CymaBay Therapeutics (CBAY) Risk Analysis

In the ordinary course of business, we collect, receive, store, process, generate, use, transfer, disclose, make accessible, protect, secure, dispose of, transmit, and share (collectively, process) personal data and other sensitive information, including proprietary and confidential business data, trade secrets, intellectual property, data collected about trial participants in connection with clinical trials, and other sensitive third-party data. These activities result in our being subject to or affected by numerous federal, state and foreign laws and regulations, as well as regulatory guidance, governing the collection, use, disclosure, retention, and security of personal data, such as information that we collect about patients and healthcare providers in connection with clinical trials in the United States and abroad. The global data protection landscape is rapidly evolving, and implementation standards and enforcement practices are likely to remain uncertain for the foreseeable future. This evolution may create uncertainty in our business, affect our or our vendors' ability to operate in certain jurisdictions or to collect, store, transfer, use and share personal information, necessitate the acceptance of more onerous obligations in our contracts, result in liability or impose additional costs on us. The cost of compliance with these laws, regulations and standards is high and is likely to increase in the future. In many jurisdictions, enforcement actions and consequences for noncompliance are rising. In the United States, HIPAA imposes, among other things, certain standards relating to the privacy, security, transmission and breach reporting of individually identifiable health information (see "Federal and State HealthCare Laws" above). Certain states also impose stricter requirements for processing certain personal data, including sensitive information, such as conducting data privacy impact assessments. These state laws allow for statutory fines for noncompliance. For example, the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020-collectively, CCPA-applies to personal data of consumers, business representatives, and employees who are California residents, and requires businesses to provide specific disclosures in privacy notices and honor requests of such individuals to exercise certain privacy rights. The CCPA provides for fines of up to $7,500 per intentional violation and allows private litigants affected by certain data breaches to recover significant statutory damages. Although the CCPA exempts some data processed in the context of clinical trials, the CCPA increases compliance costs and potential liability with respect to other personal data we maintain about California residents. Additionally, in the past few years, numerous U.S. states in addition to California-including Virginia, Colorado, Connecticut, and Utah-have enacted comprehensive privacy laws that impose certain obligations on covered businesses, including providing specific disclosures in privacy notices and affording residents with certain rights concerning their personal data. As applicable, such rights may include the right to access, correct, or delete certain personal data, and to opt-out of certain data processing activities, such as targeted advertising, profiling, and automated decision-making. The exercise of these rights may impact our business and ability to provide our products and services. Similar laws are being considered in several other states, as well as at the federal and local levels, and we expect more states to pass similar laws in the future. While these states, like the CCPA, also exempt some data processed in the context of clinical trials, these developments further complicate compliance efforts, and increase legal risk and compliance costs for us, the third parties upon whom we rely. Our operations abroad may also be subject to increased scrutiny or attention from data protection authorities. Many countries in these regions have established or are in the process of establishing privacy and data security legal frameworks with which we, our customers, or our vendors must comply. For example, the EU has adopted the General Data Protection Regulation (EU) 2016/679, or GDPR, which went into effect in May 2018 and includes strict requirements for processing the personal information of EU subjects, including clinical trial data. The GDPR has increased compliance burdens on us, including by mandating potentially burdensome documentation requirements and granting certain rights to individuals to control how we collect, use, disclose, retain and process information about them. The processing of sensitive personal data, such as physical health condition, has imposed heightened compliance burdens under the GDPR and is a topic of active interest among foreign regulators. In addition, the GDPR provides for robust regulatory enforcement and fines for a noncompliant company. Under the GDPR, companies may face temporary or definitive bans on data processing and other corrective actions; fines of up to 20 million Euros under the EU GDPR, 17.5 million pounds sterling under the UK GDPR or, in each case, 4% of annual global revenue, whichever is greater; or private litigation related to processing of personal data brought by classes of data subjects or consumer protection organizations authorized at law to represent their interests. As we continue to expand into other foreign countries and jurisdictions, we may be subject to additional laws and regulations that may affect how we conduct business. Any failure or perceived failure by us to comply with federal, state or foreign laws or regulation, our internal policies and procedures or our contracts governing our processing of personal information could result in negative publicity, diversion of management time and effort and proceedings against us by governmental entities, litigation by private plaintiffs or others, additional reporting requirements and/or oversight, bans on processing personal data, orders to destroy or not use personal data, and imprisonment of company officials. Moreover, despite our efforts, our personnel or third parties on whom we rely may fail to comply with such obligations, which could negatively impact our business operations. In particular, plaintiffs have become increasingly more active in bringing privacy-related claims against companies, including class claims and mass arbitration demands. Some of these claims allow for the recovery of statutory damages on a per violation basis, and, if viable, carry the potential for monumental statutory damages, depending on the volume of data and the number of violations. Any of these events could have a material adverse effect on our reputation, business, or financial condition, including but not limited to: loss of customers; interruptions or stoppages in our business operations (including, as relevant, clinical trials); inability to process personal data or to operate in certain jurisdictions; limited ability to develop or commercialize our products; expenditure of time and resources to defend any claim or inquiry; adverse publicity; or substantial changes to our business model or operations.

