Cyclacel Pharmaceuticals (CYCC) Risk Factors

Even if we successfully complete the clinical trials for one or more of our product candidates, the product candidates may fail for other reasons, including, without limitation, the possibilities that the product candidates will: - fail to receive the regulatory approvals required to market them as drugs;- be subject to proprietary rights held by others requiring the negotiation of a license agreement prior to marketing;- be difficult or expensive to manufacture on a commercial scale;- have adverse side effects that make their use less desirable; or - fail to compete effectively with product candidates or other treatments commercialized by our competitors. If we are unable to receive the required regulatory approvals, secure our intellectual property rights, minimize the incidence of any adverse side effects or if we fail to compete with our competitors' products, our business, financial condition, and results of operations may be materially and adversely affected.

The patent positions of pharmaceutical and biotechnology companies can be highly uncertain and involve complex legal and factual questions. The U.S. Patent and Trademark Office's, or USPTO's, standards are uncertain and could change in the future. Consequently, the issuance and scope of patents cannot be predicted with certainty. Patents, if issued, may be challenged, invalidated or circumvented. U.S. patents and patent applications may also be subject to interference proceedings, and U.S. patents may be subject to Inter Partes Review (IPR), Post Grant Review (PGR) or reexamination proceedings in the USPTO (and foreign patents may be subject to opposition or comparable proceedings in the corresponding foreign patent office), which proceedings could result in either loss of the patent or denial of the patent application or loss or reduction in the scope of one or more of the claims of the patent or patent application. Similarly, opposition or invalidity proceedings could result in loss of rights or reduction in the scope of one or more claims of a patent in foreign jurisdictions. In addition, such interference, reexamination and opposition proceedings may be costly. Accordingly, rights under any issued patents may not provide us with sufficient protection against competitive products or processes. If we fail to obtain and maintain patent protection and trade secret protection of our product candidates, proprietary technologies and their uses, we could lose our competitive advantage and competition we face would increase, reducing our potential revenues and adversely affecting our ability to attain or maintain profitability.

Despite the implementation of security measures, our internal computer systems, and those of our CROs and other third parties on which we rely, are vulnerable to damage from computer viruses, unauthorized access, natural disasters, terrorism, war and telecommunication and electrical failures. If such an event were to occur and cause interruptions in our operations, it could result in a material disruption of our drug development programs. For example, the loss of clinical trial data from completed or ongoing or planned clinical trials could result in delays in our regulatory approval efforts and significantly increase our costs to recover or reproduce the data. To the extent that any disruption or security breach were to result in a loss of or damage to our data or applications, or inappropriate disclosure of confidential or proprietary information, we could incur liability and the further development of our product candidates could be delayed.

