ITEM 1. BUSINESS.
Company Overview
CynergisTek, Inc. (including our subsidiaries, CTEK Solutions, Inc., CTEK Security, Inc., Delphiis, Inc. and Backbone Enterprises, Inc.) (referred to collectively in this Annual Report, as “CynergisTek,” the “Company,” “we,” “our” and “us”) is engaged in the business of providing companies with cybersecurity, privacy and compliance services through our assessment and technical testing, remediation, management, and validation services. CynergisTek combines intelligence, expertise, and a distinct methodology to validate a company’s security posture and ensure that the company’s team is rehearsed, prepared, and resilient against threats. These services are delivered primarily through our three-year managed services agreements or short-term consulting and professional services engagements. We serve companies in highly regulated industries, including healthcare, higher education, technology, government, manufacturing, and the financial sector through the CynergisTek, Backbone Consulting and Redspin brands. Our principal executive offices are located at 11940 Jollyville Road, Suite 300N, Austin, Texas, 78759.
Available Information
For more information on CynergisTek and our products and services, please see the section entitled “Principal Products or Services” below or visit our website at www.cynergistek.com. The inclusion of our Internet address in this Annual Report does not include or incorporate by reference into this Annual Report any information on our website. Our annual reports on Form 10-K, quarterly reports on Form 10-Q, current reports on Form 8-K, amendments to those reports and other filings with the Securities and Exchange Commission (the “SEC”) are generally available through the EDGAR system maintained by the SEC at www.sec.gov.
Background
CynergisTek, Inc. was originally incorporated under the laws of the State of Nevada on August 29, 1995, under the name Corporate Development Centers, Inc. On April 1, 2004, we acquired Alan Mayo and Associates, Inc. dba The Mayo Group (“TMG”), a managed print company. TMG provided outsourced print management services to healthcare facilities throughout California. After we acquired TMG, we changed our name to “Auxilio, Inc.” and changed the name of TMG’s former subsidiary to “Auxilio Solutions, Inc.,” and later changed its name again to “CTEK Solutions, Inc.” Effective July 1, 2014, we acquired Delphiis, Inc., a California corporation, which provided IT security consulting services. On April 7, 2015, we acquired certain assets of Redspin, Inc. which provides IT security consulting services. On January 13, 2017, we acquired CynergisTek, Inc., a Texas corporation, which had the vision to help healthcare organizations assess risk and comply with regulatory measures and was one of the first organizations to follow the NIST Cybersecurity Framework, a standard now recognized by the Health Information Technology for Economic and Clinical Health Act (“HITECH”) 7898 amendment. The company was reincorporated in Delaware in September 2017 and assumed its current name CynergisTek, Inc. and up listed to the NYSE. The Company expanded into providing additional IT security consulting services and solutions. On October 31, 2019, we acquired Backbone Enterprises, Inc., a Minnesota corporation (“Backbone”), which provides similar services including IT audits.
Our Common Stock currently trades on the NYSE American under the symbol “CTEK.”
Principal Products and Services
We are engaged in the business of helping U.S. based companies in highly regulated industries, including healthcare, be prepared to handle unforeseen cyber threats, comply with regulations, and gain the confidence that their efforts are strengthening their security posture and building resilience. This is achieved through our cybersecurity, privacy, compliance and audit services.
CynergisTek was born in healthcare and is one of the few consulting and advisory companies focused on converging security and privacy with a methodology to validate the rigor and effectiveness of the programs as a managed service. We believe that our years of experience of understanding our clients’ unique challenges allows us to provide our customers with services designed around industry best practices to improve security controls, policies and procedures and to protect sensitive information. Our team of subject matter experts and consultants are comprised of knowledgeable professionals who have learned their craft both in the classroom and through years of practical on-the-job experience, including as policy makers, attorneys and leaders in cybersecurity, privacy and compliance.
Our services are categorized into four service groups, which are: assess, build, manage, and validate. These services are designed to meet the client where they are in their security journey as recurring managed services under long-term contracts structured to provide a sustainable and growing program, or under shorter duration consulting or professional services engagements.
| · | Assess - identify, measure, and test security and privacy risk of an organization’s readiness and verify and validate their programs meet compliance and business objectives through IT audits, technical testing, and risk and program assessments. |
| · | Build - develop policies and procedures and playbooks to help build out a fully comprehensive risk management program and provide resources to help organizations prioritize, implement and execute initiatives to strengthen their security and privacy programs. |
| · | Manage - provide on-going management and oversight of specific components of an organization’s security and privacy programs to address or give alerts when an issue arises and to offer our expertise that they need to accelerate the effectiveness of their programs. |
| · | Validate - verify the processes, people, and technology are working effectively and provide insight to the ROI of an organization’s security investment through advanced services requiring highly experienced resources and/or technology to deliver. |
For sophisticated organizations our Resilience Partner Program encompasses a bundle of services from the assess, build, manage, and validate categories to deliver clarity and guidance as a consistent partner helping maintain and grow their security infrastructure through more rigorous proactive testing, evaluation and validation services.
Competition
The competition in the healthcare industry market for cybersecurity, privacy and compliance services generally comes from large or niche consulting and technology firms and regional companies that offer multiple approaches but within a much smaller geographic footprint. Examples include companies like Deloitte, Dell Secureworks, Coalfire, Fortified Health Security, Meditology, Impact Advisors, First Health Advisory and Clearwater Consulting.
