Asensus Surgical (ASXC) Risk Analysis

We are increasingly dependent on information technology systems and infrastructure to operate our business. In the ordinary course of our business, we collect, store, process, and transmit sensitive corporate, personal, and other information, including intellectual property, proprietary business information, customer data including PII, and other confidential information. Our obligations under applicable laws, regulations, contracts, industry standards, self-certifications, and other documentation may include maintaining the confidentiality, integrity, and availability of personal information in our possession or control, maintaining reasonable and appropriate security safeguards as part of an information security program. These obligations create potential legal liability to regulators, our business partners, our customers, and other relevant stakeholders, and also impact the attractiveness of our products and services to existing and potential customers. Our systems are subject to cyber-attacks, viruses, worms, malicious software programs, outages, equipment malfunction or constraints, software deficiencies, human error, hacking and other malicious intrusions, which may materially disrupt our business and compromise our data. Cyber-attacks are expected to accelerate on a global basis in both frequency and magnitude as threat actors are becoming increasingly sophisticated in using techniques and tools (including artificial intelligence) that circumvent controls, evade detection and even remove forensic evidence of the infiltration. There can be no assurance that the systems we have designed to prevent or limit the effects of cyber incidents or attacks will be sufficient to prevent or detect material consequences arising from such incidents or attacks, or avoid a material adverse impact on our systems after such incidents or attacks do occur. Even if we successfully defend our own digital technologies, we also rely on providers of third-party products, services, and networks, with whom we may share data and services, and who may be unable to effectively defend their digital technologies and services against attack. Unauthorized access to or modification of, or actions disabling our ability to obtain authorized access to, our customers' data, other external data, personal data, or our own data, as a result of a cyber incident, attack or exploitation of a security vulnerability, or loss of control of our clients' operations could result in significant damage to our reputation or disruption of the services we provide to our customers or of our customers' businesses. In addition, allegations, reports, or concerns regarding vulnerabilities affecting our digital products or services could damage our reputation. We may not be able to anticipate and prevent such disruptions or intrusions, and we may not be able to mitigate them when and if they occur. Any failure, breach or unauthorized access to our or third-party systems could result in the loss of confidential, sensitive or proprietary information, interruptions in service or production or otherwise encumber our ability to conduct business operations and could result in potential reductions in revenue and profits, damage to its reputation or liability. Furthermore, we may incur significant costs in responding to any such disruption or intrusion and remedying our systems. In such event we may also be subject to litigation and other potential liability, which could materially impact our business and financial condition. Further, as regulatory focus on privacy and data security issues continues to increase and worldwide laws and regulations concerning the protection of information become more complex, the potential risks and costs of compliance to the company's business will intensify. Although we have implemented remote working protocols for some employees and offer work-issued devices to employees, the actions of our employees while working remotely may have a greater effect on the security of our systems and the data we process, including by increasing the risk of compromise to our systems, intellectual property, or data arising from employees' combined personal and private use of devices, accessing our systems or data using wireless networks that we do not control, or the ability to transmit or store company-controlled data outside of our secured network. We maintain insurance policies to cover certain losses relating to our information technology systems. However, there may be exceptions to our insurance coverage such that our insurance policies may not cover some or all aspects of a security incident. Even where an incident is covered by our insurance, the insurance limits may not cover the costs of complete remediation and redress that we may be faced with in the wake of a security incident. The successful assertion of one or more large claims against us that exceeds our available insurance coverage, or results in changes to our insurance policies (including premium increases or the imposition of large deductible or co-insurance requirements), could have an adverse effect on our business. In addition, we cannot be sure that our existing insurance coverage and coverage for errors and omissions will continue to be available on acceptable terms or that our insurers will not deny coverage as to any future claim. In addition, any actual or perceived failure by us, our vendors, or our business partners to comply with our privacy, confidentiality, or data security-related legal or other obligations to customers or other third parties, or any further security incidents or other unauthorized access events that result in the unauthorized access, release, or transfer of sensitive information (which could include personal data), may result in governmental investigations, enforcement actions, regulatory fines, litigation, or public statements against us by advocacy groups or others, and could cause third parties, including current and potential partners, to lose trust in us (including existing or potential customers' perceiving our products or services as less desirable), or we could be subject to claims by third parties that we have breached our privacy- or confidentiality-related obligations, which could materially and adversely affect our business and prospects. There can be no assurance that the limitations of liability in our contracts would be enforceable or adequate or would otherwise protect us from liabilities or damages.

The delivery of healthcare by hospitals, health systems, and physicians depends on a number of government agencies and services. Further prolonged government shutdowns or restrictions could impact inspections, regulatory review and certifications, grants or approvals, or could cause other situations that could impede their ability to effectively deliver healthcare, including attempts to reduce payments and other reimbursements to hospitals by federal healthcare programs. These situations could adversely affect our customers' ability to perform procedures with our devices and/or their decisions to purchase additional products from us. In addition, the review and clearance, approval, or certification of new products can be affected by a variety of factors globally, including government budget and funding levels, global health concerns, ability to hire and retain key personnel and accept the payment of user fees, and statutory, regulatory, and policy changes. In addition, government funding of other government agencies that fund research and development activities is subject to unpredictable and ever-changing political processes. Disruptions at the FDA and other agencies or Notified Bodies for any of these or other reasons may cause significant regulatory delays and, therefore, delay our efforts to seek clearances, approvals, or certifications from the FDA, foreign authorities, and notified bodies and adversely affect business travel and import and export of products, all of which could have a material adverse effect on our business, financial condition, results of operations, or cash flows. For example, over the last several years, the U.S. government has shut down several times and certain regulatory agencies, such as the FDA, have had to furlough critical FDA employees and stop critical activities.

