Blueprint Medicines (BPMC) Risk Analysis

Until such time, as we can generate substantial drug revenues, we expect to finance our cash needs primarily through a combination of public and private equity offerings, debt financings, collaborations, strategic alliances, licensing arrangements and future revenue monetizations. We do not have any committed external source of funds, other than our collaborations with Roche, CStone and Zai Lab and the license agreements with Clementia and IDRx, and the Financing Agreement with Sixth Street Partners, which are limited in scope and duration and subject to the achievement of milestones or royalties on sales of licensed products, if any. To the extent that we raise additional capital through the sale of common stock or securities convertible or exchangeable into common stock, the ownership interest of our stockholders will be diluted, and the terms of these securities may include liquidation or other preferences that materially adversely affect the rights of our common stockholders. Debt financing, if available, would increase our fixed payment obligations and may involve agreements that include covenants limiting or restricting our ability to take specific actions, such as incurring additional debt, making capital expenditures or declaring dividends. If we are unable to raise additional funds through equity or debt financings when needed, we may be required to delay, limit, reduce or terminate our drug development or future commercialization efforts or grant rights to develop and market drugs and drug candidates that we would otherwise prefer to develop and market ourselves. If we raise funds through additional collaborations, strategic alliances, licensing arrangements or future revenue monetizations with third parties, we may have to relinquish valuable rights to our intellectual property, future revenue streams, research programs, drugs or drug candidates or to grant licenses on terms that may not be favorable to us. Further, due to the uncertainty of pharmaceutical development, the high historical failure rates generally associated with drug development and uncertainty of successful commercialization, we may not receive any regulatory, development, sales-based milestones or royalty payments under any such collaborations, strategic alliances, licensing arrangements or future revenue monetizations.

Under Section 382 of the Internal Revenue Code of 1986, as amended (the Code), if a corporation undergoes an "ownership change" (generally defined as a greater than 50 percentage point change (by value) in the ownership of its equity over a three-year period), the corporation's ability to use its pre-change net operating loss carryforwards and certain other pre-change tax attributes to offset its post-change income may be limited. We may have experienced such ownership changes in the past, and we may experience ownership changes in the future as a result of shifts in our stock ownership, some of which are outside our control. As of December 31, 2023, we had federal net operating loss carryforwards of approximately $809.5 million, and our ability to utilize those net operating loss carryforwards could be limited by an "ownership change" as described above, which could result in increased tax liability to us. In addition, pursuant to the TCJA, we may not use net operating loss carry-forwards generated in taxable years beginning after December 31, 2017 to reduce our taxable income in any year beginning after December 31, 2020 by more than 80%, and we may not carry back any net operating losses to prior years. These rules apply regardless of the occurrence of an ownership change. In April 2022, the Company completed an update to the prior Section 382 study dated February 25, 2021. Since the Section 382 owner shifts are tested on a cumulative basis, the current update incorporates the period from February 7, 2017, the day of the last identified ownership change, through December 31, 2021. The analysis concluded that it is more likely than not that an additional ownership change did not occur during the update analysis period. This is assuming that no further significant shifts in stock ownership have occurred by virtue of equity events that have not yet been reported in publicly available SEC filings. The Company engaged its external tax advisor to determine if the Company had equity activity through December 31, 2022 that would give rise to a greater than 50% ownership change. The previous Section 382 model, through December 31, 2021, was updated for reported transactions among the Company's 5% owners. The analysis concluded that there was no additional Company equity activity through December 31, 2022 that would rise to the level of a >50% ownership change. The Company has not performed an analysis through December 31, 2023 at this time. As part of this update, the Company also analyzed the shifts in the stock ownership of Lengo, which was acquired by the Company on December 29, 2021, for purposes of determining (1) whether and when Lengo experienced an "ownership change," as defined in Section 382(g)(1) of the Code, during the period beginning March 6, 2019, the date of the first reported issuance of Lengo stock, and ending on December 29, 2021 (Owner Shift Analysis), and (2) the extent to which Lengo's net operating loss and tax credit carryforwards may be subject to limitation under Sections 382 and 383 as a result of any such ownership changes (Limitation Analysis) (collectively, the Analysis). The analysis concluded that it is more likely than not that ownership changes occurred on (1) March 26, 2020 in connection with the issuance of Series A preferred stock and (2) on December 29, 2021 in connection with the Company's acquisition of the Lengo. An analysis of Lengo was not required as it was merged into the Company effective June 24, 2022.