We believe our analysis of the competitive landscape shows a very strong opportunity to provide the healthcare and adjacent industries with services to support the demand for security and privacy assessments, program development, offensive security testing and managed services, and we believe that we have a strong competitive position in the marketplace due to several important factors:
| · | We are not aware of many other vendors or service providers which have the majority of their business dedicated to addressing the healthcare industry. Our expertise and the depth of our client relationships are unmatched in the market. |
| | |
| · | We believe our offering provides a unique approach to address workforce and expertise shortages. We are able to deploy knowledgeable resources to perform a predefined security role on-site or virtually for a defined amount of time, which results in our customers receiving staff with expertise they need while controlling their costs. |
| | |
| · | We are not restricted to any single supplier, which allows us to bring the best hardware and software solutions to our customers. Our approach is to use the most appropriate technology to provide a superior solution without any prejudice as to manufacturer or developer. |
| | |
| · | We believe our relationship with healthcare providers gives us an advantage when targeting the larger pool of potential clients in the business associate category, including leading Electronic Health Record (EHR) providers and medical device manufacturers who have recently been added as clients. |
| | |
| · | We believe that combining both our traditional and more proactive approaches to data protection make us a more versatile solution for entities regardless of program maturity. |
| | |
| · | We have a strong referral base within healthcare as a result of serving more than a thousand hospitals and other healthcare clients under managed services agreements for twenty plus years. |
| | |
| · | Our employees have broad experience in and outside of healthcare to bring a wide range of knowledge and best practices. At the present time, we have employees who formerly worked for the Office of Civil Rights, were Chief Information Security Officers, Chief Information Officers and Chief Compliance Officers at some of the leading healthcare institutions. In addition, our subject matter experts and consultants maintain multiple industry certifications including CISSP, CISM, CGEIT, CRISC, CISA, CBCP, CCIE, CCNP, CCNA, CHPC, CHRC, CHC, CIPP, CHPS, MCSE, SCSA, SCNA, CIA, ISSMP, CMMC Provisional Assessor, CMMC Registered Provider and ISSAP. |
Customers
Most of our customers are considered part of the healthcare industry and third parties who provide services to the healthcare industry. Recently we have increased our efforts to expand outside of healthcare into other highly regulated industries and now have customers that operate in a variety of industries, including education, financial services, government, internet and media, and manufacturing. The loss of any key customer could have a material adverse effect upon our financial condition, business, prospects and results of operation. For the year ended December 31, 2021, our largest customer represented approximately 13% of our revenues.
Intellectual Property
Our success depends in part upon our ability to protect our core intellectual property. We rely on, among other things, confidentiality safeguards and procedures, and employee non-disclosure and invention assignment agreements to protect our intellectual property rights. We also license software from third parties for integration into our procedures, including open-source software and other software available on commercially reasonable terms.
We control access to and use of our proprietary information through the use of internal and external controls, including contractual protections with employees, contractors, end-customers and partners, and our intellectual property is protected by U.S. and international trade secret laws. Despite our efforts to protect our proprietary information, unauthorized parties may still copy or otherwise obtain and use our proprietary information without our permission.
We maintain databases that contain the results of our assessment efforts. This allows us to anticipate our customers’ future needs by developing or offering existing services to meet those needs. These databases provide us with exclusive insight into the state of cybersecurity of our customers and the healthcare industry. We consider our intellectual property an important and valuable asset that enhances our competitive position.
We have trademark registrations in the United States for “CYNERGISTEK,” “REDSPIN,” “MANAGED SECURITY VALIDATION” and the CynergisTek logo.
Human Capital Resources
As of December 31, 2021, we had 89 full-time employees, including 66 employees engaged in providing services, 10 employees engaged in sales and marketing, and 13 employees engaged in general and administrative activities. Our employees are not represented by any collective bargaining agreement, and we have never experienced a work stoppage. We are proud of our diversity efforts that include above industry averages in several minority categories and a high representation of veteran employees. We believe our employee relations are good.
CynergisTek complies with all applicable state, local and international laws governing nondiscrimination in employment in every location in which we operate. All applicants and employees are treated with the same high level of respect regardless of their gender, ethnicity, religion, national origin, age, marital status, political affiliation, sexual orientation, gender identity, disability or protected veteran status.
We value ongoing training to keep our employees’ skills current by providing them with an annual training budget, education assistance and a team with diverse skills for easy and collaborative cross-training opportunities. In addition to training from anyone on the team in areas of interest, employees are also empowered to train others.
CynergisTek is committed to the health, safety and wellness of its employees. We have modified our business practices and implemented certain policies at our offices in accordance with best practices to accommodate, and at times mandate, remote work practices, including restricting employee travel, modifying employee work locations, and cancelling attendance at events and conferences. In addition, we have invested in employee safety equipment, re-designed workplaces as necessary and adapted new processes for interactions with our customers to safely manage our operations.
Governmental Regulation
We are subject to federal, state and local consumer protection laws, including laws protecting the privacy of customer non-public information and regulations prohibiting unfair and deceptive trade practices. These consumer protection laws and regulations could result in substantial compliance costs and could interfere with the conduct of our business.
Legislation in the United States has increased public companies’ regulatory and compliance costs as well as the scope and cost of work provided by independent registered public accountants and legal advisors. As regulatory and compliance guidelines continue to evolve, we may incur additional costs in the future, which may or may not be material, in order to comply with legislative requirements or rules, pronouncements and guidelines by regulatory bodies.
ITEM 1A. RISK FACTORS
Before deciding to purchase, hold or sell our Common Stock, you should carefully consider the risks described below in addition to the other information contained in this Annual Report and in our other filings with the SEC, including subsequent reports on Forms 10-Q and 8-K. The risks and uncertainties not presently known to us or that we currently deem immaterial may also affect our business. If any of these known or unknown risks or uncertainties actually occurs with material adverse effects on CynergisTek, our business, financial condition, results of operations and/or liquidity could be seriously harmed. In that event, the market price of our Common Stock will likely decline, and you may lose all or part of your investment.
Risks Related to Our Industry
We face substantial competition from better established companies that may offer similar products and services at a lower cost to our customers, resulting in a reduction in the sale of our products and services.
