The regulatory framework for the collection, use, safeguarding, sharing, transfer and other processing of personal information worldwide is rapidly evolving and is likely to remain uncertain for the foreseeable future. Regulatory authorities in virtually every jurisdiction in which we operate in Greater China and other Asian markets have implemented and are considering a number of legislative and regulatory proposals concerning personal data protection.
Regulatory authorities in China have implemented and are considering a number of legislative and regulatory proposals concerning data protection. For example, the Cyber Security Law of the PRC, or the Cyber Security Law, which became effective in June 2017, created China's first national-level data protection regime for "network operators," which may include all organizations in China that provide services over the internet or another information network.
We do not maintain, nor do we intend to maintain in the future, personally identifiable health information of patients in China. We do, however, collect and maintain de-identified or pseudonymized health data for clinical trials in compliance with local regulations. These data could be deemed personal data or important data. With China's growing emphasis on its sovereignty over data derived from China, the outbound transmission of de-identified or pseudonymized health data for clinical trials may be subject to the new national security legal regime, including the Cyber Security Law, the Data Security Law (as defined below), the Personal Information Protection Law (as defined below), and various implementing regulations and standards.
Under the Cyber Security Law and the Measures on Standard, Safety and Service of the National Medical Care Big Data (Tentative), or the Measures on Health and Medical Big Data, the transmission of certain personal information, important data and health and medical care big data outside of China is only permitted upon the completion of a security assessment conducted by or as determined by the Chinese government. On July 7, 2022, the Cyberspace Administration of China, or the CAC, promulgated the Security Assessment Measures for Outbound Data Transfer, effective from September 1, 2022, or the Security Assessment Measures, to regulate outbound data transfer activities, protect the information rights and interests of individuals, safeguard national security and social public interests, and promote the safe and free cross-border flow of data. On March 22, 2024, the CAC promulgated the Provisions on Facilitating and Regulating Cross-border Data Flow, effective on the same date. The provisions intend to replace the rules set forth in the Security Assessment Measures that are inconsistent with the new provisions, and provide for, among others, circumstances that are exempted from and circumstances that require application for security assessment for outbound data transfer, execution of a standard contract for personal information outbound transfer and passing of the certification for personal information protection.
In addition, the Standing Committee of the National People's Congress of the PRC, or the SCNPC, promulgated the Data Security Law of the People's Republic of China, or the Data Security Law, on June 10, 2021, which became effective on September 1, 2021. The Data Security Law imposes data security and privacy obligations on entities and individuals carrying out data processing activities, and introduces a data classification and hierarchical protection system. The classification of data is based on its importance in economic and social development, as well as the degree of harm expected to be caused to national security, public interests, or legitimate rights and interests of individuals or organizations if such data is tampered with, destroyed, leaked, or illegally acquired or used. The security assessment mechanism was also included in the Personal Information Protection Law, which was promulgated in August 2021 and became effective on November 1, 2021, for the Chinese government to supervise certain cross-border transfers of personal information.
The Personal Information Protection Law provides a comprehensive set of data privacy and protection requirements that apply to the processing of personal information and expands data protection compliance obligations to cover the processing of personal information of persons by organizations and individuals in China, and the processing of personal information of persons in China outside of China if such processing is for purposes of providing products and services to, or analyzing and evaluating the behavior of, persons in China. The Personal Information Protection Law also provides that critical information infrastructure operators and personal information processing entities who process personal information meeting a volume threshold to be set by Chinese cyberspace regulators are required to store in China personal information generated or collected in China, and to pass a security assessment administered by Chinese cyberspace regulators for any export of such personal information. Lastly, the Personal Information Protection Law contains proposals for significant fines for serious violations of up to RMB 50 million or 5% of annual revenues from the prior year, and violators may also be ordered by competent authorities to suspend any related activity.
Under the Cyber Security Law and Data Security Law, we are required to establish and maintain a comprehensive data and network security management system that will enable us to monitor and respond appropriately to data security and network security risks. We will need to classify and take appropriate measures to address risks created by our data processing activities and use of networks. We will be obligated to notify affected individuals and appropriate Chinese regulators of and respond to any data security and network security incidents. Establishing and maintaining such systems takes substantial time, effort and cost, and we may not be able to establish and maintain such systems fully as needed to ensure compliance with our legal obligations. Despite our investment, such systems may not fully guard us or enable us to appropriately respond to or mitigate all data security and network security risks or incidents we face. Furthermore, under the Data Security Law, data categorized as "important data," which will be determined by governmental authorities in the form of catalogs, is to be processed and handled with a higher level of protection. The notion of important data is not clearly defined by the Cyber Security Law or the Data Security Law. In order to comply with the statutory requirements, we will need to determine whether we possess important data, monitor the important data catalogs that are expected to be published by local governments and departments, perform risk assessments and ensure we are complying with reporting obligations to applicable regulators. 
