We maintain a large quantity of sensitive information, including confidential business and personal information in connection with the conduct of our clinical trials and related to our employees, and we are subject to laws and regulations governing the privacy and security of such information. In the United States, there are numerous federal and state privacy and data security laws and regulations governing the collection, use, disclosure and protection of personal information, including federal and state health information privacy laws, federal and state security breach notification laws and federal and state consumer protection laws. The legislative and regulatory landscape for privacy and data protection continues to evolve, and there has been an increasing focus on privacy and data protection issues, which may affect our business and is expected to increase our compliance costs and exposure to liability. In the United States, numerous federal and state laws and regulations could apply to our operations or the operations of our partners, including state data breach notification laws, state health information privacy laws and federal and state consumer protection laws and regulations, including Section 5 of the Federal Trade Commission Act, that govern the collection, use, disclosure and protection of health-related and other personal information. State privacy laws in particular are evolving, with more than a dozen new state privacy laws passed in recent years, along with additional health privacy specific laws. These laws may further increase our compliance obligations and potential legal privacy risks. For example, Washington recently passed the My Health My Data Act, which has a broader scope than HIPAA and includes a private right of action.
In addition, we may obtain health information from third parties, including research institutions from which we obtain clinical trial data, that are subject to privacy and security requirements under HIPAA, as amended by the Health Information Technology for Economic and Clinical Health Act, and the regulations promulgated thereunder. Depending on the facts and circumstances, we could be subject to significant penalties if we obtain, use or disclose individually identifiable health information in a manner that is not authorized or permitted by HIPAA.
We may encounter vendors that engage in information blocking practices that may inhibit our ability to access the relevant data on behalf of patients or researchers or impose new or additional costs. In 2020, the U.S. Department of Health and Human Services' Office of the National Coordinator for Health Information Technology (ONC) and the Centers for Medicare and Medicaid Services promulgated final rules to support access, exchange, and use of electronic health information (EHI). Specifically, the information blocking rules were implemented as part of the 21st Century Cures Act, and are primarily designed to facilitate technology interoperability and enable the free flow of healthcare information for healthcare treatment, payment or operation purposes. On June 27, 2023, the Department of Health and Human Services Office of the Inspector General ("HHS-OIG") published its final rule implementing information blocking penalties for "actors," which is supplemented by ONC's January 9, 2024 final rule enhancing certain information blocking requirements. HHS-OIG may impose penalties for information blocking that has occurred after September 1, 2023, and ONC and HHS proposed a rule on November 1, 2023 listing certain disincentives for actors that conduct information blocking. The impact of the information blocking rules on our business is currently unclear.
In the EU, the EU General Data Protection Regulation, or EU GDPR, took effect in all EU Member States on and from May 25, 2018. The UK has implemented the EU GDPR as the "UK GDPR," which sits alongside the UK Data Protection Act 2018, (the UK GDPR, together with the EU GDPR, the "GDPR"). The GDPR governs the collection, use, disclosure, transfer, and other processing of personal data, which may include clinical trial data. The GDPR has direct effect where an entity is established in the EEA or the UK (as applicable) and has extraterritorial effect, including where an entity established outside of the EEA or the UK processes personal data in relation to offering goods or services to individuals in the EEA and/or the UK or monitoring their behavior.
The GDPR imposes obligations on controllers, including, among others, accountability and transparency requirements, requiring controllers to demonstrate and record compliance with the GDPR and to provide more detailed information to data subjects regarding processing of their personal data; requirements to process personal data lawfully, including specific requirements for obtaining valid consent where consent is the lawful basis for processing; obligations to consider data protection when any new products or services are developed and designed (including, e.g., to limit the amount of personal data processed); obligations to comply with data protection rights of data subjects, including a right: (i) of access to, erasure of, or rectification of personal data, (ii) to restriction of processing or to withdraw consent to processing, and (iii) to object to processing or to ask for a copy of personal data to be provided to a third party; and an obligation to report personal data breaches to: (i) the data supervisory authority without undue delay (and no later than 72 hours after discovering the personal data breach, where feasible), unless the personal data breach is unlikely to result in a risk to the data subjects' rights and freedoms; and (ii) affected data subjects, where the personal data breach is likely to result in a high risk to their rights and freedoms.
In addition, the EU GDPR prohibits the international transfer of personal data from the EEA to jurisdictions that the European Commission does not recognize as having 'adequate' data protection laws unless a data transfer mechanism has been put in place or a derogation under the EU GDPR can be relied on. In July 2020, the Court of Justice of the EU ("CJEU") in its Schrems II judgement limited how organizations could lawfully transfer personal data from the EEA to the US by invalidating the EU-US Privacy Shield for purposes of international transfers and imposing further restrictions on the use of standard contractual clauses ("EU SCCs"), including a requirement for companies to carry out a transfer privacy impact assessment ("TIA"). A TIA, among other things, assesses laws governing access to personal data in the recipient country and considers whether supplementary measures that provide privacy protections additional to those provided under EU SCCs will need to be implemented to ensure an 'essentially equivalent' level of data protection to that afforded in the EEA.