The market for our products and services is competitive and is likely to become even more competitive in the future. Increased competition could result in pricing pressures, reduced sales, reduced margins or the failure of our products and services to achieve or maintain market acceptance, any of which would have a material adverse effect on our business, results of operations and financial condition. Many of our current and potential competitors enjoy substantial competitive advantages, such as:
| · | greater name recognition and larger marketing budgets and resources; |
| · | established marketing relationships and access to larger customer bases; |
| · | substantially greater financial, technical and other resources; and |
| · | larger technical and support staffs. |
As a result, our competitors may be able to respond more quickly than we can to new or changing opportunities, technologies, standards or customer requirements. For all of the foregoing reasons, we may not be able to compete successfully against our current and future competitors.
Risks Related to Our Business
Our financial statements have been prepared to assume a going concern.
Our financial statements as of December 31, 2021, were prepared under the assumption that we will continue as a going concern for the next twelve months from the date of issuance of these financial statements. Our ability to continue as a going concern is dependent upon our ability to obtain additional financing, obtain further operating efficiencies, reduce expenditures, grow our security business, and ultimately, create cash flow profitable operations. We may not be able to raise capital or obtain additional capital on reasonable terms. Our financial statements do not include adjustments that would result from the outcome of this uncertainty.
A substantial portion of our business is dependent on our largest customers.
The loss of any key customer could have a material adverse effect upon our financial condition, business, prospects, and results of operation. Our largest customer represented approximately 13% of our revenues for the year ended December 31, 2021. A loss of any large customer could have a material impact on our operations that may require us to obtain equity funding or debt financing to continue our operations. We cannot be certain that we will be able to obtain such financing on commercially reasonable terms, or at all.
Fluctuations in demand for our services and solutions are driven by many factors, and a decrease in demand for our products could adversely affect our financial results.
We are subject to fluctuations in demand for our services and solutions due to a variety of factors, including market transitions, general economic conditions, competition, product obsolescence, technological change, shifts in buying patterns, financial difficulties and budget constraints of our current and potential customers, awareness of security threats to information systems and other factors. While such factors may, in some periods, increase services and solutions, fluctuations in demand can also negatively impact our sales. If demand for our services and solutions declines, whether due to general economic conditions or a shift in buying patterns, our revenues and margins would likely be adversely affected.
We are currently operating in a period of economic uncertainty and capital markets disruption, which has been significantly impacted by geopolitical instability due to the ongoing military conflict between Russia and Ukraine. Our business, financial condition and results of operations may be materially adversely affected by any negative impact on the global economy and capital markets resulting from the conflict in Ukraine or any other geopolitical tensions.
U.S. and global markets are experiencing volatility and disruption following the escalation of geopolitical tensions and the start of the military conflict between Russia and Ukraine. On February 24, 2022, a full-scale military invasion of Ukraine by Russian troops was reported. Although the length and impact of the ongoing military conflict is highly unpredictable, the conflict in Ukraine could lead to market disruptions, including significant volatility in commodity prices, credit and capital markets, as well as supply chain interruptions. We are continuing to monitor the situation in Ukraine and globally and assessing its potential impact on our business.
Additionally, Russia’s prior annexation of Crimea, recent recognition of two separatist republics in the Donetsk and Luhansk regions of Ukraine and subsequent military interventions in Ukraine have led to sanctions and other penalties being levied by the United States, European Union and other countries against Russia, Belarus, the Crimea Region of Ukraine, the so-called Donetsk People’s Republic, and the so-called Luhansk People’s Republic, including agreement to remove certain Russian financial institutions from the Society for Worldwide Interbank Financial Telecommunication (“SWIFT”) payment system. Additional potential sanctions and penalties have also been proposed and/or threatened. Russian military actions and the resulting sanctions could adversely affect the global economy and financial markets and lead to instability and lack of liquidity in capital markets, potentially making it more difficult for us to obtain additional funds.
Any of the abovementioned factors could affect our business, prospects, financial condition, and operating results. The extent and duration of the military action, sanctions and resulting market disruptions are impossible to predict, but could be substantial. Any such disruptions may also magnify the impact of other risks described in this Annual Report on Form 10-K.
The ongoing COVID-19 pandemic and ensuing governmental responses has caused significant uncertainty in the United States and global economies as well as the markets we serve has negatively impacted and could further materially adversely affect our business, financial condition and results of operations.
COVID-19 cases (including the spread of variants and mutant strains, such as the recently detected omicron variant) continue to surge in certain parts of the world and have resulted in authorities implementing numerous measures to contain the virus, including travel bans and restrictions, quarantines, shelter-in-place orders, and business limitations and shutdowns. We remain unable to accurately predict the full impact that COVID-19 will have on our results of operations, financial condition, liquidity and cash flows due to numerous uncertainties, including the duration and severity of the pandemic and containment measures. Our compliance with containment and mitigation measures materially impacted our day-to-day operations, and there can be no guaranty that the pandemic will not disrupt our business and operations or impair our ability to implement our business plan successfully.
More generally, the pandemic raises the possibility of an extended global economic downturn and has caused volatility in financial markets, which could affect demand for our products and services and impact our results and financial condition even after the pandemic is contained. For example, we may be unable to collect receivables from those customers significantly impacted by COVID-19. Also, a decrease in bookings in a given period could negatively affect our revenues in future periods, particularly if experienced on a sustained basis. The pandemic may also have the effect of heightening many of the other risks described in these Risk Factors, particularly those risks associated with our customers.
Our current and potential customers’ businesses, specifically in the healthcare industry, have been directly impacted both financially and operationally in many ways by the pandemic. During this time, cybersecurity risks in healthcare have increased particularly with increased adoption of remote access and increased adoption of telehealth, as well as decreased budgets, diversion of resources and focus from all areas not directly related to patient care. In the current periods, the pandemic has led to customers delaying or deferring cybersecurity buying decisions, has limited our ability to visit customers and potential customers, and has resulted in an overall decrease in our orders, bookings and revenues in 2020 and 2021.
