10-K 2019


UNITED STATES

SECURITIES AND EXCHANGE COMMISSION

Washington, D.C.20549

FORM 10-K

[X]

ANNUAL REPORT PURSUANT TO SECTION 13 OR 15(D) OF THE SECURITIES EXCHANGE ACT OF 1934

For the fiscal year ended December 31, 2019.

[  ]

TRANSITION REPORT PURSUANT TO SECTION 13 OR 15(D) OF THE SECURITIES EXCHANGE ACT OF 1934

For the transition period from _____ to _____

Commission File Number: 000-27507

CYNERGISTEK, INC.

(Exact name of registrant as specified in its charter)

Delaware

37-1867101

(State or other jurisdiction of incorporation or organization)

(I.R.S. Employer
Identification No.)

11940 Jollyville Road, Suite 300N, Austin Texas, 78759

(Address of principal executive offices) (Zip Code)

(512) 402-8550

(Registrant’s telephone number, including area code)

Securities registered under Section 12(b) of the Act:

Title of Class

Trading Symbol

Name of each exchange on which registered

Common Stock, $0.001 par value per share

CTEK

NYSE American

Securities registered under Section 12(g) of the Act: None

Indicate by check mark if the registrant is a well-known seasoned issuer, as defined in Rule 405 of the Securities Act. Yes [  ] No [X]

Indicate by check mark if the registrant is not required to file reports pursuant to Section 13 or Section 15(d) of the Act. Yes [  ] No [X]

Indicate by check mark whether the registrant (1) has filed all reports required to be filed by Section 13 or 15(d) of the Securities Exchange Act of 1934 during the preceding 12 months (or for such shorter period that the registrant was required to file such reports), and (2) has been subject to such filing requirements for the past 90 days.
Yes [X] No [  ]

Indicate by check mark whether the registrant has submitted electronically every Interactive Data File required to be submitted pursuant to Rule 405 of Regulation S-T (§232.405 of this chapter) during the preceding 12 months (or for such shorter period that the registrant was required to submit such files). Yes [X] No [  ]




Indicate by check mark whether the Registrant is a large accelerated filer, an accelerated filer, or a non-accelerated filer. See definition of “accelerated filer” and “large accelerated filer” in Rule 12b-2 of the Exchange Act.

Large accelerated filer  ¨

Accelerated filer  ¨

Non-accelerated filer  ý

Smaller reporting company  ý

Emerging growth company  ¨

Indicate by check mark whether the registrant is a shell company (as defined in Rule 12b-2 of the Act).
Yes [  ] No [X]

If an emerging growth company, indicate by check mark if the registrant has elected not to use the extended transition period for complying with any new or revised financial accounting standard provided pursuant to Section 13(a) of the Exchange Act.

The aggregate market value of the registrant’s common stock, $0.001 par value per share (“Common Stock”), held by non-affiliates of the registrant on June 30, 2019, the last business day of the registrant’s most recently completed second fiscal quarter, was approximately $44.0 million (based on the average bid price of the Common Stock on that date). Shares of Common Stock held by each officer and director and each person known to the registrant to own 10% or more of the outstanding voting securities of the registrant were excluded in that such persons may be deemed to be affiliates. This determination of affiliate status is not a determination for other purposes. The registrant has one class of securities, its Common Stock.  

As of March 30, 2020, the registrant had 10,379,164 shares of Common Stock outstanding.

DOCUMENTS INCORPORATED BY REFERENCE.

Part III incorporates by reference certain information from the registrant’s definitive proxy statement (the “Proxy Statement”) for the 2020 Annual Meeting of Stockholders.




CYNERGISTEK, INC.

ANNUAL REPORT ON FORM 10-K
FOR THE FISCAL YEAR ENDED DECEMBER 31, 2019

TABLE OF CONTENTS

Page

PART I

ITEM 1.

BUSINESS

1

ITEM 1A.

RISK FACTORS

4

ITEM 1B.

UNRESOLVED STAFF COMMENTS

12

ITEM 2.

PROPERTIES

12

ITEM 3.

LEGAL PROCEEDINGS

13

ITEM 4.

MINE SAFETY DISCLOSURES

13

PART II

ITEM 5.

MARKET FOR REGISTRANT’S COMMON EQUITY, RELATED STOCKHOLDER MATTERS AND ISSUER PURCHASES OF EQUITY SECURITIES

13

ITEM 6.

SELECTED FINANCIAL DATA

14

ITEM 7.

MANAGEMENT’S DISCUSSION AND ANALYSIS OF FINANCIAL CONDITION AND RESULTS OF OPERATIONS

14

ITEM 7A.

QUANTITATIVE AND QUALITATIVE DISCLOSURES ABOUT MARKET RISK

20

ITEM 8.

FINANCIAL STATEMENTS AND SUPPLEMENTARY DATA

20

ITEM 9.

CHANGES IN AND DISAGREEMENTS WITH ACCOUNTANTS ON ACCOUNTING AND FINANCIAL DISCLOSURE

21

ITEM 9A.

CONTROLS AND PROCEDURES

21

ITEM 9B.

OTHER INFORMATION

22

PART III

ITEM 10.

DIRECTORS, EXECUTIVE OFFICERS AND CORPORATE GOVERNANCE

23

ITEM 11.

EXECUTIVE COMPENSATION

23

ITEM 12.

SECURITY OWNERSHIP OF CERTAIN BENEFICIAL OWNERS AND MANAGEMENT AND RELATED STOCKHOLDER MATTERS

23

ITEM 13.

CERTAIN RELATIONSHIPS AND RELATED TRANSACTIONS AND DIRECTOR INDEPENDENCE

23

ITEM 14.

PRINCIPAL ACCOUNTING FEES AND SERVICES

24

PART IV

ITEM 15.

EXHIBITS, FINANCIAL STATEMENT SCHEDULES

24

ITEM 16.

FORM 10-K SUMMARY

26


i


Table of Contents


Cautionary Note Regarding Forward-Looking Statements

From time to time, we and our representatives may provide information, whether orally or in writing, including certain statements in this Annual Report on Form 10-K (this “Annual Report”), which are deemed to be “forward-looking” within the meaning of Section 27A of the Securities Act of 1933, as amended (the “Securities Act”) and Section 21E of the Securities Exchange Act of 1934, as amended (the “Exchange Act”), that concern matters that involve risks and uncertainties which could cause actual results to differ materially from those projected in the forward-looking statements. These forward-looking statements are intended to qualify for the safe harbor from liability established by the Private Securities Litigation Reform Act of 1995 (the “Litigation Reform Act”) and are based on our beliefs as well as assumptions made by us using information currently available. All statements other than statements of historical fact contained in this Annual Report, including statements regarding future events, our future financial performance, our future business strategy and the plans and objectives of management for future operations, are forward-looking statements. The words “anticipate,” “believe,” “estimate,” “expect,” “intend,” “will,” “should” and similar expressions, as they relate to us, are intended to identify forward-looking statements. Such statements reflect our current views with respect to future events and are subject to certain risks, uncertainties and assumptions as more particularly described in the “Risk Factors” section of this Annual Report. For example, due to the recent outbreak of coronavirus, the United States economy has experienced substantial turmoil that has, and will likely continue to, cause disruptions to our and our customer’s supply chain and business operations, as well as social, economic, and labor instability. Should one or more of these risks or uncertainties materialize, or should underlying assumptions prove incorrect, actual results may vary materially from those described herein as anticipated, believed, estimated, expected or intended or using other similar expressions. In accordance with the provisions of the Litigation Reform Act, we are making investors aware that such forward-looking statements, because they relate to future events, are by their very nature subject to many important factors that could cause actual results to differ materially from those contemplated by the forward-looking statements contained in this Annual Report, any exhibits to this Annual Report and other public statements we make. Such factors are set forth in the “Business” section, the “Risk Factors” section, the “Legal Proceedings” section, the “Management’s Discussion and Analysis of Financial Condition and Results of Operations” section and other sections of this Annual Report, as well as in our Quarterly Reports on Form 10-Q and Current Reports on Form 8-K. We expressly disclaim any intent or obligation to update any forward-looking statements after the date hereof to conform such statements to actual results or to changes in our opinions or expectations, except as required by applicable law.

PART I

ITEM 1.BUSINESS.

Introduction

CynergisTek, Inc. (including our subsidiaries, CTEK Solutions, Inc., CTEK Security, Inc., Delphiis, Inc. and Backbone Enterprises, Inc.) (referred to collectively in this Annual Report, as “CynergisTek,” the “Company,” “we,” “our” and “us”) is engaged in the business of providing companies with cybersecurity, privacy and compliance services through three-year managed services agreements and short-term consulting and professional services engagements. We primarily serve the healthcare industry and those businesses that support healthcare. Our principal executive offices are located at 11940 Jollyville Road, Suite 300N, Austin, Texas, 78759.

For more information on CynergisTek and our products and services, please see the section entitled “Principal Products or Services” below or visit our website at www.cynergistek.com. The inclusion of our Internet address in this Annual Report does not include or incorporate by reference into this Annual Report any information on our website. Our annual reports on Form 10-K, quarterly reports on Form 10-Q, current reports on Form 8-K, amendments to those reports and other filings with the Securities and Exchange Commission (the “SEC”) are generally available through the EDGAR system maintained by the SEC at www.sec.gov.