On October 7, 2022, US President Biden introduced an Executive Order to facilitate a new Trans-Atlantic Data Privacy Framework ("DPF") and on July 10, 2023, the European Commission adopted its Final Implementing Decision granting the U.S. adequacy ("Adequacy Decision") for EU-US transfers of personal data for entities self-certified to the DPF. Entities relying on EU SCCs for transfers to the U.S. are also able to rely on the analysis in the Adequacy Decision as support for their TIA regarding the equivalence of U.S. national security safeguards and redress. This may have implications for our cross-border data flows and has resulted, and may in the future result, in increased compliance costs.
The UK GDPR also imposes similar restrictions on transfers of personal data from the UK to jurisdictions that the UK Government does not consider adequate, including the United States. The UK Government has published its own form of the EU SCCs, known as the International Data Transfer Agreement and an International Data Transfer Addendum to the new EU SCCs. The UK Information Commissioner's Office has also published its version of the TIA and guidance on international transfers, although entities may choose to adopt either the EU or UK style TIA. Further, on September 21, 2023, the UK Secretary of State for Science, Innovation and Technology established a UK-U.S. data bridge (i.e., a UK adequacy decision) and adopted UK regulations to implement the UK-U.S. data bridge ("UK Adequacy Regulations"). The UK Adequacy Regulations have now been passed in the UK Parliament, and personal data may be transferred from the UK under the UK-U.S. data bridge through the UK extension to the DPF, from October 12, 2023 to organizations self-certified under the DPF.
The GDPR imposes fines for serious breaches of up to the higher of 4% of the organization's annual worldwide turnover or €20m (under the EU GDPR) or £17.5m (under the UK GDPR). The GDPR identifies a list of points to consider when determining the level of fines for data supervisory authorities to impose (including the nature, gravity and duration of the infringement). Data subjects also have a right to compensation, as a result of an organization's breach of the GDPR which has affected them, for financial or non-financial losses (e.g., distress).
Compliance with these and any other applicable privacy and data security laws and regulations is a rigorous and time-intensive process, and we may be required to substantially amend existing procedures and policies or put in place additional procedures and policies to ensure compliance with privacy and data protection rules and requirements. These changes could adversely impact our business by increasing operational and compliance costs or by requiring changes to our business practices. Further, there is a risk that the amended policies and procedures will not be implemented correctly or that individuals within the business will not be fully compliant with the new procedures. If we fail to comply with any such laws or regulations, we may face significant litigation, government investigations, fines and penalties as well as reputational damage, which could adversely affect our business, operations, financial condition and prospects. Furthermore, the laws are not consistent, and compliance in the event of a widespread data breach is costly. In addition, states are constantly adopting new laws or amending existing laws, requiring attention to frequently changing regulatory requirements. For example, the CCPA took effect on January 1, 2020, and the amendments thereto under the CPRA took effect on January 1, 2023. The CCPA gives California residents expanded rights to access and delete their personal information, opt out of certain personal information sharing and receive detailed information about how their personal information is used by requiring covered companies to provide new disclosures to California consumers (as that term is broadly defined) and provide such consumers new ways to opt out of certain sales and sharing of personal information. The CCPA provides for civil penalties for violations, as well as a private right of action for data breaches that is expected to increase data breach litigation.
Further, the CPRA imposed additional data protection obligations on companies doing business in California, including additional consumer rights processes, limitations on data uses, new audit requirements for higher risk data and opt outs for certain uses of sensitive data. It also created the California Privacy Protection Agency to implement and enforce the law, which could result in increased privacy and information security enforcement. As a result of the CPRA going into effect earlier this year, additional compliance investment and potential business process changes may be required. Although the CCPA currently exempts certain health-related information, including clinical trial data, the CCPA and the amendments under the CPRA may increase our compliance costs and potential liability.
Multiple states have followed California to legislate comprehensive privacy laws with data privacy rights. For example, Virginia passed the Virginia Consumer Data Protection Act ("VCDPA"), which went into effect on January 1, 2023 and affords consumers similar rights to the CCPA, along with additional rights, such as the right to opt out of processing for profiling and targeted advertising purposes. Additionally, the Colorado Privacy Act ("CPA") and Connecticut Personal Data Privacy and Online Monitoring Act ("CTDPA") went into effect on July 1, 2023 and the Utah Privacy Rights Act will go into effect later this year, and each imposes obligations similar to those in the CCPA and VCDPA. While these new laws generally include exemptions for HIPAA-covered and clinical trial data, they impact the overall privacy landscape. Several other states have followed suit and passed similar legislation which will go into effect in the coming years. Further, additional privacy laws that are similar in nature have been proposed in other states and at the federal level and, if passed, such laws may have potentially conflicting requirements that would make compliance challenging.
With the GDPR, CCPA, and other US state privacy laws, as well as other laws, regulations and other obligations relating to privacy and data protection imposing new and relatively burdensome obligations, and with the substantial uncertainty over the interpretation and application of these and other obligations, we may face challenges in addressing their requirements and making necessary changes to our policies and practices and may incur significant costs and expenses in an effort to do so. We are currently in the process of developing and updating our policies and procedures in accordance with requirements under applicable data privacy and protection laws and regulations. We do not currently have any formal data privacy policies and procedures in place and have not completed formal assessments of whether we are in compliance with all applicable data privacy laws and regulations. Additionally, if third parties with which we work, such as vendors or service providers, violate applicable laws, rules or regulations or our policies, such violations may also put our or our clinical trial and employee data, including personal data, at risk, which could in turn have an adverse effect on our business.