The research, testing, manufacturing, labeling, approval, sale, marketing and distribution of drug products are, and will remain, subject to extensive regulation by the FDA in the United States and by the respective regulatory authorities in other countries where regulations differ. We are not permitted to market our product candidates in the United States until we receive the respective approval of an NDA from the FDA, or in any foreign countries until we receive the requisite approval from the respective regulatory authorities in such countries. The time required to obtain approval, if any, by the FDA, EMA and comparable foreign authorities is unpredictable, but typically takes many years following the commencement of clinical trials, if approval is obtained at all, and depends upon numerous factors, including the substantial discretion of the regulatory authorities and the type, complexity and novelty of the product candidates involved. Regulatory authorities have substantial discretion in the approval process and may refuse to accept any application or may decide that our data are insufficient for approval and require additional nonclinical studies or clinical trials. We have not submitted a marketing application such as an NDA to the FDA, an MAA to the EMA or any similar application to any other jurisdiction. We have limited experience in planning and conducting the clinical trials required for marketing approvals, and we have relied, and expect to continue to rely on third-party CROs to assist us in this process. Obtaining marketing approval requires the submission of extensive nonclinical and clinical data and supporting information to regulatory authorities for each therapeutic indication to establish the product candidate's safety and effiveness. Securing marketing approval also requires the submission of information about the product manufacturing process, and in many cases the inspection of manufacturing, processing and packaging facilities by the regulatory authorities. Our product candidates may not be effective, may be only moderately effective or may prove to have undesirable or unintended side effects, toxicities or other characteristics that may preclude our obtaining marketing approval or prevent or limit commercial use, or there may be deficiencies in cGMP compliance by us or by our contract manufacturers that could result in the candidate not being approved. Moreover, we have not obtained regulatory approval for any drug candidate in any jurisdiction and it is possible that none of our existing drug candidates or any drug candidates we may seek to develop in the future will ever obtain regulatory approval. Our drug candidates could fail to receive, or could be delayed in receiving, regulatory approval for many reasons, including any one or more of the following: - the FDA, EMA or comparable foreign regulatory authorities may disagree with the design or implementation of our clinical trials;- we may be unable to demonstrate to the satisfaction of the FDA, EMA or comparable foreign regulatory authorities that a drug candidate is safe and effective for its proposed indication;- the results of clinical trials may not meet the level of statistical significance required by the FDA, EMA or comparable foreign regulatory authorities for approval;- we may be unable to demonstrate that a drug candidate's clinical and other benefits outweigh its safety risks;- the FDA, EMA or comparable foreign regulatory authorities may disagree with our interpretation of data from preclinical studies or clinical trials;- the data collected from clinical trials of our drug candidates may not be sufficient to support the submission of an NDA or other submission or to obtain regulatory approval in the United States or elsewhere;- upon review of our clinical trial sites and data, the FDA or comparable foreign regulatory authorities may find our record keeping or the record keeping of our clinical trial sites to be inadequate;- the manufacturing processes or facilities of third-party manufacturers with which we contract for clinical and commercial supplies may fail to meet the requirements of the FDA, EMA or comparable foreign regulatory authorities;- the FDA, EMA or comparable foreign regulatory authorities may fail to approve the companion diagnostics we contemplate developing internally or with partners; and - the change of the medical standard of care or the approval policies or regulations of the FDA, EMA or comparable foreign regulatory authorities may significantly change in a manner that renders our clinical data insufficient for approval. The time and expense of the approval process, as well as the unpredictability of future clinical trial results and other contributing factors, may result in our failure to obtain regulatory approval to market any of our product candidates in one or more jurisdictions, which would significantly harm our business, results of operations and prospects. In such case, we may also not have the resources to conduct new clinical trials and/or we may determine that further clinical development of any such drug candidate is not justified and may discontinue any such programs. In addition, even if we were to obtain regulatory approval in one or more jurisdictions, regulatory authorities may approve any of our drug candidates for fewer or more limited indications than we request, may not approve prices we may propose to charge for our products, may grant approval contingent on the performance of costly post-marketing clinical trials (referred to as "conditional" or "accelerated" approval depending on the jurisdiction), or may approve a drug candidate with a label that does not include the labeling claims necessary or desirable for the successful commercialization of that drug candidate. Any of the foregoing circumstances could materially harm the commercial prospects for our drug candidates.

Because we conduct clinical trials in humans, we face the risk that the use of our drug candidates will result in adverse effects. We believe that we have obtained reasonably adequate product liability insurance coverage for our trials. We cannot predict, however, the possible harm or side effects that may result from our clinical trials. Such claims may damage our reputation and we may not have sufficient resources to pay for any liabilities resulting from a claim excluded from, or beyond the limit of, our insurance coverage or if the amount of the insurance coverage is insufficient to meet any liabilities resulting from any claims. We may also be exposed to additional risks of product liability claims. These risks exist even with respect to drugs that are approved for commercial sale by the FDA or other regulatory authorities in the United States, the European Union or elsewhere and manufactured in facilities licensed and regulated by the FDA, EMA or other such regulatory authorities. We have secured limited product liability insurance coverage but may not be able to maintain such insurance on acceptable terms with adequate coverage, or at a reasonable cost. There is also a risk that third parties that we have agreed to indemnify could incur liability. Even if we were ultimately successful in product liability litigation, the litigation would consume substantial amounts of our financial and managerial resources and may exceed insurance coverage creating adverse publicity, all of which would impair our ability to generate sales of the litigated product as well as our other potential drugs.