Background

CynergisTek, Inc. was originally incorporated under the laws of the State of Nevada on August 29, 1995, under the name Corporate Development Centers, Inc. On April 1, 2004, we acquired Alan Mayo and Associates, Inc. dba The Mayo Group (“TMG”), a managed print company. TMG provided outsourced print management


1


Table of Contents


services to healthcare facilities throughout California. After we acquired TMG, we changed our name to “Auxilio, Inc.” and changed the name of TMG’s former subsidiary to “Auxilio Solutions, Inc.” Effective July 1, 2014, we acquired Delphiis, Inc., a California corporation, which provides IT security consulting services. On April 7, 2015, we acquired certain assets of Redspin, Inc. which provides IT security consulting services. On January 13, 2017, we acquired CynergisTek, Inc., a Texas corporation, which provides IT security consulting services and solutions. On November 1, 2019, we acquired Backbone Enterprises, Inc., a Minnesota corporation, which provides similar services.

Our Common Stock currently trades on the NYSE American under the symbol CTEK.”

Principal Products and Services

We are a top-ranked cybersecurity, privacy and compliance service provider operating under the CynergisTek, Redspin and Backbone Consultants brands. We support the United States healthcare market to help organizations identify and protect against the ever-changing threat factors, to mature their security and privacy programs aligned to the globally recognized NIST frameworks and comply with regulations and standards including the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), Health Information Technology for Economic and Clinical Health Act (“HITECH”) Breach Notification Rule, Federal Trade Commission consumer protection guidelines and state privacy standards.

Our IT Security business founded in 2004, is one of the few consulting and advisory companies focused in the healthcare industry.  Our years of experience of understanding the industry’s unique challenges allows us to provide our customers with services designed around industry best practices and a methodology to evaluate the rigor and effectiveness of their programs to improve security controls, policies and procedures and to protect patient health information. Our team of subject matter experts and consultants are comprised of knowledgeable professionals who have learned their craft both in the classroom and through years of practical on-the-job experience, including as policy makers, attorneys and leaders in cybersecurity, privacy and compliance.

Our services are categorized into four groups which are assessment and audit, technical testing, program development and remediation, and monitoring and advisory services. Fifty percent of these services are delivered under three year recurring managed services agreements with the rest provided under consulting or professional services engagements.

·Assessment and Audit Services – identify and measure security and privacy risk of an organization’s readiness and verify and validate their programs meet compliance and business objectives.

·Technical Testing Services – test the effectiveness of controls in an organization’s environment.

·Program Development and Remediation Services – develop policies and procedures and playbooks to help build out a fully comprehensive risk management program and provide resources to help organizations prioritize, implement and execute initiatives to strengthen their security and privacy programs.

·Monitoring and Advisory Services – provide on-going management and oversight of specific components of an organization’s security and privacy programs to address or give alerts when an issue arises and to offer our expertise that they need to accelerate the effectiveness of their programs.

As of March 20, 2019, the Company was focused exclusively on cybersecurity and privacy. Prior to March 20, 2019, we also provided managed print services (MPS).  See Note 19 regarding discontinued operations.

Competition

The competition in the healthcare industry market for cybersecurity, privacy and compliance services generally come from large or niche consulting and technology firms and regional companies that offer multiple approaches but within a much smaller geographic footprint.  Examples include companies like Deloitte, Dell Secureworks, Fire Eye, Coal Fire, Fortified Health Security, Meditology and Clearwater Consulting.

We believe our analysis of the competitive landscape shows a very strong opportunity to provide the healthcare and adjacent industries with services to support the demand for security and privacy assessments,


2


Table of Contents


program development, offensive security testing and managed services, and we believe that we have a strong competitive position in the marketplace due to several important factors:

·We are not aware of many other vendors or service providers which have the majority of their business dedicated to addressing the healthcare industry. Our expertise and the depth of our client relationships are unmatched in the market.

·We believe our offering provides a unique approach to address workforce and expertise shortages. We are able to deploy knowledgeable resources to perform a predefined security role on-site or virtually for a defined amount of time, which results in our customers receiving staff with expertise they need while controlling their costs.

·We are not restricted to any single supplier, which allows us to bring the best hardware and software solutions to our customers. Our approach is to use the most appropriate technology to provide a superior solution without any prejudice as to manufacturer or developer.

·We believe our relationship with healthcare providers gives us an advantage when targeting the larger pool of potential clients in the business associate category, including leading Electronic Health Record (EHR) providers and medical device manufacturers who have recently been added as clients.

·We have a strong referral base within healthcare as a result of serving more than a thousand hospitals and other healthcare clients under managed services agreements.

·Our employees have a broad experience in and outside of healthcare to bring a wide range of knowledge and best practices. We have employees who formerly worked for the Office of Civil Rights, were Chief Information Security Officers, Chief Information Officers and Chief Compliance Officers at some of the leading healthcare institutions. In addition, our subject matter experts and consultants maintain multiple industry certifications including CISSP, CISM, CGEIT, CRISC, CISA, CBCP, CCIE, CCNP, CCNA, CHPC, CHRC, CHC, CIPP, CHPS, MCSE, SCSA, SCNA, CIA, ISSMP, and ISSAP.

Customers

Most of our customers are considered part of the healthcare industry and third parties who provide services to the healthcare industry but also include customers that operate in a variety of industries, including education, financial services, government, Internet and media, and manufacturing. The loss of any key customer could have a material adverse effect upon our financial condition, business, prospects and results of operation. During the year ended December 31, 2019, our largest customer represented approximately 14% of our revenues.

Intellectual Property

Our success depends in part upon our ability to protect our core intellectual property. We rely on, among other things, confidentiality safeguards and procedures, and employee non-disclosure and invention assignment agreements to protect our intellectual property rights. We also license software from third parties for integration into our procedures, including open source software and other software available on commercially reasonable terms.

We control access to and use of our proprietary information through the use of internal and external controls, including contractual protections with employees, contractors, end-customers and partners, and our intellectual property is protected by U.S. and international trade secret laws. Despite our efforts to protect our proprietary information, unauthorized parties may still copy or otherwise obtain and use our proprietary information without our permission.

We maintain a database that contains the results of our assessment efforts. This allows us to anticipate our customers’ future needs by developing or offering existing services to meet those needs. These databases provide us with exclusive insight into the state of cybersecurity of our customers and the healthcare industry. We consider our intellectual property an important and valuable asset that enhances our competitive position.

We have a registered trademark for the name “CynergisTek” and for the Company’s logo.


3


Table of Contents


Employees

As of December 31, 2019, we had 137 full-time employees and five part-time employees, including 101 employees engaged in providing services, 18 employees engaged in sales and marketing, and 18 employees engaged in general and administrative activities. Our employees are not represented by any collective bargaining agreement, and we have never experienced a work stoppage. We believe our employee relations are good.

ITEM 1A. RISK FACTORS

Before deciding to purchase, hold or sell our Common Stock, you should carefully consider the risks described below in addition to the other information contained in this Annual Report on Form 10-K and in our other filings with the SEC, including subsequent reports on Forms 10-Q and 8-K. The risks and uncertainties not presently known to us or that we currently deem immaterial may also affect our business. If any of these known or unknown risks or uncertainties actually occurs with material adverse effects on CynergisTek, our business, financial condition, results of operations and/or liquidity could be seriously harmed. In that event, the market price of our Common Stock will likely decline, and you may lose all or part of your investment.

Risks Related to Our Industry

We face substantial competition from better established companies that may offer similar products and services at a lower cost to our customers, resulting in a reduction in the sale of our products and services.

The market for our products and services is competitive and is likely to become even more competitive in the future. Increased competition could result in pricing pressures, reduced sales, reduced margins or the failure of our products and services to achieve or maintain market acceptance, any of which would have a material adverse effect on our business, results of operations and financial condition. Many of our current and potential competitors enjoy substantial competitive advantages, such as:

·greater name recognition and larger marketing budgets and resources;

·established marketing relationships and access to larger customer bases;

·substantially greater financial, technical and other resources; and

·larger technical and support staffs.

As a result, our competitors may be able to respond more quickly than we can to new or changing opportunities, technologies, standards or customer requirements. For all of the foregoing reasons, we may not be able to compete successfully against our current and future competitors.

Risks Related to Our Business

Our financial statements have been prepared assuming a going concern.

Our financial statements as of December 31, 2019 were prepared under the assumption that we will continue as a going concern for the next twelve months from the date of issuance of these financial statements. Our ability to continue as a going concern is dependent upon our ability to obtain additional financing, obtain further operating efficiencies, reduce expenditures, grow our security business, and ultimately, create cash flow profitable operations. We may not be able to raise capital or obtain additional capital on reasonable terms. Our financial statements do not include adjustments that would result from the outcome of this uncertainty.

A substantial portion of our business is dependent on our largest customers.

The loss of any key customer could have a material adverse effect upon our financial condition, business, prospects, and results of operation.  Our largest customer represented approximately 14% of our revenues for the year ended December 31, 2019.  A loss of any large customer could have a material impact on our operations that may require us to obtain equity funding or debt financing to continue our operations.  We cannot be certain that we will be able to obtain such financing on commercially reasonable terms, or at all.


