CervoMed (CRVO) Risk Analysis

The global data protection landscape is rapidly evolving, and the Company is currently and may become subject to or impacted by a wide variety of provincial, state, national, and international laws and regulations apply to the collection, use, retention, protection, disclosure, transfer and other processing of personal data. These data protection and privacy-related laws and regulations are evolving and may result in increased regulatory and public scrutiny and escalating levels of enforcement and sanctions. Implementation standards and enforcement practices are likely to remain uncertain and unpredictable for the foreseeable future, which may create uncertainty in the Company's business, affect the Company's or the Company's service providers' ability to operate in certain jurisdictions or to collect, store, transfer use and share personal data, result in liability or impose additional compliance or other costs on the Company. Failure to comply with data protection laws and regulations, where applicable, could result in government enforcement actions, which could include civil or criminal penalties, private litigation and/or adverse publicity and could negatively affect the Company's operating results and business. In the U.S., numerous federal and state laws and regulations, including state data breach notification laws, state health information privacy laws and federal and state consumer protection laws govern the collection, use, disclosure and protection of health-related and other personal information. For example, the CCPA, which became effective in 2020, broadly defines personal information, gives California residents expanded individual privacy rights and protections and provides for civil penalties for violations and a private right of action for data breaches. Further, the CPRA, which became effective in 2023 and amends the CCPA, creates additional obligations with respect to processing and storing personal information. While there is limited exception for protected health information that is subject to HIPAA and clinical trial regulations, the CCPA may regulate or impact the Company's processing of personal information depending on the context. Unlike other state privacy laws, the CCPA also regulates personal information collected in a business to business and in human resources contexts. Further, there continues to be some uncertainty about how provisions of the CCPA and the new regulations will be interpreted and how the law will be enforced. In addition to California, more U.S. states are enacting similar legislation, increasing compliance complexity and increasing risks of failures to comply. In 2023, comprehensive privacy laws in Virginia, Colorado, Connecticut, and Utah all took effect, and laws in Montana, Oregon, and Texas took effect in 2024. Laws in a number of other U.S. states took effect, or are set to take effect, in 2025, in 2026, and beyond, and additional U.S. states have proposals under consideration. The existence of differing comprehensive privacy laws in different states in the country may make the Company's compliance obligations more complex and costly and may require us to modify the Company's data processing practices and policies and to incur substantial costs and potential liability in an effort to comply with such legislation. In addition, other federal and state laws establish additional requirements for protecting the privacy and security of health information that is not protected by HIPAA. For instance, Washington state recently passed the "My Health My Data" Act, which came into force in 2024 and regulates "consumer health data," which is broadly defined as "personal information that is linked or reasonably linkable to a consumer and that identifies a consumer's past, present, or future physical or mental health." The "My Health My Data" Act provides exemptions for personal data used or shared in connection with certain research activities, including data subject to 45 C.F.R. Parts 46, 50 and 56. Notably, the "My Health My Data" Act contains a private right of action. In addition, Nevada recently enacted a consumer health data privacy bill, SB 370, which also took effect in 2024, and regulates "consumer health data." SB 370 shares many similarities with Washington's "My Health My Data" Act, and Connecticut recently amended its comprehensive privacy law to include heighted regulation of "consumer health data." Additional states are considering and may adopt health-specific privacy laws that could impact the Company's business activities and the Company's collection and handling of health-related data. Numerous other countries have, or are developing, laws governing the collection, use and transmission of personal information as well. For example, the European Parliament and the Council of the European Union adopted a comprehensive general data privacy framework called the GDPR which became fully effective in May 2018 and governs the collection and use of personal data in the European Union, including by companies outside of the European Union., The GDPR also imposes strict rules on the transfer of personal data out of the European Union to the U.S. The GDPR imposes stringent data protection requirements and provides for penalties for noncompliance of up to the greater of €20 million or four percent of worldwide annual turnover. The GDPR and many other laws and regulations relating to privacy and data protection are still being tested in courts, and they are subject to new and differing interpretations by courts and regulatory officials. The GDPR and other changes in laws or regulations associated with the enhanced protection of certain types of personal data, such as healthcare data or other sensitive information, could greatly increase the