In many activities, including the conduct of clinical trials, we are subject to laws and regulations governing data privacy and the protection of health-related and other personal information. The regulatory framework for collecting, using, safeguarding, sharing, transfering and other processing of information worldwide is rapidly evolving and is likely to remain uncertain for the foreseeable future. The withdrawal of the United Kingdom from the European Union and the subsequent separation of the data protection regimes of these territories means we are required to comply with separate data protection laws in the European Union and the United Kingdom, which may lead to additional compliance costs and could increase our overall risk. Similar laws and regulations govern our processing of personal data, including the collection, access, use, analysis, modification, storage, transfer, security breach notification, destruction and disposal of personal data. For example, the collection, use, disclosure, transfer, or other processing of personal data regarding individuals in the European Union, including personal health data, is subject to the General Data Protection Regulation, or GDPR, which took effect across all Member States of the European Economic Area, or EEA, on May 25, 2018, and as still in effect in the United Kingdom as the UK GDPR. On June 28, 2021, the EU Commission adopted decisions on the UK's adequacy under the EU GDRP, and the UK continues to operate under this adequacy decision. The GDPR imposed a broad data protection framework that expanded the scope of EU and UK data protection law, including to non-EU and non-UK entities meeting the jurisdictional requirements that process, or control the processing of, personal data relating to individuals located in the EU or UK, including clinical trial data. The GDPR sets out a number of requirements for controllers and/or processors, as applicable, that must be complied with when handling the personal data of EU or UK based data subjects, including: providing expanded disclosures about how their personal data will be used; higher standards for organizations to demonstrate that they have obtained valid consent or have another legal basis in place to justify their data processing activities; the obligation to appoint data protection officers in certain circumstances; new rights for individuals to be "forgotten" and rights to data portability, as well as enhanced current rights (e.g., access requests); the principal of accountability and demonstrating compliance through policies, procedures, training and audit; and a new mandatory data breach regime. In particular, medical or health data, genetic data and biometric data are all classified as "special category" data under the GDPR and afford greater protection and require additional compliance obligations. Further, the UK and EU member states have a broad right to impose additional conditions-including restrictions-on these data categories. This is because the GDPR allows EU member states to derogate from the requirements of the GDPR mainly in regard to specific processing situations (including special category data and processing for scientific or statistical purposes). We must comply with laws and regulations associated with the international transfer of personal data based on the location in which the personal data originates and the location in which it is processed and/or controlled. Although there are legal mechanisms to facilitate the transfer of personal data from the UK, EEA, and Switzerland to the United States, the decision of the Court of Justice of the EU (CJEU) that invalidated the safe harbor framework has increased uncertainty around compliance with EU privacy law requirements. As a result of the decision, it was no longer possible to rely on safe harbor certification as a legal basis for the transfer of personal data from the European Union to entities in the United States. However, on July 10, 2023, the European Commission adopted an adequacy decision for a new mechanism for transferring data from the EU to the United States – the EU-U.S. Data Privacy Framework, which provides EU individuals with several new rights, including the right to obtain access to their data, or obtain correction or deletion of incorrect or unlawfully handled data. That being said, we have not yet self-certified under the Data Privacy Framework. The GDPR only permits exports of personal data outside of the EU to "non-adequate" countries where there is a suitable data transfer mechanism in place to safeguard personal data (e.g., the EU Commission approved Standard Contractual Clauses or certification under the newly-adopted Data Privacy Framework). On July 16, 2020, the Court of Justice of the EU, or the CJEU, issued a landmark opinion in the case Maximilian Schrems vs. Facebook (Case C-311/18) (Schrems II). This decision calls into question certain data transfer mechanisms as between the EU member states and the U.S. The CJEU is the highest court in Europe and the Schrems II decision heightened the burden to assess U.S. national security laws on their business, and future actions of EU data protection authorities are difficult to predict at this time. While the newly-adopted Data Privacy Framework was meant to address the concerns raised by the CJEU in Schrems II, it will likely be subject to future legal challenges. Consequently, there is some risk of any data transfers from the EU being halted. If we have to rely on third parties to carry out services for us, including processing personal data on our behalf, we are required under GDPR to enter into contractual arrangements to flow down or help ensure that these third parties only process such data according to our instructions and have sufficient security measures in place. Any security breach or non-compliance with our contractual terms or breach of applicable law by such third parties could result in enforcement actions, litigation, fines and penalties or adverse publicity and could cause customers to lose trust in us, which would have an adverse impact on our reputation and business. Any contractual arrangements requiring the processing of personal data from the EU to us in the U.S. will require greater scrutiny and assessments as required under Schrems II and may have an adverse impact on cross-border transfers of personal data or increase costs of compliance. The GDPR provides an enforcement authority to impose large penalties for noncompliance, including the potential for fines of up to €20 million or 4% of the annual global revenues of the noncompliant company, whichever is greater. Some customers or other service providers may respond to these evolving laws and regulations by asking us to make certain privacy or data-related contractual commitments that we are unable or unwilling to make. This could lead to the loss of current or prospective customers or other business relationships. The privacy and security of personally identifiable information stored, maintained, received or transmitted, including electronically, is subject to significant regulation in the United States and abroad. While we strive to comply with all applicable privacy and security laws and regulations, legal standards for privacy continue to evolve and any failure or perceived failure to comply may result in proceedings or actions against us by government entities or others, or could cause reputational harm, which could have a material adverse effect on our business. Numerous foreign, federal and state laws and regulations govern collection, dissemination, use and confidentiality of personally identifiable health information, including state privacy and confidentiality laws (including state laws requiring disclosure of breaches); federal and state consumer protection and employment laws; HIPAA; and European and other international data protection laws. These laws and regulations are increasing in complexity and number, may change frequently and sometimes conflict. HIPAA, as amended by the Health Information Technology for Economic and Clinical Health Act (HITECH), establishes a set of U.S. national privacy and security standards for the protection of individually identifiable health information, including protected health information, or PHI, by health plans, certain healthcare clearinghouses and healthcare providers that submit certain covered transactions electronically, or covered entities, and their "business associates," which are persons or entities that perform certain services for, or on behalf of, a covered entity that involve creating, receiving, maintaining or transmitting PHI. While we are not currently a covered entity or business associate under HIPAA, we may receive identifiable information from these entities. Failure to receive this information properly could subject us to HIPAA's criminal penalties, which may include fines up to $50,000 per violation and/or imprisonment. In addition, responding to government investigations regarding alleged violations of these and other laws and regulations, even if ultimately concluded with no findings of violations or no penalties imposed, can consume company resources and impact our business and, if public, harm our reputation. In the United States, various federal and state regulators, including governmental agencies like the Federal Trade Commission, have promulgated, or are considering promulgating, regulations concerning personal information and data securityIn addition to fines and penalties imposed upon violators, some of these state laws also afford private rights of action to individuals who believe their personal information has been misused. California's patient privacy laws, for example, provide for penalties of up to $250,000 and permit injured parties to sue for damages. In addition, The California Consumer Privacy Act ("CCPA") went into effect January 1, 2020, and is one of the most restrictive state privacy laws, protecting a wide variety of personal information and granting significant rights to California residents with respect to their personal information. Regulations under CCPA have been modified several times, and continue to be modified. Additionally, a new privacy law, the California Privacy Rights Act, ("CPRA") was approved by California voters in the election of November 3, 2020 and went into effect in January of 2023. The CPRA modified the CCPA significantly, and may result in further uncertainty, additional costs and expenses stemming from efforts to comply with this law, and increases the potential for harm and liability for failure to comply. Among other things, the CPRA established a new regulatory authority, the California Privacy Protection Agency, which is enacting new regulations and has expanded enforcement authority. Other states have implemented similar laws protecting identifiable health and personal information, and most such laws differ from each other in significant ways and may not be preempted by HIPAA, thus complicating compliance efforts. In addition, various states, such as California, Colorado, Connecticut, New Jersey, Delaware, Utah, Virginia, Oregon, Indiana, Iowa, Tennessee, Montana, Florida and Texas , have implemented similar privacy laws and regulations. The interplay of federal and state laws may be subject to varying interpretations by courts and government agencies, creating complex compliance issues for us and our clients and potentially exposing us to additional expense, adverse publicity and liability. Further, as regulatory focus on privacy issues continues to increase and laws and regulations concerning the protection of personal information expand and become more complex, these potential risks to our business could intensify. The legislative and regulatory landscape for privacy and data security continues to evolve, and there has been an increasing focus on privacy and data security issues which may affect our business. Failure to comply with current and future laws and regulations could result in government enforcement actions (including the imposition of significant penalties), criminal and civil liability for us and our officers and directors, private litigation and/or adverse publicity that negatively affects our business.