4


Table of Contents


Fluctuations in demand for our services and solutions are driven by many factors, and a decrease in demand for our products could adversely affect our financial results.

We are subject to fluctuations in demand for our services and solutions due to a variety of factors, including market transitions, general economic conditions, competition, product obsolescence, technological change, shifts in buying patterns, financial difficulties and budget constraints of our current and potential customers, awareness of security threats to information systems and other factors. While such factors may, in some periods, increase services and solutions, fluctuations in demand can also negatively impact our sales. If demand for our services and solutions declines, whether due to general economic conditions or a shift in buying patterns, our revenues and margins would likely be adversely affected.

Our business may be adversely affected by the recent coronavirus (COVID-19) outbreak.

In December 2019, a novel strain of coronavirus was reported to have surfaced in Wuhan, China. In January 2020, this coronavirus spread to other countries, including the United States, and efforts to contain the spread of this coronavirus intensified. The outbreak and any preventative or protective actions that governments or we may take in respect of this coronavirus may result in a period of business disruption, reduced customer traffic and reduced operations. Any resulting financial impact cannot be reasonably estimated at this time but may materially affect our business, financial condition and results of operations. The extent to which the coronavirus impacts our results will depend on future developments, which are highly uncertain and cannot be predicted, including new information which may emerge concerning the severity of the coronavirus and the actions to contain the coronavirus or treat its impact, among others. Moreover, the coronavirus outbreak has begun to have indeterminable adverse effects on general commercial activity and the world economy, and our business and results of operations could be adversely affected to the extent that this coronavirus or any other epidemic harms the global economy generally.

The impact of any deterioration in the U.S. economy or within the Healthcare industry as a result of the coronavirus outbreak may negatively affect our business.

A deterioration in the U.S. economy or the healthcare industry as a result of the coronavirus outbreak could result in a period of substantial turmoil.  The impact of this event on our business and the severity of an economic crisis is uncertain.  It is possible that a crisis (such as the coronavirus outbreak) in the U.S. economy and the healthcare industry could adversely affect our business, vendors and prospects as well as our liquidity and financial condition.  This could impact our ability to increase our customer base and customers could delay deploying our services which could impact our ability to generate positive cash flows. Our current service offerings and our future growth may be minimized to a point that would be detrimental to our business development activities.  These events would be detrimental to our business prospects and result in material changes to our operations and financial position.

We may be subject to data breaches and cyber-attacks which could materially adversely affect our financial condition, our competitive position and operating results.

Data breaches and cyber-attacks could compromise our trade secrets and other sensitive information, be costly to remediate and cause significant damage to our business and reputation. The secure maintenance of this information is critical to our business and reputation. We believe that companies have been increasingly subject to a wide variety of security incidents, cyber-attacks, hacking and phishing attacks, and other attempts to gain unauthorized access. These threats can come from a variety of sources, all ranging in sophistication from an individual hacker to a state-sponsored attack. Cyber threats may be generic, or they may be custom crafted against our information systems.

Cyber-attacks have become increasingly more prevalent and much harder to detect and defend against. Our network and storage applications, as well as those of our customers, business partners, and third-party providers, may be subject to unauthorized access by hackers or breached due to operator error, malfeasance or other system disruptions. It is often difficult to anticipate or immediately detect such incidents and the damage caused by such incidents. These data breaches and any unauthorized access, misuse or disclosure of our information or intellectual property could compromise our intellectual property and expose sensitive business information. Cyber-attacks on us


5


Table of Contents


or our customers, business partners or third-party providers could also cause us to incur significant remediation costs, result in product development delays, disrupt key business operations and divert attention of management and key information technology resources. These incidents could also subject us to liability, expose us to significant expense and cause significant harm to our reputation and business.

In addition, we could be subject to claims for damages resulting from loss of data from alleged vulnerabilities in the security of our processors who work in our Privacy Operations Center (POC). We have implemented tighter measures to reduce risk of outsiders accessing our client’s ePHI, including biometric access to the POC, direct hardwired internet connections that are VLANed and all connections are encrypted with viewing access from the customer’s environment. We also maintain confidential and personally identifiable information about our workers. The integrity and protection of our worker data is critical to our business and our workers have a high expectation that we will adequately protect their personal information, including medical records.

A breach of data privacy is likely to cause significant disruption of our business operations. Failure to adequately maintain and update our security systems could materially adversely affect our operations and our ability to maintain worker confidence. Failure to prevent unauthorized access to electronic and other confidential information and data breaches could materially adversely affect our financial condition, our competitive position and operating results.

If our customers experience data losses, our brand, reputation and business could be harmed.

A breach of our customers’ network security and systems or other events that cause the loss or public disclosure of, or access by third parties to, our customers’ files or data could have serious negative consequences for our business, including reduced demand for our services, an unwillingness of our customers to use our services, harm to our brand and reputation. The techniques used to obtain unauthorized access, disable or degrade service, or sabotage systems change frequently, often are not recognized until launched against a target, and may originate from less regulated or remote areas around the world. As a result, our customers may be unable to proactively prevent these techniques, implement adequate preventative or reactionary measures, or enforce the laws and regulations that govern such activities. If our customers experience any data loss, data disruption, or any data corruption or inaccuracies, whether caused by security breaches or otherwise, our brand, reputation and business could be harmed.  We believe our risk here is mitigated by the security we employ and the fact that we do not take possession or control of customer sensitive information.

Our insurance may be inadequate or may not be available in the future on acceptable terms, or at all. In addition, our policy may not cover claims against us for loss of data or other indirect or consequential damages. Defending a suit based on any data loss or system disruption, regardless of its merit, could be costly and divert management’s attention.

Healthcare legislation and regulation.  

We are a cybersecurity, privacy and compliance consulting firm dedicated to serving the healthcare industry. The healthcare industry is highly regulated.  U.S. government agencies continue to implement the extensive requirements of the Patient Protection and Affordable Care Act (the “ACA”). These have both positive and negative impacts on the U.S. healthcare industry with much remaining uncertain as to how various provisions of the ACA will ultimately affect the industry, including our business.  

New legislation or regulation.

As to prospective legislation and regulation, we cannot determine what effect additional state or federal governmental legislation, regulations, or administrative orders would have on our business in the future. New legislation or regulation may require the reformulation of our business to meet new standards, require us to cease operations, impose stricter qualification and/or registration standards, impose additional record keeping, or require expanded consumer protection measures.  Congressional leaders and the current administration have attempted to repeal or modify the ACA.  At this time the Company is not certain as to the impact of federal health care legislation on its business.


6


Table of Contents


We may be unable to recruit and maintain our senior management and other key personnel on whom we are dependent.

We are highly dependent upon senior management and key personnel, and we do not carry any life insurance policies on such persons. The loss of any of our senior management, or our inability to attract, retain and motivate the additional highly skilled employees and consultants that our business requires, could substantially hurt our business, prospects, financial condition and results of operations.

The market may not accept our services and solutions and we may not be able to continue our business operations.

Our services and solutions are targeted to the healthcare market, a market in which there are many competing service providers. Accordingly, the demand for our products and services is very uncertain. The market may not accept our services and solutions. Even if our services and solutions achieve market acceptance, they may fail to adequately address the market’s requirements.

Our business depends on generating and maintaining ongoing, profitable customer demand for our services and solutions, including through the adaptation and expansion of our services and solutions in response to ongoing changes in technology and offerings.  A significant reduction in such demand or an inability to respond to the evolving technological environment could materially affect our results of operations.

Our revenue and profitability depend on the demand for our services and solutions with favorable margins, which could be negatively affected by numerous factors, many of which are beyond our control and unrelated to our work product. Volatile, negative or uncertain global economic conditions and lower growth in the markets we serve have adversely affected and could in the future adversely affect customer demand for our services and solutions. Our success depends, in part, on our ability to continue to develop and implement services and solutions that anticipate and respond to rapid and continuing changes in technology and offerings to serve the evolving needs of our customers. Technological developments may materially affect the cost and use of technology by our customers. Some technologies may replace some of our services and solutions in the future. This may cause customers to delay spending under existing contracts and engagements and to delay entering into new contracts while they evaluate new technologies. Such delays can negatively impact our results of operations if the pace and level of spending on new technologies is not sufficient to make up any shortfall.

Developments in the industries we serve, which may be rapid, also could shift demand to new services and solutions. If, as a result of new technologies or changes in the industries we serve, our customers demand new services and solutions, we may be less competitive in these new areas or need to make significant investment to meet that demand. Our growth strategy focuses on responding to these types of developments by driving innovation that will enable us to expand our business into new growth areas. We must continually address the challenges of dynamic and accelerating market trends, such as the emergence of advanced persistent threats in the security space, the continued decline in the PC market and the market shift towards mobility and the increasing transition towards cloud-based solutions. If we do not sufficiently invest in new technology and adapt to industry developments, or evolve and expand our business at sufficient speed and scale, or if we do not make the right strategic investments to respond to these developments and successfully drive innovation, our services and solutions, our results of operations, and our ability to develop and maintain a competitive advantage and to execute on our growth strategy could be negatively affected. New solutions product development and introduction involves a significant commitment of time and resources and is subject to a number of risks and challenges including without limitation:

·Managing the length of the development cycle for new solutions and service enhancements;

·Adapting to emerging and evolving industry standards and to technological developments by our competitors and customers;

·Extending the operation of our services and solutions to new and evolving platforms, operating systems and hardware products, such as mobile devices;

·Entering into new or unproven markets with which we have limited experience;

·Identifying new forms of adversarial cyber attacks and developing appropriate mitigation strategies;


7


Table of Contents


·Managing new service and solution strategies for the markets in which we operate; and

·Developing or expanding efficient sales channels.

