Aethlon Medical (AEMD) Risk Factors

In the ordinary course of our business, we and third parties with whom we work may process proprietary, confidential and sensitive information, including personal data, intellectual property, trade secrets, and proprietary business information owned or controlled by ourselves or other third parties, or collectively, Sensitive Information. We may use and share Sensitive Information with service providers and subprocessors and other third parties with whom we work to help us operate our business. If we or such third parties with who we work have experienced, or in the future experience, any security incident(s) that result in any data loss; deletion or destruction; unauthorized access to; loss, unauthorized acquisition, disclosure, or exposure of, Sensitive Information, or other compromise related to the security, confidentiality, integrity of our, or their, information technology, software, services, communications or data, or collection, a Security Breach, it may result in an adverse impact on our business. Cyberattacks, malicious internet-based activity and online and offline fraud are prevalent, continue to rise, and are increasingly difficult to detect. These threats come from a variety of sources, including traditional computer "hackers," threat actors, "hacktivists," organized criminal threat actors, personnel (such as through theft or misuse), sophisticated nation states, and nation-state-supported actors. Some actors now engage and are expected to continue to engage in cyber-attacks, including without limitation nation-state actors for geopolitical reasons and in conjunction with military conflicts and defense activities. During times of war and other major conflicts, we and the third parties with whom we work may be vulnerable to a heightened risk of these attacks, including retaliatory cyber-attacks, that could materially disrupt our systems and operations, supply chain, and ability to produce, sell and distribute our goods and services. We and the third parties with whom we work are subject to a variety of evolving threats, including but not limited to social-engineering attacks, including through deep fakes, which may be increasingly more difficult to identify as fake, and phishing attacks, supply-chain attacks, loss of data or other information technology assets, adware, software bugs, malicious code, such as viruses and worms, employee theft or misuse, denial-of-service attacks, such as credential stuffing, and ransomware attacks. We may also be the subject of viruses, malware, including as a result of advanced persistent threat intrusions, server malfunction, software or hardware failures, loss of data or other computer assets, adware, attacks enhanced or facilitated by AI, telecommunications failures, earthquakes, fires, floods, or other similar threats. Ransomware attacks, including by organized criminal threat actors, nation-states, and nation-state-supported actors, are becoming increasingly prevalent and severe, and can lead to significant interruptions in our operations, loss of Sensitive Information and income, reputational harm, and diversion of funds. Extortion payments may alleviate the negative impact of a ransomware attack, but we may be unwilling or unable to make such payments due to, for example, applicable laws or regulations prohibiting such payments. Remote work has become more common and has increased risks to our information technology systems and data, as more of our employees utilize network connections, computers, and devices outside our premises or network, including working at home, while in transit and in public locations. Additionally, future or past business transactions, such as acquisitions or integrations, could expose us to additional cybersecurity risks and vulnerabilities, as our systems could be negatively affected by vulnerabilities present in acquired or integrated entities' systems and technologies. Furthermore, we may discover security issues that were not found during due diligence of such acquired or integrated entities, and it may be difficult to integrate companies into our information technology environment and security program. In addition, our reliance on third-party service providers could introduce new cybersecurity risks and vulnerabilities, including supply-chain attacks, and other threats to our business operations. We rely on third-parties and their technologies to operate critical business systems to process Sensitive Information in a variety of contexts, including, without limitation, cloud-based infrastructure, data center facilities, encryption and authentication technology, employee email, content delivery to customers, and other functions. We also rely on third-party service providers to assist with our clinical trials, provide other products or services, or otherwise to operate our business. Our ability to monitor these third parties' information security practices is limited, and these third parties may not have adequate information security measures in place. If our third-party service providers experience a Security Breach or other interruption, we could experience adverse consequences. While we may be entitled to damages