UNITED STATES

SECURITIES AND EXCHANGE COMMISSION

Washington, D.C. 20549

FORM 10‑K

FOR ANNUAL AND TRANSITION REPORTS PURSUANT TO

SECTIONS 13 OR 15(d) OF THE SECURITIES EXCHANGE ACT OF 1934

(Mark One)

[x]    ANNUAL REPORT PURSUANT TO SECTION 13 OR 15(D) OF THE SECURITIES EXCHANGE ACT OF 1934 FOR THE FISCAL YEAR ENDED DECEMBER 31, 2017

or

[  ]   TRANSITION REPORT PURSUANT TO SECTION 13 OR 15(d) OF THE SECURITIES EXCHANGE ACT OF 1934 FOR THE TRANSITION PERIOD FROM            TO

Commission file number 000‑24389

VASCO Data Security International, Inc.

(Exact Name of Registrant as Specified in Its Charter)

121 West Wacker Drive, Suite 2050

Chicago, Illinois 60601

(Address of Principal Executive Offices)(Zip Code)

Registrant’s telephone number, including area code:

312-766-4001

Securities registered pursuant to Section 12(b) of the Act:

Securities registered pursuant to Section 12(g) of the Act:

None

Indicate by check mark if the registrant is a well-known seasoned issuer, as defined by Rule 405 of the Securities Act.   Yes              No    X  

Indicate by check mark if the registrant is not required to file reports pursuant to Section 13 or 15(d) of the act.   Yes              No    X  

Indicate by check mark whether the registrant: (1) has filed all reports required to be filed by Section 13 or 15(d) of the Securities Exchange Act of 1934 during the preceding 12 months (or for such shorter period that the registrant was required to file such reports), and (2) has been subject to such filing requirements for the past 90 days.   Yes     X        No           

Indicate by check mark whether the registrant has submitted electronically and posted on its corporate Web site, if any, every Interactive Data File required to be submitted and posted pursuant to Rule 405 of Regulation S-T (§232.405 of this chapter) during the preceding 12 months (or for such shorter period that the registrant was required to submit and post such files).   Yes     X        No           

Indicate by check mark if disclosure of delinquent filers pursuant to Item 405 of Regulation S-K is not contained herein, and will not be contained, to the best of registrant’s knowledge, in definitive proxy or information statements incorporated by reference in Part III of this Form 10‑K or any amendment to this Form 10‑K. [  ]

Indicate by check mark whether the registrant is a large accelerated filer, an accelerated filer, a non-accelerated filer, a smaller reporting company, or an emerging growth company. See definition of “large accelerated filer,” “accelerated filer”, “smaller reporting company”, and “emerging growth company” in Rule 12b‑2 of the Exchange Act.

If an emerging growth company, indicate by check mark if the registrant has elected not to use the extended transition period for complying with any new or revised financial accounting standards pursuant to Section 13(a) of the Exchange Act. [ ]

Indicate by check mark whether the registrant is a shell company (as defined in Rule 12b‑2 of the Exchange Act).   Yes              No    X  

As of June 30, 2017, the aggregate market value of voting and non-voting common equity (based upon the last sale price of the common stock as reported on the NASDAQ Capital Market on June 30, 2017) held by non-affiliates of the registrant was $441,357,597 at $14.35 per share.

As of February 22, 2018, there were 40,160,900 shares of common stock outstanding.

DOCUMENTS INCORPORATED BY REFERENCE

Certain sections of the registrant’s Notice of Annual Meeting of Stockholders and Proxy Statement for its 2018 Annual Meeting of Stockholders are incorporated by reference into Part III of this report.

TABLE OF CONTENTS

This report contains trademarks of VASCO Data Security International, Inc. and its subsidiaries, which include VASCO, the VASCO “V” design, DIGIPASS, VACMAN, IDENTIKEY, Cronto, and eSignLive.

Cautionary Statement for Purposes of the Safe Harbor Provisions of the Private Securities Litigation Reform Act of 1995

This Annual Report on Form 10‑K, including Management’s Discussion and Analysis of Financial Condition and Results of Operations and Quantitative and Qualitative Disclosures About Market Risk contains forward-looking statements within the meaning of Section 21E of the Securities Exchange Act of 1934, as amended and Section 27A of the Securities Act of 1933, as amended concerning, among other things, our expectations regarding the prospects of, and developments and business strategies for, VASCO and our operations, including the development and marketing of certain new products and services and the anticipated future growth in certain markets in which we currently market and sell our products and services or anticipate selling and marketing our products or services in the future. These forward-looking statements (1) are identified by use of terms and phrases such as “expect”, “believe”, “will”, “anticipate”, “emerging”, “intend”, “plan”, “could”, “may”, “estimate”, “should”, “objective”, “goal”, “possible”, “potential”, “projected”, and similar words and expressions, but such words and phrases are not the exclusive means of identifying them, and (2) are subject to risks and uncertainties and represent our present expectations or beliefs concerning future events. VASCO cautions that the forward-looking statements are qualified by important factors that could cause actual results to differ materially from those in the forward-looking statements. These additional risks, uncertainties and other factors have been described in greater detail in this Annual Report on Form 10‑K and include, but are not limited to, (a) risks of general market conditions, including currency fluctuations and the uncertainties resulting from turmoil in world economic and financial markets, (b) risks inherent to the computer and network security industry, including rapidly changing technology, evolving industry standards, increasingly sophisticated hacking attempts, increasing numbers of patent infringement claims, changes in customer requirements, price competitive bidding, and changing government regulations, and (c)  risks specific to VASCO, including demand for our products and services, competition from more established firms and others, pressures on price levels and our historical dependence on relatively few products, certain suppliers and certain key customers. These risks, uncertainties and other factors include VASCO’s ability to integrate eSignLive into the global business of VASCO successfully and the amount of time and expense spent and incurred in connection with the integration; the risk that the revenue synergies, cost savings and other economic benefits that VASCO anticipates as a result of this acquisition are not fully realized or take longer to realize than expected. Thus, the results that we actually achieve may differ materially from any anticipated results included in, or implied by these statements. Except for our ongoing obligations to disclose material information as required by the U.S. federal securities laws, we do not have any obligations or intention to release publicly any revisions to any forward-looking statements to reflect events or circumstances in the future or to reflect the occurrence of unanticipated events.

Unless otherwise noted, references in this Annual Report on Form 10‑K to “VASCO”, “company”, “we”, “our”, and “us” refer to VASCO Data Security International, Inc. and its subsidiaries.

PART I

Item 1 - Business

VASCO Data Security International, Inc. was incorporated in the State of Delaware in 1997 and is the successor to VASCO Corp., a Delaware corporation. Our principal executive offices are located at 121 West Wacker Drive, Suite 2050, Chicago, Illinois 60601; the telephone number at that address is 312 766 4001. Our international headquarters in Europe is located at World-Wide Business Center, Balz-Zimmermannstrasse 7, CH-8152, Glattbrugg, Switzerland; the phone number at this location is +41 43 555 3500. Our principal operations offices in Europe are located at Romeinsesteenweg 564C, Strombeek-Bever 1853, Belgium and the telephone number at that address is +34 2 609 9700. Unless otherwise noted, references in this Annual Report on Form 10-K to “VASCO”, “company”, “we”, “our”, and “us” refer to VASCO Data Security International, Inc. and its subsidiaries.

Additional information on the company, our products and services and our results, including the company’s annual report on Form 10-K, quarterly reports on Form 10-Q, current reports on Form 8-K, and amendments to those reports filed with the Securities and Exchange Commission (the “SEC”) are available, free of charge, on our website at https://www.vasco.com. You may also read and copy any materials we file with the SEC at the SEC’s Public Reference Room at 100 F Street, NE, Washington, DC 20549. You may obtain information on the operation of the Public Reference Room by calling the SEC at 1-800-SEC-0330. Our reports are filed electronically with the SEC and are also available on the SEC’s website (https://www.sec.gov).

Overview

We design, develop and market digital solutions for identity, security, and business productivity that protect and facilitate transactions online, via mobile devices, and in-person. We are a global leader in providing anti-fraud and digital transaction management solutions to financial institutions and other businesses. Our solutions secure access to online accounts, data, assets, and applications for global enterprises; provide tools for application developers to easily integrate security functions into their web-based and mobile applications; and facilitate digital transactions involving the signing, sending, and managing of documents. Our core technologies, multi-factor authentication and transaction signing, strengthen the process of preventing hacking attacks against online and mobile transactions to allow companies to transact business safely with remote customers.

We offer cloud based and on premises solutions using both open standards and proprietary technologies. Some of our proprietary technologies are patented. Our products and services are used for authentication, fraud mitigation, e-signing transactions and documents, and identity management in Business-to-Business (“B2B”), Business-to-Employee (“B2E”) and Business-to-Consumer (“B2C”) environments. Our target market is business processes using electronic interface, particularly the Internet, where there is risk of unauthorized access. Our products can increase security associated with accessing business processes, reduce losses from unauthorized access, and minimize the cost of the process by automating activities previously performed manually.

Online and mobile application owners and publishers benefit from our expertise in multi-factor authentication, document signing, transaction signing, application security, and in mitigating hacking attacks. Our convenient and proven security solutions enable frictionless and trusted interactions between businesses, employees, and consumers across a variety of online and mobile platforms.

Our newest product offerings enhance our library of mobile application security solutions, expand our risk-based anti-fraud capabilities, and deliver broad-based signature capabilities that enable secure and simple digitized business transactions.

Our growth strategy includes:

Industry Background

The number of people using the internet via computers, tablets, and smartphones continues to grow at a rapid pace. Consumers are embracing online and mobile transactions and banking in increasing numbers. Organizations of all types have an increasing number of employees and business partners accessing protected resources from remote locations. New business paradigms such as these introduce new security risks for participants, especially banks, merchants, and other online and mobile service providers. Large and powerful criminal hacking organizations are launching more sophisticated hacking attacks with greater frequency. The criminal activities of private and state-sponsored hacking organizations have driven an increased need for security solutions and expansion of regulations requiring improved security measures to protect against hacking attacks and breaches. Several governments worldwide have recognized the risk associated with using user name and password access for internet and mobile applications and have issued specific recommendations advocating multi-factor authentication for enhanced online and mobile banking security. We anticipate this trend may continue.

We believe there are no reliable measurements of the total industry size or the industry growth rate for our security and eSignature products and services. However, we believe the market for authentication, anti-fraud and eSignature solutions will continue to grow driven by new government regulations, growing awareness of the impact of cyber-crime, and growth in electronic commerce. The issues driving growth are global however, the rate of adoption in each country is a function of culture, competitive position, economic conditions and use of technology.

Our Background

Our predecessor company, VASCO Corp., entered the data security business in 1991 through the acquisition of a controlling interest in ThumbScan, Inc., which we renamed as VASCO Data Security, Inc.

In 1996, we expanded our computer security business by acquiring Lintel Security NV/SA, a Belgian corporation, which included assets associated with the development of security tokens and security technologies for personal computers and computer networks. Also in 1996, we acquired Digipass NV/SA, a Belgian corporation, which was also a developer of security tokens and security technologies. In 1997, the acquired entity was renamed VASCO Data Security NV/SA.

In 1997, VASCO Data Security International, Inc. was incorporated and in 1998, we completed a registered exchange offer with the holders of the outstanding securities of VASCO Corp.

In 2006, we opened our international headquarters in Zurich, Switzerland.

In 2013, we acquired Cronto Limited (“CRONTO”), a provider of secure visual transaction authentication solutions for online banking.

In 2014, we acquired Risk IDS, a provider of risk analysis solutions to the banking community.