We took steps to reduce expenses throughout the Company over the past eighteen months, including workforce reductions, substantially reducing Company travel, trade shows and other business meetings and decreasing expenditures. We have modified our business practices and implemented certain policies at our offices in accordance with best practices to accommodate, and at times mandate, remote work practices, including restricting employee travel, modifying employee work locations, and cancelling attendance at events and conferences. In addition, we have adapted new processes for interactions with our customers to safely manage our operations. Many of our customers have made similar modifications. If necessary, we may take further actions in the best interests of our employees, customers, partners and suppliers. There is no certainty that such measures will be sufficient to mitigate the risks posed by COVID-19, in which case our employees may become sick, our ability to perform critical functions could be harmed, and our business and operations could be negatively impacted.
With less resources allocated to cybersecurity in healthcare over the past eighteen months, we believe risks are on increasing and expect the industry will need to increase attention and spend on cybersecurity in the near future. However, the ultimate duration and impact of the COVID-19 pandemic on our business, results of operations, financial condition and cash flows is uncertain. Even after the COVID-19 pandemic has subsided, we may continue to experience an adverse impact to our business, and we anticipate that our results of operations in future periods may continue to be adversely impacted by the COVID-19 pandemic and its negative effects on global economic conditions.
As we expect the industry to begin emerging from the pandemic, we have begun to increase our sales and marketing efforts and building our sales and operational teams for growth. However, our current and potential customers’ businesses could continue to be disrupted or they could seek to limit spending due to decreased budgets, reduced access to credit or various other factors, any of which could negatively impact the willingness or ability of such customers to order new, or any, services with us and ultimately adversely affect our revenues, as well as negatively impact the payment of accounts receivable and collections and potentially lead to write-downs or write-offs.
The ultimate duration and impact of the COVID-19 pandemic on our business, results of operations, financial condition and cash flows is dependent on future developments, including the duration of the pandemic and the related length of its impact on the global economy, which remain uncertain and cannot be predicted at this time. Furthermore, the extent to which our mitigation efforts are successful, if at all, is not presently ascertainable.
The impact of any deterioration in the U.S. economy as a result of the coronavirus (COVID-19) outbreak may negatively affect our business.
A deterioration in the U.S. economy as a result of the coronavirus outbreak could result in continued turmoil. The continued impact of this event on our business and the severity of an economic crisis is uncertain. It is possible that a crisis (such as the coronavirus outbreak) in the U.S. economy could continue to adversely affect our business, vendors and prospects as well as our liquidity and financial condition. This could continue to impact our ability to increase our customer base and customers could continue to delay deploying our services which could impact our ability to generate positive cash flows. Our current service offerings and our future growth may be minimized to a point that would be detrimental to our business development activities. These events would be detrimental to our business prospects and result in material changes to our operations and financial position.
Environmental, social and governance matters may impact our business and reputation.
Increasingly, in addition to the importance of their financial performance, companies are being judged by their performance on a variety of environmental, social and governance (“ESG”) matters, which are considered to contribute to the long-term sustainability of companies’ performance.
A variety of organizations measure the performance of companies on ESG topics, and the results of these assessments are widely publicized. In addition, investment in funds that specialize in companies that perform well in such assessments are increasingly popular, and major institutional investors have publicly emphasized the importance of ESG measures to their investment decisions. Topics taken into account in such assessments include, among others, companies’ efforts and impacts on climate change and human rights, ethics and compliance with law, diversity and the role of companies’ board of directors in supervising various sustainability issues.
ESG goals and values are embedded in our core mission and vision, and we actively take into consideration their expected impact on the sustainability of our business over time and the potential impact of our business on society. However, in light of investors’ increased focus on ESG matters, there can be no certainty that we will manage such issues successfully, or that we will successfully meet society’s expectations as to our proper role. This could lead to risk of reputational damage relating to our ESG policies or performance.
Further, our emphasis on ESG issues may not maximize short-term financial results and may yield financial results that conflict with the market’s expectations. We have and may in the future make business decisions that may reduce our short-term financial results if we believe that the decisions are consistent with our ESG goals, which we believe will improve our financial results over the long-term. These decisions may not be consistent with the short-term expectations of our stockholders and may not produce the long-term benefits that we expect, in which case our business, financial condition, and operating results could be harmed.
We may be subject to data breaches and cyber-attacks which could materially adversely affect our financial condition, our competitive position and operating results.
Data breaches and cyber-attacks could compromise our trade secrets and other sensitive information, be costly to remediate and cause significant damage to our business and reputation. The secure maintenance of this information is critical to our business and reputation. We believe that companies have been increasingly subject to a wide variety of security incidents, cyber-attacks, hacking and phishing attacks, and other attempts to gain unauthorized access or to cause disruption. These threats can come from a variety of sources, all ranging in sophistication from an individual hacker to a state-sponsored attack. Cyber threats may be generic, or they may be custom crafted against our information systems.
Cyber-attacks have become increasingly more prevalent and much harder to detect and defend against. Our network and storage applications, as well as those of our customers, business partners, and third-party providers, may be subject to unauthorized access, disruption or data manipulation by hackers or breached due to operator error, malfeasance or other system disruptions. It is often difficult to anticipate or immediately detect such incidents and the damage caused by such incidents. These data breaches and any unauthorized access, misuse, disruption, disclosure or modification of our information or intellectual property could compromise our intellectual property and expose sensitive business information, prevent us from accessing our systems or break integrity in our systems. Cyber-attacks on us or our customers, business partners or third-party providers could also cause us to incur significant remediation costs, result in product development delays, disrupt key business operations and divert attention of management and key information technology resources. Our data, corporate systems, third-party systems and security measures may be breached due to the actions of outside parties, employee error, malfeasance, a combination of these, or otherwise, and, as a result, an unauthorized party may obtain access to our data. These incidents could also subject us to liability, expose us to significant expense and cause significant harm to our reputation and business.