Company's cost of providing the Company's products and services or even prevent us from offering certain services in jurisdictions that the Company may operate in. The GDPR may increase the Company's responsibility and liability in relation to personal data that the Company processes where such processing is subject to the GDPR, and the Company may be required to put in place additional mechanisms to ensure compliance with the GDPR, including as implemented by individual countries. Ensuring the Company's continued compliance with the GDPR is a rigorous and time-intensive process that may increase the Company's cost of doing business or require us to change the Company's business practices, and despite those efforts, there is a risk that the Company may be subject to fines and penalties, litigation, and reputational harm in connection with the Company's European activities. Many jurisdictions outside of U.S. and Europe are also considering and/or enacting comprehensive data protection legislation that could have an impact on market expansion and clinical trials as well. Additionally, following the United Kingdom's withdrawal from the European Union (i.e., Brexit), and the expiry of the Brexit transition period, which ended on December 31, 2020, the GDPR has been implemented in the United Kingdom (as the UK GDPR). The UK GDPR sits alongside the UK Data Protection Act 2018 which implements certain derogations in the GDPR into UK law. Under the UK GDPR, companies not established in the UK but who process personal data in relation to the offering of goods or services to individuals in the UK, or to monitor their behavior will be subject to the UK GDPR – the requirements of which are (at this time) largely aligned with those under the EU GDPR and as such, may lead to similar compliance and operational costs with potential fines of up to £17.5 million or 4% of global turnover. Transfers of personal data to certain countries outside of the EEA and the UK are also highly regulated under the GDPR and UK GDPR. For example, the GDPR only permits exports of personal data outside of the EEA to "non-adequate" countries where there is a suitable data transfer mechanism in place to safeguard personal data (e.g., the EU Commission approved Standard Contractual Clauses or certification under the Data Privacy Framework). On July 16, 2020, the Court of Justice of the EU, or the CJEU, issued a landmark opinion in the case Maximilian Schrems vs. Facebook (Case C-311/18) (Schrems II). This decision calls into question certain data transfer mechanisms as between the EU member states and the U.S. The CJEU is the highest court in Europe and the Schrems II decision heightened the burden to assess U.S. national security laws on their business, and future actions of EEA data protection authorities are difficult to predict at this time. While the Data Privacy Framework was meant to address the concerns raised by the CJEU in Schrems II, it will likely be subject to future legal challenges. Consequently, there is some risk of any data transfers from the EEA being halted. Future actions of European Union data protection authorities are difficult to predict. Some customers or other service providers may respond to these evolving laws and regulations by asking us to make certain privacy or data-related contractual commitments that we are unable or unwilling to make. This could lead to the loss of current or prospective customers or other business relationships. Because the interpretation and application of many privacy and data protection laws (including laws in the U.S. and the GDPR), commercial frameworks, and standards are uncertain, it is possible that these laws, frameworks, and standards may be interpreted and applied in a manner that is inconsistent with the Company's existing data management practices and policies. If so, in addition to the possibility of fines, lawsuits, breach of contract claims, and other claims and penalties, the Company could be required to fundamentally change the Company's business activities and practices or modify the Company's solutions, which could have an adverse effect on the Company's business. Any inability to adequately address privacy and security concerns, even if unfounded, or comply with applicable privacy and security or data security laws, regulations, and policies, could result in additional cost and liability to us, damage the Company's reputation, inhibit the Company's ability to conduct trials, and adversely affect the Company's business. Applicable data privacy and data protection laws may conflict with each other, and by complying with the laws or regulations of one jurisdiction, the Company may find that it is violating the laws or regulations of another jurisdiction. Despite the Company's efforts, the Company may not have fully complied in the past and may not in the future. That could require the Company to incur significant expenses, which could significantly affect its business. Failure to comply with data protection laws or to protect personal data or other data the Company processes or maintains may expose the Company to risk of enforcement actions taken by data protection authorities or other regulatory agencies, private rights of action in some jurisdictions, potential significant fines, penalties and other liabilities if it is found to be non-compliant, and damage to the Company's reputation, any of which could materially affect its business, financial condition, results of operations and prospects. Furthermore, the number of government investigations related to data security incidents and privacy violations continue to increase and government investigations typically require significant resources and generate negative publicity, which could harm the Company's business and reputation.