In November 2015, we acquired Silanis Technology Inc., a leading provider of electronic signature (eSignature) and digital transaction solutions used to sign, send and manage documents. The solution is sold under the eSignLive™ name and is trusted by many of the largest banks, insurers and government agencies.

Including our predecessor company, VASCO Corp., we have engaged in fifteen acquisitions and two dispositions.

Our Products and Services

DIGIPASS for Apps and DIGIPASS for Mobile

Our DIGIPASS Software authenticators, DIGIPASS for Apps and DIGIPASS for Mobile are designed to provide our customers with increased security for access to their mobile applications and networks without having to carry a standalone hardware device. DIGIPASS software authenticators balance the need for stronger mobile application security with the demands for user convenience by delivering comprehensive, built-in security for mobile applications, combined with a frictionless, “hands-free” authentication and e-signing experience for mobile users.

DIGIPASS for Apps is a comprehensive software development kit (SDK) that allows application developers to natively integrate security features including geolocation, device identification, jailbreak and root detection, fingerprint and face recognition, one-time password delivery via PUSH notification, and electronic signing, among others. Through a comprehensive library of APIs, application developers can extend and strengthen application security, deliver enhanced convenience to their application users, and streamline application deployment and lifecycle management processes.

DIGIPASS for Mobile is a user-friendly and secure mobile authenticator that operates as a discrete mobile application. It includes many of the features of DIGIPASS for Apps and can easily be tailored to meet the needs of any authentication process. It can be customized and deployed rapidly without extensive technical support ensuring strong security with compelling value.

IDENTIKEY Risk Manager

IDENTIKEY Risk Manager (IRM) is a comprehensive anti-fraud solution designed to help banks and other users improve the manner and speed of detecting fraud across multiple channels. It enables banks and financial institutions to take a proactive approach to fraud prevention, while making the experience frictionless for end users. IRM uses analytic techniques such as neural network implementations to score real-time transaction activity. Cross-channel prebuilt rules complement this score and allow fraud experts to make decisions on alerts or link to automated business processes such as step-up authentication. This solution can be implemented in combination with DIGIPASS for Apps to provide integrated trust with minimal impact on the end user experience. These products are targeted at banks, transaction processors, and ATM operations.

Application Shielding with RASP

VASCO’s application shielding with Runtime Application Self-Protection (RASP), neutralizes the threat of sophisticated attacks on mobile apps. It can mitigate malicious app activities before they interfere with the normal operation of the app and expose sensitive user data. This solution also provides code obfuscation and anti-tampering to stop hackers from debugging and reverse-engineering applications, ultimately reducing the risk of rogue apps.

eSignLive eSignature

eSignLive supports a broad range of eSignature requirements from simple to complex, and from the occasional electronic contract to the processing tens of thousands of transactions. eSignLive provides multiple deployment options including public cloud, private cloud, or on-premises, without compromising security or functionality. eSignLive is also available in a FedRAMP SaaS-level compliant cloud, allowing U.S. government agencies to implement eSignatures in the cloud and meet GSA security requirements.

Customers can configure eSignLive end-user to reinforce their brand for a seamless signing experience. Each step of the eSignature workflow can be customized, from authentication to e-document distribution. eSignLive can be

used across multiple devices, including laptop, mobile phone, or tablet, contributing to high levels of user adoption and satisfaction.

eSignLive provides the most comprehensive and secure electronic evidence for the strongest legal protection by capturing both document and process-level evidence. This reduces the time and cost of gathering evidence and demonstrating legal and regulatory compliance. eSignLive electronic signature capabilities can be a critical component of the customer onboarding process for mobile applications providing a secure and user friendly way to capture customer signatures.

eSignLive eVault Manager

eVault Manager is a secure, web-based platform that provides mortgage lenders, auto financers, equipment lessors and other financial services organizations the means to store, assign and service electronic mortgage notes and secured loans and leases. The solution enables fully electronic, straight-through processing of mortgages and other secured loans and leases, from origination to retirement. After being electronically signed with eSignLive or another system, the authoritative copy of an eMortgage note or e-chattel paper is deposited in an eVault and protected throughout its lifecycle.

eVault Manager can be deployed in a public cloud, private cloud or on-premise. It maintains a single authoritative copy that is unique and identifiable; securely manages the transfer of assignment and location; ensures records cannot be altered, except as permitted; provides secure access and authorization control; includes an administration console for managing, pooling, searching and auditing electronic records; and supports vault-to-vault transfers and secure output to paper.

VACMAN

Our VACMAN product line incorporates a range of strong authentication utilities and solutions designed to allow organizations to add DIGIPASS strong authentication into their existing networks and applications. VACMAN solutions integrate with the most popular hardware and software and once integrated, become largely transparent to users, minimizing rollout and support issues. VACMAN encompasses multiple authentication technologies (passwords, dynamic password technologies, certificates, and biometrics) and allows use of any combination of those technologies simultaneously.

VACMAN enables customers to administer a high level of access control and allows them to match the level of authentication security used with the risk associated with each user of their application. Customers simply add fields to their existing user databases to describe the authentication technology used, and, if applicable, the unique DIGIPASS assigned to each end user of their application. VACMAN requires only a few days to implement in most systems and supports all DIGIPASS functionality. Once linked to an application, VACMAN automatically handles login requests from any user authorized to have a DIGIPASS.

DIGIPASS Hardware Authenticators

We offer a wide variety of DIGIPASS authenticators, each of which has its own distinct characteristics to meet the needs of our customers. All models of the DIGIPASS family are designed to work together so customers can switch devices without changes to their existing infrastructure. Our hardware DIGIPASS models range from simple one-button devices to devices that include more secure technologies, such as public key infrastructure (“PKI”).

With the acquisition of CRONTO in May 2013, VASCO added visual cryptography to its product portfolio. Sensitive transaction data is captured in a cryptogram that consists of a matrix of colored dots. By scanning the image with a hardware or software authenticator, the data contained in the cryptogram is decrypted and the transaction details are presented to the user for verification providing a highly secure method of visual transaction signing with maximum user convenience.

Many DIGIPASS hardware authenticators combine the benefits of traditional password authenticators (authentication and digital signatures) with smart card readers. Together, they bring portability to smart cards and allow the use of secure time-based algorithms.

DIGIPASS hardware technology is designed to support authentication and digital signatures for applications running on desktop PCs, laptops, tablets, and smart phones.

IDENTIKEY Authentication Server

IDENTIKEY Authentication Server is a centralized authentication server that supports the deployment, use, and administration of DIGIPASS strong user authentication. It is based on VASCO’s core VACMAN technology. IDENTIKEY is also available as a stand-alone appliance and as a virtual appliance.

Intellectual Property and Proprietary Rights and Licenses

We rely on a combination of patent, copyright, trademark, design and trade secret laws, as well as employee and third-party non-disclosure agreements to protect our proprietary rights. In particular, we hold several patents in the U.S. and in other countries, which cover multiple aspects of our technology. These patents expire between 2019 and 2035. In addition to the issued patents, we also have several patent applications pending in the U.S., Europe and other countries. The majority of our issued and pending patents cover our DIGIPASS product line. We believe these patents to be valuable property rights and we rely on the strength of our patents and on trade secret law to protect our proprietary technology. We furthermore have registrations for most of our trademarks in most of the markets where we sell the corresponding products and services and registrations of the designs of many of our hardware products primarily in the EU and China. To the extent that we believe our intellectual property rights are being infringed upon, we intend to assert vigorously our intellectual property rights, including but not limited to, pursuing all available legal remedies.

Research and Development

Our research and development efforts historically have been, and will continue to be, concentrated on product enhancement, new technology development, and related new product introductions. We employ a team of full-time engineers and, from time to time, also engage independent engineering firms to conduct non-strategic product development efforts on our behalf. For fiscal years ended December 31, 2017, 2016, and 2015, we incurred expenses of $23.1 million, $23.2 million, and $17.5 million, respectively, for research and development.

Production

Our security hardware DIGIPASS products are manufactured by third party manufacturers pursuant to purchase orders that we issue. Our hardware DIGIPASS products are made primarily from commercially available electronic components purchased globally. Our software products are produced in-house.

Hardware DIGIPASS products utilize commercially available programmable microprocessors purchased from several suppliers. The microprocessors are the most important components of our security authenticators that are not commodity items readily available on the open market. Some microprocessors are single sourced. Orders of microprocessors generally require a lead-time of 12-16 weeks. We attempt to maintain a sufficient inventory of all parts to handle short-term increases in orders.

Large orders that would significantly deplete our inventory are typically required to be placed with more than twelve weeks of lead-time, allowing us to make appropriate arrangements with our suppliers. We purchase microprocessors and arrange for shipment to third parties for assembly and testing in accordance with our design specifications. The majority of our DIGIPASS products are manufactured by four independent vendors domiciled in Hong Kong and Macau with production facilities in mainland China. Purchases are made on a volume purchase order basis. We supply product test equipment at the point of assembly. We maintain a local team in China to conduct quality control and quality assurance procedures. Periodic visits are conducted by our personnel for quality management, assembly process review, and supplier relations.

Competition

The market for computer and network security solutions is very competitive and, like most technology-driven markets, is subject to rapid change and constantly evolving products and services. Our anti-fraud products are designed to allow authorized users access to a computing environment or application, in some cases using patented technology, as a replacement for or supplement to a static password. Although certain of our security technologies are patented, there are other organizations that offer anti-fraud solutions that compete with us for market share. Our main competitors in our anti-fraud markets are Gemalto and RSA Security, a subsidiary of Dell Technologies. There are many other companies, such as Kobil Systems, Symantec, and Early Warning that offer competing authentication hardware, software and services that range from simple locking mechanisms to sophisticated encryption technologies. In addition to these companies, we face competition from many small authentication solution providers, many of whom offer new technologies and niche solutions such as biometric or behavioral analysis. We believe that competition in this market is likely to intensify as a result of increasing demand for security products. Our primary competitors for electronic signature solutions include DocuSign and Adobe Systems. Both companies are significantly larger than us. In addition to these companies, there are dozens of smaller and regional providers of electronic signing solutions.

We believe that the principal competitive factors affecting the market for computer and network security products as well as electronic signatures include the strength and effectiveness of the solution, technical features, ease of use, quality and reliability, customer service and support, brand recognition, customer base, distribution channels, and the total cost of ownership of the solution. Although we believe that our products currently compete favorably with respect to such factors, there can be no assurance that we can maintain our competitive position against current and potential competitors.

Some of our present and potential competitors have significantly greater financial, technical, marketing, purchasing, and other resources. As a result, they may be able to respond more quickly to new or emerging technologies and changes in customer requirements, or to devote greater resources to the development, promotion and sale of products, or to deliver competitive products at a lower end-user price. Current and potential competitors have established or may establish cooperative relationships among themselves or with third parties to increase the ability of their products to address the needs of our prospective customers. It is possible that new competitors or alliances may emerge and rapidly acquire significant market share. Accordingly, we have forged, and will continue to forge, our own partnerships to offer a broader range of products and capabilities to the market.

Sales and Marketing

Our solutions are sold worldwide through our direct sales force, as well as through distributors, resellers, systems integrators, and original equipment manufacturers. Our sales staff coordinates sales activity through both our sales channels and those of our strategic partners making direct sales calls either alone or with the sales personnel of our partners. Our sales staff also provides product education seminars to sales and technical personnel of vendors and distributors with whom we have working relationships and to potential end-users of our products.

Our sales force is able to offer customers a choice of an on-site implementation using our on-premises model or a cloud implementation for some solutions using our services platform.