In addition, we could be subject to claims for damages resulting from loss of data from alleged vulnerabilities in the security of our processors who work in our Patient Privacy Monitoring Services (PPMS) group. We have implemented tighter measures to reduce risk of outsiders accessing our client’s ePHI, including direct hardwired internet connections that are VLANed and all connections are encrypted with viewing access from the customer’s environment. For remote work of our PPMS resources we have benchmarked against DoD standards for secure system configuration and provided a VPN that meets ISO 27001 requirements to ensure the confidentiality of the data while not utilizing the internal VLANed network. We also maintain confidential and personally identifiable information about our workers. The integrity and protection of our worker data is critical to our business and our workers have a high expectation that we will adequately protect their personal information, including medical records.
A breach in our data security, or that of our third-party service providers, could impact our networks creating system disruptions or slowdowns and exploiting security vulnerabilities of our systems, and the information stored on our networks or those of our third-party service providers could be accessed, publicly disclosed, altered, lost, stolen, or rendered inaccessible, which could subject us to liability and cause us financial harm. Although we have not yet experienced damages from unauthorized access by a third party of our internal network, any actual or perceived breach of network security in our systems or networks, or any other actual or perceived data security incident we or our third-party service providers suffer, could result in damage to our reputation, negative publicity, loss of channel partners, end-customers and sales, loss of competitive advantages over our competitors, increased costs to remedy any problems and otherwise respond to any incident, regulatory investigations and enforcement actions, costly litigation, and other liability. In addition, we may incur significant costs and operational consequences of investigating, remediating, eliminating and putting in place additional tools and devices designed to prevent actual or perceived security breaches and other security incidents, as well as the costs to comply with any notification obligations resulting from any security incidents. While we maintain cybersecurity insurance, our insurance may be insufficient to cover all liabilities incurred by these incidents, and any incidents may result in loss of, or increased costs of, our cybersecurity insurance. Any of these negative outcomes could adversely impact the market perception of our services and end-customer and investor confidence in our company and could seriously harm our business or operating results.
If our customers experience data losses, our brand, reputation and business could be harmed.
A breach of our customers’ network security and systems or other events that cause the loss or public disclosure of, or access by third parties to, our customers’ files or data could have serious negative consequences for our business, including reduced demand for our services, an unwillingness of our customers to use our services, harm to our brand and reputation. The techniques used to obtain unauthorized access, disable or degrade service, or sabotage systems change frequently, often are not recognized until launched against a target, and may originate from less regulated or remote areas around the world. As a result, our customers may be unable to proactively prevent these techniques, implement adequate preventative or reactionary measures, or enforce the laws and regulations that govern such activities. If our customers experience any data loss, data disruption, or any data corruption or inaccuracies, whether caused by security breaches or otherwise, our brand, reputation and business could be harmed.
Our insurance may be inadequate or may not be available in the future on acceptable terms, or at all. In addition, our policy may not cover claims against us for loss of data or other indirect or consequential damages. Defending a suit based on any data loss or system disruption, regardless of its merit, could be costly and divert management’s attention.
Legislation and regulation.
We are a cybersecurity, privacy and compliance consulting firm dedicated to serving highly regulated industries including the healthcare and government industries. U.S. government agencies continue to implement extensive requirements on these industries. These have both positive and negative impacts with much remaining uncertain as to how various provisions will ultimately affect our customers and our business. As to prospective legislation and regulation concerning collection, transmission, storage and use of healthcare and personal data, we cannot determine what effect additional state or federal governmental legislation, regulations, or administrative orders would have on our business in the future. New legislation or regulation may require the reformulation of our business to meet new standards, require us to cease operations, impose stricter qualification and/or registration standards, impose additional record keeping, or require expanded consumer protection measures (such as heightened notification procedures and data subject access rights).
Failure to comply with governmental laws and regulations could harm our business.
Our business is subject to regulation by various federal, state, local, and foreign governmental agencies, including agencies responsible for monitoring and enforcing employment and labor laws, workplace safety, product safety, environmental laws, consumer protection laws, privacy and data-protection laws, antibribery laws (including the False Claims Act and the U.S. Foreign Corrupt Practices Act), federal securities laws, and tax laws and regulations. Noncompliance with applicable regulations or requirements could subject us to investigations, sanctions, enforcement actions, disgorgement of profits, fines, damages, civil and criminal penalties, or injunctions. If any governmental sanctions are imposed, or if we do not prevail in any possible civil or criminal litigation resulting from any alleged noncompliance, our business, operating results, and financial condition could be materially adversely affected. In addition, responding to any action will likely result in a significant diversion of management’s attention and resources and an increase in professional fees. Enforcement actions, litigation, and sanctions against us, as well as any governmental sanctions or actions in which our employees act as “whistleblowers” against our customers under the False Claims Act or state false claims laws, could harm our business, operating results, financial condition and reputation.
We may be unable to recruit and maintain our senior management and other key personnel on whom we are dependent.
We are highly dependent upon senior management and key personnel, and we do not carry any life insurance policies on such persons. The loss of any of our senior management, or our inability to attract, retain and motivate the additional highly skilled employees and consultants that our business requires, could substantially hurt our business, prospects, financial condition and results of operations. Competition for highly skilled personnel, particularly in cybersecurity, is often intense and could adversely affect our ability to retain qualified personnel. In addition, the industry in which we operate generally experiences high employee attrition. If we are unable to hire, integrate, train, or retain the qualified and highly skilled personnel required to fulfill our current or future needs, our business, financial condition, and operating results could be harmed.
Further, we believe that a critical contributor to our success and our ability to retain highly skilled personnel has been our corporate culture, which we believe fosters innovation, teamwork, passion for end-customers, focus on execution, and the facilitation of critical knowledge transfer and knowledge sharing. As we grow and change and move to a more remote work force, we may find it difficult to maintain these important aspects of our corporate culture. Any failure to preserve our culture as we grow could limit our ability to innovate and could negatively affect our ability to retain and recruit personnel, continue to perform at current levels or execute on our business strategy.