An important element of a biotechnology company's strategy for developing, manufacturing and commercializing its drug candidates may be to enter into strategic alliances with pharmaceutical companies or other industry participants to advance its programs and enable it to maintain its financial and operational capacity. Biotechnology companies at the Company's stage of development sometimes rely upon collaborative arrangements or strategic alliances to complete the development and commercialization of drug candidates, particularly after the Phase 2 stage of clinical testing. To date, the Company has not entered into any collaborative arrangements or strategic alliances, and it may face significant competition in seeking such relationships. In addition, such arrangements may place the development of the Company's drug candidates outside its control, require the Company to relinquish important rights, or may otherwise be on terms unfavorable to the Company. The Company may not be able to negotiate collaborations and alliances on acceptable terms, if at all. If the Company enters a collaborative arrangement and it proves to be unsuccessful, the Company may have to delay, or limit the size or scope of, certain of its drug development activities. Alternatively, if the Company elects to fund drug development or research programs on its own, it will have to increase its expenditures and will need to obtain additional funding, which may not be available to the Company on acceptable terms, if at all.

Results of any clinical trial the Company conducts could reveal a high and unacceptable severity and prevalence of side effects or unexpected characteristics. SAEs or undesirable side effects caused by neflamapimod, or any other product candidates the Company may develop or acquire, could cause it or regulatory authorities to interrupt, delay or halt clinical trials and could result in a more restrictive label or the delay or denial of regulatory approval by the FDA or other comparable foreign authorities. Many compounds that have initially showed promise in clinical or earlier stage testing are later found to cause undesirable or unexpected side effects that prevented further development of the compound. Further, problems with product candidates or approved products marketed by third parties that utilize the same therapeutic target or that belong to the same therapeutic class as neflamapimod or any future product candidates of the Company could adversely affect the development, regulatory approval and commercialization of the Company's product candidates. For example, to date, neflamapimod has been evaluated in over 500 participants, at doses up to 750mg twice a day, and up to 32 weeks of treatment. The adverse effects seen in more than 5% of neflamapimod-treated participants in completed trials, which include headache, diarrhea, abdominal pain, respiratory infection, and falls, were generally mild. In addition, increased levels of certain "liver enzymes" in the blood are a well-known dose-dependent side effect of p38 MAPK inhibitors. These liver enzymes, aspartate aminotransferase and alanine aminotransferase, are proteins commonly produced in the liver, the measurements of which can help doctors evaluate liver function. In an early 2000s study of neflamapimod conducted by Vertex, during 12 weeks of dosing at 250mg BID (i.e., four-fold higher daily dosing than the dose in the RewinD-LB Trial) in 44 subjects with RA, elevations in such liver enzymes levels were noted in six subjects (14%). After the Company acquired an exclusive license from Vertex to develop and commercialize neflamapimod for the treatment of AD and other CNS disorders, the Company submitted an IND application to the DNP in February 2015. The DNP cleared the Company's clinical trial application in March 2015. However, in August 2015, following a standard review of the long-term animal toxicity studies, the DNP placed a partial clinical hold on the Company's then ongoing Phase 2a study in AD and any subsequent studies proposed under the IND. A partial clinical hold means that the FDA suspends part of the clinical work requested under the IND (e.g., a specific protocol or part of a protocol is not allowed to proceed); however, all other protocols and/or remaining parts of the protocol are allowed to proceed under the IND. Under DNP's partial clinical hold that remains in effect for the neflamapimod IND, the agency limited administration of neflamapimod to doses that lead to plasma drug levels that provide a ten-fold safety margin to human subjects, based on the plasma drug levels in animals that had previously led to minimal or equivocal toxicity findings. The Company's current understanding of plasma drug levels achieved with neflamapimod in humans means that its