Part of our expanded selling effort includes approaching our existing strategic partners to find additional applications for our security products. In addition, our marketing plan calls for the identification of new business opportunities that may require enhanced security or areas where we do not currently market our products. Our efforts also include various activities to increase market awareness of solutions as well as preparation and dissemination of white papers explaining how our security products can add value or otherwise be beneficial.

Customers and Markets

Customers for our products include some of the world’s most recognized names: JPMorgan Chase & Co., Citibank, HSBC, Rabobank, Deutsche Bank, Sumitomo Mitsui Banking Corporation, BNP-Paribas Fortis, The Bank of

Tokyo-Mitsubishi, Banco Santander, and U.S. government agencies including the Postal Service, USDA, Census Bureau, and GSA.

Our top 10 customers contributed 27%, 36%, and 50%, in 2017, 2016, and 2015, respectively, of total worldwide revenue. In 2015, Rabobank contributed 30% of our worldwide revenue.

A significant portion of our sales is denominated in foreign currencies and changes in exchange rates impact results of operations. To mitigate exposure to risks associated with fluctuations in currency exchange rates, we attempt to denominate an amount of billings in a currency such that it would provide a hedge against operating expenses being incurred in that currency. For additional information regarding how currency fluctuations can affect our business, please refer to “Management’s Discussion and Analysis of Financial Condition and Results of Operations” and “Quantitative and Qualitative Disclosures about Market Risk.”

We experience seasonality in our business. Historically, these seasonal trends are most notable in the summer months, particularly in Europe, when many businesses defer purchase decisions; however, the timing of any one or more large orders may temper or offset this seasonality.

We generally focus our sales and marketing efforts in three primary areas:

We serve multiple markets via our two-tier indirect sales channel. We invest in and support our channel with training, marketing and sales support resources. Distributors and resellers get the tools they need to be successful, such as campaigns, case studies, marketing funds and more. We train employees of our resellers and distributors on-site and in our offices.

Backlog

Our backlog at December 31, 2017 was approximately $48 million compared to $50 million at December 31, 2016 and $51 million at December 31, 2015. We do not believe that the specific amount of backlog at any point in time is indicative of the trends in our markets or the expected results of our business. Given the large size of orders, the backlog number can change significantly with the receipt of a new order or modification of an existing order.

Financial Information Relating to Foreign and Domestic Operations

For financial information regarding VASCO, see our Consolidated Financial Statements and the related Notes, which are included in this Annual Report on Form 10-K. We have a single operating segment for all our products and operations. See Note 11 in the Notes to Consolidated Financial Statements for a breakdown of revenue and long-lived assets between U.S. and foreign operations.

Employees

As of December 31, 2017, we had 611 total employees, including 327 located in EMEA (Europe, the Middle East and Africa), 254 located in the Americas, and 30 located in Asia Pacific. Of the total employees, 311 were involved

in sales, marketing, operations and customer support, 203 in research and development and 97 in general and administration.

Item 1A - Risk Factors

RISK FACTORS

You should carefully consider the following risk factors, which we consider the most significant, as well as other information contained in this Annual Report on Form 10-K. In addition, there are a number of less significant and other general risk factors that could affect our future results. If any of the events described in the risk factors were to occur, our business, financial condition or operating results could be materially and adversely affected. We have grouped our Risk Factors under captions that we believe describe various categories of potential risk. For the reader’s convenience, we have not duplicated risk factors that could be considered to be included in more than one category.

Risks Related to Our Business

A significant portion of our sales are to a limited number of customers. The loss of substantial sales to any one of them could have an adverse effect on revenues and profits.

We derive a substantial portion of our revenue from a limited number of customers, many of which are financial institutions. The loss of substantial sales to any one of them could adversely affect our operations and results. In fiscal 2017, 2016, and 2015, our top 10 largest customers contributed 27%, 36%, and 50%, respectively, of total worldwide revenue. In 2015, Rabobank contributed 30% of total revenue principally due to an order for card readers incorporating our CRONTO technology.

The return of a worldwide recession and/or an increase in the concern over the European sovereign debt crisis may further impact our business.

Our business is subject to economic conditions that may fluctuate in the major markets in which we operate. Factors that could cause economic conditions to fluctuate include, without limitation, recession, inflation, deflation, interest rates, unemployment, consumer debt levels, general retail or commercial markets and consumer or business purchasing power or preferences.

While it appears that circumstances that led to the sovereign debt crisis have abated, many significant economic issues have not been addressed fully. As a result, we expect that parts of Europe will continue to face difficult economic conditions in 2018. If global economic and financial market conditions remain uncertain and/or weak for an extended period of time, any of the following factors, among others, could have a material adverse effect on our financial condition and results of operations:

While we believe that many of the effects of the recession and credit crisis have abated, we are unable to predict potential future economic conditions, disruptions in the sovereign debt markets or other financial markets, the Euro Monetary Union or the European Union, or the effect of any such disruption or disruptions on our business and results of operations, but the consequences may be materially adverse. We believe that our business in the Banking market in Europe would be impacted most directly by any such disruption and that the consequences may be materially adverse, as approximately 48% of our consolidated revenues originated in the EMEA region in 2017.

Disruptions in markets or the European Union may affect our liquidity and capital resources.

We believe our financial resources are adequate to meet our operating needs. However, disruptions in the sovereign debt markets or other financial markets, the Euro Monetary Union or the European Union, could materially adversely affect our liquidity and capital resources and expose us to additional currency fluctuation risk. Sufficiently adverse effects could cause us to modify our business plans.

Furthermore, in an adverse economic environment there is a risk that customers may delay their orders until the economic conditions improve further. If a significant number of orders are delayed for an indefinite period of time, our revenue and cash receipts may not be sufficient to meet the operating needs of the business. If this is the case, we may need to significantly reduce our workforce, sell certain of our assets, enter into strategic relationships or business combinations, discontinue some or all of our operations, or take other similar restructuring actions. While we expect that these actions would result in a reduction of recurring costs, they also may result in a reduction of recurring revenue and cash receipts. It is also likely that we would incur substantial non-recurring costs to implement one or more of these restructuring actions.

We could incur substantial accounting related costs if we are unable to maintain an effective system of internal control over financial reporting.

As a result of the material weakness disclosed as of December 31, 2016, related to deficiencies associated with our acquisition of Silanis Technology Inc. in November 2015 and its subsequent operations, we improved our internal control over financial reporting and the effectiveness of our disclosure controls and procedures.  We expended significant resources, including accounting-related costs and significant management oversight as we corrected past deficiencies. Management has determined that full remediation of the prior deficiencies in internal control over financial reporting that led to the material weakness has occurred, and the subsequent investment in the control environment will continue.

We cannot provide absolute assurance that additional material weaknesses, or significant deficiencies, in our internal controls will not be identified in the future. Failure to maintain effective controls or implement new or improved controls could result in significant deficiencies or material weaknesses, affect management evaluations and auditor attestations regarding the effectiveness of our internal controls, failure to meet periodic reporting obligations, and

material misstatements in our financial statements. Material misstatement of our financial statements may result in a restatement, loss of investor and customer confidence, a decline in the market price of the Company’s common stock, and potential sanctions or investigations by NASDAQ, the Securities and Exchange Commission or other regulatory authorities. Failure to remedy any material weakness in the Company’s internal control over financial reporting, or to implement or maintain other effective control systems required of public companies, could also restrict the Company’s future access to the capital markets.

We have a long operating history, but only modest accumulated profit.

Although we have reported net income (loss) of $(22.4) million, $10.5 million, and $42.2 million for the years ended December 31, 2017, 2016, and 2015, respectively, our retained earnings were $156.2 million at December 31, 2017. Over our 25 year operating history, we have operated at a loss for many of those years. In the current uncertain economic environment, it may be difficult for us to sustain our recent levels of profitability. We may also choose to invest for long term value which could decrease or eliminate short term profit.

We derive revenue from a limited number of products and do not have a broadly-diversified product base.

A majority of our revenue is derived from the sale of authentication products. We anticipate a substantial portion of future revenue, will be derived from authentication products and related services. If the sale of these products and services is impeded for any reason and we have not diversified our product offerings, our business and results of operations would be negatively impacted.

The sales cycle for our products and technology is long, and we may incur substantial expenses for sales that do not occur when anticipated.

The sales cycle for our products, which is the period of time between the identification of a potential customer and completion of the sale, is typically lengthy and subject to a number of significant risks over which we have little control. If revenue falls significantly below anticipated levels, our business would be seriously harmed.

A typical sales cycle in the Banking market is often six months or more. Larger Banking transactions may take up to 18 months or more. Purchasing decisions for our products and systems may be subject to delays due to many factors that are not within our control, such as:

As our operating expenses are based on anticipated revenue levels, a small fluctuation in the timing of sales can cause our operating results to vary significantly between periods.

We have a great dependence on a limited number of suppliers and the loss of their manufacturing capability could materially impact our operations.

In the event that the supply of components or finished products is interrupted or relations with any of our principal vendors is terminated, there could be increased costs and considerable delay in finding suitable replacement sources to manufacture our products. The majority of our products are manufactured by four independent vendors domiciled in Hong Kong and Macau. Our hardware DIGIPASS authentication devices are assembled at facilities located in mainland China. The importation of these products from China exposes us to the possibility of product supply disruption and increased costs in the event of changes in the policies of the Chinese government, political unrest or unstable economic conditions in China or developments in the United States or European Union that are adverse to trade, including enactment of protectionist legislation.

We order some hardware components, such as processors, in advance of expected use and often produce finished goods prior to the receipt of executed customer orders. If orders are not received, we could suffer losses related to inventory that cannot be sold at full value.

In an attempt to minimize the risk of not having an adequate supply of component parts to meet demand and to take advantage of volume purchasing benefits, especially in situations where we have been notified that key processors will no longer be manufactured, we sometimes purchase multiple years’ supply of parts based on internal forecasts of demand. In addition, to meet customers’ demands for accelerated delivery of product, we sometimes produce finished product for existing customers before we receive the executed order from the customer. Should our forecasts of future demand be inaccurate or if we produce product that is never ordered, we could incur substantial losses related to the realization of our inventory.

Our success depends on establishing and maintaining strategic relationships with other companies to develop, market, and distribute our technology and products and, in some cases, to incorporate our technology into their products.

Part of our business strategy is to enter into strategic alliances and other cooperative arrangements with other companies in our industry. We currently are involved in cooperative efforts with respect to the incorporation of our products into products of others, research and development efforts, marketing efforts and reseller arrangements. None of these relationships are exclusive, and some of our strategic partners also have cooperative relationships with certain of our competitors. If we are unable to enter cooperative arrangements in the future or if we lose any of our current strategic or cooperative relationships, our business could be harmed. We do not control the time and resources devoted to such activities by parties with whom we have relationships. In addition, we may not have the resources available to satisfy our commitments, which may adversely affect these relationships. These relationships may not continue, may not be commercially successful, or may require our expenditure of significant financial, personnel and administrative resources from time to time. Further, certain of our products and services compete with the products and services of our strategic partners.

We may not be able to maintain effective product distribution channels, which could result in decreased revenue.

We rely on both our direct sales force and an indirect channel distribution strategy for the sale and marketing of our products. We may be unable to attract distributors, resellers and integrators, as planned, that can market our products effectively and provide timely and cost-effective customer support and service. There is also a risk that some or all of our distributors, resellers or integrators may be acquired, may change their business models or may go out of business, any of which could have an adverse effect on our business. Further, our distributors, integrators and resellers may carry competing lines of products. The loss of important sales personnel, distributors, integrators or resellers could adversely affect us.

We depend on our key personnel for the success of our business and the loss of one or more of our key personnel could have an adverse effect on our ability to manage our business or could be negatively perceived in the capital markets.