We may also be required to disclose to regulators business-sensitive or network security-sensitive details regarding our processing of important data, and may need to pass the government security review or obtain government approval in order to share important data with offshore recipients, which can include foreign licensors, or share data stored in China with judicial and law enforcement authorities outside of China. If judicial and law enforcement authorities outside China require us to provide data stored in China, and we are not able to pass any required government security review or obtain any required government approval to do so, we may not be able to meet the foreign authorities' requirements. The potential conflicts in legal obligations could have an adverse impact on our operations in and outside of China.
Recently, the CAC has taken action against several Chinese internet companies in connection with their initial public offerings on U.S. securities exchanges, for alleged national security risks and improper collection and use of the personal information of Chinese data subjects. According to the official announcement, the action was initiated based on the National Security Law, the Cyber Security Law and the Cybersecurity Review Measures, which are aimed at "preventing national data security risks, maintaining national security and safeguarding public interests." In addition, on December 28, 2021, the CAC and several other PRC government authorities jointly issued the newly revised Cybersecurity Review Measures, according to which, among others, if an internet platform operator has personal information of over one million users and intends to be listed on a foreign stock exchange, it must be subject to the cybersecurity review. The newly revised Cybersecurity Review Measures became effective on February 15, 2022. On November 14, 2021, the CAC published the Administrative Regulations on the Internet Data Security (Draft for Comments), or the Draft Data Security Measures for public comments, according to which, among others, listing in a foreign country of data processors processing over one million users' personal information and listing in Hong Kong of data processors which affects or may affect national security must apply for cybersecurity review. As the Draft Data Security Measures have not been adopted and it remains unclear whether the formal version adopted in the future will have any further material changes, it is uncertain how these draft measures will be enacted, interpreted or implemented and how they will affect us. It is unclear at the present time how widespread the cybersecurity review requirement and the enforcement action will be and what effect they will have on the life sciences sector generally and the Company in particular. 
China's regulators may impose penalties for non-compliance ranging from fines to suspension of operations, and this could lead to us delisting from the U.S. stock market.
The national security legal regime imposes stricter data localization requirements on personal information and human health-related data and requires us to undergo cybersecurity or other security review, obtain government approval or certification, or put in place certain contractual protections before transferring personal information and human health-related data out of China. As a result, personal information, important data and health and medical data that we or our customers, vendors, clinical trial sites, pharmaceutical partners and other third parties collect, generate or process in China may be subject to such data localization requirements and heightened regulatory oversight and controls. To comply with these requirements, maintaining local data centers in China, conducting security assessments or obtaining the requisite approvals from the Chinese government for the transmission outside of China of such controlled information and data could significantly increase our operating costs or cause delays or disruptions in our business operations in and outside China. We expect that the evolving regulatory interpretation and enforcement of the national security legal regime will lead to increased operational and compliance costs and will require us to continually monitor and, where necessary, make changes to our operations, policies, and procedures. If our operations, or the operations of our CROs, licensees or partners, are found to be in violation of these requirements, we may suffer loss of use of data, suffer a delay in obtaining regulatory approval for our products, be unable to transfer data out of Mainland China, be unable to comply with our contractual requirements, suffer reputational harm or be subject to penalties, including administrative, civil and criminal penalties, damages, fines and the curtailment or restructuring of our operations.
If any of these were to occur, it could adversely affect our ability to operate our business and our financial results.
The General Office of the State Council passed the Scientific Data Administrative Measures in March 2018, which provides a regulatory framework for the collection, submission, retention, exploitation, confidentiality and security of scientific data. Scientific data is defined as data generated from basic research, applied research, experiments and developments in the fields of natural sciences, engineering and technology. It also includes the original and derived data by means of surveillance, monitoring, field studies, examination and testing that are used in scientific research activities. All scientific data generated by research entities, including research institutions, higher education institutions and enterprises that is created or managed with government funds, or funded by any source that concerns state secrets, national security, or social and public interests, must be submitted to data centers designated by the Chinese government for consolidation. Disclosure of scientific data will be subject to regulatory scrutiny.