The development and commercialization of pharmaceuticals is capital intensive. We are currently advancing multiple drug candidates and development programs through clinical and preclinical development. Our expenses may increase in connection with our ongoing activities, particularly as we continue the research and development of, initiate or continue clinical trials of, and seek marketing approval for our drug candidates, including marketing approval for avapritinib in additional geographies. In addition, we expect to incur additional significant commercialization expenses for AYVAKIT/AYVAKYT and other drug candidates, if approved, related to drug sales, marketing, manufacturing and distribution to the extent that such sales, marketing, manufacturing and distribution are not the responsibility of potential collaborators or licensors. We may also need to raise additional funds if we choose to pursue additional indications or geographies for any of our approved drugs or drug candidates or otherwise expand more rapidly than we presently anticipate. Our future capital requirements will depend on and may increase as a result of many factors, including: - the success of our commercialization efforts and market acceptance for AYVAKIT/AYVAKYT or any of our current or future drug candidates for which we receive marketing approval;- the costs of maintaining, expanding or contracting for sales, marketing and distribution capabilities in connection with commercialization of AYVAKIT/AYVAKYT and any of our current or future drug candidates for which we receive marketing approval;- the costs of securing manufacturing, packaging and labeling arrangements for development activities and commercial production, including API, drug substance and drug product material for use in preclinical studies, clinical trials, our compassionate use program and for use as commercial supply, as applicable;- the cost of purchasing quantities of agents for use in our clinical trials in connection with our efforts to develop our drugs and drug candidates, including for development as combination therapies;- the scope, progress, results and costs of drug discovery, preclinical development, laboratory testing and clinical trials for our approved drugs and drug candidates;- the costs, timing and outcome of regulatory review of marketing applications for our drug candidates, including seeking marketing approval for avapritinib in additional geographies;- the success of our collaborations with CStone and our license agreements with Clementia and IDRx, as well as our ability to establish and maintain additional collaborations, partnerships or licenses on favorable terms, if at all;- the achievement of milestones or occurrence of other developments that trigger payments under our existing collaboration or license agreements, our financing agreements, or any collaboration, partnership, financing or license agreements that we may enter into in the future;- the extent to which we are obligated to reimburse, or entitled to reimbursement of, research and development, clinical or other costs under future collaboration agreements, if any;- the extent to which we acquire or in-license other approved drugs, drug candidates or technologies and the terms of any such arrangements;- the costs of preparing, filing and prosecuting patent applications, maintaining and enforcing our intellectual property rights and defending intellectual property-related claims; and - the costs of continuing to expand our operations. Accordingly, we may seek additional funding in connection with our continuing operations or business objectives. Any additional fundraising efforts may divert our management from their day-to-day activities, which may adversely affect our ability to develop and commercialize any of our approved drugs or drug candidates. We cannot guarantee that future financing will be available in sufficient amounts or on terms acceptable to us, if at all. Moreover, the terms of any financing may adversely affect the holdings or the rights of our stockholders and the issuance of additional securities, whether equity or debt, by us, or the possibility of such issuance, may cause the market price of our shares to decline. We could also be required to seek funds through collaborations, partnerships, licensing arrangements or otherwise at an earlier stage than would be desirable and we may be required to relinquish rights to some of our technologies, drugs or drug candidates or otherwise agree to terms unfavorable to us, any of which may have a material adverse effect on our business, operating results and prospects. If we are unable to obtain funding on a timely basis or on attractive terms, we may be required to significantly curtail, delay or discontinue one or more of our research or development programs or the commercialization of any of our approved drugs or be unable to expand our operations or otherwise capitalize on our business opportunities, as desired, which could materially affect our business, financial condition and results of operations.

We have entered into collaborations and licenses with CStone, Zai Lab, Proteovant, Clementia and IDRx for the development and commercialization of several of our drugs and drug candidates, and may enter into additional collaborations and licenses with other third parties in the future. The success of these arrangements will depend heavily on the efforts and activities of our collaborators and licensing partners. Collaborators generally have significant discretion in determining the efforts and resources that they will apply to these collaborations. In some situations, we may not be able to influence our collaboration partners' decisions regarding the development and collaboration of our partnered drugs and drug candidates, and as a result, our collaboration partners may not pursue or prioritize the development and commercialization of those partnered drugs and drug candidates in a manner that is in our best interest. Disagreements between parties to a collaboration arrangement regarding clinical development and commercialization matters can lead to delays in the development process or commercializing the applicable drug candidate and, in some cases, termination of the collaboration arrangement or result in litigation or arbitration, which would be time-consuming and expensive. Licensors generally have sole discretion in determining the efforts and resources that they will apply to the licensed products. Collaborations and licenses with pharmaceutical or biotechnology companies and other third parties often are terminated or allowed to expire by the other party. Any termination or expiration of our collaboration or license agreements with CStone, Zai Lab, Proteovant, Clementia or IDRx, or of any future collaboration or license agreement, could adversely affect us financially or harm our business reputation. For example, in February 2023, Roche provided written notice of its election to terminate for convenience our collaboration agreement for the development and commercialization of GAVRETO worldwide, excluding the CStone Territory. While we will regain rights to the development and commercialization of GAVRETO following the effective date of such termination, there can be no assurance that we will be able to successfully enter into a new arrangement with a third party to collaborate on the development and commercialization or GAVRETO. Further, following the termination of such collaboration agreement, we have not otherwise met the net sales milestone thresholds under the Royalty Purchase Agreement with Royalty Pharma and are no longer be eligible to receive any of the contingent milestone payments under the Royalty Purchase Agreement. However, the failure to meet such milestone thresholds shall not affect the $175.0 million upfront payment received.