Our success and our ability to manage our business depend, in large part, upon the efforts and continued service of our senior management team. The loss of one or more of our key personnel could have a material adverse effect on our business and operations. It could be difficult for us to find replacements for our key personnel, as competition for such personnel is often intense. Further, such a loss could be negatively perceived in the capital markets, which could reduce the market value of our securities.

If we fail to continue to attract and retain qualified personnel, our business may be harmed.

Our future success depends upon our ability to continue to attract and retain highly qualified technical, sales and managerial personnel. Competition for such personnel is often intense and there can be no assurance that we can attract other highly qualified personnel in the future. If we cannot retain or are unable to hire such key personnel, our business, financial condition and results of operations could be significantly adversely affected.

Changes in our effective tax rate may have an adverse effect on our results of operations.

Our future effective tax rates may be adversely affected by a number of factors including the distribution of income among the various countries in which we operate, changes in the valuation of our deferred tax assets, increases in expenses not deductible for tax purposes, including the impairment of goodwill in connection with acquisitions, changes in share-based compensation expense, and changes in tax laws or the interpretation of such tax laws and changes in generally accepted accounting principles. Any significant increase in our future effective tax rates could adversely impact net income for future periods; and a reduction in our U.S. tax rate could negatively impact our deferred tax assets which could also adversely impact our net income.

Our worldwide income tax provisions and other tax accruals may be insufficient if any taxing authorities assume taxing positions that are contrary to our positions.

Significant judgment is required in determining our provision for income taxes and other taxes such as sales and VAT taxes. There are many transactions for which the ultimate tax outcome is uncertain. Some of these uncertainties arise as a consequence of intercompany agreements to purchase intellectual properties, allocate revenue and costs, and other factors, each of which could ultimately result in changes once the arrangements are reviewed by taxing authorities. Although we believe that our approach to determining the amount of such arrangements is reasonable, we cannot be certain that the final tax authority review of these matters will not differ materially from what is reflected in our historical income tax provisions and other tax accruals. Such differences could have a material effect on our income tax provisions or benefits, or other tax accruals, in the period in which such determination is made, and consequently, on our results of operations for such period.

Changes in global tax laws or in their interpretation or enforcement, could have a material adverse effect on our effective tax rate, results of operations, cash flows and financial condition.

We could be materially adversely affected by future changes in tax law or policy (or in their interpretation or enforcement) in Europe or other jurisdictions where we operate. These changes could be exacerbated by economic, budget or other challenges facing these jurisdictions. For example, foreign jurisdictions could impose tax rate changes along with additional corporate tax provisions that would disallow or tax perceived “base erosion” or profit shifting amongst jurisdictions. In addition, aspects of U.S. tax reform may lead foreign jurisdictions to respond by enacting additional tax legislation that results in an adverse effect on our effective tax rate, results of operations, cash flows and financial condition.

The ongoing effects of U.S. tax reform and the refinement of provisional estimates could make our results difficult to predict.

In December 2017, the United States enacted tax reform legislation (“U.S. tax reform”). The legislation implements many new U.S. domestic and international tax provisions. Many aspects of the U.S. tax reform are unclear, and although additional clarifying guidance is expected to be issued in the future (by the Internal Revenue Service, the U.S. Treasury Department or via a technical correction law change), it may not be clarified for some time. In addition, many states have not yet updated their laws to take into account the new federal legislation. As a result, we have not yet been able to determine the full impact of the new laws on our results of operations and financial condition. Provisional estimates used in our financial statements to reflect U.S. tax reform are expected to change and such changes could be significant depending on future guidance under U.S. tax reform and state actions.  It is possible that U.S. tax reform, or the guidance under it, could change in the future and could have a material adverse effect on our effective tax rate, results of operations, cash flows and financial condition.

We may acquire or invest in companies, which may disrupt our business and divert management's attention and cause harm to our financial condition or results. We may be unable to integrate acquired businesses and technologies successfully or achieve the expected benefits of such acquisitions.

We may evaluate and consider potential strategic transactions, including acquisitions of, or investments in, complementary businesses, technologies, services, products and other assets in the future. We also may enter into

relationships with other businesses to expand our products and platform, which could involve preferred or exclusive licenses, additional channels of distribution, discount pricing or investments in other companies.

Our failure to successfully structure or manage any acquisitions could seriously harm our financial condition or operating results. The expected benefits of any acquisition may not be realized. In connection with our acquisition of eSignLive and any future purchases, we will face additional financial and operational risks, including:

Reported revenue may fluctuate widely due to the interpretation or application of accounting rules.

Our sales arrangements often include multiple elements, including hardware, services, software, maintenance and support. In addition, we have sold software related arrangements in multiple forms, including perpetual licenses, term based licenses and SaaS, each of which may be treated differently under accounting rules. The accounting rules for such arrangements are complex and subject to change from time to time. Small changes in circumstances could cause wide deviations in the timing of reported revenue.

Provisions in various agreements potentially expose us to substantial liability for intellectual property infringement and other losses.

Our agreements with customers, solution partners and channel partners generally include provisions under which we agree to indemnify them for losses suffered or incurred as a result of claims of intellectual property infringement and, in some cases, for damages caused by us to property or persons or for other damages. In addition, we make certain representations and warranties and incur obligations under our contracts in the ordinary course of business, including for items related to data security and potential data breaches. Not all of our potential losses under our contracts are covered by insurance policies, which could increase the impact of any such loss should it occur. Large indemnity payments or damages resulting from our contractual obligations could harm our business, operating results and financial condition.

The evolution of our business requires more complex development and go-to-market strategies, which involve significant risk.

Our increasing focus on developing and marketing a platform of solutions for identity management, authentication, risk analysis, fraud detection, digital business processes and related areas requires different development and go-to-market strategies than our historic hardware authentication business. We are developing, buying and licensing technology weighted toward software solutions and investment in research, development, product management, sales training and senior management. This transformation strategy is currently in progress and brings with it significant risks related to our choice of solutions and our ability to execute the strategy successfully. This strategy requires a greater focus on marketing and selling product suites and software solutions rather than selling hardware products for authentication and transaction signing. Consequently, we are developing, and must continue to develop, new strategies for marketing and selling our offerings. In addition, marketing and selling new technologies to enterprises requires significant investment of time and resources in order to train our employees and educate our customers on the benefits of our new product offerings. These investments can be costly and the additional effort required to educate both customers and our own sales force can distract from efforts to sell existing products and services.

Risks Related to the Market

We face significant competition and if we lose or fail to gain market share our financial results will suffer.

The market for data security products and services is highly competitive. Our competitors include organizations that provide data security products based upon approaches similar to and different from those that we employ. Many of our competitors have significantly greater financial, marketing, technical and other competitive resources than we do. As a result, our competitors may be able to adapt more quickly to new or emerging technologies and changes in customer requirements, or to devote greater resources to the promotion and sale of their products.

A decrease of average selling prices for our products and services could adversely affect our business.

The average selling prices for our solution offerings may decline as a result of competitive pricing pressures or a change in our mix of products, software and services. In addition, competition continues to increase in the market segments in which we participate and we expect competition to further increase in the future, thereby leading to increased pricing pressures. Furthermore, we anticipate that the average selling prices and gross profits for our products will decrease over product life cycles. To maintain or realize our revenue and gross margins, we must continue to develop, or purchase and introduce new products and services that incorporate new technologies or increased functionality. If we experience such pricing pressures or fail to deliver new products and services relevant to our markets, our revenue and gross margins could decline, which could harm our business, financial condition and results of operations.

We may need additional capital in the future and our failure to obtain capital would interfere with our growth strategy.

Our ability to obtain financing will depend on a number of factors, including market conditions, our operating performance and investor or creditor interest. These factors may make the timing, amount, terms and conditions of any financing unattractive. They may also result in our incurring additional indebtedness or accepting stockholder dilution. If adequate funds are not available or are not available on acceptable terms, we may have to forego strategic acquisitions or investments, defer our product development activities, or delay the introduction of new products.

We experience variations in quarterly operating results and sales are subject to seasonality, both of which may result in a volatile stock price.

In the future, as in the past, our quarterly operating results may vary significantly, resulting in a volatile stock price. Factors affecting our operating results include:

We also experience seasonality in all markets. These seasonal trends are most notable in the summer months, particularly in Europe, when many businesses defer purchase decisions.

Our stock price may be volatile for reasons other than variations in our quarterly operating results.

The market price of our common stock may fluctuate significantly in response to factors, some of which are beyond our control, including the following:

A small group of persons control a substantial amount of our common stock and could delay or prevent a change of control.

Our Board of Directors, our officers and their immediate families and related entities beneficially own approximately 23%, with Mr. T. Kendall Hunt beneficially owning approximately 21%, of the outstanding shares of our common stock. As the Chairman of the Board of Directors and our largest stockholder, Mr. Hunt may exercise substantial control over our future direction and operations and such concentration of control may have the effect of discouraging, delaying or preventing a change in control and may also have an adverse effect on the market price of our common stock.

Certain provisions of our charter and of Delaware law make a takeover of our company more difficult.

Our corporate charter and Delaware law contain provisions, such as a class of authorized but unissued preferred stock which may be issued by our board without stockholder approval that might enable our management to resist a takeover of our company. Delaware law also limits business combinations with interested stockholders. These provisions might discourage, delay or prevent a change in control or a change in our management. These provisions could also discourage proxy contests, and make it more difficult for stockholders to elect directors and take other corporate actions. The existence of these provisions could limit the price that investors might be willing to pay in the future for shares of our common stock.

Future issuances of blank check preferred stock may reduce voting power of common stock and may have anti-takeover effects that could prevent a change in control.

Our corporate charter authorizes the issuance of up to 500,000 shares of preferred stock with such designations, rights, powers and preferences as may be determined from time to time by our Board of Directors, including such dividend, liquidation, conversion, voting or other rights, powers and preferences as may be determined from time to time by the Board of Directors without further stockholder approval. The issuance of preferred stock could adversely affect the voting power or other rights of the holders of common stock. In addition, the authorized shares of preferred stock and common stock could be utilized, under certain circumstances, as a method of discouraging, delaying or preventing a change in control.

Risks Related to Technology and Intellectual Property

Technological changes occur rapidly in our industry and our development of new products is critical to maintain our revenue.

The introduction by our competitors of products embodying new technologies and the emergence of new industry standards could render our existing products obsolete and unmarketable. Our future revenue growth and operating profit will depend in part upon our ability to enhance our current products and develop innovative products to distinguish us from the competition and to meet customers’ changing needs. Security-related product developments and technology innovations by others may adversely affect our competitive position and we may not successfully anticipate or adapt to changing technology, industry standards or customer requirements on a timely basis.

Our business could be negatively impacted by cyber security incidents and other disruptions.

Our use of technology is increasing and is critical in three primary areas of our business:

A cyber incident in any of these areas of our business could disrupt our ability to take orders or deliver products or services to our customers, cause us to suffer significant monetary and other losses and significant reputational harm, or substantially impair our ability to grow the business. We expect that there will continue to be hacking attempts intended to impede the performance of our products, disrupt our services and harm our reputation as a company, as the processes used by computer hackers to access or sabotage technology products, services and networks are rapidly evolving in sophistication.

In July 2011, we experienced a cyber incident related to DigiNotar B.V. shortly after we purchased the company. The hacking incident at DigiNotar B.V.led to the termination of DigiNotar B.V’s registration as a certification service provider and DigiNotar B.V.’s bankruptcy. We may incur losses from such events as a result of unanticipated costs associated with hacking incidents.