We are exposed to the risk that our employees, independent contractors, principal investigators, contract research organizations, consultants or vendors may engage in fraudulent or other illegal activity. Misconduct by these parties could include intentional, reckless and/or negligent conduct or disclosure of unauthorized activities to us that violates: FDA regulations, including those laws requiring the reporting of true, complete and accurate information to the FDA; manufacturing standards; federal and state health care fraud and abuse laws and regulations; or laws that require the true, complete and accurate reporting of financial information or data. In addition, sales, marketing and business arrangements in the health care industry are subject to extensive laws and regulations intended to prevent fraud, kickbacks, self-dealing and other abusive practices. These laws and regulations may restrict or prohibit a wide range of pricing, discounting, marketing and promotion, sales commission, customer incentive programs and other business arrangements. Activities subject to these laws also involve the improper use or misrepresentation of information obtained in the course of clinical trials or creating fraudulent data in our nonclinical studies or clinical trials, which could result in regulatory sanctions and serious harm to our reputation. It is not always possible to identify and deter misconduct by our employees and other third parties, and the precautions we take to detect and prevent this activity may not be effective in controlling unknown or unmanaged risks or losses or in protecting us from governmental investigations or other actions or lawsuits stemming from a failure to be in compliance with such laws or regulations. Additionally, we are subject to the risk that a person could allege such fraud or other misconduct, even if none occurred. If any such actions are instituted against us, and we are not successful in defending ourselves or asserting our rights, those actions could have a significant impact on our business, including the imposition of civil, criminal and administrative penalties, damages, monetary fines, possible exclusion from participation in Medicare, Medicaid and other federal health care programs, contractual damages, reputational harm, diminished potential profits and future earnings, and curtailment of our operations, any of which could adversely affect our business, financial condition, results of operations or prospects.