If we are not successful in managing these risks and challenges, or if our new solutions and services are not technologically competitive or do not achieve market acceptance, our business and operating results could be adversely affected. We operate in a rapidly evolving environment in which there currently are, and we expect will continue to be, new technology entrants. New services or technologies offered by competitors or new entrants may make our offerings less differentiated or less competitive when compared to other alternatives, which may adversely affect our results of operations. In addition, companies in the industries we serve sometimes seek to achieve economies of scale and other synergies by combining with or acquiring other companies. If one of our current customers merges or consolidates with a company that relies on another provider for the services and solutions we offer, we may lose work from that customer or lose the opportunity to gain additional work if we are not successful in generating new opportunities from the merger or consolidation.

Many of our contracts allow customers to terminate, delay, reduce or eliminate spending on the services and solutions we provide. Additionally, a customer could choose not to retain us for additional stages of a project, try to renegotiate the terms of its contract or cancel or delay additional planned work. When contracts are terminated or not renewed, we lose the anticipated revenues, and it may take significant time to replace the level of revenues lost. Consequently, our results of operations in subsequent periods could be materially lower than expected. The specific business or financial condition of a customer, changes in management and changes in a customer’s strategy are also all factors that can result in terminations, cancellations or delays.

Achieving the desired benefits of recent acquisitions may be subject to a number of challenges and uncertainties which make it hard to predict the future success of each entity.

We have completed several acquisitions in recent years with expected benefits including, among other things, operating efficiencies, procurement savings, innovation, sharing of best practices and increased market share that may allow for future growth.  Achieving the anticipated benefits may be subject to a number of significant challenges and uncertainties, including, without limitation, whether unique corporate cultures will work collaboratively in an efficient and effective manner, the coordination of separate organizations, the possibility of imprecise assumptions underlying expectations regarding potential synergies and the integration process, unforeseen expenses and delays, and competitive factors in the marketplace.  We could also encounter unforeseen transaction and integration-related costs or other circumstances such as unforeseen liabilities or other issues.  Many of these potential circumstances are outside of our control and any of them could result in increased costs, decreased revenue, decreased synergies and the diversion of management time and attention.  If we are unable to achieve our objectives within the anticipated time frame, or at all, the expected benefits may not be realized fully or at all, or may take longer to realize than expected, which could have an adverse effect on our business, financial condition and results of operations.

Our business and operations expose us to numerous legal and regulatory requirements, and any violation of these requirements could harm our business.

We are subject to numerous federal and state legal requirements on matters as diverse as data privacy and protection, employment and labor relations, immigration, taxation, anticorruption, import/export controls, trade restrictions, internal and disclosure control obligations, securities regulation and anti-competition. Compliance with diverse and changing legal requirements is costly, time-consuming and requires significant resources. We also conduct business in certain identified growth areas, such as health information technology, which are highly regulated and may expose us to increased compliance risk. Violations of one or more of these diverse legal requirements in the conduct of our business could result in significant fines and other damages, criminal sanctions against us or our officers, prohibitions on doing business and damage to our reputation. Violations of these regulations or contractual obligations related to regulatory compliance in connection with the performance of customer contracts could also result in liability for significant monetary damages, fines and/or criminal prosecution, unfavorable publicity and other reputational damage, restrictions on our ability to compete for certain work and allegations by our customers that we have not performed our contractual obligations.


8


Table of Contents


We may need additional capital in the future and, if such capital is not available on terms acceptable to us or available to us at all, this may impact our ability to continue to grow our business operations.

We may need capital in the future to expand our business operations. If we need capital, we cannot be certain that it will be available on terms acceptable to us or available to us at all. In the event we are unable to raise capital, we may not be able to:

·develop or enhance our service offerings;

·take advantage of future opportunities; or

·respond to customers and competition.

We have indebtedness which may adversely affect our financial resources and our ability to operate our business.

We are indebted to a former shareholder of CTEK Security, Inc. in the aggregate principal amount of approximately $1.3 million pursuant to a promissory note with a maturity date in March 2022.    Our resulting level of indebtedness and other financial obligations increase the possibility that we may be unable to pay, when due, the principal of, interest on, or other amounts due in respect of, our indebtedness.   If we are unable to pay our indebtedness under the aforementioned promissory note when due, this could result in a default under the promissory note. In such event, the lender may elect (after the expiration of any applicable notice or grace periods) to declare, together with accrued and unpaid interest and other amounts payable under the note, to be immediately due and payable. Any such occurrence would have an immediate and materially adverse impact on our business and results of operations.

With the sale of our Managed Print Services assets, our business focus is narrower, and we are more dependent on the market’s acceptance of our cybersecurity and privacy services and solutions. If these services and solutions are not accepted by the market, any such rejection or delay in acceptance could have a material adverse impact on our business.

As disclosed in our public filings and discussed in the Business section of this Annual Report, in March 2019, we closed a transaction to sell the assets used in our Managed Print Services business (“MPS”). Since the sale of the MPS assets, we have focused on expanding our cybersecurity and privacy services and product offerings. However, there can be no guarantee that this narrower business focus will succeed or that we will be able to grow our business or implement this new and more focused business strategy. If our cybersecurity and privacy services and solutions are not accepted by the market, or if the acceptance of these services and solutions is delayed or takes longer than anticipated, any such non-acceptance or delay in acceptance of our services and solutions by the market could have a proportionately larger material adverse impact on our business.

Achieving the desired benefits of recent changes in our business focus may be subject to a number of challenges and uncertainties which make it hard to predict the future success of each entity.

As noted, we recently sold the assets used in our MPS business and are planning to focus more on expanding our cybersecurity and privacy services and product offerings. As we transition from the MPS business to a business more focused on cybersecurity and privacy, achieving the anticipated benefits may be subject to a number of significant challenges and uncertainties, including, without limitation, changes in corporate culture; removal of prior business synergies between the current business and the MPS business; unforeseen expenses and delays resulting from the sale of the MPS business assets; and competitive factors in the marketplace.  We could also encounter unforeseen transaction and disposition-related costs or other circumstances such as unforeseen liabilities or other issues.  Many of these potential circumstances are outside of our control, and any of them could result in increased costs, decreased revenue, and the diversion of management time and attention.  If we are unable to achieve our objectives within our anticipated time frame, or at all, the expected benefits may not be realized fully or at all, or may take longer to realize than expected, which could have an adverse effect on our business, financial condition and results of operations.


9


Table of Contents


Risks Related to the Market for Our Securities

Because the public market for shares of our Common Stock is limited, stockholders may be unable to resell their shares of Common Stock.

Currently, there is only a limited public market for our Common Stock on the NYSE American and our stockholders may be unable to resell their shares of Common Stock. Currently, the average daily trading volume of our Common Stock is not significant, and it may be more difficult for you to sell your shares in the future, if at all.

The development of an active trading market depends upon the existence of willing buyers and sellers who are able to sell shares of our Common Stock as well as market makers willing to create a market in such shares. Under these circumstances, the market bid and ask prices for the shares may be significantly influenced by the decisions of the market makers to buy or sell the shares for their own account. Such decisions of the market makers may be critical for the establishment and maintenance of a liquid public market in our Common Stock. Market makers are not required to maintain a continuous two-sided market and are free to withdraw quotations at any time. We cannot assure our stockholders that an active public trading market for our Common Stock will develop or be sustained.

The price of our Common Stock may be volatile and could decline in value, resulting in loss to our stockholders.

The market for our Common Stock is volatile, having ranged since January 1, 2019 through December 31, 2019 from a low of $2.44 to a high of $5.00. The market price for our Common Stock has been, and is likely to continue to be, volatile. Due in part to the outbreak of Covid-19, our Common Stock, and the stock market as a whole, has recently experienced substantial volatility.  The following factors, among others, may cause significant fluctuations in the market price of shares of our Common Stock:

·fluctuations in our quarterly revenues and earnings or those of our competitors;

·variations in our operating results compared to levels expected by the investment community;

·changes in senior management or members of the Board of Directors;

·announcements concerning us, our competitors or our customers;

·announcements of technological innovations;

·sale or purchases of shares by traders or other investors;

·market conditions in the industry; and

·the conditions of the securities markets.

The factors discussed above may depress or cause volatility of our share price, regardless of our actual operating results. In addition, the highly volatile nature of our stock price may cause investment losses for our stockholders. In the past, securities class action litigation has often been brought against companies following periods of volatility in the market price of their securities. If securities class action litigation is brought against us, such litigation could result in substantial costs while diverting management’s attention and resources.