if our third-party service providers fail to satisfy their privacy or security-related obligations to us, any award may be insufficient to cover our damages, or we may be unable to recover such award. In addition, supply-chain attacks have increased in frequency and severity, and we cannot guarantee that third parties' infrastructure in our supply chain or our third-party partners' supply chains have not been compromised or that they do not contain exploitable defects or bugs that could result in a breach of or disruption to our information technology systems (including our services) or the third-party information technology systems that support us and our services. While we have implemented security measures designed to protect against Security Breaches, these measures may not be effective. We take steps designed to detect, mitigate, and remediate vulnerabilities in our information technology systems, including our products, hardware and/or software, including that of third parties upon which we rely. We may not, however, detect or remediate all such vulnerabilities including on a timely basis. Further, we may experience delays in developing and deploying remedial measures and patched designed to address any such identified vulnerabilities. Vulnerabilities could be exploited and result in a security incident. Any of the previously identified or similar threats could cause a Security Breach or other interruption and disrupt our ability and that of third parties with whom we work to provide our services. We may expend significant resources, fundamentally change our business activities and practices, or modify our operations, including clinical trial activities, or information technology in an effort to protect against Security Breaches and to mitigate, detect and remediate actual and potential vulnerabilities. Applicable Data Protection Obligations may require us to implement specific security measures or use industry-standard or reasonable measures to protect against Security Breaches. Our security measures, or those of third parties with whom we work, may not be effective in protecting against Security Breaches. Applicable Data Protection Obligations may require us to notify relevant stakeholders of Security Breaches, including affected individuals, customers, investors, partners, collaborators, regulators, law enforcement agencies and others, or to implement other requirements, such as providing credit monitoring. Such disclosures and compliance with such requirements are costly, and the disclosures or the failure to comply with such requirements could lead to an adverse impact on our business, results of operations and financial condition. If we or a third party with whom we work experiences a Security Breach or are perceived to have experienced a Security Breach, we may experience adverse consequences. These consequences may include: government enforcement actions, for example, investigations, fines, penalties, audits, and inspections; additional reporting requirements and/or oversight; restrictions on processing Sensitive Information, including personal data; litigation, including class claims; indemnification obligations; negative publicity; reputational harm; monetary fund diversions; diversion of management attention; interruptions in our operations, including availability of data; financial loss; and other similar harms. Security Breaches or other interruptions and attendant consequences may prevent or cause customers to stop using our services, deter new customers from using our services, and negatively impact our ability to grow and operate our business. Our contracts may not contain limitations of liability, and even where they do, any such limitations or exclusions of liability in our contracts may not be adequate to protect us from liabilities or damages if we fail to comply with Data Protection Obligations related to information security or Security Breaches. Our insurance coverage may not be adequate or otherwise protect us from or adequately mitigate liabilities or damages with respect to claims, costs, expenses, litigation, fines, penalties, business loss, data loss, regulatory actions or other material adverse impact on our business, results of operations and financial condition arising out of our Processing operations, privacy and security practices, or Security Breaches that we may experience. In addition, such coverage may not continue to be available on commercially reasonable terms or at all or be sufficient coverage to pay future claims. The successful assertion of one or more large claims against us that exceeds our available insurance coverage, or results in changes to our insurance policies, including premium increases or the imposition of large excess or deductible or co-insurance requirements, could have a material adverse impact on our business, results of operations and financial condition. In addition to experiencing a Security Breach, third parties may gather, collect, or infer Sensitive Information about us from public sources, data brokers, or other means that reveals competitively sensitive details about our organization and could be used to undermine our competitive advantage or market position.