If any third-party manufacturer service providers do not meet our or our licensor's requirements for quality, quantity or timeliness, or do not achieve and maintain compliance with all applicable regulations, demand for our products or our ability to continue supplying such products could substantially decline. As the third-party manufacturers are the sole supplier of the products, any delays may impact our sales. In all the countries where we may sell our products, governmental regulations exist to define standards for manufacturing, packaging, labeling and storing. All of our suppliers of raw materials and contract manufacturers must comply with these regulations. Failure to do so could result in supply interruptions. In the United States, the FDA requires that all suppliers of pharmaceutical bulk material and all manufacturers of pharmaceuticals for sale in or from the United States achieve and maintain compliance with the FDA's cGMP. Similar requirements exist in the European Union through the EMA. Failure of our third-party manufacturers to comply with applicable regulations could result in sanctions being imposed on them or us, including fines, injunctions, civil penalties, disgorgement, suspension or withdrawal of approvals, license revocation, seizures or recalls of products, operating restrictions and criminal prosecutions, any of which could significantly and adversely affect supplies of our products. In addition, before any product batch produced by our manufacturers can be shipped, it must conform to release specifications for the content of the pharmaceutical product. If the operations of one or more of our manufacturers were to become unavailable for any reason, any required FDA or EMA review and approval of the operations of an alternative supplier could cause a delay in the manufacture of our products.

There are existing products in the marketplace that compete with our products. Companies may develop new products that compete with our products. Certain of these competitors and potential competitors have longer operating histories, substantially greater product development capabilities and financial, scientific, marketing and sales resources. Competitors and potential competitors may also develop products that are safer, more effective or have other potential advantages compared to our products. In addition, research, development and commercialization efforts by others could render our products obsolete or non-competitive. Certain of our competitors and potential competitors have broader product offerings and extensive customer bases, allowing them to adopt aggressive pricing policies that would enable them to gain market share. Competitive pressures could result in price reductions, reduced margins and loss of market share. We could encounter potential customers that, due to existing relationships with our competitors, are committed to products offered by those competitors. As a result, those potential customers may not consider purchasing our products.

Reimbursement decisions by third-party payors may have an adverse effect on pricing and market acceptance. If there is not sufficient reimbursement for our products, it is less likely that they will be widely used. Market acceptance and sales of our product candidates that we develop, if approved, will depend on reimbursement policies, and may be affected by future healthcare reform measures. Government authorities and third-party payors, such as private health insurers and health maintenance organizations, decide which drugs they will cover and establish payment levels. We cannot be certain that reimbursement will be available for our product candidates that we develop. Also, we cannot be certain that reimbursement policies will not reduce the demand for, or the price paid for, our products. If reimbursement is not available or is available on a limited basis, we may not be able to successfully commercialize any of our product candidates. Even if we succeed in bringing one or more products to the market, these products may not be considered medically necessary and/or cost-effective, and the amount reimbursed for any products may be insufficient to allow us to sell our products on a competitive basis. At this time, we are unable to determine their cost effectiveness or the likely level or method of reimbursement for our product candidates. Increasingly, third-party payors, such as government and private insurance plans, are requiring that biopharmaceutical companies provide them with predetermined discounts from list prices, and are seeking to reduce the prices charged or the amounts paid for biopharmaceutical products. If the price we are able to charge for any products we develop, or the payments provided for such products, is inadequate in light of our development and other costs, our return on investment could be adversely affected. Discussions continue at the federal level regarding policies that would require manufacturers to pay higher rebates in Medicare Part D, give states more flexibility on drugs that are covered under the Medicaid program, and other policy proposals that could impact reimbursement for our products. The efforts of governments and third-party payors to contain or reduce the cost of health care and legislative and regulatory proposals to broaden the availability of health care will continue to affect the business and financial condition of pharmaceutical and biopharmaceutical companies. A number of legislative and regulatory changes in the health care system in the United States and other major health care markets have been proposed and/or adopted in the recent past, and such efforts have expanded substantially in the past several years. Our business may be affected by the efforts of government and third-party pairs to contain or reduce the cost of healthcare through various means.