Our drug candidates and the activities associated with their development and commercialization, including their design, testing, manufacture, safety, efficacy, recordkeeping, labeling, storage, approval, advertising, promotion, sale, distribution, import and export, are subject to comprehensive regulation by the FDA and other regulatory agencies in the U.S. and by comparable authorities in other countries. Before we can commercialize any of our drug candidates, we must obtain marketing approval. We expect to rely on third-party CROs and/or regulatory consultants to assist us in filing and supporting the applications necessary to gain regulatory approvals. Securing regulatory approval requires the submission of extensive preclinical and clinical data and supporting information to the various regulatory authorities for each therapeutic indication to establish the drug candidate's safety and efficacy. Securing regulatory approval also requires the submission of information about the drug manufacturing process to, and inspection of manufacturing facilities by, the relevant regulatory authority. Should FDA determine that an inspection is necessary for approval of a marketing application and an inspection cannot be completed during the review cycle due to restrictions on travel, FDA has stated that it generally intends to issue a complete response letter. Further, if there is inadequate information to make a determination on the acceptability of a facility, FDA may defer action on the application until an inspection can be completed. Our drug candidates may not be effective, may be only moderately effective or may prove to have undesirable or unintended side effects, toxicities or other characteristics that may preclude our obtaining marketing approval or prevent or limit commercial use. The process of obtaining regulatory approvals, if approval is obtained at all, both in the U.S. and abroad is expensive, may take many years if additional clinical trials are required and can vary substantially based upon a variety of factors, including the type, complexity and novelty of the drug candidates involved. Changes in marketing approval policies during the development period, changes in or the enactment of additional statutes or regulations, or changes in regulatory review for each submitted NDA for a drug candidate, pre-market approval (PMA), or equivalent application types, may cause delays in the approval or rejection of an application. The FDA and comparable authorities in other countries have substantial discretion in the approval process and may refuse to accept any application or may decide that our data are insufficient for approval and require additional preclinical, clinical or other studies. We currently have multiple marketing applications for our drug candidates under review across the world. Our drug candidates could be delayed in receiving, or fail to receive, regulatory approval for many reasons, including the following: - the FDA or comparable foreign regulatory authorities may disagree with the design or implementation of our clinical trials;- we may be unable to demonstrate to the satisfaction of the FDA or comparable foreign regulatory authorities that a drug candidate is safe and effective for its proposed indication;- the results of clinical trials may not meet the level of statistical significance required by the FDA or comparable foreign regulatory authorities for approval;- we may be unable to demonstrate that a drug candidate's clinical and other benefits outweigh its safety risks;- the FDA or comparable foreign regulatory authorities may disagree with our interpretation of data from preclinical studies or clinical trials;- the data collected from clinical trials of our drug candidates may not be sufficient to support the submission of an NDA or other submission or to obtain regulatory approval in the U.S. or elsewhere;- the FDA or comparable foreign regulatory authorities may find deficiencies with or fail to approve the manufacturing processes or facilities of third-party manufacturers with which we contract for clinical and commercial supplies; and - the approval policies or regulations of the FDA or comparable foreign regulatory authorities may significantly change in a manner rendering our clinical data insufficient for approval. In addition, even if we were to obtain approval, regulatory authorities may approve any of our drug candidates for fewer or more limited indications than we request, may not approve the price we intend to charge for our drugs, may grant approval contingent on the performance of costly post-marketing clinical trials or other post-marketing requirements, or may approve a drug candidate with a label that does not include the labeling claims necessary or desirable for the successful commercialization of that drug candidate. Additionally, the receipt of regulatory approval for one indication does not ensure the likelihood of success for regulatory approval of expanded indications for a marketed product. Any of the foregoing scenarios could materially harm the commercial prospects for our drug candidates. If we experience delays in obtaining approval or if we fail to obtain approval of our drug candidates, the commercial prospects for our approved drugs or drug candidates may be harmed and our ability to generate revenues will be materially impaired.