There are a large number of shares of Common Stock that may be issued or sold, and if such shares are issued or sold, the market price of our Common Stock may decline.

As of December 31, 2019, we had 10,359,164 shares of our Common Stock outstanding and 33,333,333 shares authorized.

If all warrants, options and restricted stock grants outstanding as of December 31, 2019 are exercised prior to their expiration, up to approximately 1.9 million additional shares of Common Stock could become freely tradable. Such sales of substantial amounts of Common Stock in the public market could adversely affect the prevailing market price of our Common Stock and could also make it more difficult for us to raise funds through future offerings of Common Stock.

We may require additional funding in the future, which may not be available to us on acceptable terms, or at


10


Table of Contents


all.

We believe we will need to raise additional capital in order to achieve our business objectives.  Until we generate a sufficient amount of revenue to finance our cash requirements, we may finance future cash needs through public or private equity offerings, debt financings or strategic collaborations. We do not know whether additional funding will be available on acceptable terms, or at all. If we are not able to secure additional funding when needed, we may have to delay, reduce the scope of or eliminate one or more of our business objectives. To the extent that we raise additional funds by issuing equity securities, our stockholders may experience significant dilution; and debt financing, if available, may involve restrictive covenants that limit our operations. If we enter into certain private placement transactions that include registration rights, we may be obligated to file one or more additional registration statements.  

Our stockholders may experience dilution.

We anticipate that we may raise substantial additional capital to achieve our business objectives. We have an effective shelf registration statement under which we have the current ability to raise up to $15 million through the issuance of equity or debt securities.  We cannot assure you that we will be able to sell shares or other securities in any offering at a price per share that is equal to or greater than the price per share paid by investors in previous offerings, and investors purchasing shares or other securities in the future could have rights superior to existing stockholders. The price per share at which we sell additional shares of our Common Stock or other securities convertible into or exchangeable for our Common Stock in future transactions may be higher or lower than the price per share in previous offerings. The future issuance of the Company’s equity securities will further dilute the ownership of our outstanding Common Stock.  Additionally, we have a three-year $4.0 million contingent earnout obligation to the shareholders of Backbone Consulting, Inc. related to our recent acquisition that allows the Company to settle this obligation with shares of common stock at the fair market value on the date earned.  The market price of our Common Stock has been, and may continue to be, highly volatile, and such volatility could cause the market price of our Common Stock to decrease and could cause stockholders to lose some or all of their investment in our Common Stock.

Other Risks

It may be difficult for a third party to acquire us even if doing so would be beneficial to our stockholders.

Some provisions of our Certificate of Incorporation, as amended, and Bylaws, as amended, as well as some provisions of Delaware, Texas, Minnesota or California law, may discourage, delay or prevent third parties from acquiring us, even if doing so would be beneficial to our stockholders.

As a public company, we are subject to complex legal and accounting requirements that will require us to incur significant expenses.

As a public company, we are subject to numerous legal and accounting requirements that do not apply to private companies. The cost of compliance with many of these requirements is material, not only in absolute terms but, more importantly, in relation to the overall scope of the operations of a small company. The cost of such compliance may prove to be a substantial competitive disadvantage vis-à-vis our privately held and larger public competitors.

The impact of any deterioration of the global credit markets, financial services industry and U.S. economy may negatively affect our business and our ability to obtain capital, if needed.

A deterioration in the global credit markets, the financial services industry and the U.S. economy could result in a period of substantial turmoil. The impact of these events on our business and the severity of an economic crisis is uncertain. It is possible that a crisis in the global credit markets, the financial services industry or the U.S. economy could adversely affect our business, vendors and prospects as well as our liquidity and financial condition. This could impact our ability to increase our customer base and generate positive cash flows. Although we have been able to raise additional working capital through convertible note agreements and private placement offerings of


11


Table of Contents


our Common Stock in the past, and obtain debt financing on reasonable terms, we may not be able to continue this practice in the future or we may not be able to obtain additional working capital through other debt or equity financings. In the event that sufficient capital cannot be obtained, we may be forced to minimize growth to a point that would be detrimental to our business development activities. These courses of action may be detrimental to our business prospects and result in material charges to our operations and financial position. In the event that any future financing should take the form of the sale of equity securities, the current equity holders may experience dilution of their investments.

Natural disasters, public health crises, and other events beyond our control could negatively impact us and/or our suppliers or customers.

We are subject to the risk of disruption by earthquakes, floods and other natural disasters, fire, power shortages, geopolitical unrest, war, terrorist attacks and other hostile acts, public health issues, epidemics or pandemics and other events beyond our control and the control of the third parties on which we depend. Any of these catastrophic events, whether in the United States or abroad, may have a strong negative impact on the global economy, our employees, facilities, partners, suppliers, distributors or customers, and could decrease demand for our products and services, create delays and inefficiencies in our supply chain and make it difficult or impossible for us to deliver products or services to our customers. For example, in December 2019 an outbreak of a novel strain of coronavirus originated in Wuhan, China, and has since spread to a number of other countries in which we or our customers operate, including the United States. This outbreak may result in disruptions to our and our customer’s supply chain and business operations. These could include disruptions from the temporary closure of third-party supplier and manufacturer facilities, interruptions in product supply, or restrictions on the export or shipment of our products. Global health concerns, such as coronavirus, could also result in social, economic, and labor instability in the countries in which we or our customers and suppliers operate. These uncertainties could have a material adverse effect on our business and our results of operation and financial condition. In addition, a catastrophic event that results in the destruction or disruption of our data centers or our critical business or information technology systems would severely affect our ability to conduct normal business operations and, as a result, our operating results would be adversely affected

The forward-looking statements contained in this Annual Report may prove incorrect.

This Annual Report contains certain forward-looking statements. These forward-looking statements are based largely on our current expectations and are subject to a number of risks and uncertainties. Actual results could differ materially from these forward-looking statements. In addition to the other risks described elsewhere in this “Risk Factors” discussion, important factors to consider in evaluating such forward-looking statements include: (i) changes to external competitive market factors or in our internal budgeting process which might impact trends in our results of operations; (ii) anticipated working capital or other cash requirements; (iii) changes in our business strategy or an inability to execute our strategy due to unanticipated changes in our industry; and (iv) various competitive factors that may prevent us from competing successfully in the marketplace. In light of these risks and uncertainties, many of which are described in greater detail elsewhere in this “Risk Factors” discussion, there can be no assurance that the events predicted in forward-looking statements contained in this Annual Report will, in fact, transpire.  Any negative change in the factors listed above could adversely affect the financial condition and operating results of the Company and its products and services.  

ITEM 1B. UNRESOLVED STAFF COMMENTS.

None.

ITEM 2. PROPERTIES.

We lease approximately 9,600 square feet of office space at 11940 Jollyville Road, Austin, Texas 78759. We amended this agreement in March 2020 to reduce the leased square footage to 4,600 expiring May 31, 2022. We also lease approximately 2,000 square feet of office space at 50 South 6th Street, Minneapolis, Minnesota. This lease terminates in July 2021.


12


Table of Contents


We lease approximately 18,320 square feet of office space on the 2nd floor, referred to as Suite 200, and a portion of the basement (the “Mission Viejo Premises”), in the building located at 27271 Las Ramblas, Mission Viejo, California 92691 (the “Mission Viejo Building”), pursuant to an Office Building Lease (the “Mission Viejo Lease”) dated June 26, 2015, with MVPlaza, Inc. (“Landlord”). The term of the Mission Viejo Lease commenced on or about October 1, 2015 and terminates in April 2021.  We sublease the Mission Viejo Premises pursuant to two Sublease Agreements that terminate April 15, 2021.

We expect that the current leased premises will be satisfactory until the future growth of our business operations necessitates an increase in office space.

ITEM 3. LEGAL PROCEEDINGS.

We are not a party to any material legal proceedings, nor has any material proceeding been terminated during the fiscal year ended December 31, 2019.

ITEM 4. MINE SAFETY DISCLOSURES.

Not applicable.

PART II

ITEM 5. MARKET FOR REGISTRANT’S COMMON EQUITY, RELATED STOCKHOLDER MATTERS AND ISSUER PURCHASES OF EQUITY SECURITIES.

Holders

On March 30, 2020, we had approximately 72 stockholders of record.

Dividends

We have never paid cash dividends on our Common Stock and do not anticipate paying such dividends in the foreseeable future. The future payment of dividends, if any, will be determined by our Board of Directors (the “Board”) in light of conditions then existing, including our financial condition and requirements, future prospects, restrictions in financing agreements, business conditions and other factors deemed relevant by the Board.

Repurchases

During the fiscal year ended December 31, 2019, we did not repurchase any of our securities.

Securities Authorized for Issuance under Equity Compensation Plans

The following table provides certain information as of December 31, 2019 with respect to our existing equity compensation plans under which shares of our Common Stock are authorized for issuance.