In addition, because we are in the cyber security industry, we could be targeted by hackers more than other companies and if a material cyber security breach occurred related to corporate or customer information, the reputational harm and potential lost future business could be greater than other companies not in our industry.  We have taken various measures to strengthen the security of our products and our systems, to establish information security governance procedures and to train our employees. However, we are the subject of a large volume of hacking attempts and our defenses might not always be effective. If a hacking attempt were to be successful and lead to a material data breach, then it could harm our business, financial condition and results of operations, both in the current period and for a significant future period of time.

We rely upon Amazon Web Services to operate portions of our platform and any disruption of or interference with our use of Amazon Web Services would adversely affect our business, results of operations and financial condition

We outsource portions of our cloud infrastructure to Amazon Web Services, or AWS. Customers of our products need to be able to access our platform at any time, without interruption or degradation of performance. AWS runs its own platform that we access, and we are, therefore, vulnerable to service interruptions at AWS. We have experienced, and expect that in the future we may experience interruptions, delays and outages in service and availability from time to time due to a variety of factors, including infrastructure changes, human or software errors, website hosting disruptions and capacity constraints. Capacity constraints could be due to a number of potential causes including technical failures, natural disasters, fraud or security attacks. In addition, if our security, or that of AWS, is compromised, our products or platform are unavailable or our users are unable to use our products within a reasonable amount of time or at all, then our business, results of operations and financial condition could be adversely affected. In some instances, we may not be able to identify the cause or causes of these performance problems within a period of time acceptable to our customers. It may become increasingly difficult to maintain and improve our platform performance, especially during peak usage times, as our products become more complex and the usage of our products increases. To the extent that we do not effectively address capacity constraints, either through AWS or alternative providers of cloud infrastructure, our business, results of operations and financial condition may be adversely affected.

In addition, any changes in service levels from AWS may adversely affect our ability to meet our customers' requirements.

Any of the above circumstances or events may harm our reputation, possibly move customers to stop using our products, impair our ability to increase revenue from existing customers, impair our ability to grow our customer base, subject us to financial penalties and liabilities under our service level agreements and otherwise harm our business, results of operations and financial condition. These risks are present with our other cloud service infrastructure vendors beside AWS as well.

Our products contain third-party, open-source software and failure to comply with the terms of the underlying open-source software licenses could restrict our ability to sell our products or otherwise result in claims of infringement.

Our products are distributed with software programs licensed to us by third-party authors under “open-source” licenses, which may include the GNU General Public License, the GNU Lesser Public License, the BSD License and the Apache License. These open-source software programs include, without limitation, Linux, Apache, Openssl, IPTables, Tcpdump, Postfix, Cyrus, Perl, Squid, Snort, Ruby, Rails, PostgreSQL, MongoDB and Puppet. These third-party, open-source programs are typically licensed to us for no fee and the underlying license agreements generally require us to make available to users the source code for such programs, as well as the source code for any modifications or derivative works we create based on these third-party, open-source software programs.

We do not believe that we have created any modifications or derivative works to, an extended version of, or works based on, any open-source software programs referenced above. We include instructions to users on how to obtain copies of the relevant open-source code and licenses.

We do not provide end users a copy of the source code to our proprietary software because we believe that the manner in which our proprietary software is aligned or communicates with the relevant open-source programs does not create a modification, derivative work or extended version of, or a work based on, that open-source program requiring the distribution of our proprietary source code.

Our ability to commercialize our products by incorporating third-party, open-source software may be restricted because, among other reasons:

We must continue to attract and retain highly skilled technical personnel for our research and development efforts.

The market for highly skilled technicians is highly competitive. If we fail to attract, train, assimilate and retain qualified technical personnel for our research and development and product management efforts, we will experience delays or failures in introductions of new or modified products, and services, failures in adequate analysis of technology or acquisitions in the market, loss of clients and market share and a reduction in revenue.

We cannot be certain that our research and development activities will be successful.

While management is committed to enhancing our current product offerings and introducing new products, we cannot be certain our research and development activities will be successful. Furthermore, we may not have sufficient financial resources to identify and develop new technologies and bring new products to market in a timely and cost effective manner, and we cannot ensure that any such products will be commercially successful.

Failure to effectively manage our product and service lifecycles could harm our business.

As part of the natural lifecycle of our products and services, we periodically inform customers that products or services will be reaching their end of life or end of availability and will no longer be supported or receive updates and security patches.  Failure to effectively manage our product and service lifecycles could lead to customer dissatisfaction and contractual liabilities, which could adversely affect our business and operating results.

SaaS offerings, which involve various risks, constitute an important part of our business.

As we continue to acquire, develop and offer SaaS versions of products, we will need to continue to evolve our processes to meet a number of regulatory, intellectual property, contractual and service compliance challenges. These challenges include compliance with licenses for open source and third party software embedded in our SaaS offerings, maintaining compliance with export control and privacy regulations, including HIPAA and GDPR, protecting our services from external threats, maintaining continuous service levels and data security expected by our customers, preventing inappropriate use of our services and adapting our go-to-market efforts. In addition to using our internal resources, we also utilize third party resources to deliver SaaS offerings, such as third party data hosting vendors. The failure of a third party provider to prevent service disruptions, data losses or security breaches may require us to issue credits or refunds or indemnify or otherwise be liable to customers or third parties for damages that may occur. Additionally, if these third-party providers fail to deliver on their obligations, our reputation could be damaged, our customers could lose confidence in us and our ability to maintain and expand our SaaS offerings. Finally, our SaaS offerings need to be designed to operate at significant transaction volumes. When combined with third party software and hosting infrastructure, our SaaS offerings may not perform as designed which could lead to service disruptions and associated damages.

We depend significantly upon our proprietary technology and intellectual property and the loss of or successful challenge to our proprietary rights could require us to divert management attention and could reduce revenue and increase our operating costs.

From time to time, we receive claims that we have infringed the intellectual property rights of others, including claims regarding patents, copyrights, and trademarks. Because of constant technological change in the segments in which we compete, the extensive patent coverage of existing technologies, and the rapid rate of issuance of new patents, it is possible that the number of these claims may grow. In addition, former employers of our former, current, or future employees may assert claims that such employees have improperly disclosed to us the confidential or proprietary information of these former employers. Any such claim, with or without merit, could result in costly litigation and distract management from day-to-day operations. If we are not successful in defending such claims, we could be required to stop selling, delay shipments, redesign our products, pay monetary amounts as damages, enter into royalty or licensing arrangements, or satisfy indemnification obligations with our customers. Royalty or licensing arrangements we may seek in such circumstances may not be available to us on commercially reasonable terms or at all. We have made and expect to continue making significant expenditures to establish our intellectual property rights and to investigate, defend and settle claims related to the use of technology and intellectual property rights as part of our strategy to manage this risk. In addition, we license and use software from third parties in our business. These third party software licenses may not continue to be available to us on acceptable terms or at all, and may expose us to additional liability. This liability, or our inability to use any of this third party software, could result in shipment delays or other disruptions in our business that could materially and adversely affect our operating results.

We rely principally on trade secrets to protect much of our intellectual property in cases where we do not believe patent protection is appropriate or obtainable. However, trade secrets are difficult to protect. Although our

employees are subject to confidentiality obligations, this protection may be inadequate to deter or prevent misappropriation of our confidential information. We may be unable to detect unauthorized use of our intellectual property or otherwise take appropriate steps to enforce our rights. Failure to obtain or maintain trade secret protection could adversely affect our competitive business position. If we are unable to prevent third parties from infringing or misappropriating our copyrights, trademarks or other proprietary information, our competitive position could be adversely affected. In the course of conducting our business, we may inadvertently infringe the intellectual property rights of others, resulting in claims against us or our customers. Our contracts generally indemnify our customers for third-party claims for intellectual property infringement by the services and products we provide. The expense of defending these claims may adversely affect our financial results and may not be covered by any insurance policies we maintain.

Our patents may not provide us with competitive advantages.

We hold several patents in the United States and in other countries, which cover multiple aspects of our technology. A substantial part of our patents cover the DIGIPASS product line. Our patents expire between 2019 and 2035. There can be no assurance that we will continue to develop proprietary products or technologies that are patentable, that any issued patent will provide us with any competitive advantages or will not be challenged by third parties, or that patents of others will not hinder our competitive advantage. Although certain of our technologies are patented, there are other organizations that offer products with comparable functionality that employ different technological solutions and compete with us for market share.

We are subject to warranty and product liability risks.

A malfunction of or design defect in our products which results in a breach of a customer’s data security or physical harm or damage from our hardware products could result in tort or warranty claims against us. We seek to reduce the risk of these losses by using qualified engineers in the design, manufacturing and testing of our hardware products, attempting to negotiate warranty disclaimers and liability limitation clauses in our sales agreements, and maintaining customary insurance coverage. However, these measures may ultimately prove ineffective in limiting our liability for damages.

In addition to any monetary liability for the failure of our products, an actual or perceived breach of network or data security at one of our customers could adversely affect the market’s perception of us and our products, and could have an adverse effect on our reputation and the demand for our products. Similarly, an actual or perceived breach of network or data security within our own systems could damage our reputation and have an adverse effect on the demand for our products.

There is significant government regulation of technology exports and to the extent we cannot meet the requirements of the regulations we may be prohibited from exporting some of our products, which could negatively impact our revenue.

Our international sales and operations are subject to risks such as the imposition of government controls, new or changed export license requirements, restrictions on the export of critical technology, trade restrictions and changes in tariffs. If we are unable to obtain regulatory approvals on a timely basis our business may be impacted. Certain of our products are subject to export controls under U.S. law. The list of products and countries for which export approval is required, and the regulatory policies with respect thereto, may be revised from time to time and our inability to obtain required approvals under these regulations could materially and adversely affect our ability to make international sales. Violations of export control and international trade laws could result in penalties, fines, adverse reputational consequences, and other materially adverse consequences. Reference is made to Part 1, Item 3, Legal Proceedings of this Form 10-K with respect to the internal investigation regarding sales of VASCO products by a VASCO European subsidiary to a third party distributor which distributor may have resold such products to Iranian entities.

We employ cryptographic technology in our authentication products that uses complex mathematical formulations to establish network security systems.

Many of our products are based on cryptographic technology. With cryptographic technology, a user is given a key that is required to encrypt and decode messages. The security afforded by this technology depends on the integrity of a user’s key and in part on the application of algorithms, which are advanced mathematical factoring equations. These codes may eventually be broken or become subject to government regulation regarding their use, which would render our technology and products less effective. The occurrence of any one of the following could result in a decline in demand for our technology and products:

Risks Related to International Operations

We face a number of risks associated with our international operations, any or all of which could result in a disruption in our business and a decrease in our revenue.

In 2017, approximately 72% of our revenue and approximately 76% of our operating expenses were generated/incurred outside of the U.S. In 2016, approximately 88% of our revenue and approximately 73% of our operating expenses were generated/incurred outside of the U.S. In 2015, approximately 95% of our revenue and approximately 65% of our operating expenses were generated/incurred outside of the U.S. A severe economic decline in any of our major foreign markets could adversely affect our results of operations and financial condition.

In addition to exposures to changes in the economic conditions of our major foreign markets, we are subject to a number of risks any or all of which could result in a disruption in our business and a decrease in our revenue. These include:

We are subject to foreign currency exchange rate fluctuations and risks, and improper management of that risk could adversely affect our business, results of operations, and financial conditions.

Because a significant number of our principal customers are located outside the United States, we expect that international sales will continue to generate a significant portion of our total revenue. We are subject to foreign exchange fluctuations and risks because the majority of our product costs are denominated in U.S. Dollars, whereas a significant portion of the sales and expenses of our foreign operating subsidiaries are denominated in various foreign currencies. A decrease in the value of any of these foreign currencies relative to the U.S. Dollar could adversely affect our revenue and profitability in U.S. Dollars of our products sold in these markets. We do not currently hold forward exchange contracts to exchange foreign currencies for U.S. Dollars to offset currency rate fluctuations.