We participate in the Medicaid Drug Rebate program, the 340B drug pricing program, and the Department of Veterans Affairs (VA)'s Federal Supply Schedule (FSS) pricing program. Under the Medicaid Drug Rebate program, we are required to pay a rebate to each state Medicaid program for our covered outpatient drugs that are dispensed to Medicaid beneficiaries and paid for by a state Medicaid program as a condition of having federal funds being made available to the states for our drugs under Medicaid and Medicare Part B. Those rebates are based on pricing data reported by us on a monthly and quarterly basis to CMS, the federal agency that administers the Medicaid Drug Rebate program. These data include the average manufacturer price and, in the case of innovator products, the best price for each drug which, in general, represents the lowest price available from the manufacturer to any entity in the U.S. in any pricing structure, calculated to include all sales and associated rebates, discounts and other price concessions. Our failure to comply with these price reporting and rebate payment obligations could negatively impact our financial results. The ACA made significant changes to the Medicaid Drug Rebate program. CMS issued a final regulation, which became effective on April 1, 2016, to implement the changes to the Medicaid Drug Rebate program under the ACA. The issuance of the final regulation has increased and will continue to increase our costs and the complexity of compliance, has been and will continue to be time-consuming to implement, and could have a material adverse effect on our results of operations, particularly if CMS challenges the approach we take in our implementation of the final regulation. Federal law requires that any company that participates in the Medicaid Drug Rebate program also participate in the Public Health Service's 340B drug pricing program in order for federal funds to be available for the manufacturer's drugs under Medicaid and Medicare Part B. The 340B program requires participating manufacturers to agree to charge statutorily defined covered entities no more than the 340B "ceiling price" for the manufacturer's covered outpatient drugs. These 340B covered entities include a variety of community health clinics and other entities that receive health services grants from the Public Health Service, as well as hospitals that serve a disproportionate share of low-income patients. The 340B ceiling price is calculated using a statutory formula based on the average manufacturer price and Medicaid rebate amount for the covered outpatient drug as calculated under the Medicaid Drug Rebate program, and in general, products subject to Medicaid price reporting and rebate liability are also subject to the 340B ceiling price calculation and discount requirement. Any additional future changes to the definition of average manufacturer price and the Medicaid rebate amount under the ACA, other legislation, or in regulation could affect our 340B ceiling price calculations and negatively impact our results of operations. The Health Resources and Services Administration, or HRSA, which administers the 340B program, issued a final regulation regarding the calculation of the 340B ceiling price and the imposition of civil monetary penalties on manufacturers that knowingly and intentionally overcharge covered entities, which became effective on January 1, 2019. We also are required to report our 340B ceiling prices to HRSA on a quarterly basis. Implementation of the civil monetary penalties regulation and the issuance of any other final regulations and guidance could affect our obligations under the 340B program in ways we cannot anticipate. In addition, legislation may be introduced that, if passed, would further expand the 340B program to additional covered entities or would require participating manufacturers to agree to provide 340B discounted pricing on drugs used in the inpatient setting. Pricing and rebate calculations vary across products and programs, are complex, and are often subject to interpretation by us, governmental or regulatory agencies and the courts. In the case of our Medicaid pricing data, if we become aware that our reporting for a prior quarter was incorrect, or has changed as a result of recalculation of the pricing data, we are obligated to resubmit the corrected data for up to three years after those data originally were due. Such restatements and recalculations increase our costs for complying with the laws and regulations governing the Medicaid Drug Rebate program and could result in an overage or underage in our rebate liability for past quarters. Price recalculations also may affect the ceiling price at which we are required to offer our products under the 340B program or could require us to issue refunds to 340B covered entities. Significant civil monetary penalties can be applied if we are found to have knowingly submitted any false pricing information to CMS, or if we fail to submit the required price data on a timely basis. Such conduct also could be grounds for CMS to terminate our Medicaid drug rebate agreement, in which case federal payments may not be available under Medicaid or Medicare Part B for our covered outpatient drugs. Significant civil monetary penalties also can be applied if we are found to have knowingly and intentionally charged 340B covered entities more than the statutorily mandated ceiling price. We cannot assure you that our submissions will not be found by CMS or HRSA to be incomplete or incorrect. In order to be eligible to have our products paid for with federal funds under the Medicaid and Medicare Part B programs and purchased by certain federal agencies and grantees, as noted above, we participate in the VA's FSS pricing program. As part of this program, we are obligated to make our products available for procurement on an FSS contract under which we must comply with standard government terms and conditions and charge a price that is no higher than the statutory Federal Ceiling Price, or FCP, to four federal agencies (the VA, U.S. Department of Defense, or DOD, Public Health Service, and the U.S. Coast Guard). The FCP is based on the Non-Federal Average Manufacturer Price, or Non-FAMP, which we calculate and report to the VA on a quarterly and annual basis. Pursuant to applicable law, knowing provision of false information in connection with a Non-FAMP filing can subject a manufacturer to significant penalties for each item of false information. These obligations also contain extensive disclosure and certification requirements. We also participate in the Tricare Retail Pharmacy program, under which we pay quarterly rebates on utilization of innovator products that are dispensed through the Tricare Retail Pharmacy network to Tricare beneficiaries. The rebates are calculated as the difference between the annual Non-FAMP and FCP. We are required to list our covered products on a Tricare Agreement in order for these products to be eligible for DOD formulary inclusion. If we overcharge the government in connection with our FSS contract or Tricare Agreement, whether due to a misstated FCP or otherwise, we are required to refund the difference to the government. Failure to make necessary disclosures and/or to identify contract overcharges can result in allegations against us under the FCA and other laws and regulations. Unexpected refunds to the government, and responding to a government investigation or enforcement action, would be expensive and time-consuming, and could have a material adverse effect on our business, financial condition, results of operations and growth prospects.

The ability of the FDA to review and approve new products can be affected by a variety of factors, including government budget and funding levels, the ability to hire and retain key personnel and accept the payment of user fees, and statutory, regulatory and policy changes. Average review times at the agency have fluctuated in recent years as a result. In addition, government funding of the SEC and other government agencies on which our operations may rely, including those that fund research and development activities, is subject to the political process, which is inherently fluid and unpredictable. Disruptions at the FDA and other agencies may also slow the time necessary for new drug candidates to be reviewed and/or approved by necessary government agencies, which would adversely affect our business. If a prolonged government shutdown occurs, it could significantly impact the ability of the FDA to timely review and process our regulatory submissions, which could have a material adverse effect on our business. Further, future government shutdowns could impact our ability to access the public markets and obtain necessary capital in order to properly capitalize and continue our operations.