We collect and maintain information in digital form that is necessary to conduct our business, and we are increasingly dependent on information technology systems and infrastructure to operate our business. In the ordinary course of our business, we collect, store and transmit confidential information, including intellectual property, proprietary business information and personal information. It is critical that we do so in a secure manner to maintain the confidentiality and integrity of such confidential information. We have established physical, electronic and organizational measures designed to safeguard and secure our systems to prevent a data compromise, and rely on commercially available systems, software, tools, and monitoring to provide security for our information technology systems and the processing, transmission and storage of digital information. We have also outsourced elements of our information technology infrastructure, and as a result a number of third-party vendors may or could have access to our confidential information. Our internal information technology systems and infrastructure, and those of our current and any future collaborators, contractors and consultants and other third parties on which we rely, are vulnerable to damage from computer viruses, malware, natural disasters, terrorism, war, telecommunication and electrical failures, cyber-attacks or cyber-intrusions over the Internet, attachments to emails, persons inside our organization, or persons with access to systems inside our organization, which may compromise our system infrastructure or lead to the loss, destruction, alteration or dissemination of, or damage to, our data. The risk of a security breach or disruption, particularly through cyber-attacks or cyber intrusion, including by computer hackers, foreign governments and cyber terrorists, has generally increased as the number, intensity and sophistication of attempted attacks and intrusions from around the world have increased. During times of war and other major conflicts, we, the third parties upon which we rely, may be vulnerable to a heightened risk of these attacks, including retaliatory cyber-attacks, that could materially disrupt our systems and operations, supply chain, and ability to produce, sell and distribute our goods and services. In particular, severe ransomware attacks are becoming increasingly prevalent and can lead to significant interruptions in our operations, ability to provide our products or services, loss of sensitive data and income, reputational harm, and diversion of funds. Extortion payments may alleviate the negative impact of a ransomware attack, but we may be unwilling or unable to make such payments due to, for example, applicable laws or regulations prohibiting such payments. In addition, the prevalent use of mobile devices that access confidential information increases the risk of data security breaches, which could lead to the loss of confidential information or other intellectual property. The costs to us to mitigate network security problems and security vulnerabilities could be significant, and our efforts to address these problems may not be successful, and these problems could result in unexpected interruptions, delays, cessation of service and other harm to our business and our competitive position. If such an event is to occur and cause interruptions in our operations or our vendors, it may result in a material disruption of our product development programs and our reputation could be materially damaged. We could also be exposed to a risk of loss or litigation and potential liability, which could materially adversely affect our business, results of operations and financial condition. While we have implemented security measures designed to protect against security incidents, there can be no assurance that these measures will be effective. We may be unable in the future to detect vulnerabilities in our information technology systems because such threats and techniques change frequently, are often sophisticated in nature, and may not be detected until after a security incident has occurred. Further, we may experience delays in developing and deploying remedial measures designed to address any such identified vulnerabilities. Applicable data privacy and security obligations may require us to notify relevant stakeholders of security incidents. Such disclosures are costly, and the disclosure or the failure to comply with such requirements could lead to adverse consequences. We rely on third-party service providers and technologies to operate critical business systems to process sensitive information in a variety of contexts. Our ability to monitor these third parties' information security practices is limited, and these third parties may not have adequate information security measures in place. If our third-party service providers experience a security incident or other interruption, we could experience adverse consequences. While we may be entitled to damages if our third-party service providers fail to satisfy their privacy or security-related obligations to us, any award may be insufficient to cover our damages, or we may be unable to recover such award. If we (or a third party upon whom we rely) experience a security incident or are perceived to have experienced a security incident, we may experience adverse consequences, such as government enforcement actions (for example, investigations, fines, penalties, audits, and inspections); additional reporting requirements and/or oversight; restrictions on processing sensitive information (including personal data); litigation (including class claims); indemnification obligations; negative publicity; reputational harm; monetary fund diversions; interruptions in our operations (including availability of data); financial loss; and other similar harms. Security incidents and attendant consequences may cause stakeholders (including investors and potential customers) to stop supporting our platform, deter new customers from products, and negatively impact our ability to grow and operate our business. Our contracts may not contain limitations of liability, and even where they do, there can be no assurance that limitations of liability in our contracts are sufficient to protect us from liabilities, damages, or claims related to our data privacy and security obligations. We cannot be sure that our insurance coverage will be adequate or sufficient to protect us from or to mitigate liabilities arising out of our privacy and security practices, that such coverage will continue to be available on commercially reasonable terms or at all, or that such coverage will pay future claims.