Changes in the European regulatory environment regarding privacy and data protection regulations could have a material adverse impact on our results of operations.

In Europe, we are subject to the 1995 European Union (“EU”) Directive on Data Protection (“1995 Data Protection Directive”), which requires EU member states to impose minimum restrictions on the collection and use of personal data that, in some respects, are more stringent, and impose more significant burdens on subject businesses, than current privacy standards in the United States. We may also face audits or investigations by one or more foreign government agencies relating to our compliance with these regulations that could result in the imposition of penalties or fines. The EU member state regulations establish several obligations that organizations must follow with respect to use of personal data, including a prohibition on the transfer of personal information from the EU to other countries whose laws do not protect personal data to an adequate level of privacy or security. In addition, certain member states have adopted more stringent data protection standards. The Company addressed these requirements by certification to the U.S.-EU Safe Harbor Frameworks prior to such Frameworks being invalidated in October 2015 by the European Court of Justice. The General Data Protection Regulation (“GDPR”) will replace the 1995 Data Protection Directive effective May 25, 2018, creating significant impacts on how businesses can collect and process the personal data of EU individuals. In the interim, we are pursuing alternative methods of compliance, but those methods may be subject to scrutiny by data protection authorities in EU member states. The costs of compliance with, and other burdens imposed by, such laws, regulations and policies that are applicable to us may limit the use and adoption of our products and solutions and could have a material adverse impact on our results of operations.

We must comply with governmental regulations setting environmental standards.

Governmental regulations setting environmental standards influence the design, components or operation of our products. New regulations and changes to current regulations are always possible and, in some jurisdictions, regulations may be introduced with little or no time to bring related products into compliance with these regulations. Our failure to comply with these regulations may prevent us from selling our products in a certain country. In addition, these regulations may increase our cost of supplying the products by forcing us to redesign existing products or to use more expensive designs or components. In these cases, we may experience unexpected disruptions in our ability to supply customers with products, or we may incur unexpected costs or operational complexities to bring products into compliance. This could have an adverse effect on our revenues, gross profit margins and results of operations and increase the volatility of our financial results.

We are subject to the Restriction on the Use of Hazardous Substances Directive 2002/95/EC (also known as the “RoHS Directive”) and the Waste Electrical and Electronic Equipment Directive (also known as the “WEEE Directive”).

These directives restrict the distribution of products containing certain substances, including lead, within applicable geographies and require a manufacturer or importer to recycle products containing those substances.

These directives affect the worldwide electronics and electronics components industries as a whole. If we or our customers fail to comply with such laws and regulations, we could incur liabilities and fines and our operations could be suspended.

The vote by the United Kingdom (UK) to leave the European Union (EU) could adversely affect our financial results.

In June 2016, UK voters approved a referendum to withdraw the UK's membership from the EU, which is commonly referred to as "Brexit". In March 2017, the UK government initiated the exit process under Article 50 of the Treaty of the European Union, commencing a period of up to two years for the UK and the other EU member states to negotiate the terms of the withdrawal. We have operations in the UK and the EU, and as a result, we face risks associated with the potential uncertainty and disruptions that may lead up to and follow Brexit, including with respect to volatility in exchange rates and interest rates and potential material changes to the regulatory regime applicable to our operations in the UK. Brexit could adversely affect European or worldwide political, regulatory, economic or market conditions and could contribute to instability in global political institutions, regulatory agencies and financial markets. Although we do not have a substantial portion of our operations in, nor derive a substantial portion of our revenue from, the UK, we do have substantial operations and revenue in the EU. Any of these effects of Brexit, and others we cannot anticipate or that may evolve over time, could adversely affect our business, financial condition, and operating results.

We or our suppliers may be impacted by new regulations related to climate change.

In addition to the European environmental regulations noted above, we or our suppliers may become subject to new laws enacted with regards to climate change. In the event that new laws are enacted or current laws are modified in countries in which we or our suppliers operate, our flow of product may be impacted and/or the costs of handling the potential waste associated with our products may increase dramatically, either of which could result in a significant negative impact on our ability to operate or operate profitably.

The effects of regulations relating to conflict minerals may adversely affect our business.

The Dodd-Frank Wall Street Reform and Consumer Protection Act contains provisions to improve transparency and accountability concerning the supply of certain minerals and derivatives ( collectively “Conflict Minerals”) which may originate from the conflict zones of the Democratic Republic of Congo (DRC) and adjoining countries (collectively, “Covered Countries”). As a result, in August 2012 the SEC established annual disclosure and reporting requirements for companies using Conflict Minerals in their products, including products manufactured by third parties. Like many electronic devices, our hardware products contain Conflict Minerals and are subject to the disclosure and reporting requirements. Compliance with these rules also requires due diligence including country of origin inquiries to determine the sources of Conflict Minerals used in our products.

As required, we filed our annual reports related to products manufactured. We reported that we determined we had no reason to believe Conflict Minerals used in our products may have originated in Covered Countries.

We may incur continued costs associated with complying with these disclosure requirements. These requirements may affect pricing, sourcing and availability of Conflict Minerals used to produce our devices. We may be unable to verify the origin of all Conflict Minerals in our products. We may encounter challenges with customers and stakeholders if we are unable to certify that our products are conflict free.

U.S. investors may have difficulties in making claims for any breach of their rights as holders of shares because some of our assets and key employees are not located in the United States.

Several of our key employees are full-time or part-time residents of foreign countries, and a substantial portion of our assets and those of some of our key employees are located in foreign countries. As a result, it may not be possible

for investors to effect service of process on those persons located in foreign countries, or to enforce judgments against some of our key employees based upon the securities or other laws of jurisdictions in those foreign countries.

Our business in countries with a history of corruption and transactions with foreign governments increase the risks associated with our international activities.

We are subject to the U.S. Foreign Corrupt Practices Act (FCPA), and other laws that prohibit improper payments or offers of payments to foreign governments and their officials and political parties by U.S. and other business entities for the purpose of obtaining or retaining business. We have operations, deal with and make sales to governmental or quasi-governmental customers in countries known to experience corruption, particularly certain countries in the Middle East, Africa, East Asia and South America, and further expansion of our international selling efforts may involve additional regions. Our activities in these countries create the risk of unauthorized payments or offers of payments by one of our employees, consultants, sales agents or channel partners that could be in violation of various laws, including the FCPA and the U.K. Bribery Act, even though these parties are not always subject to our control. Violations of the FCPA may result in severe criminal or civil sanctions, including suspension or debarment from U.S. government contracting, and we may be subject to other liabilities, which could negatively affect our business, operating results and financial condition. Violations of the U.K. Bribery Act may result in severe criminal or civil sanctions and we may be subject to other liabilities that could negatively affect our business operating results and financial condition.

Item 1B - Unresolved Staff Comments

None.

Item 2 - Properties

Our corporate headquarters is located in Chicago, Illinois. Our international headquarters is in Zurich, Switzerland. Our European operational headquarters is located in Brussels, Belgium. We conduct sales and marketing, research and development and customer support activities from our operational headquarters. Our logistics facility is also located in Belgium. In the Netherlands, we have two research and development facilities, one of which also houses a sales office. Additionally, we have research and development facilities in Cambridge, United Kingdom, Bordeaux, France and Vienna, Austria.

We have sales personnel in our offices near Boston, Massachusetts, Sydney, Australia, Singapore, Tokyo, Japan, Sao Paulo, Brazil, Dubai, Zurich, Switzerland, Chicago, Illinois, and London, United Kingdom, and conduct sales activities through liaison offices and agents in other locations.

During 2015, we acquired Silanis Technology, Inc. with offices in Montreal, Canada.

All of our properties are leased.

Item 3 - Legal Proceedings

In addition to the legal matters described below, we are, from time to time, involved in routine legal matters incidental to the conduct of our business, including legal matters such as to protect our intellectual property rights and resolve employment claims. We believe that the ultimate resolution of any such current routine matter will not have a material adverse effect on our continued financial position, results of operations or cash flows.

On January 10, 2011, we purchased our wholly-owned subsidiary, DigiNotar B.V., a private company organized and existing in The Netherlands from the shareholders (“Sellers”). On September 19, 2011, DigiNotar B.V. filed a bankruptcy petition under Article 4 of the Dutch Bankruptcy Act in the Haarlem District Court, The Netherlands. On September 20, 2011, the court declared DigiNotar B.V. bankrupt and appointed a bankruptcy trustee and a bankruptcy judge to manage all affairs of DigiNotar B.V. through the bankruptcy process. 

In January 2015, we received a notice of potential claim by the trustee against all of the individuals who served as Directors of DigiNotar, both before and after our acquisition of DigiNotar. T. Kendall Hunt, Jan Valcke, and Clifford K. Bown were the Directors of DigiNotar following its purchase by VASCO. We do not expect the resolution of the potential claim to have a material adverse effect on our business, financial condition or results of operations. VASCO is indemnifying Messrs. Hunt, Valcke, and Bown for this matter.

On July 28, 2015 a putative class action complaint was filed in the United States District Court for the Northern District of Illinois, captioned Linda J. Rossbach v. Vasco Data Security International, Inc., et al., naming VASCO and certain of its current and former executive officers as defendants and alleging violations under the Securities Exchange Act of 1934, as amended. The suit was purportedly filed on behalf of a putative class of investors who purchased VASCO securities between April 28, 2015 and July 28, 2015, and seeks to recover damages allegedly caused by the defendants’ alleged violations of the federal securities laws and to pursue remedies under Sections 10(b) and 20(a) of the Securities Exchange Act of 1934 and Rule 10b‑5 promulgated thereunder. The complaint seeks certification as a class action and unspecified compensatory damages plus interest and attorneys’ fees. On January 30, 2017, the appointed lead plaintiff filed an amended complaint in which the allegations regarding OFAC related matters were dropped and replaced with allegations regarding public disclosures made by the defendants in April 2015 as compared to public statements made in July 2015, generally regarding the strength of the Company’s business and its future prospects. This case is now referred to by the name of the new lead plaintiff, Bunk. The defendants filed a motion to dismiss the Bunk complaint on March 31, 2017. A decision from the court on such motion has not been issued to date. Although the ultimate outcome of litigation cannot be predicted with certainty, the Company believes that this lawsuit is without merit and intends to defend against the action vigorously. VASCO is indemnifying its officers and directors for this matter.

On October 9, 2015, a derivative complaint was filed in the United States District Court for the Northern District of Illinois, captioned Elizabeth Herrera v. Hunt, et al., naming VASCO’s Board of Directors and certain of its current and former executive officers as individual defendants and the Company as a nominal defendant. The plaintiff in the Herrera case voluntarily dismissed the action on July 12, 2017. Two additional complaints, captioned Beth Seltzer v. Hunt, et al., and William Hooper v. Hunt, et al., were filed on October 22, 2015 and March 22, 2016, respectively, in the Circuit Court of Cook County, Illinois naming the same defendants.

The complaints assert, among other things, that the individual defendants breached their fiduciary duties by making material misstatements in, and omitting material information from, the Company’s public disclosures and by failing to maintain adequate internal controls and properly manage the Company. Among other things, the complaints seek unspecified compensatory damages and injunctive relief.

On February 9, 2016, the court granted an agreed motion for voluntary dismissal of the Seltzer action, which dismissed the action with prejudice as to the named plaintiff’s individual claims. As for the Hooper action, the court granted a stay on June 8, 2016 and on July 18, 2017, the plaintiff in Hooper amended the complaint to largely mirror the amended complaint in Bunk.