Privacy and data security have become significant issues in the U.S., Europe and in many other jurisdictions where we conduct or may in the future conduct our operations. The regulatory framework for the collection, use, safeguarding, sharing and transfer of information worldwide is rapidly evolving and is likely to remain uncertain for the foreseeable future. Globally, virtually every jurisdiction in which we operate has established its own data security and privacy frameworks with which we must comply. Notably, for example, in Europe, the European General Data Protection Regulation 2016/679, which is commonly referred to as GDPR applies to any company established in the European Economic Area, or EEA, as well as any company outside the EEA that collects or otherwise processes personal data in connection with the offering goods or services to individuals in the EEA or the monitoring of their behavior. The GDPR imposes data protection obligations on processors and controllers of personal data, including, for example, disclosures about how personal information is to be used, having a valid legal basis to process personal data, maintaining records of our processing activities and documenting data protection impact assessments where there is high risk processing, limitations on retention of information, mandatory data breach notification requirements, ensuring appropriate technical and organizational measures are put in place to safeguard personal data and onerous obligations on services providers. Penalties under the GDPR include fines of up to €20 million or 4% of total worldwide annual turnover, whichever is higher. EEA Member States have adopted national laws to implement the GDPR which may partially deviate from the GDPR. Further, competent authorities in the EEA Member States may interpret GDPR obligations slightly differently from country to country. For these reasons, we do not expect to operate in a uniform legal landscape in the EEA. Further to the UK's exit from the European Union on January 31, 2020, the UK incorporated the GDPR (as it existed on December 31, 2020 but subject to certain UK specific amendments) into UK law (referred to as the UK GDPR). The UK GDPR and the UK Data Protection Act 2018 set out the UK's data protection regime, which is independent from but currently still aligned to the EU's data protection regime. Non-compliance with the UK GDPR may result in monetary penalties of up to £17.5 million or 4% of worldwide revenue, whichever is higher. Although the UK is regarded as a third country under the EU's GDPR, the European Commission has issued a decision recognizing the UK as providing adequate protection under the EU GDPR and, therefore, transfers of personal data originating in the EEA to the UK remain unrestricted. Likewise The UK government has confirmed that personal data transfers from the UK to the EEA remain free flowing. The UK Government has introduced a Data Protection and Digital Information Bill ("UK Bill") into the UK legislative process. The aim of the UK Bill is to reform the UK's data protection regime following Brexit. If passed, the final version of the UK Bill may have the effect of further altering the similarities between the UK and EEA data protection regime and threaten the UK Adequacy Decision from the European Commission ("EC"). This may lead to additional compliance costs and could increase our overall risk. The respective provisions and enforcement of the EU GDPR and UK GDPR may further diverge in the future and create additional regulatory challenges and uncertainties. Given the breadth and depth of changes in data protection obligations, preparing for and complying with the GDPR requirements has required and will continue to require significant time, resources and a review of our technologies, systems and practices, as well as those of any third-party collaborators, service providers, contractors or consultants that process or transfer personal data collected in the UK or EEA. Further, European data protection laws also regulates the transfer of personal data from the EEA, the UK and Switzerland to third countries that are not considered to provide adequate protections to personal data. On June 4, 2021,the European Commission ("EC") issued new Standard Contractual Clauses ("SCCs") for data transfers from controllers or processors in the EEA (or otherwise subject to the EU GDPR) to controllers or processors established outside the EEA (and not subject to the EU GDPR). The new SCCs replace the SCCs that were adopted previously under the Data Protection Directive. The UK is not subject to the EC's new SCCs but has published its own standard clauses, the International Data Transfer Agreement, which enables transfers from the UK. We will be required to implement these new safeguards when conducting restricted data transfers under the EU GDPR and UK GDPR and doing so will require significant effort and cost. Where relying on the SCCs or UK IDTA for data transfers, we may also be required to carry out transfer impact assessments to assess whether the recipient is subject to local laws which allow public authority access to personal data. On July 10, 2023, the EU adopted an adequacy decision for a new "Data Privacy Framework," which replaces the Privacy Shield, which the European Court of Justice invalidated in 2020 for personal data transferred from the EU to the U.S. On July 17, 2023 the U.S. Department of Commerce released registration means and requirements for U.S. companies to register. The Framework provides additional certification mechanisms to provide for UK and Swiss data transfers. We have registered and have active membership under the Framework, allowing for transfer of HR and non-HR data from Switzerland and EEA member states. We will be required to maintain these new safeguards when conducting restricted cross-border data transfers and doing so will require significant effort and cost. These and other future developments regarding the flow of data across borders could increase the cost and complexity of delivering our services in some markets and may lead to governmental enforcement actions, litigation, fines, and penalties or adverse publicity, which could adversely affect our business and financial position. While we have taken steps to mitigate the impact on us with respect to transfers of data, such as registering with the U.S. governing bodies managing the Data Privacy Framework, and implementing the SCCs where necessary in new contracts with our service providers, customers, subsidiaries, the validity of these transfer mechanisms remains uncertain. The previous data transfer mechanisms providing adequacy to enable cross-border transfers between the US and the EEA have been invalidated, and the Data Privacy Framework has already been challenged in several jurisdictions. Complying with this guidance as it exists today and evolves will be expensive and time consuming and may ultimately prevent us from transferring personal data outside Europe which would cause significant business disruption for