting costs, and increased investments. Now turning to digital agreements, ARR grew 9.9% year-over-year to $67.5 million. First quarter revenue grew 11.2% to $17.4 million, driven by expansion of renewal contracts, new customer additions, and overage fees. Gross margin improved to 72.5%, up from 70.3% in the prior year period, reflecting higher revenues and greater efficiency in our cloud infrastructure costs. Operating income was $5.3 million, or 30.4% of revenue, compared to $3.4 million, or 21.5% in the same period last year, driven by revenue growth, higher gross margins, and a modest decline in operating expenses. Turning to our balance sheet. We ended the first quarter with $49.8 million in cash and cash equivalents, compared to $70.5 million at the end of 2025. We generated $28.2 million in operating cash flows during the quarter. Uses of cash included $5 million for our quarterly dividend, $5.4 million to repurchase approximately 510,000 shares of common stock, $34.6 million related to the Build 38 acquisition, and $2.6 million in capital software development costs, among other things. We ended the quarter with no long-term debt. Geographically, revenue in the first quarter of 2026 was 43% from EMEA, 38% from the Americas, 19% from Asia Pacific, compared to 49%, 33%, and 18% from the same regions in the first quarter of 2025, respectively. 
Year-over-year changes reflect growth in digital agreements and cybersecurity software revenue in the Americas, lower cybersecurity hardware and software revenue in EMEA, and increased hardware revenue in Asia Pacific. Now turning to some modeling notes and our outlook. We are pleased with our first quarter results and the progress we've made in positioning the company for long-term growth. We are affirming our full year 2026 guidance for revenue and adjusted EBITDA, and we are raising our guidance for ARR. We expect continued growth in software and services revenue, driven by solid performance in digital agreements and moderate growth in cybersecurity. In cybersecurity, we anticipate a second quarter ARR headwind of approximately $3 million from two contracts not expected to renew. In both cases, the customer is not a bank or a financial institution, and the majority of that total is from a customer moving to passwordless authentication with a decision taken a year ago before we had acquired Knock Knock Labs. Indeed, this reinforces our belief that adding Knock Knock to our product portfolio was the right strategic move as we expect passwordless authentication to only grow going forward. As such, we expect ARR to grow in the second half of the year, with most of that growth occurring in the fourth quarter. Finally, we also expect the secular shift away from consumer banking hardware tokens to continue. For the full year 2026, we expect total revenue to be in the range of $244 to $249 million. We expect software and services revenue to be in the range of 201 to $204 million. We expect hardware revenue to be in the range of 43 to $45 million. We expect ARR to be in the range of 194 to $198 million as compared to our previous guidance range of 192 to $196 million, and we expect adjusted EBITDA in the range of $64 to $68 million. That concludes my remarks. I will now turn the call back to Victor.
Thanks, Jorge. To recap, we delivered a strong first quarter, and over the past year, we have better positioned the company to deliver value to customers and create value for shareholders. While we know there is more work ahead, that one good quarter does not make an excellent year, we are encouraged by the progress we have made. Jorge and I will now be happy to take your questions.
Thank you. At this time, we will conduct the question and answer session. We kindly request that each participant ask one question and one follow-up question. You may requeue if you have more questions. As a reminder, please mute your line when not speaking. To ask a question, you will need to press star 1-1 on your telephone and wait for your name to be announced. To withdraw your questions, please press star 1-1 again. Please stand by while we compile the Q&A roster. Our first question comes from the line of Eric Seppager of B. Riley Securities. Your line is now open.
Yeah, thanks for taking the questions. First off, when will we start to realize some of the returns that you're making in the operations over the course of 2026? When can we anticipate some acceleration in top line? And do you have a timeframe when you can get back to a rule of 40, delivering on the rule of 40?
Yeah, thanks, Eric. I think before getting to the exact timeline for the Rule of 40, it's important to highlight the progress we've made. If you look at where we were on the Rule of 40 metrics in 2023, I believe the number was 12 on a combined basis, not for one of the metrics. And for the most recent quarter, we're at 36 and 32 last year. So we've definitely made progress. I don't want to pin an exact date on when we'll be at exactly 40, but we're making progress. You see it in our ARR growth. You see it in our subscription growth. Of course, for quite a long time, we've had a consumer banking token decline. And you saw hardware decline again year over year. It's now only 16% of our revenue. We feel like we've made some good progress. We've added some real key functionality to our product set. And we're investing in go-to-market as well to continue to try to drive that subscription growth and try to drive the ARR forward.
Okay, thank you.
Thank you. Our next question comes from the line of Rudy Kessinger of D.A. Davidson. Your line is now open.