On July 19, 2017, a derivative complaint was filed in the Circuit Court of Cook County, Illinois, captioned Fancesco D’Angelo v. Hunt, et. al., naming VASCO’s Board of Directors and certain former officers as individual defendants and the Company as a nominal defendant. This complaint largely follows the allegations in the Bunk case. The D’Angelo case has been consolidated with the Hooper case and remains subject to stay.

In February 2017, we learned an integrated reseller and certain end customers, were named as defendants in a patent infringement lawsuit in Japan related to our CRONTO technology. We have indemnification obligations in favor of our reseller and end customers and are working with them to defend such suit. In December 2017 the Japan Patent Office ruled the plaintiff’s patent is invalid. In February 2018, a trial court decision declared the plaintiff’s patent to be invalid. The decision is subject to appeal.  We believe there are strong grounds to argue the plaintiff’s patent is invalid.

On March 14, 2017, a complaint was filed in the United States District Court for the District of Massachusetts, captioned StrikeForce Technologies, Inc. v. Vasco Data Security International, Inc., et al., claiming VASCO infringed on certain patent rights of the plaintiff. On May 8, 2017, VASCO answered the complaint denying the allegations of patent infringement. The parties then engaged in motion practice and discovery in the case. The plaintiff has also

brought suit against various other companies in the cybersecurity industry. In one such suit in the federal district court for the Central District of California, on December 1, 2017, the court granted defendant’s motion to dismiss, finding that the StrikeForce asserted claims are invalid. StrikeForce is in the process of appealing such decision. In light of such ruling, on December 20, 2017, the court in the Company’s case granted a stay of the proceedings pending the appeal in the related case. Although the ultimate outcome of litigation cannot be predicted with certainty, the Company believes that this lawsuit is without merit and intends to defend itself vigorously.

On February 14, 2018, a complaint was filed in the United States District Court for the District of Delaware, captioned Vortex Pathway LLC (a Texas non-practicing entity) v. VASCO Data Security International, Inc. et. al. claiming one of VASCO’s hardware authenticators infringes on certain patent rights of the plaintiff. The Company will analyze this recent complaint in the ordinary course and intends to defend itself vigorously.

Item 4 - Mine Safety Disclosures

Not applicable.

PART II

Item 5 - Market for Registrant’s Common Equity, Related Stockholder Matters and Issuer Purchases of Equity Securities

Our common stock, par value $0.001 per share, trades on the NASDAQ Capital Market under the symbol VDSI.

The following table sets forth the range of high and low daily closing prices of our common stock on the NASDAQ Capital Market for the past two years.

On February 22, 2018, there were 57 registered holders and approximately 18,279 street name holders of the company’s common stock.

We have not paid any dividends on our common stock since incorporation. The declaration and payment of dividends will be at the sole discretion of the Board of Directors and subject to certain limitations under the General Corporation Law of the State of Delaware. The timing, amount and form of dividends, if any, will depend, among other things, on the company’s results of operations, financial condition, cash requirements, plans for expansion and other factors deemed relevant by the Board of Directors. The company intends to retain any future earnings for use in its business and therefore does not anticipate paying any cash dividends in the foreseeable future.

Recent Sales of Unregistered Securities

None

Issuer Purchases of Equity Securities

The following table provides information about purchases by the Company of its shares of common stock during the three month period ended December 31, 2016:

Stock Performance Graph

The Stock Performance Graph below compares the cumulative total return through December 31, 2017, assuming reinvestment of dividends, by an investor who invested $100.00 on December 31, 2012, in each of (i) our common stock, (ii) the Russell 2000 index, (iii) the Standard Industrial Code Index 3577 – Computer Peripheral Equipment, NEC and (iv) a comparable industry (the peer group) index selected by the company. The peer group for this purpose consists of: American Software, Inc., Appian Corporation, Barracuda Networks, Inc., BlackLine, Inc., Callidus Software, Inc., Carbonite, Inc., CPI Card Group, Inc., FireEye, Inc., Gigamon, Inc., Imperva, Inc., Mobilelron, Inc., ProofPoint, Inc., PROS Holdings, Inc., Q2 Holdings, Inc., QAD, Inc., Qualys, Inc., Rapid7, Inc., SecureWorks Corp.,

Varonis Systems, Inc. The stock price performance shown on the graph below is not necessarily indicative of future price performance.

Item 6 - Selected Financial Data (in thousands, except per share data)

Item 7 - Management’s Discussion and Analysis of Financial Condition and Results of Operations (in thousands, except head count, ratios, time periods and percents)

The following discussion and analysis of our financial condition and results of operations should be read in conjunction with our financial statements and related notes appearing elsewhere in this Annual Report on Form 10-K. In addition to historical financial information, the following discussion may contain predictions, estimates and other forward-looking statements that involve a number of risks and uncertainties, including those discussed under Item 1A and elsewhere in this Form 10-K. These risks could cause our actual results to differ materially from any future performance suggested below. Please see “Cautionary Statement for Purposes of the Safe Harbor Provisions of the Private Securities Litigation Reform Act of 1995” at the beginning of this Form 10-K.

Overview

We design, develop and market digital solutions for identity, security, and business productivity that protect and facilitate electronic transactions, via mobile and connected devices. We are a global leader in providing anti-fraud and digital transaction management solutions to financial institutions and other businesses. Our solutions secure online and mobile access to accounts, data, assets, and applications for enterprises; provide tools for application developers to easily integrate security functions into their web-based and mobile applications; and facilitate digital transactions involving the signing, sending, and managing of documents. Our core technologies, multi-factor authentication and transaction signing, strengthen the process of preventing hacking attacks against online and mobile transactions to allow companies to transact business safely with remote customers.

We offer cloud based and on premises solutions using both open standards and proprietary technologies. Some of our proprietary technologies are patented. Our products and services are used for authentication, fraud mitigation, e-signing transactions and documents, and identity management in Business-to-Business (“B2B”), Business-to-Employee (“B2E”) and Business-to-Consumer (“B2C”) environments. Our target market is business processes using electronic interface, particularly the Internet, where there is  risk of unauthorized access. Our products can increase security associated with accessing business processes, reduce losses from unauthorized access and reduce the cost of the process by automating activities previously performed manually.

Our Business Model

We offer our products through a product sales and licensing model or through our services platform, which includes our cloud-based service offering.

Our solutions are sold worldwide through our direct sales force, as well as through distributors, resellers, systems integrators, and original equipment manufacturers. Our sales force is able to offer customers a choice of an on-site implementation using our traditional on-premises model or a cloud implementation for some solutions using our services platform.

Industry Growth

We believe there are no reliable measurements of the industry size or growth rates for the segments that we serve. However, we believe the market for authentication, anti-fraud, and electronic signature solutions will continue to grow driven by new government regulations, growing awareness of the impact of cyber-crime, and the growth in electronic commerce. The issues driving growth are global however, the rate of adoption in each country is a function of culture, competitive position, economic conditions and use of technology.

Economic Conditions

Our revenue may vary significantly with changes in the economic conditions in the countries in which we currently sell products. With our current concentration of revenue in Europe and specifically in the banking and finance vertical market, significant changes in the economic outlook for the European Banking market may have a significant effect on our revenue.

Cybersecurity Risks

Our use of technology is increasing and is critical in three primary areas of our business:

We believe that the risks and consequences of potential incidents in each of the above areas are different.

In the case of the information systems we use to help us run our business, we believe that an incident could disrupt our ability to take orders or deliver product to our customers, but such a delay in these activities would not have a material impact on our overall results. To minimize this risk, we actively use various forms of security and monitor the use of our systems regularly to detect potential incidents as soon as possible.

In the case of products that we have traditionally sold, we believe that the risk of a potential cyber incident is minimal. We offer our customers the ability to either create the secret numbers themselves or have us create the numbers on their behalf. When asked to create the numbers, we do so in a secure environment with limited physical access and store the numbers on a system that is not connected to any other network, including other VASCO networks, and similarly, is not connected to the internet.

In the case of our new products and services, which involve the active daily processing of the secret numbers on our servers or servers managed by others in a hosted environment, we believe a cyber incident could have a material impact on our future business. We also believe that these products may be more susceptible to cyber attacks than our traditional products since it involves the active processing of transactions using the secret numbers. While we do not have a significant amount of revenue from these products today, we believe that these products have the potential to provide substantial future growth. A cyber incident involving these products in the future could substantially impair our ability to grow the business and we could suffer significant monetary and other losses and significant reputational harm.

To minimize the risk, we review our security procedures on a regular basis. Our reviews include the processes and software programs we are currently using as well as new forms of cyber incidents and new or updated software programs that may be available in the market that would help mitigate the risk of incidents. Certain insurance coverages may apply to certain cyber incidents. Overall, we expect the cost of securing our networks will increase in future periods, whether through increased staff, systems or insurance coverage.

While we did not experience any cyber incident in 2017, 2016, or 2015 that had a significant impact on our business, it is possible that we could experience an incident in 2018 or future years, which could result in unanticipated costs.

Currency Fluctuations

In 2017, approximately 72% of our revenue and approximately 76% of our operating expenses were generated/incurred outside of the U.S. In 2016, approximately 88% of our revenue and approximately 73% of our operating expenses were generated/incurred outside of the U.S. While the majority of our revenue is generated outside of the U.S., the majority of our revenue is billed in U.S. Dollars. In 2017, approximately 66% of our revenue was denominated in U.S. Dollars, 29% was denominated in Euros and 5% was denominated in other currencies. In 2016, approximately 69% of our revenue was denominated in U.S. Dollars, 26% was denominated in Euros, and 5% was denominated in other currencies.

In general, to minimize the net impact of currency fluctuations on operating income, we attempt to denominate an amount of billings in a currency such that it would provide a hedge against the operating expenses being incurred in that currency. We expect that changes in currency rates may also impact our future results if we are unable to match amounts of revenue with our operating expenses in the same currency. If the amount of our revenue in Europe denominated in Euros continues as it is now or declines, we may not be able to balance fully the exposures of currency exchange rates on revenue and operating expenses.

The financial position and the results of operations of our foreign subsidiaries, with the exception of our subsidiaries in Switzerland, Singapore and Canada, are measured using the local currency as the functional currency. Accordingly, assets and liabilities are translated into U.S. Dollars using current exchange rates as of the balance sheet date. Revenues and expenses are translated at average exchange rates prevailing during the year. Translation adjustments arising from differences in exchange rates generated comprehensive income of $4.0 million in 2017, and comprehensive losses of $2.5 million and $3.3 million, in 2016, and 2015, respectively. These amounts are included as a separate component of stockholders’ equity. The functional currency of our subsidiaries in Switzerland, Canada, and Singapore is the U.S. Dollar.

Gains and losses resulting from foreign currency transactions are included in the consolidated statements of operations as other non-operating income/expense. We reported foreign exchange transaction losses of $0.5 million in 2017, foreign exchange transaction gains of $0.1 million in 2016, and foreign exchange transaction losses of $1.2 million in 2015, respectively. 

Components of Operating Results

Revenue

We generate revenue from the sale of our hardware products, software licenses, subscriptions and services. We believe comparison of revenues between periods is heavily influenced by the timing of orders and shipments reflecting the transactional nature of our business.

Cost of Goods Sold

Our total cost of goods sold consists of cost of product and license revenue and cost of service and other revenue. We expect our cost of goods sold to increase in absolute dollars as our business grows, although it may fluctuate as a percentage of total revenue from period to period.