The market may not accept our services and solutions and we may not be able to continue our business operations.
Our services and solutions are targeted to regulated industries, like the healthcare market, and markets in which there are many competing service providers. Accordingly, the demand for our products and services is very uncertain. The market may not accept our services and solutions. Even if our services and solutions achieve market acceptance, they may fail to adequately address the market’s requirements.
Our business depends on generating and maintaining ongoing, profitable customer demand for our services and solutions. A significant reduction in such demand or an inability to respond to the evolving technological environment could materially affect our results of operations.
Our revenue and profitability depend on the demand for our services and solutions with favorable margins, which could be negatively affected by numerous factors, many of which are beyond our control and unrelated to our work product. Volatile, negative or uncertain global economic conditions and lower growth in the markets we serve have adversely affected and could in the future adversely affect customer demand for our services and solutions. Our success depends, in part, on our ability to continue to develop and implement services and solutions that anticipate and respond to rapid and continuing changes in technology and offerings to serve the evolving needs of our customers. Technological developments may materially affect the cost and use of technology by our customers. Some technologies may replace some of our services and solutions in the future. This may cause customers to delay spending under existing contracts and engagements and to delay entering into new contracts while they evaluate new technologies. Such delays can negatively impact our results of operations if the pace and level of spending on new technologies is not sufficient to make up any shortfall.
Developments in the industries we serve, which may be rapid, also could shift demand to new services and solutions. If, as a result of new technologies or changes in the industries we serve, our customers demand new services and solutions, we may be less competitive in these new areas or need to make significant investment to meet that demand. Our growth strategy focuses on responding to these types of developments by driving innovation that will enable us to expand our business into new growth areas. We must continually address the challenges of dynamic and accelerating market trends, such as the emergence of advanced persistent threats in the security space. If we do not sufficiently invest in new technology and adapt to industry developments or evolve and expand our business at sufficient speed and scale, or if we do not make the right strategic investments to respond to these developments and successfully drive innovation, our services and solutions, our results of operations, and our ability to develop and maintain a competitive advantage and to execute on our growth strategy could be negatively affected. New solutions product development and introduction involves a significant commitment of time and resources and is subject to a number of risks and challenges including without limitation:
| · | Managing the length of the development cycle for new solutions and service enhancements; |
| · | Adapting to emerging and evolving industry standards and to technological developments by our competitors and customers; |
| · | Extending the operation of our services and solutions to new and evolving platforms, operating systems and hardware products, such as mobile devices; |
| · | Entering into new or unproven markets with which we have limited experience; |
| · | Identifying new forms of adversarial cyber attacks and developing appropriate mitigation strategies; |
| · | Managing new service and solution strategies for the markets in which we operate; and |
| · | Developing or expanding efficient sales and marketing channels. |
If we are not successful in managing these risks and challenges, or if our new solutions and services are not technologically competitive or do not achieve market acceptance, our business and operating results could be adversely affected. We operate in a rapidly evolving environment in which there currently are, and we expect will continue to be, new technology entrants. New services or technologies offered by competitors or new entrants may make our offerings less differentiated or less competitive when compared to other alternatives, which may adversely affect our results of operations. In addition, companies in the industries we serve sometimes seek to achieve economies of scale and other synergies by combining with or acquiring other companies. If one of our current customers merges or consolidates with a company that relies on another provider for the services and solutions we offer, we may lose work from that customer or lose the opportunity to gain additional work if we are not successful in generating new opportunities from the merger or consolidation.
Many of our contracts allow customers to terminate, delay, reduce or eliminate spending on the services and solutions we provide. Additionally, a customer could choose not to retain us for additional stages of a project, try to renegotiate the terms of its contract or cancel or delay additional planned work. When contracts are terminated or not renewed, we lose the anticipated revenues, and it may take significant time to replace the level of revenues lost. Consequently, our results of operations in subsequent periods could be materially lower than expected. The specific business or financial condition of a customer, changes in management and changes in a customer’s strategy are also factors that can result in terminations, cancellations or delays.
Consolidation in the healthcare industry could have an adverse effect on our revenues and results of operations.
The healthcare industry has been consolidating and organizations such as group purchasing organizations, independent delivery networks, and large single accounts continue to consolidate purchasing decisions for many of our healthcare provider customers. As a result, transactions with our customers are more complex and tend to involve more long-term contracts. The purchasing power of these larger customers has increased, and may continue to increase, causing downward pressure on product and services pricing. If we are not one of the privacy or cybersecurity service providers selected by one of these consolidated organizations, we may be precluded from making sales to its members or participants. Even if we are one of the selected service providers, we may be at a disadvantage relative to other selected providers that are able to offer volume discounts based on purchases of a broader range of products and/or services. Further, we may be required to commit to pricing that has a material adverse effect on our revenues and profit margins, business, financial condition and results of operations. We expect that market demand, governmental regulation, third-party reimbursement policies and societal pressures will continue to change the worldwide healthcare industry, resulting in further business consolidations and alliances, which may exert further downward pressure on the prices of our services and could adversely impact our business, financial condition, and results of operations.
Achieving the desired benefits of recent acquisitions may be subject to a number of challenges and uncertainties which make it hard to predict the future success of each entity.
We have completed several acquisitions in recent years with expected benefits including, among other things, operating efficiencies, procurement savings, innovation, sharing of best practices and increased market share that may allow for future growth. Achieving the anticipated benefits may be subject to a number of significant challenges and uncertainties, including, without limitation, whether unique corporate cultures will work collaboratively in an efficient and effective manner, the coordination of separate organizations, the possibility of imprecise assumptions underlying expectations regarding potential synergies and the integration process, unforeseen expenses and delays, and competitive factors in the marketplace. We could also encounter unforeseen transaction and integration-related costs or other circumstances such as unforeseen liabilities or other issues. We are highly dependent upon key personnel from these acquisitions and the loss of any of these key personnel, or our inability to retain and motivate these employees, could substantially hurt our future growth and results of operations. This includes retention risk as a result of missing earnout targets that could negatively impact employee compensation. Many of these potential circumstances are outside of our control and any of them could result in increased costs, decreased revenue, decreased synergies and the diversion of management time and attention. If we are unable to achieve our objectives within the anticipated time frame, or at all, the expected benefits may not be realized fully or at all, or may take longer to realize than expected, which could have an adverse effect on our business, financial condition and results of operations.