Our Hemopurifier product may be made unmarketable prior to commercialization by us by new scientific or technological developments by others with new treatment modalities that are more efficacious and/or more economical than our products. The homeland security industry is growing rapidly with many competitors that are trying to develop products or vaccines to protect against infectious disease. Any one of our competitors could develop a more effective product which would render our technology obsolete. Further, our ability to achieve significant and sustained penetration of our key target markets will depend upon our success in developing or acquiring technologies developed by other companies, either independently, through joint ventures or through acquisitions. If we fail to develop or acquire, and manufacture and sell, products that satisfy our customers' demands, or we fail to respond effectively to new product announcements by our competitors by quickly introducing competitive products, then market acceptance of our products could be reduced and our business could be adversely affected. Our products may not remain competitive with products based on new technologies.

Our business exposes us to potential product liability and other liability risks that are inherent in the testing, manufacturing and marketing of medical devices. Claims may be asserted against us. A successful liability claim or series of claims brought against us could have a material adverse effect on our business, financial condition and results of operations. We may not be able to continue to obtain or maintain adequate product liability insurance on acceptable terms, if at all, and such insurance may not provide adequate coverage against potential liabilities. Claims or losses in excess of any product liability insurance coverage that we may obtain could have a material adverse effect on our business, financial condition and results of operations. Our Hemopurifier product candidate may be used in connection with medical procedures in which it is important that those products function with precision and accuracy. If our product candidates, including our Hemopurifier, do not function as designed, or are designed improperly, we may be forced by regulatory agencies to withdraw such products from the market. In addition, if medical personnel or their patients suffer injury as a result of any failure of our products to function as designed, or our products are designed inappropriately, we may be subject to lawsuits seeking significant compensatory and punitive damages. The risk of product liability claims, product recalls and associated adverse publicity is inherent in the testing, manufacturing, marketing and sale of medical products. We have obtained general clinical trial liability insurance coverage. However, our insurance coverage may not be adequate or available. We may not be able to secure product liability insurance coverage on acceptable terms or at reasonable costs when needed. Any product recall or lawsuit seeking significant monetary damages may have a material effect on our business and financial condition. Any liability for mandatory damages could exceed the amount of our coverage. Moreover, a product recall could generate substantial negative publicity about our products and business and inhibit or prevent commercialization of other future product candidates.

The tax regimes to which we are subject or under which we operate are unsettled and may be subject to significant change. The issuance of additional guidance related to existing or future tax laws, or changes to tax laws or regulations proposed or implemented by the current or a future U.S. presidential administration, Congress, or taxing authorities in other jurisdictions, including jurisdictions outside of the United States, could materially affect our tax obligations and effective tax rate. To the extent that such changes have a negative impact on us, including as a result of related uncertainty, these changes may adversely impact our business, financial condition, results of operations, and cash flows. The amount of taxes we pay in different jurisdictions depends on the application of the tax laws of various jurisdictions, including the United States, to our international business activities, tax rates, new or revised tax laws, or interpretations of tax laws and policies, and our ability to operate our business in a manner consistent with our corporate structure and intercompany arrangements. The taxing authorities of the jurisdictions in which we operate may challenge our methodologies for pricing intercompany transactions pursuant to our intercompany arrangements or disagree with our determinations as to the income and expenses attributable to specific jurisdictions. If such a challenge or disagreement were to occur, and our position was not sustained, we could be required to pay additional taxes, interest, and penalties, which could result in one-time tax charges, higher effective tax rates, reduced cash flows, and lower overall profitability of our operations. Our financial statements could fail to reflect adequate reserves to cover such a contingency. Similarly, a taxing authority could assert that we are subject to tax in a jurisdiction where we believe we have not established a taxable connection, often referred to as a "permanent establishment" under international tax treaties, and such an assertion, if successful, could increase our expected tax liability in one or more jurisdictions. The Tax Cuts and Jobs Act of 2017 eliminated the option to deduct research and development expenses for tax purposes in the year incurred and requires taxpayers to capitalize and subsequently amortize such expenses over five years for research activities conducted in the United States and over 15 years for research activities conducted outside the United States. Although there have been legislative proposals to repeal or defer the capitalization requirement to later years, there can be no assurance that the provision will be repealed or otherwise modified. Future guidance from the Internal Revenue Service and other tax authorities with respect to such legislation may affect us, and certain aspects of such legislation could be repealed or modified in future legislation.

Our research and development involves the controlled use of hazardous materials, chemicals and viruses. The primary hazardous materials include chemicals needed to construct the Hemopurifier cartridges and the infected plasma samples used in preclinical testing of the Hemopurifier. All other chemicals are fully inventoried and reported to the appropriate authorities, such as the fire department, which inspects the facility on a regular basis. We are subject to federal, state, local and foreign laws governing the use, manufacture, storage, handling and disposal of such materials. Although we believe that our safety procedures for the use, manufacture, storage, handling and disposal of such materials comply with the standards prescribed by federal, state, local and foreign regulations, we cannot completely eliminate the risk of accidental contamination or injury from these materials. We have had no incidents or problems involving hazardous chemicals or biological samples. In the event of such an accident, we could be held liable for significant damages or fines. We currently carry a limited amount of insurance to protect us from bodily injury or property damages arising from hazardous materials. Our product liability policy has a $5,000,000 limit of liability. For our facilities, our property policy provides $25,000 in coverage for contaminant clean-up or removal and $100,000 in coverage for damages to the premises resulting from contamination. Should we violate any regulations concerning the handling or use of hazardous materials, or should any injuries or death result from our use or handling of hazardous materials, we could be the subject of substantial lawsuits by governmental agencies or individuals. We may not have adequate insurance to cover all or any of such claims, if any. If we were responsible to pay significant damages for violations or injuries, if any, we might be forced to cease operations since such payments could deplete our available resources.