Interim Results

27 September 2021 – London, UK - Crossword Cybersecurity Plc (AIM:CCS, “Crossword”, the “Company” or the “Group”), the technology commercialisation company focused solely on cyber security and risk, today announces its unaudited interim results for the 6 months ended 30 June 2021.

Financial Highlights:

• Total revenue increased by 22% to £824,923.

• Product and Consulting revenue increased by 30% over the same period in the prior year.

• Consulting recurring revenue increased by more than 85% over the same period in the prior year.

• Total comprehensive loss for the period was £1,546,188, an increase of £152,995 over the same period in the prior year. The increase is due to additional overheads, particularly for legal and professional fees, as a result of corporate activities such as fund raise, acquisition, and share split, during the period.

• Cash and Cash Equivalents at 30 June 2021 were £682,407.

Operational Highlights:

• Launched Rizikon to the 10,000 Chartered Institute of Information Security members.

• Continued the roll out of Rizikon with our membership body program, to increase Rizikon market penetration.

• Tenfold increase in number of Rizikon users, c300, assessing nearly 4,000 suppliers.

• Commenced work with University of Glasgow on Privacy Governance Software.

• Launched the InnovateUK funded project to investigate Manufacturing Supply Chain Risk with Liverpool John Moores University.

• Crossword’s cyber security consulting division continued to grow in a range of high-profile sectors and to drive recurring revenue.

• Crossword completed £1.6m equity fundraise through a placing and subscription of Crossword Ordinary Shares at a price of 260 pence per share.

• Completed a 10:1 share split to support share liquidity giving the Company a post share split price of 42 pence.

• Tara Cemlyn-Jones and Robert Coles joined the board of the Company as non-executive directors.

• Acquired Verifiable Credentials Limited, adding ‘Identiproof’ to the product portfolio.

• Signed HOTs with Al-Rawahy Holdings to partner with Crossword in the Gulf region.

Outlook:

• Continuing to drive growth and meet market expectations of 50% revenue growth in 2021.

• Looking ahead the Board is confident of delivering strong revenue growth in FY 2022 taking revenues to £4m.

• In July 2021, undertook an oversubscribed fundraising of approximately £5.0 million at a price of 30 pence per share.

• In August 2021, Crossword acquired Stega UK Limited (“Stega”), the threat intelligence and monitoring company.

• Commenced a pilot of Rizikon with a global Aerospace, Defence and Security company that has over 6,000 suppliers.

• Target over 1,000 organisations using Rizikon to assess over 10,000 suppliers by end 2022.

• Launch Crossword in Oman in H2 2021 in partnership with Al-Rawahy Holdings.

• Taking Identiproof to market as well as continuing product development.

- Ends -

The information contained within this announcement is deemed to constitute inside information as stipulated under the Market Abuse Regulation (EU) No. 596/2014 which is part of UK law by virtue of the European Union (withdrawal) Act 2018. Upon the publication of this announcement, this inside information is now considered to be in the public domain.

Contacts

Crossword Cybersecurity plc – Tel: +44 (0) 20 3953 8460

Email: info@crosswordcybersecurity.com

Tom Ilube, Chief Executive Officer

Mary Dowd, Chief Financial Officer

Grant Thornton (Nominated Adviser) – Tel: +44 (0) 20 7383 5100

Colin Aaronson / Lukas Girzadas

Hybridan LLP (Broker) – Tel: +44 (0)203 764 2341

Claire Louise Noyce

For media enquiries contact:

Duncan Gurney, GingerPR

duncan@gingerpr.co.uk - Tel: +44 (0)1932 485 300

About Crossword Cybersecurity plc

Crossword Cybersecurity plc focuses on the development and commercialisation of university research-based cyber security and risk management related software and cyber security consulting. The Group’s specialist cyber security product development and software engineering teams work with its university partners to develop the research concept into a fully-fledged commercial product that it will then take to market. The Group’s aim is to build up a portfolio of revenue generating, intellectual property based, cyber security products. Rizikon Assurance, Crossword’s leading product, is a SaaS platform that enables medium to large companies to assess and manage all risks from their suppliers. Nixer CyberML, another Crossword product, is a new tool for businesses that want to solve advanced security and cybercrime problems, such as detecting and dealing with compromised accounts, fraud, and in-application denial of service attacks. Identiproof, Crossword’s most recent product, is the World Wide Web Consortium (W3C) verifiable credentials compatible middleware and wallet technology. Crossword’s team of expert cyber security consultants leverages years of experience in national security, defence and commercial cyber intelligence and operations to provide bespoke advice tailored to its clients’ business needs, including threat monitoring.