Our business and operations expose us to numerous legal and regulatory requirements, and any violation of these requirements could harm our business.
We are subject to numerous federal and state legal requirements on matters as diverse as data privacy and protection, employment and labor relations, immigration, taxation, anticorruption, import/export controls, trade restrictions, internal and disclosure control obligations, securities regulation and anti-competition. Compliance with diverse and changing legal requirements is costly, time-consuming and requires significant resources. We also conduct business in certain identified growth areas, such as health information technology, which are highly regulated and may expose us to increased compliance risk. Violations of one or more of these diverse legal requirements in the conduct of our business could result in significant fines and other damages, criminal sanctions against us or our officers, prohibitions on doing business and damage to our reputation. Violations of these regulations or contractual obligations related to regulatory compliance in connection with the performance of customer contracts could also result in liability for significant monetary damages, fines and/or criminal prosecution, unfavorable publicity and other reputational damage, restrictions on our ability to compete for certain work and allegations by our customers that we have not performed our contractual obligations.
We will need additional capital in the future and, if such capital is not available on terms acceptable to us or available to us at all, this may impact our ability to continue to grow our business operations.
We will need capital in the future to expand our business operations. We cannot be certain that additional capital will be available on terms acceptable to us or available to us at all. In the event we are unable to raise capital, we may not be able to:
| · | develop or enhance our service offerings; |
| · | take advantage of future opportunities; or |
| · | respond to customers and competition. |
Risks Related to the Market for Our Securities
Because the public market for shares of our Common Stock is limited, stockholders may be unable to resell their shares of Common Stock.
Currently, there is only a limited public market for our Common Stock on the NYSE American and our stockholders may be unable to resell their shares of Common Stock. As of December 31, 2021, the average daily trading volume of our Common Stock was not significant, and it may be more difficult for our stockholders to sell their shares in the future, if at all. Historically, the effects have not been significant, but this could change.
The development of an active trading market depends upon the existence of willing buyers and sellers who are able to sell shares of our Common Stock as well as market makers willing to create a market in such shares. Under these circumstances, the market bid and ask prices for the shares may be significantly influenced by the decisions of the market makers to buy or sell the shares for their own account. Such decisions of the market makers may be critical for the establishment and maintenance of a liquid public market in our Common Stock. Market makers are not required to maintain a continuous two-sided market and are free to withdraw quotations at any time. We cannot assure our stockholders that an active public trading market for our Common Stock will develop or be sustained.
The price of our Common Stock may be volatile and could decline in value, resulting in loss to our stockholders.
The market for our Common Stock is volatile, having ranged from January 1, 2021, through December 31, 2021 from a low of $1.24 to a high of $2.86 per share. The market price for our Common Stock has been, and is likely to continue to be, volatile. Due in part to the outbreak of Covid-19, our Common Stock, and the stock market as a whole, has recently experienced substantial volatility. The following factors, among others, may cause significant fluctuations in the market price of shares of our Common Stock:
| · | fluctuations in our quarterly revenues and earnings or those of our competitors; |
| · | variations in our operating results compared to levels expected by the investment community; |
| · | changes in senior management or members of the Board of Directors; |
| · | announcements concerning us, our competitors or our customers; |
| · | announcements of technological innovations; |
| · | sale or purchases of shares by traders or other investors; |
| · | market conditions in the industry; and |
| · | the conditions of the securities markets. |
The factors discussed above may depress or cause volatility of our share price, regardless of our actual operating results. The stock market has recently experienced extreme price and volume fluctuations. The market prices of securities of companies have experienced fluctuations that often have been unrelated or disproportionate to their results of operations. Market fluctuations could result in extreme volatility in the price of shares of our Common Stock, which could cause a decline in the value of your investment. Price volatility may be greater if the public float and trading volume of shares of our Common Stock is low. In addition, the highly volatile nature of our stock price may cause investment losses for our stockholders. In the past, securities class action litigation has often been brought against companies following periods of volatility in the market price of their securities. If securities class action litigation is brought against us, such litigation could result in substantial costs while diverting management’s attention and resources.
There are a large number of shares of Common Stock that may be issued or sold, and if such shares are issued or sold, the market price of our Common Stock may decline.
As of December 31, 2021, we had 13,248,024 shares of our Common Stock outstanding and 33,333,333 shares authorized.
If all warrants, options and restricted stock grants outstanding as of December 31, 2021, are exercised prior to their expiration, up to approximately 2.2 million additional shares of Common Stock could become freely tradable. Such sales of substantial amounts of Common Stock in the public market could adversely affect the prevailing market price of our Common Stock and could also make it more difficult for us to raise funds through future offerings of Common Stock.
We will require additional funding in the future, which may not be available to us on acceptable terms, or at all.
We believe we will need to raise additional capital in order to achieve our business objectives. Until we generate a sufficient amount of revenue to finance our cash requirements, we may finance future cash needs through public or private equity offerings, debt financings or strategic collaborations. We do not know whether additional funding will be available on acceptable terms, or at all. If we are not able to secure additional funding when needed, we may have to delay, reduce the scope of or eliminate one or more of our business objectives. To the extent that we raise additional funds by issuing equity securities, our stockholders may experience significant dilution; and debt financing, if available, may involve restrictive covenants that limit our operations. If we enter into certain private placement transactions that include registration rights, we may be obligated to file one or more additional registration statements.
Our stockholders may experience dilution.