Hey, great. Thanks for taking my questions. First one for me on ARR, just so we can kind of try to get to an organic ARR growth rate. What was the Knock Knock ARR and Build 38 ARR as of the end of Q1?
Hey Rudy, thanks for the question. So as of the end of Q1, Knock Knock ARR was 9.7 million, which is an increase from the 8.1 that we acquired already nine months ago, which we feel pretty good about. And Victor alluded to that 20% growth over the last nine and change months, nine-ish months. The Build 38 ARR that we acquired was 2.8 million, Rudy. So combined, it's about 10.9, call it 11. And so when you look at, you know, ARR growth organic, you know, it's about 7%, 7% to 8%.
Got it. That's super helpful. And the growth on Knock Knock is good to see. Obviously you lap that next quarter as far as organic goes. And then second question for me, obviously just given your guys' significant EMEA, you know, mix, I'm curious what impacts, if any, maybe it's on the quarter or you're seeing in current, you know, deal conversations, just given the conflict in the Middle East right now.
Yeah, thanks, Rudy. The Middle East itself, well, the Gulf region itself is a small part of our business, only about 4% of revenue. And, you know, we're obviously keeping an eye on it, like many, many people are. For Europe, I think you'll see in the geographic mix, or Jorge talked about the geographic mix, EMEA is a little bit of a smaller region, portion compared to growth in the Americas. Part of that's strategic. We do think we're under-indexed to North America when it comes to security in particular, so we feel like we're going to grow faster in North America than we had in the past. And also the DA business has been doing well, and that's largely a North American business. Overall, we're optimistic, I would say, about EMEA and cautiously watching the Middle East situation.
It's helpful. Thank you, guys.
Thank you. Our next question comes from the line of Gray Powell of BTIG. Your line is now open.
Oh, great. Thanks for taking the questions. I just had a couple here. So it's good to hear the commentary on Knock Knock. Where are you seeing the strongest pull with Knock Knock within your installed base? And then just like when a customer decides to take the product set, just how should we think of the upsell opportunity?
Knock Knock, I think, is an upsell opportunity because people are going to move to passwordless over the coming years. So having that capability is a core part of our offering. So some of that is customer retention. We talked about GRR in the first quarter. It was at a very strong level, 94% for DA, but 88% for security, cybersecurity. So higher than it had been in quite a while. And there's also opportunity to get new customers with Knock Knock's offering. As passwordless becomes more and more prevalent, having a super strong offering, having the board seat on the FIDO Alliance, having the history with FIDO that Knock Knock had, brings a lot to the table. Geographically, we have seen it so far be stronger in North America with strength in Japan as well, but we expect it to grow in Europe, ultimately to grow in Latin America and all the world. In five years, everyone will use passkeys and passwords will seem outdated.
Okay, that's really helpful. And then... I just want to make sure I'm thinking about Build 38 correctly. So, I mean, it makes perfect sense on how it can make your existing products better. And this might be a dumb question, but what was the acquisition's main purpose? Is it simply to make you more competitive on the authentication side and to make your existing stuff more compelling? Or is it going to ultimately result in another SKU that you can sell to customers and therefore something else that can generate revenue?
It broadens the offering. So if you think about what our app shielding offering was, first of all, it was through a partner. We had a long partnership in that realm that was successful. But that offering was what is called a wrapping. So you build the application, and then after it's compiled, there's a wrapper or protection put around the app. And it's useful. It blocks attacks, but it doesn't give you as much information about what type of attacks are coming in, what the operating environment is, and the Build38 approach is different. It has an SDK-based implementation where the protection is built into the app and it enables telemetry back from the applications. Remember, they don't control the devices. These are all consumer devices that are using mobile banking apps. It gives them lots of information about the devices themselves and about what attacks are happening. So that has all kinds of implications to broaden the cybersecurity solution that we're offering customers.
Understood. Thank you very much.
Thank you. Our next question comes from the line of Anya Soderstrom of Sidoti. Your line is now open.
Hi, thank you for taking my question. Just curious, the contracts that are not renewing in second quarter, how big of a shortfall is that? And can you just sort of double click on what gives you confidence in raising the ARR guidance?
Sure. We've seen good progress with ARR. Those two accounts, I mean, one of them's about $2 million, right? That decision was taken a year ago, for them to move to passwordless, this is a great, it just underscores why the Knock Knock acquisition was important for us. We did not have an offering at the time. So we didn't have the opportunity to even compete effectively as they moved to passwordless. We do now. Unfortunately, that decision had already been taken. So in the short run, we're going to have a little bit of a hit as mentioned to ARR, but we do feel good about the growth that we've seen so far, the pipeline. And, you know, we do have seasonality in our business. We close a lot more business in Q4 than we do in the summer, typically in most years. So we think most of that ARR kind of reinvigoration will happen in the latter part of the year, say September through December.