The definition of scientific data is quite broad, but the Chinese government has not issued further guidance to clarify if clinical study data would fall within the definition of scientific data. To our understanding, the Chinese government has not required life sciences companies to upload clinical study data to any government-designated data centers, or prevented the cross-border transmission and sharing of clinical study data. We plan to closely monitor legal and regulatory developments in this area to see how scientific data is interpreted, and we may be required to comply with additional regulatory requirements for sharing clinical study data with our licensors or foreign regulatory authorities, although the scope of such requirements, if any, is currently unknown.
On July 7, 2022, the CAC promulgated the Security Assessment Measures, to regulate outbound data transfer activities, protect the information rights and interests of individuals, safeguard national security and social public interests, and promote the safe and free cross-border flow of data. Furthermore, the Security Assessment Measures provide that the security assessment for outbound data transfers shall follow principles of the combination of pre-assessment and continuous supervision and the combination of risk self-assessment and security assessment, so as to prevent the security risks arising from outbound data transfers and ensure the orderly and free flow of data according to the law. For outbound data transfer activities that have been carried out prior to the implementation of the Security Assessment Measures, and are not in compliance with the Security Assessment Measures, rectification shall be completed within 6 months from the implementation of the Security Assessment Measures. The Security Assessment Measures further provide that a data processor intending to implement outbound data transfer under the following circumstances shall apply for security assessment to the CAC: (a) a data processor intending to provide critical data abroad; (b) a critical information infrastructure operator or a data processor processing the personal information of more than one million individuals intending to provide personal information abroad; (c) a data processor, who has cumulatively provided personal information of 100,000 individuals or sensitive personal information of 10,000 individuals abroad since January 1st of the previous year, intending to provide personal information abroad; and (d) other circumstances prescribed by the CAC for which application for security assessment for outbound data transfers is required. On March 22, 2024, the CAC promulgated the Provisions on Facilitating and Regulating Cross-border Data Flow, effective on the same date.
The provisions intend to replace the rules set forth in the Security Assessment Measures that are inconsistent with the new provisions. Pursuant to the Provisions on Facilitating and Regulating Cross-border Data Flow, a data processor intending to implement outbound data transfer under the following circumstances shall apply for security assessment to the CAC: (a) a critical information infrastructure operator intending to provide personal information or important data abroad; or (b) a data processor, that is not a critical information infrastructure operator, intending to provide important data abroad, or has since January 1st of the current year cumulatively provided personal information (excluding sensitive personal information) of over one million individuals, or sensitive personal information of over 10,000 individuals, abroad. Any data processor other than a critical information infrastructure operator that has since January 1st of the current year cumulatively provided personal information (excluding sensitive personal information) of over 100,000 and less than one million individuals, or sensitive personal information of less than 10,000 individuals, abroad should execute a standard contract for outbound transfer of personal information with the recipient abroad or pass the certification for personal information protection.
In addition, certain industry-specific laws and regulations affect the collection and transfer of personal data in China. For example, the Regulation on the Administration of Human Genetic Resources, or the HGR Regulation, promulgated by the State Council, which became effective on July 1, 2019, applies to activities that involve collection; biobanking; use of HGR, which includes the genetic materials with respect to organs, tissues, cells and other materials that contain the human genome, genes and other genetic substances, or the China Biospecimens; and derived data, in China (together with the China Biospecimens, the "China-Sourced HGR"), and provision of such items to foreign parties. The HGR Regulation prohibits both onshore and offshore entities established or actually controlled by foreign entities and individuals from collecting or biobanking any China-Sourced HGR in China, as well as providing such China-Sourced HGR out of China. Chinese parties are required to seek an advance approval for the collection of certain HGR and biobanking of all HGR. Approval for any export or cross-border transfer of China Biospecimens is required, and transfer of derived data by Chinese parties to foreign parties or entities established or actually controlled by them also requires the Chinese parties to file, before the transfer, a copy of the data with the China Human Genetic Resources Administrative Office, or HGRAO, for record and obtain a notification filing number in order to transfer. The HGR Regulation also requires that foreign parties ensure the full participation of Chinese parties in international collaborations and share all records and data with the Chinese parties.