13


Table of Contents


Plan

Number of Securities to be Issued Upon Exercise of Outstanding Options, Warrants and Rights

Weighted Average Exercise Price of Outstanding Options, Warrants and Rights

Number of Securities Remaining Available for Future Issuances Under Plans (excluding securities reflected in column (a))

(a)

(b)

(c)

Equity compensation plan options approved by security holders (1) (2)

223,215

$2.95

562,919

Equity compensation plan restricted stock units approved by security holders (2)

1,138,200

Equity compensation plans not approved by security holders (3)

577,779

$4.61

Total

1,939,194

562,919

(1)These plans consist of the 2001 Stock Option Plan, the 2003 Stock Option Plan, the 2004 Stock Option Plan, the 2007 Stock Option Plan and the 2011 Stock Incentive Plan, each as amended.

(2)Represents restricted stock units issued under the 2011 Stock Incentive Plan. Since this plan includes option grants, number of securities remaining available for future issuances is combined.

(3)From time to time and at the discretion of the Board, we may issue options or warrants to our key individuals or officers as compensation.

ITEM 6. SELECTED FINANCIAL DATA.

As a smaller reporting company as defined by Rule 12b-2 of the Exchange Act, we are not required to include this information in our Annual Report on Form 10-K.

ITEM 7. MANAGEMENT’S DISCUSSION AND ANALYSIS OF FINANCIAL CONDITION AND RESULTS OF OPERATIONS.

The following discussion presents information about our consolidated results of operations, financial condition, liquidity and capital resources and should be read in conjunction with our consolidated financial statements and the notes thereto beginning on page F-1 of this Annual Report.

Overview

We are engaged in the business of providing IT or cybersecurity services, privacy and compliance services to the healthcare and other industries.  Our business is operated throughout the United States.

We support the United States healthcare market to help organizations identify and protect against the ever-changing threat factors, develop and mature their security and privacy programs aligned to the globally recognized NIST frameworks and comply with regulations and standards including the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), Health Information Technology for Economic and Clinical Health Act (“HITECH”) Breach Notification Rule, Federal Trade Commission consumer protection guidelines and state privacy standards.

We are one of the few consulting and advisory companies focused in the healthcare industry, and our years of experience of understanding the industry’s unique challenges allows us to provide our customers with services designed around industry best practices and a methodology to evaluate the rigor and effectiveness of their programs to improve security controls, policies and procedures and to protect patient health information. Our team of subject matter experts and consultants are comprised of knowledgeable professionals who have learned their craft both in the classroom and through years of practical on-the-job experience, including as policy makers, attorneys and leaders in cybersecurity, privacy and compliance.


14


Table of Contents


Our services are categorized into four groups which are assessment and audit, technical testing, program development and remediation, and monitoring and advisory services. These services are delivered as recurring managed services or under consulting or professional services engagements.

·Assessment and Audit Services – identify and measure security and privacy risk of an organization’s readiness and verify and validate their programs meet compliance and business objectives.

·Technical Testing Services – test the effectiveness of controls in an organization’s environment.

·Program Development and Remediation Services – develop policies and procedures and playbooks to help build out a fully comprehensive risk management program and provide resources to help organizations prioritize, implement and execute initiatives to strengthen their security and privacy programs.

·Monitoring and Advisory Services – provide on-going management and oversight of specific components of an organization’s security and privacy programs to address or give alerts when an issue arises and to offer our expertise that they need to accelerate the effectiveness of their programs.

Prior to March 20, 2019, we provided document solutions to the healthcare industry.  See Note 19 to the consolidated financial statements regarding discontinue operations.

Results of Operations

Year Ended December 31, 2019 Compared to the Year Ended December 31, 2018

Net Revenue

Revenue was $21.4 million for the year ended December 31, 2019, as compared to $21.3 million for the same period in 2018.  Revenue increased $1.1 million from new multi-year managed service revenues and approximately $0.6 million from the addition of the Backbone business.  Those increases were offset by $1.6 million in lower revenues from consulting and professional services, primarily due to the completion of a large non-recurring contract for one of our largest customers.

Cost of Revenues

Cost of revenue primarily consists of salaries and related expenses for direct labor and indirect support staff.  Cost of revenue was $13.0 million for the year ended December 31, 2019, as compared to $11.1 million for the same period in 2018. This increase was almost entirely related to an increase in salaries and related costs due to increased headcount in order to support new services, and our efforts to augment the employee salary and benefit offerings to attract and retain talent and incremental cost of revenues from the Backbone acquisition.

Gross margin was 39% of revenue for the year ended December 31, 2019, and 48% for the same period in 2018. The reduction in gross margin is reflective of our investment in attracting talented cyber security employees, costs associated with ramping up our new managed services offerings and the lower than expected Consulting and Professional Services revenue from new and existing customers.

Sales and Marketing

Sales and marketing expenses include salaries, commissions and expenses for sales and marketing personnel, travel and entertainment, and other selling and marketing costs. Sales and marketing expenses were $5.3 for the year ended December 31, 2019, as compared to $5.2 million for the same period in 2018. The small increase is a result of additional marketing expenses incurred in an effort to increase sales including tradeshow and program related marketing expenses.

General and Administrative

General and administrative expenses include personnel costs for finance, administration, human resources, information systems, and general management, as well as facilities expenses, professional fees, legal expenses and other administrative costs. General and administrative expenses increased by $0.5 million to $6.9 million for the


15


Table of Contents


year ended December 31, 2019, as compared to $6.4 million for the same period in 2018. The increase in general and administrative expenses is attributed to 1) $0.9 million in non-recurring expenses related to the onboarding of our new CEO while our outgoing CEO remained as part of the transition, severance related costs associated with targeted cost reductions and transaction fees associated with the Backbone acquisition; and 2) $0.3 million in software subscriptions and support costs for streamlining operations and business tracking. These additional costs were primarily offset by lower costs of $0.6 million in severance paid to a departed executive in 2018.  We are continuing to look at additional areas we might be able to further reduce costs.

Valuation of Contingent Earnout

In 2018, we performed a valuation of the contingent earn-out to the sellers of CTEK Security, Inc. and incurred $0.3 million in earnout charges for meeting the 2018 criteria and we accrued an additional $178,269 related to the potential for payout for meeting earnout criteria in 2019 and 2020.  We did not hit the 2019 earnout targets and marked down the balance to $0 for the potential of not hitting the 2020 target.  In November 2019, with the acquisition of Backbone, we added $2.4 million of contingent earnout charges and liabilities.

Depreciation

Depreciation increased to $180,000 for the year ended December 31, 2019 as compared to $150,000 for the same period in 2018 due to an increase in purchased software related to automation tools.

Amortization

Amortization expense was steady at $1.9 million for the year ended December 31, 2019 compared to the $1.8 million for same period in 2018.

Revision of Useful Life and Impairment of Definite-Live Intangible Assets

At the end of 2019, we made the decision to phase out the Delphiis acquired technology to move to another third-party platform that provides more flexibility in the services we provide and allows us to reduce expenses related to maintaining this tool.  As a result, we updated our evaluation of the estimated useful life of the related intangible asset and accelerating amortization of the remaining balance of $77,000 in 2019.

Additionally, we identified events and circumstances related to the future revenue projections of the cybersecurity consulting business we acquired in 2017 compared to the original projections that indicated we should review our long-lived assets for impairment.  The Company engaged a valuation expert to assist management in updating its analysis of the fair value of the intangible assets. We determined that the carrying value of customer relationships exceeded its estimated fair value resulting in an impairment charge of $0.5 million in 2019.

Other Income (Expense)

Net interest expense for the year ended December 31, 2019 was $0.5 million compared to $1.4 million for the same period in 2018.  The decrease was due to a lower outstanding debt balance after the payoff of the term loan and paydown of the promissory notes from the proceeds of the sale of the managed print services business.

Income Tax Benefit (Expense)

Income tax benefit was $1.5 million for the year ended December 31, 2019 as compared to $1.3 million in 2018. Income tax expense is based on estimated annual income tax rates that we anticipate for the tax years.

Discontinued Operations

On March 20, 2019, we sold our assets used in the provision of our managed print services business division and the buyer assumed certain liabilities relating to this business. See Note 19 for additional details.


16


Table of Contents


Liquidity and Capital Resources

As of December 31, 2019, our cash balance was $5.3 million, current assets minus current liabilities was positive $6.0 million and our debt and lease obligations totaled $0.4 million, excluding our office lease space in Mission Viejo, California, that we sublease fully to two subtenants. The level of additional cash needed to fund operations and our ability to conduct business for the next twelve months will be influenced primarily by the following factors:

 ● our ability to access the capital and debt markets;

● our ability to manage our operating expenses and maintain gross margins as the Company grows while attracting, recruiting and retaining cybersecurity professionals;

● demand for our cybersecurity services from healthcare providers; the near-term impact of the Coronavirus on our customers allocation of time and resources to cybersecurity and their ability to enter into new contractual arrangements during a period of crisis; and

● general economic conditions and changes in healthcare reimbursement and regulatory environment.

We have historically funded our operating costs, acquisition activities, working capital requirements and capital expenditures with cash from operations, proceeds from the issuances of our common stock and other financing arrangements. Following the sale of the MPS business in 2019, we are now a much smaller cybersecurity focused business with significantly lower debt balances and debt service obligations. However, we also have less scale over which to leverage our operating expenses and public company expenses and are currently operating in a cash flow negative position while we seek to grow the cybersecurity business. During 2019, we reported a loss from continuing operations of $5.4 million and cash used in operating activities from continuing operations was $1.6 million.