Chief Executive Officer’s review

Crossword Cybersecurity plc (“Crossword”, “the Company” or “the Group”) got off to a strong start in the first half of 2021 as the economy and society more broadly started to bounce back after the challenges of 2020.

In the period to 30 June 2021, Crossword continued to grow both product and consulting revenue. As well as making one important acquisition during the period and one shortly after, Crossword progressed plans to expand internationally and strengthened its balance sheet to ensure that the Group is properly funded to support future growth. In the period under review, Group revenue grew by 22% compared with H1 2020, with product and consulting revenue increasing by 30% compared with the same period last year.

Both throughout the pandemic and as the economy recovers, cyber security challenges continue to drive demand for Crossword’s products. Over recent years, the cost of breaches has consistently risen in parallel with the growth of cyber security incidents, which has in turn driven demand for Crossword’s products. Whilst discretionary expenditure has been cut back by many organisations, there are still aspects of cyber security that are not considered discretionary, and investment continues in these areas.

The UK Government highlighted in the Department for Digital, Culture, Media and Sport’s, Cyber Security Breaches Survey, the increasing importance of cyber security to organisations, reporting that 77% of businesses say cyber security is a high priority for their senior management boards. 39% of businesses that took part in the survey, completed in March 2021, identify breaches or attacks, and of these, one in five (21%) have experienced a loss of money, material assets or data. The level of risk, however, has possibly increased as a result of COVID-19 as businesses have found it harder to administer cyber security measures during the pandemic. The recent SolarWinds attack where hackers gained sprawling remote access to monitor business and government computer networks, cost at least $18m in the first quarter of 2021. The Microsoft warning to Office365 customers of a widespread credential phishing campaign targeting passwords using Google reCAPTCHA pages, highlights the threat and sophistication of such cybercrime realities.

Rizikon Assurance, our Software as a Service (SaaS) supplier risk assessment platform based on a recurring revenue model, addresses supply chain risks which is a rapidly growing challenge for organisations across all sectors. The European Union Agency for Cyber Security concluded in a recent report that supply chain cyber security attacks are expected to quadruple in 2021 compared to last year. The report analysed 24 supply chain attacks and found that ‘attackers are exploring new potential highways to infiltrate organisations by targeting their suppliers’. Attackers focused on suppliers’ software in about 66% of the reported incidents and for about 58% of the incidents, the assets targeted were predominantly customer data and intellectual property. Rizikon helps organisations mitigate these supply chain risks.

Following the launch of Rizikon Pro in the second half of 2020, Crossword entered into a number of partnership agreements to roll out Rizikon at scale. This has been extremely successful with the number of organisations using Rizikon growing tenfold to over 300. These businesses are currently using the platform to assess nearly 4,000 suppliers between them. Partnerships with membership bodies, such as the Chartered Institute of Information Security with 10,000 members, are yielding positive results and ensuring that Rizikon is one of the leading platforms in this rapidly growing area.

Crossword continues to collaborate with leading security reseller and managed security services provider Satisnet Limited, as well as with Leonardo MW, the global aerospace, defence and security contractor and NCC Group, the leading information assurance group to provide Rizikon to their clients. Through our partners we have added new Rizikon clients both within and outside the UK, including as far afield as Australia.