If the Chinese parties fail to comply with data protection laws, regulations and practice standards, and our research data is obtained by unauthorized persons, used or disclosed inappropriately or destroyed, we may lose our confidential information and be subject to litigation and government enforcement actions. It is possible that these laws may be interpreted and applied in a manner that is inconsistent with our or our collaborators' practices, potentially resulting in suspension of relevant ongoing clinical trials or delays in the initiation of new trials, confiscation of China-Sourced HGR, administrative fines, disgorgement of illegal gains or temporary or permanent debarment of our or our collaborators' entities and responsible persons from further clinical trials and, consequently, a de-facto ban on the debarred entities from initiating new clinical trials in China. So far, the HGRAO has disclosed a number of HGR violation cases. In one case, the sanctioned party was the Chinese subsidiary of a multinational pharmaceutical company that was found to have illegally transferred certain biospecimens to CROs for conducting certain unapproved research. In addition to a written warning and confiscation of relevant HGR materials, the Chinese subsidiary of the multinational pharmaceutical company was requested by the HGRAO to take rectification measures and was also banned by the HGRAO from submitting any clinical trial applications until the HGRAO was satisfied with the rectification results, which rendered it unable to initiate new clinical trials in China until the ban was lifted. In another case, the CRO engaged by the Chinese subsidiary of a multi-national pharmaceutical company was found to have forged an ethics committee approval in order to accelerate the HGRAO approval. Both the Chinese subsidiary of the multi-national pharmaceutical company and the CRO were debarred from initiating new applications for a period of six to 12 months, respectively.
To further tighten the control of China HGR, the SCNPC issued the Eleventh Amendment to the Criminal Law of the People's Republic of China on December 26, 2020, which became effective on March 1, 2021, criminalizing the illegal collection of China-Sourced HGR, the illegal transfer of China-sourced biospecimens outside of China, and the transfer of China-sourced derived data to foreign parties or entities established or actually controlled by them without going through security review and assessment. An individual who is convicted of any of these violations may be subject to public surveillance, criminal detention, a fixed-term imprisonment of up to seven years and/or a criminal fine. In October 2020, the SCNPC adopted the Biosecurity Law of the People's Republic of China, or the PRC Biosecurity Law, which became effective on April 15, 2021. The PRC Biosecurity Law established an integrated system to regulate biosecurity-related activities in China, including, among others, the security regulation of HGR and biological resources. The PRC Biosecurity Law for the first time expressly declares that China has sovereignty over its HGR, and further endorsed the HGR Regulation by recognizing the fundamental regulatory principles and systems established by it over the utilization of China-Sourced HGR by foreign entities in China. Though the PRC Biosecurity Law does not provide any specific new regulatory requirements on HGR, as it is a law adopted by China's highest legislative authority, it gives China's major regulator of HGR, the Ministry of Science and Technology, or the MOST, significantly more power and discretion to regulate HGR and it is expected that the overall regulatory landscape for China-Sourced HGR will evolve and become even more rigorous and sophisticated. In addition, the interpretation and application of data protection laws in China and elsewhere are often uncertain and in flux.
In addition, in the United States, at both the federal and state levels, and in territories outside of Mainland China where we have rights to and plan to develop and commercialize our in-licensed product candidates, including Hong Kong, Macau, Singapore, South Korea, Taiwan and Thailand, we are subject to laws and regulations that address privacy, personal information protection and data security. Numerous laws and regulations, including security breach notification laws, health information privacy laws and consumer protection laws, govern the collection, use, disclosure and protection of health-related and other personal information. Given the variability and evolving state of these laws, we face uncertainty as to the exact interpretation of the new requirements, and we may be unsuccessful in implementing all measures required by regulators or courts in their interpretation.
We expect that these data protection and transfer laws and regulations will receive greater attention and focus from regulators going forward, and we will continue to face uncertainty as to whether our efforts to comply with evolving obligations under data protection, privacy and security laws in China, the United States and other countries where we conduct or plan to conduct business will be sufficient.
Any failure or perceived failure by us to comply with applicable laws and regulations could result in reputational damage or proceedings or actions against us by governmental entities, individuals or others. These proceedings or actions could subject us to significant civil or criminal penalties and negative publicity, result in the delayed or halted transfer or confiscation of certain personal information, result in the suspension of ongoing clinical trials or a ban on the initiation of new trials, require us to change our business practices, increase our costs and materially harm our business, prospects, financial condition and results of operations. In addition, our current and future relationships with customers, vendors, pharmaceutical partners and other third parties could be negatively affected by any proceedings or actions against us or current or future data protection obligations imposed on them under applicable law, including the European Union General Data Protection Regulation, Cyber Security Law and HGR Regulation. In addition, a data breach affecting personal information, including health information, or a failure to comply with applicable requirements could require significant management resources and result in legal and financial exposure and reputational damage that could potentially have a material adverse effect on our business and results of operations. Moreover, the legal uncertainty created by the Data Security Law and the recent Chinese government actions could materially adversely affect our ability, on favorable terms, to raise capital, including engaging in follow-on offerings of our securities in the U.S. market. Even if our practices are not subject to legal challenge, the perception of privacy concerns, whether or not valid, may harm our reputation and brand and adversely affect our business, financial condition and results of operations.