Our operating plan for the next twelve months contemplates raising additional equity and/or debt capital, investing in enhancing our sales and operational resources while also streamlining our operations to reduce costs and improve financial performance while we expand our cybersecurity business.

While we have approximately $6 million of working capital as of December 31, 2019, we do expect to raise additional capital to grow the business.  Management believes potential sources of liquidity include at least the following:

▪ In March 2020, the Company received a funding commitment in the amount of $2.5 million from an existing investor.

▪ On March 27, 2020 President Trump signed the Coronavirus Aid, Relief, and Economic Security Act which provides economic relief to businesses. The Company is currently evaluating the opportunity to receive a loan under this program.

▪ On October 10, 2017, the Company filed a registration statement on Form S-3 to register an indeterminate number of securities.  On November 22, 2017, we filed an Amendment No. 1 to such registration statement on Form S-3 to update the information in the registration statement.  The registration statement covers such indeterminate principal amount or number of shares of Common Stock, debt securities, warrants and number of units of the registrant with an aggregate initial offering price not to exceed $15.0 million. The registration statement on Form S-3 was declared effective on November 22, 2017.

If these capital resources are not available, or not available on reasonable terms, we also have the ability to significantly reduce personnel and other variable and semi-variable costs to conserve cash and operate as a going concern. However, those actions if required, could negatively impact growth and the long-term value of the business.

Further, in late 2019, a novel strain of coronavirus was first detected in Wuhan, China. Following the outbreak of this virus, governments throughout the world, including in the United States of America, have


17


Table of Contents


quarantined certain affected regions, restricted travel and imposed significant limitations on other economic activities. The Company’s operations team is closely monitoring the potential impact to the Company’s business, including its cash flows, customers and employees. If the situation impacts our customers cash flow or resources available for cybersecurity projects, our cash flows, financial position and operating results for fiscal year 2020 and beyond will be negatively impacted. Neither the length of time nor the magnitude of the negative impacts can be presently determined.

As we execute our growth plans over the next 12 months, we intend to carefully monitor the impact of growth on our operating expenses, working capital needs and cash balances relative to the availability of cost-effective debt and equity financing. In the event that capital is not available, we may then have to scale back or freeze our organic growth plans, sell assets on less than favorable terms, reduce expenses, and/or curtail future acquisition plans to manage our liquidity and capital resources.   However, we cannot provide assurance that we will be able to raise additional capital.

In addition, our business is subject to additional risks and uncertainties, including, but not limited to, those described in Item 1A. “Risk Factors”.

Off-Balance Sheet Arrangements

Our off-balance sheet arrangements consist primarily of purchase and other commitments arising in the normal course of business, as further discussed below under the section “Contractual Obligations, Contingent Liabilities and Commitments.” As of December 31, 2019, we did not have any other relationships with unconsolidated entities or financial partners, such as entities often referred to as structured finance or special purpose entities, which would have been established for the purpose of facilitating off-balance sheet arrangements or other contractually narrow or limited purposes.

Application of Critical Accounting Policies

The SEC defines critical accounting policies as those that are, in management’s view, most important to the portrayal of our financial condition and results of operations and most demanding of our judgment. The discussion and analysis of our financial condition and results of operations are based upon our financial statements, which were prepared in accordance with accounting principles generally accepted in the U.S., which is referred to as “GAAP.”  The preparation of these financial statements requires us to make estimates and judgments that affect the reported amounts of assets, liabilities, revenues and expenses, and related disclosures of contingent assets and liabilities.  On an on-going basis, we evaluate these estimates, including those related to stock-based compensation, customer programs and incentives, bad debts, supply inventories, intangible assets, income taxes, contingencies and litigation.  We base our estimates on historical experience and on various other assumptions that are believed to be reasonable under the circumstances, the results of which form the basis for making judgments about the carrying values of assets and liabilities that are not readily apparent from other sources.  Actual results may differ from these estimates under different assumptions or conditions.

We consider the following accounting policies to be those most important to the portrayal of our financial condition and those that require the most subjective judgment:

Revenue Recognition and Deferred Revenue

We operate under a consolidated strategy and management structure, deriving revenue from the following sources:

oManaged services

oConsulting and professional services

Revenue is recognized pursuant to ASC Topic 606, “Revenue from Contracts with Customers” (ASC 606).  Accordingly, revenue is recognized at an amount that reflects the consideration to which we expect to be entitled in exchange for transferring goods or services to a customer.  This principle is applied using the following 5-step process:


18


Table of Contents


1.Identify the contract with the customer – A contract with a customer exists when (i) we enter into an enforceable contract with a customer that defines each party’s rights regarding the services to be transferred and identifies the payment terms related to these services, (ii) the contract has commercial substance and the parties are committed to perform, and (iii) we determine that collection of substantially all consideration to which it will be entitled in exchange for services that will be transferred is probable based on the customer’s intent and ability to pay the promised consideration.

2.Identify the performance obligations in the contract – Performance obligations promised in a contract are identified based on the services that will be transferred to the customer that are both capable of being distinct, whereby the customer can benefit from the service either on its own or together with other resources that are readily available from third parties or from us, and are distinct in the context of the contract, whereby the transfer of the services is separately identifiable from other promises in the contract. To the extent a contract includes multiple promised services, we apply judgment to determine whether promised services are capable of being distinct and distinct in the context of the contract. If these criteria are not met the promised services are accounted for as a combined performance obligation.

3.Determine the transaction price – The transaction price is determined based on the consideration to which we will be entitled in exchange for transferring services to the customer.

4.Allocate the transaction price to the performance obligations in the contract – If the contract contains a single performance obligation, the entire transaction price is allocated to the single performance obligation. Contracts that contain multiple performance obligations require an allocation of the transaction price to each performance obligation based on a relative standalone selling price (“SSP”) basis. Determination of SSP requires judgment. We determine standalone selling price taking into account available information such as historical selling prices of the performance obligation, overall strategic pricing objective, market conditions and internally approved pricing guidelines related to the performance obligations.

5.Recognize revenue when (or as) each performance obligation is satisfied – We satisfy performance obligations over time. Revenue is recognized over the time the related performance obligation is satisfied by transferring a promised service to a customer.

 

Managed Services

Managed services revenue is earned monthly during the term of the contract, as services are provided at a fixed fee and is recognized ratably over the contract term beginning on the commencement date of the contract. Managed services contracts are typically long-term contracts lasting three years. Revenue related to managed services provided is recognized based on the customer utilization of such resources, which management estimates to occur ratably over the customer contract term.

Prior to our sale of the MPS business in March 2019, our contracts with managed print service customers included provisions that related to guaranteed savings amounts and shared savings. Such provisions were considered by management during our initial proprietary client assessment. Our historical settlement of such amounts had been within management’s estimates.

Consulting and Professional Services

Consulting and professional services contracts are typically short-term, project-based services rendered on either a fixed fee or a time and materials basis. These contracts are normally for a duration of less than one year. For fixed fee arrangements, revenue is normally recognized ratably over the term of the project. For time and materials arrangements, revenues are recognized as the services are rendered.

Deferred and Unbilled Revenue

We receive payments from customers based on billing schedules established in our contracts.  Deferred revenue primarily consists of billings or payments received in advance of the amount of revenue recognized and


19


Table of Contents


such amounts are recognized as the revenue recognition criteria are met.  Unbilled revenue reflects our conditional right to receive payment from customers for our completed performance under contracts.  

Accounts Receivable Valuation and Related Reserves

We estimate the losses that may result from that portion of our accounts receivable that may not be collectible as a result of the inability of our customers to make required payments.  Management specifically analyzes customer concentration, customer creditworthiness, current economic trends and changes in customer payment terms when evaluating the adequacy of the allowance for doubtful accounts.  We review past due accounts on a monthly basis and record an allowance for doubtful accounts where we deem appropriate.

Impairment Review of Goodwill and Intangible Assets

We periodically evaluate our intangible assets and goodwill relating to acquisitions for impairment. Goodwill is not amortized but is evaluated at least annually at year end for any impairment in the carrying value. We review our intangible assets for impairment whenever events or changes in circumstances indicate that the carrying value of such assets may not be recoverable. Factors we consider important which could trigger an impairment review include, but are not limited to, the following: significant underperformance relative to expected historical or projected future operating results; significant changes in the manner of our use of the acquired assets or the strategy for our overall business; and a significant negative industry or economic trend for a sustained period. Goodwill and intangible asset impairment assessments are generally determined based on fair value techniques, including determining the estimated future discounted and undiscounted cash flows over the remaining useful life of the asset. Those models require estimates of future revenue, profits, capital expenditures and working capital for each reporting unit. We estimate these amounts by evaluating historical trends, the current state of the Company’s industries and the economy, current budgets, and operating plans. Determining the fair value of reporting units and goodwill includes significant judgment by management and different judgments could yield different results. Any resulting impairment loss could have a material impact on our financial condition and results of operations.