investigational dosing in the U.S. is limited by this partial clinical hold to no more than 40mg TID in patients weighing 50 kg (110 lbs.) or more. Accordingly, the Company's ongoing RewinD-LB Trial is being conducted at 40mg TID (limited to patients weighing 50 kg (110 pounds) or more within the U.S., and not so limited outside the U.S.) With respect to the adverse effects discussed above, the participants were asymptomatic, there were no associated increases in bilirubin, and the elevations resolved with treatment discontinuation. Furthermore, no liver enzyme abnormalities were observed in the AscenD-LB Trial. However, as the Company continues the development and clinical trials of neflamapimod, treatment-related SAEs may arise in the future. Side effects that are deemed to be drug-related could affect patient recruitment or the ability of enrolled subjects to complete the trial or result in potential product liability claims. Undesirable side effects in one of the Company's clinical trials for neflamapimod in one indication could adversely affect enrollment in clinical trials, regulatory approval and commercialization of the Company's product candidate in other indications. These side effects may not be appropriately recognized or managed by the treating medical staff. In addition, discovery of previously unknown class effect problems may prevent or delay clinical development and commercial approval of product candidates or result in restrictions on permissible uses after their approval. On the other hand, many drugs provide superior efficacy at higher doses and, if determined to be safe and tolerable, higher doses of neflamapimod may be desirable for a variety of reasons. Accordingly, the Company is currently undertaking a number of studies, including our Phase 2a DLB trial in Strasbourg, France, and several preclinical studies, to further evaluate the safety and tolerability profile of higher doses of neflamapimod, including 80mg BID. If the Company or others identify undesirable side effects caused by the mechanisms of action of a product candidate or a class of product candidates, the FDA may require the Company to conduct additional clinical trials, or to implement a REMS program prior to commercial approval. Alternatively, regulatory authorities may not approve the product candidate or, as a condition of approval, may require specific warnings and contraindications or place certain limitations on how the Company can promote the drug. Following a potential future drug product approval, regulatory authorities might also withdraw such approval due to the discovery of previously unknown safety issues relating to the product and require the Company to take its drug off the market. Any of these occurrences may harm the Company's business, financial condition and prospects significantly. Further, clinical trials, by their nature, utilize a sample of the potential patient population. With a limited number of patients, rare and severe side effects of neflamapimod or future product candidates may only be uncovered with a significantly larger number of patients exposed to the product candidate. If neflamapimod, or any other product candidates the Company may develop or acquire, receives marketing approval and the Company or others identify undesirable side effects caused by such product candidates (or any other similar products) after such approval, a number of potentially significant negative consequences could result, including: - regulatory authorities may withdraw or limit their approval of such product candidates;- regulatory authorities may require the addition of labeling statements, such as a "Boxed" Warning or a contraindication;- the Company may be required to change the way such product candidates are distributed or administered, conduct additional clinical trials or change the labeling of the product candidates;- the FDA may require a REMS plan to mitigate risks, which could include medication guides, physician communication plans, or elements to assure safe use, such as restricted distribution methods, patient registries and other risk minimization tools, and regulatory authorities in other jurisdictions may require comparable risk mitigation plans;- the Company may be subject to regulatory investigations and government enforcement actions;- the FDA or a comparable foreign regulatory authority may require the Company to conduct additional clinical trials or costly post-marketing testing and surveillance to monitor the safety and efficacy of the product;- the Company may decide to recall such product candidates from the marketplace after they are approved;- the Company could be sued and held liable for injury caused to individuals exposed to or taking its product candidates; and - the Company's reputation may suffer.