In the first half of the year, we completed our first acquisition, Verifiable Credentials Ltd, adding its product ‘Identiproof’ to Crossword’s product portfolio. Verifiable Credentials Ltd was founded by Professor David Chadwick, a global authority in the domain of digital credentials and certificates and the co-author of the W3C’s international veritable credential standard. Identiproof increases Crossword’s cybersecurity portfolio to three products alongside Rizikon and Nixer. Nixer is Crossword’s machine learning based product designed to defend against cyber attack tools such as credential stuffing. Our aim is to assemble a portfolio of five cyber security products by the end of 2022.

Crossword commenced work with the University of Glasgow on a new software product aimed at Privacy Governance, based on academic research at that university. Crossword also commenced a major project with Liverpool John Moores University, funded by InnovateUK, to investigate manufacturing supply chain risk. This project is being very well received by industry as it transforms the understanding of risk in complex cross-sector supply chains and has the potential to become a significant area of development in 2022.

Crossword’s Consulting division’s strong franchise in the insurance, legal and financial services sectors continues to deliver excellent results. Its recurring revenue vCISO service (virtual Chief Information Security Officer) offering has driven Consulting’s overall recurring revenue up by more than 85% over the same period last year. As well as a developing a range of high growth clients, the Consulting team is building long term, trusted relationships with a number of larger, Fortune 500 and FTSE 250 companies.

As part of its plans to expand outside of the UK, Crossword signed Heads of Terms with a major Oman based industrial group, Al-Rawahy Holdings, to partner with Crossword in Oman and the wider Gulf region.

On the corporate front, in February Crossword completed a £1.6m equity fundraise through a placing and subscription of Crossword Ordinary Shares at a price of 260 pence per share and carried out a 10:1 share split to support liquidity at a post split price of 42 pence.

With two directors, Professor David Stupples and Gordon Matthew stepping down from the Board, we were delighted to welcome Tara Cemlyn-Jones and Dr Robert Coles to the Board. Tara is an experienced investment banker, M&A specialist and corporate strategist and Robert is an industry leading CISO, who has been involved with Crossword for several years, chairing its fast growing Consulting business as well as its Advisory Board. Following his appointment to Crossword’s Board, Dr Coles stepped down from his role as Chair of the Advisory Board. Alison Dyer, Chief Information Security Officer at URENCO and former Director at GlaxoSmithKline (GSK), has since joined the Crossword Advisory Board as Chair.

Following the period, in July 2021, Crossword completed an oversubscribed fundraising of £5 million at a price of 30 pence per share, a price 15% higher than the £1.6m fundraise executed in February. This latest funding round puts the Group in a strong position to deliver on its future organic growth plans.

In August, Crossword completed its second acquisition of the year, acquiring Stega UK Limited, the threat intelligence and monitoring company with a specialist technical team, a unique monitoring and managed services platform and a range of financial services clients. Along with integrating Stega, the Group is busy taking its new product, Identiproof, to market.

Having successfully acquired and integrated two complementary product and services cyber security companies, Crossword will be actively looking for opportunities to execute more deals of this type in the future. In the meantime, the Group is working to deliver significant expansion of the Rizikon user base, with a target of over 1,000 organisations using Rizikon to assess over 10,000 suppliers by the end of 2022. Rizikon is currently being trialled by a global Aerospace, Defence and Security company that itself has over 6,000 suppliers. Before the end of 2021, Crossword also expects to launch Rizikon and the full range of the Group’s products and services in Oman with its partner, Al-Rawahy Holdings LLC, with a view to rolling out both in Oman and the wider Gulf region.

Outlook

Cash at 31 August was £4.1 million. With the team we have in place and a strengthened balance sheet, Crossword will continue to drive growth and expects to meet market expectations of 50% revenue growth in 2021. Looking towards 2022, the Board is confident of delivering further growth, taking revenue to £4m for that year.

Notes to the Financial Information

The group and its operations

Crossword Cybersecurity plc (the “Company”) is a company incorporated on 6 March 2014 in the United Kingdom under the Companies Act 2006. The Company is the parent company of the Crossword group of Companies focusing on the cybersecurity sector. The principle activities are the development and commercialisation of university research-based cyber security related software and cybersecurity consulting.

The financial information includes the results of the Company and its subsidiaries (together referred to as the “Group” and individually as “Group entities”.