Okay, thank you. And now when you have Knock Knock, do you feel you're getting better attention since you're having that offering?
Well, it's hard to put a precise quantification on it, but if you look at the growth in our GRR, I think we are positioned better with our customers. Instead of having technology that maybe a few years ago someone would have viewed as dated, we have up-to-date market-leading technology in critical areas. So that helps customers feel that they should stick with you, that you're going to be a long-term solution, and we've seen our GRR go up. I don't think it's only as a result of that because our renewals team has done a great job. We've done better engagement with customers as well, but I think it certainly helps.
Okay. Thank you. That was all for me.
Thank you.
Thank you. Our next question comes from the line of Eric Sepiger of B. Riley Securities. Your line is now open.
Yeah, thanks. A follow-up here. Of your FIDO2 customers, how many of them are buying both the Knock Knock backend software as well as the tokens?
To date, not too many. It's the Knock Knock, of course, did not have a token business. So most of them are pure software customers. And that's another area that I think as we look ahead, we have an opportunity to do better in. It's something that we're hoping can blunt the decline in the consumer banking tokens as we move forward. Having that broad offering does give flexibility to customers if they have a portion of their workforce that they want to have hardware authentication for. We can offer that without them needing to go to somebody else to a hardware-only vendor, as an example. But to date, we haven't had a ton of cross-sell on that. It is an opportunity rather than a material contributor at the moment.
Is it a synergistic sale where you're able to provide any kind of advantage by using an end-to-end solution, or is it just simply standards-based and therefore there's no end-to-end benefit?
Well, the Knock Knock offering has advantages. Of course, it is an open protocol, a FIDO protocol, but the Knock Knock solution has additional technology built in to enable device binding of keys, which financial institutions like a lot, not to get too much into the weeds, but synced keys synced to Google or other cloud providers can sometimes make banks nervous. And a Knock Knock offering has the ability to have device-bound keys so that they're not synced on the software side. On the hardware side, it is, again, it's an open protocol, so they could buy hardware from someone else. It is advantageous in having the same vendor. We do very nice branding on the devices, which we have history having done that with banks for many, many years. So to the extent that they like that, it's an appealing offering. But again, open protocol, so it's not, there's not a vendor lock-in situation when it comes to hardware.
Very good. Thank you.
Thank you. Our next question comes from the line of Catherine Trevenick of Rosenblatt. Your line is now open.
Yeah, thanks for taking my question. Now with subscription revenue roughly 80% of total, and you have a good track record, or it seems like digital agreements and the cybersecurity subscription is growing. Can you kind of lay out a plan for, you know, will it always be 80%, 85%? I mean, what's going to happen with the hardware, you think, over the next 12 months? Because I know it's been lumpy, and there's obviously some changes, and just kind of lay out a roadmap. Thank you.
So let me just talk about the underlying business trends. The consumer banking tokens we expect to continue to decline. We don't think they'll go to zero. We think there'll be some portion of consumers in Europe and Asia that are using tokens to authenticate because they're doing web banking and they're not doing their banking through a mobile banking app. You ask banks, a lot of them will say 80% of their traffic is now through their mobile app versus laptops or desktops. The hardware piece, the part that could offset that ongoing decline that's been going on for over a decade is the FIDO2 security piece. If we can get that piece to grow, we could offset that growth and keep the hardware business at a stable rate. Of course, most of our focus, most of our attention is on growing the subscription, growing the ARR, and driving value that way. Jorge, I don't know if you want to add anything on modeling that would be helpful.
Yeah, so, you know, I think for purposes of '26 guidance, you know, we, we didn't change our guide for, for hardware, you know, where it goes in '27, '28, you know, nobody, nobody has a crystal ball, I think they have some input on that, you know, is obviously still in secular decline, but to Vic's point, we don't think it's going to go to zero, right, there's going to be even corporate banking is still done, you know, through a hardware token is the safest way to do providers transactions, signing things of that nature. And so there will be, you know, specifically, you know, a pool in the, a target sort of customer base that will continue to use that device, right? Hardware tokens. So, you know, kind of cannot add more to what you said, Vic, other than, you know, hopefully stabilize this and find a new baseline soon.
All right. Thank you very much. Sorry to keep asking that question, but keep coming up. Bye-bye.
Thank you. Thank you. This concludes the question and answer session. I would now like to turn it back to Joe Maxa for closing remarks.
Thanks for joining today, everyone. We look forward to talking with you again next quarter. Have a great evening.
Thank you for your participation in today's conference. This does conclude the program. You may now disconnect.