Gross Profit

Gross profit as a percentage of total revenue, or gross margin, has been and will continue to be affected by a variety of factors, including our average selling price, manufacturing costs, the mix of products sold, and the mix of revenue among products, subscriptions and services. We expect our gross margins to fluctuate over time depending on these factors.

Operating Expenses

Our operating expenses are generally based on anticipated revenue levels and fixed over short periods of time. As a result, small variations in revenue may cause significant variations in the period-to-period comparisons of operating income or operating income as a percentage of revenue.

Generally, the most significant factor driving our operating expenses is headcount. Direct compensation and benefit plan expenses generally represent between 55% and 65% of our operating expenses. In addition, a number of other expense categories are directly related to headcount. We attempt to manage our headcount within the context of the economic environments in which we operate and the investments we believe we need to make for our infrastructure to support future growth and for our products to remain competitive.

In November 2015, with the acquisition of eSignLive, our headcount increased by 156. Average headcount for the full-year 2017, 2016, and 2015 was 614, 595, and 412, respectively.

Historically, operating expenses have been impacted by changes in foreign exchange rates. We estimate the change in currency rates in 2017 compared to 2016 resulted in an increase in operating expenses of approximately $0.4 million in 2017.

The comparison of operating expenses can also be impacted significantly by costs related to our stock-based and long-term incentive plans. For full-year 2017, 2016, and 2015, operating expenses included $5.4 million, $4.9 million, and $5.7 million, respectively, related to stock-based and long-term incentive plans. Generally, performance awards granted at the beginning of 2016 were not earned. Long-term incentive awards granted at the beginning of 2015 were earned. Long-term incentive plan compensation expense includes both cash and stock-based incentives.

Interest Income

Interest income consists of income earned on our cash equivalents and short term investments. Our cash equivalents and short term investments are invested in short-term instruments at current market rates.

Other Income (Expense), Net

Other income (expense), net primarily includes exchange gains (losses) on transactions that are denominated in currencies other than our subsidiaries’ functional currencies, subsidies received from foreign governments in support of our research and development in those countries and other miscellaneous non-operational expenses.

Income Taxes

Our effective tax rate reflects our global structure related to the ownership of our intellectual property (“IP”). All our IP in our traditional authentication business is owned by two subsidiaries, one in the U.S. and one in Switzerland. These two subsidiaries have entered into agreements with most of the other VASCO entities under which those other entities provide services to our U.S. and Swiss subsidiaries on either a percentage of revenue or on a cost plus basis or both. Under this structure, the earnings of our service provider subsidiaries are relatively constant. These service provider companies tend to be in jurisdictions with higher effective tax rates. Fluctuations in earnings tend to flow to the U.S. company and Swiss company. In 2018, earnings flowing to the U.S. company are expected to be taxed at a rate of 21% to 25%, while earnings flowing to the Swiss company are expected to be taxed at a rate ranging from 11% to 12%. Our Canadian subsidiary currently sells and services global customers directly.

As the majority of our revenues are generated outside of the U.S., our consolidated effective tax rate is strongly influenced by the effective tax rate of our foreign operations. Changes in the effective rate related to foreign operations reflect changes in the geographic mix of earnings and the tax rates in each of the countries in which it is earned. The statutory tax rate for the primary foreign tax jurisdictions ranges from 11% to 35%.

The geographic mix of earnings of our foreign subsidiaries primarily depends on the level of pretax income of our service provider subsidiaries and the benefit realized in Switzerland through the sales of product. The level of pretax income in our service provider subsidiaries is expected to vary based on:

For items 1 and 2 above, there is a direct impact in the opposite direction on earnings of the U.S. and Swiss entities. Any change from item 3 is generally expected to result in a larger change in income in the U.S. and Swiss entities in the direction of the change (increased revenues expected to result in increased margins/pretax profits and conversely decreased revenues expected to result in decreased margins/pretax profits).

In addition to the provision of services, the intercompany agreements transfer the majority of the business risk to our U.S. and Swiss subsidiaries. As a result, the contracting subsidiaries’ pretax income is reasonably assured while the pretax income of the U.S. and Swiss subsidiaries varies directly with our overall success in the market.

In November 2015, we acquired eSignLive, a foreign company with substantial IP and net operating loss and other tax carryforwards. The tax benefit of the carryforwards has been fully reserved as realization has not been deemed more likely than not.

U.S. Tax Reform

On December 22, 2017, the United States enacted U.S. tax reform that included a broad range of business tax provisions, including but not limited to a reduction in the U.S. federal tax rate from 35% to 21% as well as provisions that limit or eliminate various deductions or credits. The legislation also includes a one-time transition tax on accumulated foreign earnings and profits.

In response to the enactment of U.S. tax reform, the SEC issued guidance to address the complexity in accounting for this new legislation. When the initial accounting for items under the new legislation is incomplete, the guidance allows us to recognize provisional amounts when reasonable estimates can be made or to continue to apply the prior tax law if a reasonable estimate of the impact cannot be made. The SEC has provided up to a one-year window for companies to finalize the accounting for the impacts of this new legislation and we anticipate finalizing our accounting during 2018.

While our accounting for the new U.S. tax legislation is not complete, we have made reasonable estimates for some provisions and recognized a $28.1 million discrete tax expense in our 2017 financial statements. This expense is primarily comprised of a $2.3 million provisional deferred tax expense from revaluing our net U.S. deferred tax assets to reflect the new U.S. corporate tax rate, an additional $7.3 million provisional deferred tax expense related to changes in our indefinite reinvestment assertion, as well as $18.5 million provisional charge for the deemed repatriation tax. However, as of the date of this Form 10-K, we are continuing to evaluate the accounting impacts of the legislation, as we continue to assemble and analyze all the information required to prepare and analyze these effects and await additional guidance from the U.S. Treasury Department, the IRS or other standard-setting bodies. Additionally, we continue to analyze other information and regulatory guidance, and accordingly we may record additional provisional amounts or adjustments to provisional amounts in future periods. See Note 6, Income Taxes, for further details on the impacts of U.S. tax reform.

Results of Operations

The following tables summarize our consolidated results of operations for the periods presented (dollars in thousands) and as a percentage of our total revenue for those periods. The period-to-period comparison of results is not necessarily indicative of results for future periods.

Comparison of the Years Ended December 31, 2017 and 2016

Revenue

Total revenue increased $1.0 million or 1%, during the year ended December 31, 2017 compared to the year ended December 31, 2016. Product and license revenue decreased by $8.8 million, or 6% during the year ended December 31, 2017. The decrease in product and license revenue was primarily due to a decrease in hardware revenue offset partially by an increase in software licenses. Services and other revenue increased by $9.8 million, or 27% during the year ended December 31, 2017. The increase was due to an increase in SaaS and maintenance revenue.

Revenue generated in EMEA decreased $3.0 million, or 3% during the year ended December 31, 2017. The decrease in revenue was primarily driven by a decline in our hardware products partially offset by an increase in software licenses.

Revenue generated in the Americas increased $19.8 million, or 60% during the year ended December 31, 2017. The increase in revenue was primarily due to increased revenue from non-hardware products, including eSignLive and security software licenses.

Revenue generated in the Asia Pacific region decreased $15.8 million, or 25% during the year ended December 31, 2017. The decrease in revenue was primarily due to a decline in hardware revenue.

Cost of Goods Sold and Gross Margin

The cost of product and license revenue decreased $4.9 million, or 9% during the year ended December 31, 2017 compared to the year ended December 31, 2016. The decrease in cost of product and license revenue was primarily driven by a decline in our hardware revenue.

The cost of services and other revenue increased $2.0 million, or 24%, during the year ended December 31, 2017 compared to the year ended December 31, 2016. The increase in cost of services and other revenue was primarily due to increased services and other revenues and increased SaaS hosting fees.

Gross profit increased $3.9 million, or 3%, during the year ended December 31, 2017 compared to the year ended December 31, 2016. Gross margin was 70% for the year ended December 31, 2017 and 68% for the year ended December 31, 2016. The increase in gross margin primarily reflects an increase in software solutions as a percentage of total revenues.

The majority of our inventory purchases are denominated in U.S. Dollars. Our sales are denominated in various currencies including the Euro. For the year ended December 31, 2017, as the U.S. Dollar weakened against the Euro compared to the year ended December 31, 2016, revenue from sales in Euros, as measured in U. S. Dollars, increased, without a corresponding change in the cost of goods sold. The impact of changes in currency rates are estimated to have increased revenue by approximately $1.2 million for the full year of 2017. Had currency rates in the full year of 2017 been equal to rates in the same period in 2016, the gross profit margin would have been approximately 0.2 percentage points lower for the full year of 2017.

Operating Expenses

Sales and marketing expenses increased $1.6 million, or 3% during the year ended December 31, 2017 compared to the year ended December 31, 2016, primarily due to headcount and increased marketing investments. Average full-time sales, marketing, support, and operating employee headcount for year ended December 31, 2017 was 614, compared to 595 for year ended December 31, 2016. Average headcount in 2017 was 3% higher than in 2016.

Research and development expenses decreased $0.1 million, or 0% during the year ended December 31, 2017 compared to the year ended December 31, 2016. Average full-time research and development employee headcount for year ended December 31, 2017 was 215, compared to 225 for year ended December 31, 2016. Average headcount in 2017 was 4% lower than in 2016, partially attributed to the divestiture of a non-strategic business line in August 2017.

General and administrative expenses increased $5.8 million, or 18% during the year ended December 31, 2017 compared to the year ended December 31, 2016. The increase in general and administrative expenses for the year ended December 31, 2017 primarily reflect increased headcount, professional fees and facilities expense. Professional fees primarily relate to internal controls, legal and internal systems. Average full-time general and administrative employee headcount for year ended December 31, 2017 was 91, compared to 82 for year ended December 31, 2016. Average headcount in 2017 was 11% higher than in 2016.

Amortization of purchased intangible assets expense for the year ended December 31, 2017 was $8.8 million, compared to $8.8 million for the year ended December 31, 2016. There were no significant changes in our amortization of purchased intangible assets for the year ended December 31, 2017 from the year ended December 31, 2016.

Interest Income

Consolidated net interest income for the year ended December 31, 2017 was $1.4 million, compared to $0.8 million for the year ended December 31, 2016. The increase in interest income for 2017 compared to the 2016 reflects an increase in the average interest rate earned on invested balances and an increase in the average invested balance.

Other Income (Expense), Net

Other income (expense), net for the year ended December 31, 2017 was $0.8 million, compared to $0.9 million for the year ended December 31, 2016. Other income (expense), net included exchange losses of $0.5 million for the year ended December 31, 2017 compared to exchange gains of $0.1 million for the year ended December 31, 2016.

Income Taxes

Income tax expense for 2017 was $30.8 million, compared to $0.9 million in 2016.  The effective tax rate in 2017 was 367%, compared to 8% in 2016.  The increase in the rate is primarily due to the repatriation tax, change in permanently reinvested assertion, and tax rate change on deferred tax assets described in Note 6.

Our future effective tax rate will be affected by U.S. tax reform. Effective in 2018, the U.S. statutory tax rate decreases from 35% to 21% and creates new taxes on certain foreign-sourced earnings which are referred to as the global intangible low-taxed income tax (“GILTI”).

Loss Carryforwards Available

At December 31, 2017, we have deferred tax assets of $21.7 million resulting from foreign and state NOL carryforwards of $120.5 million and other foreign deductible carryforwards of $31.2 million. At December 31, 2017, we have a valuation allowance of $12.8 million against deferred tax assets related to certain carryforwards. See Note 6 to the consolidated financial statements for more information regarding carryforwards and valuation allowances.

Comparison of the Years Ended December 31, 2016 and 2015

Revenue