Basis of preparation of financial information

The financial information has been prepared in accordance with the requirements of the London Stock Exchange plc AIM Rules for Companies ("AIM Rules") and in accordance with International Financial Reporting Standards (“IFRS”) in conformity with the requirements of the Companies Act 2006 applicable to companies reporting under IFRS. As permitted, this Half Yearly Financial Report has been prepared in accordance with the AIM Rules and not in accordance with IAS 34 ‘Interim Financial Reporting'. The financial information has been prepared on the historical cost basis, except for accounting for business combinations. The preparation of financial information in conformity with IFRS requires the use of certain critical accounting estimates. It also requires management to exercise its judgement in the process of applying the Group’s accounting policies. Changes in assumptions may have a significant impact on the financial information in the year the assumptions changed. Management believes that the underlying assumptions are appropriate.

The financial information does not comprise statutory accounts within the meaning of section 435 of the Companies Act 2006. The financial information together with the comparative information for the six months ended 30 June 2020 are unaudited with the audited information included for the 12 month period ended 31 December 2020. The audited information received an audit report which was unmodified and did not include a statement under section 498(2) or section 498(3) of the Companies Act 2006. The audit report for the 12 month period ended 31 December 2020 included an emphasis of matter relating to going concern.

The financial information was approved by the Board of Directors on 24 September 2021 and authorised for issue on 27 September 2021.

The accounting policies used in the preparation of the financial information for the six months ended 30 June 2021 are in accordance with the recognition and measurement criteria of the International Financial Reporting Standards in conformity with the requirements of the Companies Act 2006 and are consistent with those which will be adopted in the annual financial statements for year ending 31 December 2021.

These Interim Financial Statements have been prepared in accordance with the accounting policies, methods of computation and presentation adopted in the financial statements for the year ended 31 December 2020.

During the period the Group has developed a new accounting policy in relation to capitalisation and amortisation of intangible assets. Expenditure on research is written off in the period in which it is incurred. Development expenditure incurred on specific projects is capitalised where the Board is satisfied that the following criteria have been met:

• it is technically feasible to complete the software product so that it will be available for use;

• management intends to complete the software product and use or sell it;

• there is an ability to use or sell the software product;

• it can be demonstrated how the software product will generate probable future economic benefits;

• adequate technical, financial and other resources to complete the development and to use or sell the software product are available; and

• the expenditure attributable to the software product during its development can be reliably measured.

Directly attributable costs that are capitalised as part of the software product include the software development employee costs and an appropriate portion of relevant overheads.

Other development expenditures that do not meet these criteria are recognised as an expense as incurred.

Computer software development expenditure recognised as assets is amortised on a straight-line basis over their estimated useful lives, which does not exceed 5 years.

Following a completion of a successful fundraise in July 2021, the directors have concluded that the group has sufficient cash resources for the foreseeable future. Accordingly, they continue to adopt the going concern basis in preparing the half-yearly consolidated unaudited financial statements.

Basis of consolidation

Subsidiaries are fully consolidated from the date on which control is transferred to the Group. Control exists when then the Group has the power, directly or indirectly, to govern the financial and operating policies of an entity so as to obtain benefits from its activities.

All intra-group transactions, balances, income and expenses are eliminated on consolidation. Uniform accounting policies are applied by the Group entities to ensure consistency.

Business combinations

The purchase method of accounting is used to account for the acquisition of subsidiaries by the Group. The cost of acquisition is measured at fair value, which is calculated as a sum of the acquisition date fair values of the assets transferred, liabilities incurred or assumed, and equity instruments issued by the Group in exchange for control in the acquiree.

On 26 May 2021 the Company announced its acquisition of the whole of the share capital of Verifiable Credentials Limited (VCL), the provider of Identiproof™, the World Wide Web Consortium (W3C) verifiable credentials compatible middleware and wallet technology.

The Share Purchase Agreement establishes a total consideration of up to £2.75m for VCL, structured as an initial payment of £100k cash and £300k in Company shares - £150k issued on completion and £150k due on the first anniversary of completion, followed by an additional contingent consideration payable on the first and second anniversaries of the transaction, subject to achieving various revenue targets and signing a commercial licence deal, capped at £2.35m.