As the manufacturing processes are scaled up they may reveal manufacturing challenges or previously unknown impurities that could require resolution in order to proceed with our planned clinical trials and obtain regulatory approval for the commercial marketing of our products. In the future, we may identify manufacturing issues or impurities that could result in delays in the clinical program and regulatory approval for our products, increases in our operating expenses, failure to obtain or maintain approval for our products, or delays in getting our products to market. Our reliance on third-party manufacturers entails risks, including the following: -   the inability to meet our product specifications, including product formulation, and quality requirements consistently;-   a delay or inability to procure or expand sufficient manufacturing capacity;-   manufacturing and product quality issues, including those related to scale-up of manufacturing;-   costs and validation of new equipment and facilities required for scale-up;-   a failure to comply with cGMP and similar quality standards;-   the inability to negotiate manufacturing agreements with third parties under commercially reasonable terms;-   termination or nonrenewal of manufacturing agreements with third parties in a manner or at a time that is costly or damaging to us;-   the reliance on a limited number of sources, and in some cases, single sources for key materials, such that if we are unable to secure a sufficient supply of these key materials, we will be unable to manufacture and sell our products in a timely fashion, in sufficient quantities or under acceptable terms;-   the lack of qualified backup suppliers for those materials that are currently purchased from a sole or single source supplier;-   operations of our third-party manufacturers or suppliers could be disrupted by conditions unrelated to our business or operations, including the bankruptcy of the manufacturer or supplier;-   carrier disruptions or increased costs that are beyond our control; and -   the failure to deliver our products under specified storage conditions and in a timely manner. Any of these events could lead to delays in any clinical study we may undertake, failure to obtain regulatory approval or impact our ability to successfully commercialize our products. Some of these events could be the basis for FDA or other regulatory authorities' action, including injunction, recall, seizure, or total or partial suspension of production.

We are dependent on principal members of our executive team. While we have entered into employment offer letters with each of our executive officers, any of them could leave our employment at any time, as all of our employees are "at will" employees. We do not maintain "key person" insurance for any of our executives or other employees. Recruiting and retaining other qualified employees for our business, including clinical, scientific, technical and sales and marketing personnel, will also be critical to our success. There is currently a shortage of skilled executives in our industry, which is likely to continue. We also experience competition from universities, competitors and research institutions for the hiring of scientific and clinical personnel. As a result, competition for skilled personnel is intense and the turnover rate can be high. We may not be able to attract and retain personnel on acceptable terms given the competition among numerous pharmaceutical and biotechnology companies for similar personnel. In addition, failure of any of our clinical studies may make it more challenging to recruit and retain qualified personnel. If we are unable to successfully recruit key employees or replace key executives or key employees, it may adversely affect the progress of our research, development and commercialization objectives. In addition, we rely on consultants and advisors, including scientific and clinical advisors, to assist us in formulating our research and development and commercialization strategies. Our consultants and advisors may be engaged by employers other than us and may have commitments under consulting or advisory contracts with other entities that may limit their availability to us, which could also adversely affect the progress of our research, development and commercialization objectives.