The biotechnology and pharmaceutical industries are highly competitive and subject to significant and rapid technological change. If neflamapimod is approved, it will face intense competition from a variety of businesses, including large, fully integrated pharmaceutical companies, specialty pharmaceutical companies, biopharmaceutical companies in the U.S. and other jurisdictions, academic institutions and governmental agencies and public and private research institutions. These organizations may have significantly greater resources than the Company does. They may also conduct similar research, seek patent protection, and establish collaborative arrangements for research, development, manufacturing and marketing of products that may compete with neflamapimod. Currently, there are a limited number of companies developing treatments specifically for DLB. However, given the potential market opportunity for the treatment of DLB and other neurodegenerative diseases, an increasing number of established pharmaceutical firms and smaller biotechnology/biopharmaceutical companies are pursuing a range of potential therapies for these diseases in various stages of clinical development. In addition to these current and potential competitors, the Company anticipates that more companies will enter the DLB market in the future. The Company's potential competitors could have significantly greater financial resources, as well as drug development, manufacturing, marketing, and sales expertise. They may also be able to develop and commercialize products that are safer, more effective, less expensive, more convenient, easier to administer, or have fewer severe effects, than existing treatments or, if it is ultimately approved, neflamapimod. Competitors may also obtain FDA or other regulatory approval for their product candidates more rapidly than the Company may obtain approval for neflamapimod, which could result in their establishing or strengthening a commercial position before the Company is able to enter the market. The highly competitive nature of the biotechnology and pharmaceutical industries, as well as the rapid technological changes in those fields, could limit The Company's ability to advance neflamapimod commercially. If the Company is unable to compete effectively, this could have a material adverse effect on its business and results of operations.

The Company intends to initially focus its product candidate development on treatments for various CNS and neurodegenerative indications, in particular DLB. The addressable patient populations that may benefit from treatment with the Company's product candidates, if approved, are based on its estimates. These estimates, which have been derived from a variety of sources, including scientific literature, surveys of clinics, patient foundations and market research, may prove to be incorrect. Further, new studies may change the estimated incidence or prevalence of these CNS and neurodegenerative diseases. Any regulatory approval of the Company's product candidates would be limited to the therapeutic indications examined in the Company's clinical trials and as determined by the FDA, which would not permit the Company to market its products for any other therapeutic indications not expressly reviewed and approved as safe and effective. In DLB, in particular, prevalence estimates among experts and practitioners vary greatly, as do estimates of the percentage of DLB patients that have AD co-pathology. Additionally, the potentially addressable patient population for the Company's product candidates may not ultimately be amenable to treatment with the Company's product candidates. Even if the Company receives regulatory approval for any of its product candidates, such approval could be conditioned upon label restrictions that materially limit the addressable patient population. The Company's market opportunity may also be limited by future competitor treatments that enter the market. If any of the Company's estimates prove to be inaccurate, the market opportunity for any product candidate that the Company or its strategic partners develop could be significantly diminished and have an adverse material impact on its business.

The Company's operations could be significantly adversely affected by the effects of a widespread outbreak of epidemics, pandemics or other health crises, including COVID-19. The Company cannot accurately predict the impact of epidemics and pandemics would have on our operations and the ability of third parties to meet their obligations under contracts or arrangements with the Company, including uncertainties relating to the ultimate geographic spread of epidemics and pandemics, the severity of the underlying diseases, the duration of outbreaks, and the length of travel and quarantine restrictions imposed by governments of affected countries. In addition, a significant outbreak of contagious diseases in the human population could result in a widespread health crisis that could adversely affect the economies and financial markets of many countries, resulting in an economic downturn that could further affect the Company's operations and ability to finance the Company's operations.