We anticipate that we may raise substantial additional capital to achieve our business objectives through public and private offerings. We have an effective shelf registration statement under which we have raised $3.5 million, with the ability to raise additional capital through the issuance of equity or debt securities subject to the rules and regulations of the Securities Act. We cannot assure you that we will be able to sell shares or other securities in any offering at a price per share that is equal to or greater than the price per share paid by investors in previous offerings, and investors purchasing shares or other securities in the future could have rights superior to existing stockholders. The price per share at which we sell additional shares of our Common Stock or other securities convertible into or exchangeable for our Common Stock in future transactions may be higher or lower than the price per share in previous offerings. The future issuance of the Company’s equity securities will further dilute the ownership of our outstanding Common Stock. Additionally, we have a one-year $1.4 million maximum contingent earnout obligation to the shareholders of Backbone Consulting, Inc. related to our acquisition that allows the Company to settle this obligation with shares of common stock at the fair market value on the date earned. The market price of our Common Stock has been, and may continue to be, highly volatile, and such volatility could cause the market price of our Common Stock to decrease and could cause stockholders to lose some or all of their investment in our Common Stock.
We may not be able to maintain our NYSE American listing
Our common stock has been listed on the NYSE American since 2017. If we are unable to satisfy the continued listing standards of the NYSE American, which include, among others, minimum stockholders’ equity, market capitalization, pre-tax income and per share sales price, our common stock may be delisted. If our common stock is delisted, we would be forced to have our common stock quoted on the OTC Markets or some other quotation medium, depending on our ability to meet the specific requirements of those quotation systems. In that case, we may lose some or all of our institutional investors and selling our common stock on the OTC Markets would be more difficult because smaller quantities of shares would likely be bought and sold and transactions could be delayed. These factors could result in lower prices and larger spreads in the bid and ask prices for shares of our common stock. If this happens, we will have greater difficulty accessing the capital markets to raise any additional necessary capital.
General Risk Factors
It may be difficult for a third party to acquire us even if doing so would be beneficial to our stockholders.
Some provisions of our Certificate of Incorporation, as amended, and Bylaws, as amended, as well as some provisions of Delaware, Texas, Minnesota or California law, may discourage, delay or prevent third parties from acquiring us, even if doing so would be beneficial to our stockholders.
As a public company, we are subject to complex legal and accounting requirements that will require us to incur significant expenses.
As a public company, we are subject to numerous legal and accounting requirements that do not apply to private companies. The cost of compliance with many of these requirements is material, not only in absolute terms but, more importantly, in relation to the overall scope of the operations of a small company. The cost of such compliance may prove to be a substantial competitive disadvantage vis-à-vis our privately held and larger public competitors.
The impact of any deterioration of the global credit markets, financial services industry and U.S. economy may negatively affect our business and our ability to obtain capital, if needed.
A deterioration in the global credit markets, the financial services industry and the U.S. economy could result in a period of substantial turmoil. The impact of these events on our business and the severity of an economic crisis is uncertain. It is possible that a crisis in the global credit markets, the financial services industry or the U.S. economy could adversely affect our business, vendors and prospects as well as our liquidity and financial condition. This could impact our ability to increase our customer base and generate positive cash flows. Although we have been able to raise additional working capital through convertible note agreements and private placement offerings of our Common Stock in the past, and obtain debt financing on reasonable terms, we may not be able to continue this practice in the future or we may not be able to obtain additional working capital through other debt or equity financings. In the event that sufficient capital cannot be obtained, we may be forced to minimize growth to a point that would be detrimental to our business development activities. These courses of action may be detrimental to our business prospects and result in material charges to our operations and financial position. In the event that any future financing should take the form of the sale of equity securities, the current equity holders may experience dilution of their investments.
Natural disasters, public health crises, and other events beyond our control could negatively impact us and/or our suppliers or customers.
We are subject to the risk of disruption by earthquakes, floods and other natural disasters, fire, power shortages, geopolitical unrest, war, terrorist attacks and other hostile acts, public health issues, epidemics or pandemics and other events beyond our control and the control of the third parties on which we depend. Any of these catastrophic events, whether in the United States or abroad, may have a strong negative impact on the global economy, our employees, facilities, partners, suppliers, distributors or customers, and could decrease demand for our products and services, create delays and inefficiencies in our supply chain and make it difficult or impossible for us to deliver products or services to our customers. For example, the 2019 outbreak of a novel strain of coronavirus originating in Wuhan, China, that has since spread across the globe in which we and our customers operate, including the United States. This outbreak has resulted in disruptions to our and our customer’s supply chain and business operations. Global health concerns, such as coronavirus, have resulted in social, economic, and labor instability in the countries in which we or our customers and suppliers operate. These uncertainties could continue to have a material adverse effect on our business and our results of operation and financial condition. In addition, a catastrophic event that results in the destruction or disruption of our data centers or our critical business or information technology systems would severely affect our ability to conduct normal business operations and, as a result, our operating results would be adversely affected
The forward-looking statements contained in this Annual Report may prove incorrect.
This Annual Report contains certain forward-looking statements. These forward-looking statements are based largely on our current expectations and are subject to a number of risks and uncertainties. Actual results could differ materially from these forward-looking statements. In addition to the other risks described elsewhere in this “Risk Factors” discussion, important factors to consider in evaluating such forward-looking statements include: (i) changes to external competitive market factors or in our internal budgeting process which might impact trends in our results of operations; (ii) anticipated working capital or other cash requirements; (iii) changes in our business strategy or an inability to execute our strategy due to unanticipated changes in our industry; and (iv) various competitive factors that may prevent us from competing successfully in the marketplace. In light of these risks and uncertainties, many of which are described in greater detail elsewhere in this “Risk Factors” discussion, there can be no assurance that the events predicted in forward-looking statements contained in this Annual Report will, in fact, transpire. Any negative change in the factors listed above could adversely affect the financial condition and operating results of the Company and its products and services.