The initial accounting for the business combination has been recorded using provisional amounts due to the commercial exploitation of Identiproof being in its early stages and difficulties in determination of reliable forecasts of future cash flows of the product. The Group has recognised Intangible assets acquired as a sum of book value of £127k and a fair value uplift of £382k, which takes into account consideration paid and deferred (the latter discounted at the rate of 15% per annum), but not a contingent consideration. The provisional amounts will be reassessed within twelve months of the date of the business combination

Revenue

Revenue comprises the fair value of consideration received or receivable for licence income and the rendering of services in the ordinary course of the Group’s activities. Revenue is shown net of value added tax and trade discounts. Income is reported as follows:

(a) Licence income

Technology and product licensing revenue represents amounts earned for licenses granted under licensing agreements, including up-front payments. Revenues relating to up-front payments are recognised when the obligations related to the revenues have been completed. Revenues for maintenance and support services are recognised in the accounting periods in which the services are rendered.

(b) Rendering of Services

Services relate to implementation and deployment fees for the technology and products licensed to customers. Revenue is recognised in the accounting periods in which the services are rendered.

Revenue and segmental information

An analysis of the Group's revenue for each period for its continuing operations, is as follows:

The IFRS 8 Operating segments requires the Group to determine its operating segments based on information which is provided internally. Based on the internal reporting information and management structures within the Group, it has been determined that there are two geographic operating segments (UK and Poland) supported by one centralised cost segment (UK and Poland) and one revenue segment (UK). Reporting on this basis is reviewed by the Board of directors which is the chief operating decision-maker and is responsible for the strategic decision-making of the Group. No analysis of net assets by geographic segment is provided as the net assets are principally all within the UK.

Share sub-division

On 25 May 2021 the Shareholders of the Company passed a resolution to sub-divide each existing Ordinary Share of 5p into 10 new ordinary shares of 0.5p each.

Share Options

5,650 share options were issued by Crossword Cybersecurity plc in the period up to 30 June 2021, with total options issued amounted to 2,033,880. The fair value of these share options is calculated by the Company using the binomial option valuation model. The expense, where material, is recognised on a straight-line basis over the period from the date of award to the date of vesting, based on the Company’s best estimate of the number of shares that will eventually vest.

Loss per Share

Earnings per share is calculated by dividing the loss for the period attributable to ordinary equity shareholders of the parent by the weighted average number of ordinary shares outstanding during the year. During the period the calculation was based on the loss for the period of £1,542,060 (full year 2020: £2,249,707) divided by the weighted average number of ordinary shares of 56,225,376 (full year 2020: 49,819,800 (restated following a share sub-division in 2021)).

Subsequent events

On 28 July 2021 the Company announced that it had undertaken an oversubscribed fundraising of approximately £5.0 million through a placing and subscription of Crossword ordinary shares of 0.5p each at a price of 30 pence per share.

Following the placing of 16,083,331 Ordinary Shares and subscription of 583,333 Ordinary Shares from new and existing institutional shareholders, the Company intends to apply the proceeds of the fundraising to increase sales and marketing resource, for product development and support and for general working capital purposes. The placing price represents a 23% discount to the closing mid-price on 27 July 2021.

On 9 August 2021 the Company announced acquisition of the whole of the share capital of Stega UK Limited, the threat intelligence and monitoring company. The acquisition brings the additional capability of threat intelligence and monitoring services, using its sophisticated in-house platform. The Company has agreed to pay a total consideration of up to £1.8m for Stega, subject to achieving revenue growth targets.

On 10 August 2021 the Company announced that it had granted 277,923 options comprising 172,500 options under the Company’s Enterprise Management Incentive Scheme and 105,423 options under the Non-Tax Advantaged Plan to acquire ordinary shares of 0.5p each in the Company at an exercise price of 35.5p per share. The options vest in three equal tranches on the first, second and third anniversary of the date of grant.