Stock-Based Compensation

Under the fair value recognition provisions of the authoritative guidance, stock-based compensation cost granted to employees is measured at the grant date based on the fair value of the award and is recognized as expense over the requisite service or performance period, which is the vesting period.  Stock options and warrants issued to consultants and other non-employees as compensation for services to be provided to us are accounted for based upon the fair value of the services provided or the estimated fair value of the option or warrant, whichever can be more clearly determined.  We currently use the Black-Scholes option pricing model to determine the fair value of stock options.  The determination of the fair value of stock-based payment awards on the date of grant using an option-pricing model is affected by our stock price as well as assumptions regarding a number of complex and subjective variables.  These variables include our expected stock price volatility over the term of the awards, the expected term of the award, the risk-free interest rate and any expected dividends.  Compensation cost associated with grants of restricted stock units are also measured at fair value on the date of the grant.  We evaluate the assumptions used to value restricted stock units on a quarterly basis.  When factors change, including the market price of the stock, stock-based compensation expense may differ significantly from what has been recorded in the past.  If there are any modifications or cancellations of the underlying unvested securities, we may be required to accelerate, increase or cancel any remaining unearned stock-based compensation expense.

Income Taxes

Deferred tax assets and liabilities are recognized for the future tax consequences attributable to differences between the financial reporting requirements and those imposed under federal and state tax laws.  Deferred taxes are provided for timing differences in the recognition of revenue and expenses for income tax and financial reporting purposes and are measured using enacted tax rates expected to apply to taxable income in the years in which those temporary differences are expected to be recovered or settled.  The effect on deferred tax assets and liabilities of a change in tax rates is recognized in income in the period that includes the enactment date.  Deferred income tax expense represents the change during the period in the deferred tax assets and liabilities.  Realization of the deferred tax asset is largely dependent on generating sufficient taxable income in future years.  Deferred tax assets are


20


Table of Contents


reduced by a valuation allowance when, in the opinion of management, it is more likely than not that some portion or all the deferred tax assets will not be realized. Use of our net operating loss deferred assets may be limited by changes in our ownership.

The above listing is not intended to be a comprehensive list of all of our accounting policies. In many cases, the accounting treatment of a particular transaction is specifically dictated by GAAP, with no need for management’s judgment in its application.  There are also areas in which management’s judgment in selecting any available alternative would not produce a materially different result. Please see our audited financial statements and notes thereto which begin on page F-1 of this Annual Report on Form 10-K, which contain accounting policies and other disclosures required by GAAP and please refer to the disclosures in Note 1 of our financial statements for a summary of our significant accounting policies.

Recent Accounting Pronouncements

Refer to Note 1 to the consolidated financial statements for information regarding recent accounting pronouncements.

ITEM 7A. QUANTITATIVE AND QUALITATIVE DISCLOSURES ABOUT MARKET RISK.

We are a smaller reporting company as defined by Rule 12b-2 of the Exchange Act and are not required to provide the information under this item.

ITEM 8. FINANCIAL STATEMENTS AND SUPPLEMENTARY DATA.

The following consolidated financial statements and related notes thereto, and the report of our independent registered public accounting firm, are filed as part of this Annual Report:

Page

Report of Independent Registered Public Accounting Firm

F-1

Consolidated Balance Sheets as of December 31, 2019 and 2018

F-2

Consolidated Statements of Operations for the years ended December 31, 2019 and 2018

F-3

Consolidated Statements of Stockholders’ Equity for the years ended December 31, 2019 and 2018

F-4

Consolidated Statements of Cash Flows for the years ended December 31, 2019 and 2018

F-5

Notes to Consolidated Financial Statements

F-7

    


21


Table of Contents


REPORT OF INDEPENDENT REGISTERED PUBLIC ACCOUNTING FIRM

To the Board of Directors and Stockholders
CynergisTek, Inc.

Opinion on the Consolidated Financial Statements

We have audited the accompanying consolidated balance sheets of CynergisTek, Inc. (the “Company”) as of December 31, 2019 and 2018, the related consolidated statements of operations, stockholders’ equity, and cash flows for each of the years then ended, and the related notes (collectively, the “consolidated financial statements”).  In our opinion, the consolidated financial statements present fairly, in all material respects, the consolidated financial position of the Company as of December 31, 2019 and 2018, and the consolidated results of its operations and its cash flows for each of the years then ended, in conformity with U.S. generally accepted accounting principles.

Emphasis of a Matter

As disclosed in Note 19 to the consolidated financial statements, the Company sold its assets used in the provision of its managed print services business division in March 2019. Our opinion is not modified with respect to this matter.

Adoption of New Accounting Pronouncement

As described in Note 1 to the consolidated financial statements, the Company adopted FASB Accounting Standards Codification Topic 842, Leases, using a modified retrospective transition approach with the Company electing to apply the transition approach as of January 1, 2018.

Basis for Opinion

These consolidated financial statements are the responsibility of the Company’s management. Our responsibility is to express an opinion on the Company’s consolidated financial statements based on our audits.  We are a public accounting firm registered with the Public Company Accounting Oversight Board (United States) (“PCAOB”) and are required to be independent with respect to the Company in accordance with the U.S. federal securities laws and the applicable rules and regulations of the Securities and Exchange Commission and the PCAOB.

We conducted our audits in accordance with the standards of the PCAOB. Those standards require that we plan and perform the audits to obtain reasonable assurance about whether the consolidated financial statements are free of material misstatement, whether due to error or fraud.  The Company is not required to have, nor were we engaged to perform, an audit of its internal control over financial reporting. As part of our audits, we are required to obtain an understanding of internal control over financial reporting but not for the purpose of expressing an opinion on the effectiveness of the Company’s internal control over financial reporting.  Accordingly, we express no such opinion.

Our audits included performing procedures to assess the risks of material misstatement of the consolidated financial statements, whether due to error or fraud, and performing procedures that respond to those risks.  Such procedures included examining, on a test basis, evidence regarding the amounts and disclosures in the consolidated financial statements. Our audits also included evaluating the accounting principles used and significant estimates made by management, as well as evaluating the overall presentation of the consolidated financial statements. We believe that our audits provide a reasonable basis for our opinion.

/s/ HASKELL & WHITE LLP

We have served as the Company’s auditor since 2005.

Irvine, California

March 30, 2020


F-1


Table of Contents


CYNERGISTEK, INC. AND SUBSIDIARIES

CONSOLIDATED BALANCE SHEETS

As of December 31,

2019

2018

ASSETS

Current assets:

Cash and cash equivalents

 $ 5,328,726 

 $ 6,571,381 

Accounts receivable

  3,210,726 

  5,572,467 

Prepaid and other current assets

  1,205,769 

  1,425,858 

Refundable income taxes

– 

472,059    

Current assets held for sale

  – 

  8,427,408 

Total current assets

  9,745,221 

  22,469,173 

Property and equipment, net

  946,219 

  1,403,525 

Deposits

  72,486 

  87,778 

Deferred income taxes

  1,836,258 

  2,146,020 

Intangible assets, net

  8,585,882 

  9,089,989 

Goodwill

23,983,483 

  17,008,189 

Noncurrent assets held for sale

  – 

  1,844,349 

Total assets

 $ 45,169,549 

 $ 54,049,023 

LIABILITIES AND STOCKHOLDERS’ EQUITY

Current liabilities:

Accounts payable and accrued expenses

 $ 638,864 

 $ 932,067 

Accrued compensation and benefits

  1,066,770 

  1,592,765 

Deferred revenue

  898,324 

  918,165 

Income taxes payable

31,976 

– 

Note payable

  – 

  343,750 

Current portion of term loan

– 

2,464,286 

Current portion of promissory note to related parties

  562,500 

  562,500 

Current portion of operating lease liability

533,371 

576,082 

Current liabilities held for sale

  – 

  7,299,561 

Total current liabilities

  3,731,805 

  14,689,176 

Long-term liabilities:

Term loan, less current portion

  – 

  12,851,617 

Promissory notes to related parties, less current portion

  703,125 

  5,015,625 

Capital lease obligations

  – 

  1,570 

Earnout liability

2,400,000 

438,269 

Operating lease liability, less current portion

  158,995 

  620,640 

Noncurrent liabilities held for sale

  – 

  58,967 

Total long-term liabilities

  3,262,120 

  18,986,688 

Commitments and contingencies

Stockholders’ equity:

Common stock, par value at $0.001, 33,333,333 shares authorized, 10,359,164 shares issued and outstanding at December 31, 2019 and 9,630,050 shares issued and outstanding at December 31, 2018

  10,359 

  9,630 

Additional paid-in capital

  34,821,863 

  31,910,831 

Accumulated earnings (deficit)

  3,343,402 

  (11,547,302)

Total stockholders’ equity

  38,175,624 

  20,373,159 

Total liabilities and stockholders’ equity

 $ 45,169,549 

 $ 54,049,023 

The accompanying notes are an integral part of these consolidated financial statements.


F-2


Table of Contents


CYNERGISTEK, INC. AND SUBSIDIARIES

CONSOLIDATED STATEMENTS OF OPERATIONS

</

Year Ended December 31,

2019

2018

Net revenues

 $ 21,364,810 

 $ 21,311,717 

Cost of revenues

  13,018,673 

  11,122,433 

Gross profit

  8,346,137 

  10,189,284