ourselves and our customers and potentially require the changes in the way our products are configured, hosted and supported. In addition, we are subject to Swiss data protection laws, including the Federal Act on Data Protection, or FADP. While the FADP provides broad protections to personal data, on September 25, 2020, the Swiss federal Parliament enacted a revised version of the FADP, which is anticipated to become effective in September 2023. The new version of the FADP aligns Swiss data protection law with the GDPR. We have updated our agreements to reflect the new requirements per the FADP, but further modifications or changes may require revisiting these agreements. Further, in addition to existing European data protection law, the European Union also is considering another draft data protection regulation. The proposed regulation, known as the Regulation on Privacy and Electronic Communications (ePrivacy Regulation), would replace the current ePrivacy Directive. It is unclear whether and/or when the Draft Regulation will enter into force. Preparing for and complying with the evolving application of the GDPR, national laws in Switzerland and the UK, as well as ePrivacy Regulation (if and when it becomes effective) has required and will continue to require us to incur substantial operational costs and may require us to change our business practices. Despite our efforts to bring practices into compliance with the GDPR, appliable national data protection laws and before the effective date of the ePrivacy Regulation, we may not be successful either due to internal or external factors such as resource allocation limitations. Non-compliance could result in proceedings, fines or penalties against us by governmental entities, customers, data subjects, consumer associations or others. In addition to European data protection requirements, we are subject to the California Consumer Privacy Act, or CCPA, which took effect on January 1, 2020 and imposes sweeping privacy and security obligations on many companies doing business in California and provides for substantial fines for non-compliance and, in some cases, a private right of action to consumers who are victims of data breaches involving their unredacted or unencrypted personal information. While there is currently an exception for protected health information that is subject to HIPAA and clinical trial regulations, as currently written, the CCPA may impact our business activities. The CCPA became enforceable as of July 1, 2020, but there continues to be uncertainty about how the law will be interpreted and enforced. The CCPA was amended by the California Privacy Rights Act (CPRA) which became effective on January 1, 2023. The CPRA imposes additional obligations on companies covered by the legislation and significantly modified the CCPA, including by expanding consumers' rights with respect to certain sensitive personal information. The CPRA also created a new state agency that is vested with authority to implement and enforce the CCPA. The effects of the CCPA are potentially significant and may require us to modify our data collection or processing practices and policies and to incur substantial costs and expenses in an effort to comply and increase our potential exposure to regulatory enforcement and/or litigation. In addition to the CCPA, new privacy and data security laws have been enacted in numerous other states and have been proposed in even more states as well as in the U.S. Congress, reflecting a trend toward more stringent privacy legislation in the U.S., which may accelerate. Furthermore, a smaller number of states have passed or are considering laws that are specifically focused upon health privacy, such as Washington's My Health My Data Act. The effects of state and federal privacy laws are potentially significant and may require us to modify our data processing practices and policies and to incur substantial costs and potential liability in an effort to comply with such legislation. Additionally, the Federal Trade Commission (FTC) has focused enforcement actions in the healthcare space. Multiple enforcement actions around how healthcare companies collect, notice and share personal data have provided important signals on points of emphasis for us to focus our compliance efforts. We have taken necessary steps to comply with guidance to date, however guidance and enforcement actions may require additional investment of resources in compliance programs and/or changes in business practices and policies. On October 30, 2023, President Biden issued an Executive Order on Safe, Secure, and Trustworthy Artificial Intelligence which provided a framework for and a call for Congress to enact laws establishing the appropriate development and use of artificial intelligence (AI.) The widespread use of generative AI and natural language processing tools have significant risk when used in the healthcare space. We are exposed to risks associated with employees utilizing generative AI in methods and ways that are contrary to the framework laid out by the Executive Order or the subsequent complementary laws. We will need to invest resources to ensure appropriate development and use of any generative AI, or like-technology, and to develop internal compliance policies and procedures addressing this use. Cybersecurity presents an ongoing risk vector for our company. A cybersecurity incident impacting our internal systems or network could compromise sensitive information of patients and employees, requiring additional resources to enable us to ensure remediation and proper notification. Additionally, we rely on vendors to provide many services where they collect, use or process sensitive data on our behalf or jointly. An incident compromising the databases of our internal network or our vendor's information may materially impact our ability to continue development of our products or have appropriate data to complete FDA submissions. If data related to drug development is compromised, the integrity of that data might be impacted in such a way to render it unusable or potentially modified to a degree it will not be reliable. This type of attack may have material financial impacts resulting from a cybersecurity incident disclosing or making unavailable IP related to our drug development through a ransomware attack or similar method. The continued development and management of our Information Security function may require additional investment of resources to mature our ability to prevent and respond to cybersecurity incidents. The increasing number and complexity of regional, country and U.S. state data protection laws, and other changes in laws or regulations across the globe, especially those associated with the enhanced protection of certain types of sensitive data, such as healthcare data or other personal information from our clinical trials, could lead to government enforcement actions and significant penalties against us and could have a material adverse effect on our business, financial condition or results of operations.