The life sciences industry is highly competitive, and we face significant competition from other pharmaceutical, biopharmaceutical and biotechnology companies and possibly from academic institutions, government agencies and private and public research institutions that are researching, developing and marketing products designed to address diseases that we are seeking to treat. Our competitors generally have significantly greater financial, manufacturing, marketing and drug development resources. Large pharmaceutical companies, in particular, have extensive experience in the clinical testing of, obtaining regulatory approvals for, and marketing of, drugs. New developments, including the development of other pharmaceutical technologies and methods of treating disease, occur in the pharmaceutical and life sciences industries at a rapid pace. These developments may render our product candidates obsolete or noncompetitive. Compared to us, potential competitors may have substantially greater: -   research and development resources, including personnel and technology;-   regulatory experience;-   experience in pharmaceutical development and commercialization;-   ability to negotiate competitive pricing and reimbursement with third-party payors;-   experience and expertise in the exploitation of intellectual property rights; and -   capital resources. As a result of these factors, our competitors may obtain regulatory approval of their products more rapidly than we do or may obtain patent protection or other intellectual property rights that limit our ability to develop or commercialize our product candidates. The competitors may also develop products that are more effective, better tolerated, more useful and less costly than our products and they may also be more successful in manufacturing and marketing their products.

If any of our product candidates receive marketing approval, they may nonetheless be unable to gain sufficient market acceptance by physicians, patients, health care payors and others in the medical community. If these products do not achieve an adequate level of acceptance, we may not generate significant product revenues and we may not become profitable. The degree of market acceptance of any of our products will depend on a number of factors, including the following: -   demonstration of clinical safety and efficacy in our clinical trials;-   the risk/benefit profile of our products;-   the relative convenience, ease of administration and acceptance by physicians, patients and health care payors;-   the prevalence and severity of any side effects;-   the safety of products seen in a broader patient group, including its use in unapproved indications;-   limitations or warnings contained in the FDA and other regulatory authorities approved label for the relevant product;-   acceptance of the product by physicians, other health care providers and patients as a safe and effective treatment;-   the potential and perceived advantages of products over alternative treatments;-   the timing of market introduction of competitive products;-   pricing and cost-effectiveness;-   the effectiveness of our or any future collaborators' sales and marketing strategies;-   manufacturing or product quality;-   our ability to obtain formulary approval;-   our ability to obtain and maintain sufficient third-party coverage or reimbursement, which may vary from country to country; and -   the effectiveness of our or any future collaborators' sales, marketing and distribution efforts.

We had a small number of clinical sites in Russia in our RESPONSE clinical trial. Ongoing geo-political turmoil and continuing military action in the region, together with widening sanctions imposed on Russia, caused us to wind down clinical trial activity in Russia. Clinical trial activity in Russia concluded in the end of the fourth quarter of 2023.

If our product candidates are approved for commercialization outside the United States, we expect that we will be subject to additional risks related to international operations, including the following: -   different regulatory requirements for drug approvals in foreign countries;-   compliance with local healthcare and pricing regulations;-   reduced protection for intellectual property rights;-   unexpected changes in tariffs, trade barriers and regulatory requirements;-   differing payor reimbursement regimes, governmental payors or patient self-pay systems and price controls;-   economic weakness, including inflation, or political instability in particular foreign economies and markets;-   compliance with tax, employment, immigration and labor laws for employees living or traveling abroad;-   foreign taxes, including withholding of payroll taxes;-   foreign currency fluctuations, which could result in increased operating expenses and reduced revenues, and other obligations incident to doing business in another country;-   workforce uncertainty in countries where labor unrest is more common than in the United States;-   production shortages resulting from any events affecting raw material supply or manufacturing capabilities abroad -   ensuring patient access through supply and packaging infrastructure requirements; and -   business interruptions resulting from geopolitical actions, including war and terrorism, pandemics, or natural disasters including earthquakes, typhoons, volcanic eruptions, floods and fires. We have no prior experience in these areas. In addition, there are complex regulatory, tax, labor and other legal requirements imposed by both the European Union and many of the individual countries in Europe with which we would need to comply. Many U.S.-based biopharmaceutical companies have found the process of marketing their own products in Europe to be very challenging.