There are numerous state, federal, and foreign laws, regulations, decisions, and directives regarding privacy rights and the processing of information relating to identified or identifiable persons ("Personal Information") and other categories of data, the scope of which is continually evolving and subject to differing interpretations. We also must comply with the policies, procedures and business requirements of our customers relating to data privacy and security, which can vary based upon the customer, the customer's industry or location, and the product the customer selects, and which may be more restrictive than the privacy and security measures required by law or regulation. Around the world, the privacy and data protection legal landscape is rapidly changing, which may require us to adjust aspects of our operations or expend significant time and resources to come into compliance with new laws or regulatory obligations. In particular, the European Economic Area ("EEA"), the United Kingdom and Switzerland have stringent privacy laws and regulations, which may impact our ability to profitably operate in certain European countries or to offer products that meet the needs of customers subject to EU privacy laws and regulations. For example, the General Data Protection Regulation (the "GDPR") provides that EEA Member States may make their own further laws and regulations limiting the processing of genetic, biometric, or health data, which could limit our ability to use and share Personal Information or could cause our costs to increase and harm our business and financial condition. Non-compliance with the GDPR and the applicable EEA Member State laws may result in fines of up to 4% of the total worldwide annual turnover of the preceding financial year and other administrative penalties, as well as adverse publicity. It also confers the right for data subjects to lodge complaints with supervisory authorities, seek judicial remedies and obtain compensation for damages resulting from violations of the GDPR. Global laws such as the GDPR are increasingly restricting and regulating the cross-border transfer of Personal Information, which may require us to implement additional and, potentially, costly safeguards to receive Personal Information from overseas customers or transfer such data, including to our vendors. l For example,, in June 2021, the European Commission adopted a new set of Standard Contractual Clauses ("SCCs"), aimed at enabling lawful transfers of Personal Information to non-adequate countries outside the EEA,and on July 10, 2023 the European Commission adopted its adequacy decision for the EU-US Data Privacy Framework, meaning that personal data can now flow freely from the EEA to US companies that participate in the Data Privacy Framework. A lack of valid transfer mechanisms for Personal Information subject to GDPR could increase exposure to enforcement actions as described above, and may affect our business operations and require commercial cost (including potentially limiting our ability to collaborate/work with certain third parties and/or requiring an increase in our data processing capabilities in the EU/U.K.). Further, the EEA/U.K., and Swiss data protection laws (including laws on data transfers as set out above) may also be updated/revised, accompanied by new guidance and/or judicial/regulatory interpretations, which could entail further impacts on our compliance efforts and increased cost. In addition to the laws specifically discussed, numerous other federal and state laws and regulations govern privacy and security, including state data breach notification laws, state health information and/or genetic privacy laws, and federal and state consumer protection laws (e.g., Section 5 of the Federal Trade Commission Act, new state consumer protection laws), many of which differ from each other in significant ways and may not have the same effect, thus complicating compliance efforts. Compliance with these laws is difficult, constantly evolving, time consuming, and requires a flexible privacy framework and substantial resources. Compliance efforts will likely be an increasing and substantial cost in the future. Federal regulators, state attorneys general, and plaintiffs' attorneys have been and will likely continue to be active in this space. The costs of compliance with, and other burdens imposed by, our customers' own requirements, the privacy and security laws and regulations, as well as self-regulatory standards that are applicable to us and our customers' businesses may limit the use and adoption of our products, reduce overall demand and may incur substantial cost or require us to change our business practices. Non-compliance with our customers' specific requirements may lead to termination of contracts with these customers or liabilities to the customers.

The FDA and similar foreign governmental authorities such as the competent authorities of the EEA countries have the authority to require the recall of commercialized products in the event of material deficiencies or defects in design or manufacture or in the event that a product poses an unacceptable risk to health. Manufacturers may, under their own initiative, recall a product if any material deficiency in a device is found. Any future recalls of any of our products would divert managerial and financial resources and could have an adverse effect on our reputation, results of operations and financial condition, which could impair our ability to produce our products in a cost-effective and timely manner in order to meet our customers' demands. We may also be required to bear other costs or take other actions that may have a negative impact on our future sales and our ability to generate profits.

There have been social media and other publications regarding us published from time to time since we started selling the Senhance System. Negative media and social media coverage, whether true or not, concerning our products or us could reduce market acceptance of our products and increase volatility in our stock price.

Changes in economic conditions and supply chain constraints and steps taken by governments and central banks could lead to higher inflation than previously experienced or expected, which could, in turn, lead to an increase in costs. An inflationary environment could have a negative impact on our expenses, increase our labor costs and reduce our available cash flow.

We have an office and valued employees who live and work in Israel. The current conflict in Israel could have a material adverse impact on our business and operations. Our digital surgery software development efforts are centered in our Israeli subsidiary, and the conflict could cause unexpected delays in our development efforts. Some of our employees have been called to active military duty. In addition, a third-party manufacturer of our ISU located in Israel could be negatively impacted affecting our ability to meet our supply obligations, and export of such ISUs, and other supply management activities and materials due to transport restrictions. If the conflict is prolonged or significantly worsens, these factors could have a material adverse impact on our business operations and employees.

We conduct operations in several different countries, including the United States and throughout Europe, and portions of our revenues, expenses, assets and liabilities are denominated in U.S. dollars, Euros, and other currencies. Since our consolidated financial statements are presented in U.S. dollars, we must translate revenues, income and expenses, as well as assets and liabilities, into U.S. dollars at exchange rates in effect during or at the end of each reporting period. We have not historically hedged our exposure to foreign currency fluctuations.  Accordingly, increases or decreases in the value of the U.S. dollar against the Euro and other currencies could materially affect our net operating revenues, operating income and the value of balance sheet items denominated in foreign currencies.