The precise incidence and/or prevalence for SM, chronic urticaria and other mast cell disorders, CDK2-vulnerable cancers and GIST are unknown. Our projections of the number of people who have these diseases, the frequency of the genetic alterations targeted by our drugs and drug candidates and the subset of patients who have the potential to benefit from our treatment options are based on estimates. These estimates have been derived from a variety of sources, including scientific literature, surveys of clinics, patient foundations or third-party market research, and may prove to be incorrect. Further, new studies may change the estimated incidence or prevalence of these cancers and the number of patients may turn out to be lower than expected. Additionally, the potentially addressable patient population for our approved drugs and drug candidates may be limited or may not be amenable to treatment with our precision therapies. Accordingly, the incidence and/or prevalence of the diseases we aim to address may not be otherwise amenable to treatment with our drugs, patients treated with our drugs and drug candidates may develop mutations that confer resistance to treatment or new patients may become increasingly difficult to identify or gain access to, all of which would adversely affect our results of operations and our business.

There are risks involved with both establishing our own sales and marketing capabilities and entering into arrangements with third parties to perform these services. For example, recruiting and training a sales force is expensive and time-consuming and could delay any drug launch. If the commercial launch of a drug candidate or a new indication for a drug product for which we establish marketing capabilities is delayed or does not occur for any reason, we would have prematurely or unnecessarily incurred these commercialization expenses, which may be costly. If we enter into arrangements with third parties to perform sales, marketing and distribution services, our drug revenues or the profitability of these drug revenues to us are likely to be lower than if we were to market and sell any current or future drugs ourselves. We likely will have little control over such third parties, and any of them may fail to devote the necessary resources and attention to sell and market our drugs effectively. In addition, we may not be successful in entering into arrangements with third parties to sell and market our current and future drugs or may be unable to do so on terms that are favorable to us. If we do not establish, maintain and, if necessary, expand sales and marketing capabilities successfully, either on our own or in collaboration with third parties, we will not be successful in commercializing our drugs and drug candidates, if approved. Further, our business, results of operations, financial condition and prospects will be materially adversely affected.

We are exposed to the risk that our employees, principal investigators, CROs and consultants may engage in fraudulent conduct or other illegal activity. Misconduct by these parties could include intentional, reckless and/or negligent conduct or disclosure of unauthorized activities to us that violate the regulations of the FDA and other regulatory authorities, including those laws requiring the reporting of true, complete and accurate information to such authorities; healthcare fraud and abuse laws and regulations in the U.S. and abroad; or laws that require the reporting of financial information or data accurately. In particular, sales, marketing and business arrangements in the healthcare industry are subject to extensive laws and regulations intended to prevent fraud, misconduct, kickbacks, self-dealing and other abusive practices. These laws and regulations may restrict or prohibit a wide range of pricing, discounting, marketing and promotion, sales commission, customer incentive programs and other business arrangements. Activities subject to these laws also involve the improper use of information obtained in the course of clinical trials or creating fraudulent data in our preclinical studies or clinical trials, which could result in regulatory sanctions and cause serious harm to our reputation. We have adopted a code of conduct applicable to all of our employees, but it is not always possible to identify and deter misconduct by employees and other third parties, and the precautions we take to detect and prevent this activity may not be effective in controlling unknown or unmanaged risks or losses or in protecting us from governmental investigations or other actions or lawsuits stemming from a failure to comply with these laws or regulations. In addition, we are subject to the risk that a person could allege such fraud or other misconduct, even if none occurred. If any such actions are instituted against us, and we are not successful in defending ourselves or asserting our rights, those actions could have a significant impact on our business, including the imposition of civil, criminal and administrative penalties, damages, monetary fines, possible exclusion from participation in Medicare, Medicaid and other federal healthcare programs, contractual damages, reputational harm, diminished profits and future earnings, and curtailment of our operations, any of which could adversely affect our ability to operate our business and our results of operations.

We do not have the ability to independently conduct clinical trials. We rely on medical institutions, clinical investigators, CROs, contract laboratories and other third parties to conduct or otherwise support clinical trials for our approved drugs and drug candidates. We rely heavily on these parties for execution of clinical trials for our drugs and drug candidates and control only certain aspects of their activities. Nevertheless, we are responsible for ensuring that each of our clinical trials is conducted in accordance with the applicable protocol, legal and regulatory requirements and scientific standards, and our reliance on CROs will not relieve us of our regulatory responsibilities. For any violations of laws and regulations during the conduct of our clinical trials, we could be subject to warning letters or enforcement action that may include civil penalties up to and including criminal prosecution. We and our CROs are required to comply with regulations, including GCPs, for conducting, monitoring, recording and reporting the results of clinical trials to ensure that the data and results are scientifically credible and accurate, and that the trial patients are adequately informed of the potential risks of participating in clinical trials and their rights are protected. These regulations are enforced by the FDA, the Competent Authorities of the Member States of the European Economic Area and comparable foreign regulatory authorities for any drugs in clinical development. The FDA enforces GCP regulations through periodic inspections of clinical trial sponsors, principal investigators and trial sites. If we or our CROs fail to comply with applicable GCPs, the clinical data generated in our clinical trials may be deemed unreliable, and the FDA or comparable foreign regulatory authorities may require us to perform additional clinical trials before approving our marketing applications. We cannot assure you that, upon inspection, the FDA will determine that our current or future clinical trials comply with GCPs. In addition, our clinical trials must be conducted with drug candidates produced under cGMPs regulations. Our failure or the failure of our CROs to comply with these regulations may require us to repeat clinical trials, which would delay the regulatory approval process and could also subject us to enforcement action. We also are required to register ongoing clinical trials and post the results of completed clinical trials on a government-sponsored database, ClinicalTrials.gov, within certain timeframes. Failure to do so can result in fines, adverse publicity and civil and criminal sanctions. Although we intend to design and sponsor the clinical trials for our approved drugs and drug candidates, CROs will conduct all of our clinical trials. As a result, many important aspects of our development programs, including their conduct and timing, will be outside of our direct control. Our reliance on third parties to conduct current or future clinical trials will also result in less direct control over the management of data developed through clinical trials than would be the case if we were relying entirely upon our own staff. Communicating with outside parties can also be challenging, potentially leading to mistakes as well as difficulties in coordinating activities. Outside parties may: - have staffing difficulties;- fail to comply with contractual obligations;- experience regulatory compliance issues;- undergo changes in priorities or become financially distressed; or - form relationships with other entities, some of which may be our competitors. Some of these factors may be beyond our control. These factors may materially adversely affect the willingness or ability of third parties to conduct our clinical trials and may subject us to unexpected cost increases that are beyond our control. If the CROs do not perform clinical trials in a satisfactory manner, breach their obligations to us or fail to comply with regulatory requirements, the development, regulatory approval and commercialization of our approved drugs for additional indications and our drug candidates may be delayed, we may not be able to obtain regulatory approval and commercialize our drug candidates, or our development program materially and irreversibly harmed. If we are unable to rely on clinical data collected by our CROs, we could be required to repeat, extend the duration of, or increase the size of any clinical trials we conduct and this could significantly delay commercialization and require significantly greater expenditures. If any of our relationships with these third-party CROs terminate, we may not be able to enter into arrangements with alternative CROs. If CROs do not successfully carry out their contractual duties or obligations or meet expected deadlines, if they need to be replaced or if the quality or accuracy of the clinical data they obtain is compromised due to the failure to adhere to our clinical protocols, regulatory requirements or for other reasons, any clinical trials such CROs are associated with may be extended, delayed or terminated, and we may not be able to obtain regulatory approval for or successfully commercialize our drug for additional indications or our drug candidates. As a result, we believe that our financial results and the commercial prospects for our drugs or our drug candidates in the subject indication would be harmed, our costs could increase and our ability to generate substantial revenue could be delayed.

Our results of operations could be adversely affected by general conditions in the global economy and in the global financial markets. For example, the COVID-19 pandemic caused extreme volatility and disruptions in the capital and credit markets. In addition, geopolitical developments, such as the Israeli-Palestinian conflict, Russian invasion of Ukraine or deterioration in the bilateral relationship between the U.S. and China could contribute to disruption, instability and volatility in the global markets, as well as an increased inflation, which in turn could adversely impact our operations and those of third parties upon which we rely. Geopolitical conflicts could also have an adverse impact on third parties located in the involved jurisdictions, which could in turn have an adverse impact on our business. For example, certain of our distributors are located in Israel, and may be adversely impacted by the Israeli-Palestinian conflict. Related sanctions, export controls or other actions that may be initiated by nations including the U.S., the EU, Israel or Russia (e.g., potential cyberattacks, disruption of energy flows) could adversely affect our business, our supply chain, CROs, CMOs, clinical trial sites, collaborative partners, distributors or other third parties with which we conduct business. There can be no assurance that further deterioration in credit and financial markets and confidence in economic conditions will not occur. A severe or prolonged economic downturn could result in a variety of risks to our business, including weakened demand for our drug candidates and our ability to raise additional capital when needed on acceptable terms, if at all. A weak or declining economy could also strain our suppliers, possibly resulting in supply disruption, or cause our customers to delay making payments for our services. Political developments can also lead to uncertainty around regulations and rules that may materially affect our business. For example, as the UK regulatory system is now independent from the EU, a long-term effect of Brexit could be that the UK significantly alters its regulations affecting the clearance or approval of our drug or drug candidates that are developed in the UK. Any new regulations could add time and expense to the conduct of our business, as well as the process by which our drug candidates receive regulatory approval in the UK, as compared to the EU and elsewhere.