Enliven Therapeutics (ELVN) Risk Factors

In order to commercially produce our products, if approved, either at a third party's facility or in any of our facilities, we will need to comply with the FDA's cGMP regulations and guidelines. We may encounter difficulties in achieving quality control and quality assurance and may experience shortages of qualified personnel. We are subject to inspections by the FDA and comparable foreign regulatory authorities to confirm compliance with applicable regulatory requirements. Any failure to follow cGMP or other regulatory requirements or delay, interruption or other issues that arise in the manufacture, fill-finish, packaging, or storage of our precision medicines as a result of a failure of our facilities or the facilities or operations of third parties to comply with regulatory requirements or pass any regulatory authority inspection could significantly impair our ability to develop and commercialize our product candidates, including leading to significant delays in the availability of our precision medicines for our clinical trials or the termination of or suspension of a clinical trial, or the delay or prevention of a filing or approval of marketing applications for our product candidates. Significant non-compliance could also result in the imposition of sanctions, including warning or untitled letters, fines, injunctions, civil penalties, failure of regulatory authorities to grant marketing approvals for our product candidates, delays, suspension or withdrawal of approvals, license revocation, seizures or recalls of products, operating restrictions and criminal prosecutions, any of which could damage our reputation and our business.

Our business exposes us to significant product liability risks inherent in the development, testing, manufacturing and marketing of therapeutic treatments. Product liability claims could delay or prevent completion of our development programs. If we succeed in marketing products, such claims could result in an FDA, EMA or other regulatory authority investigation of the safety and effectiveness of our products, our manufacturing processes and facilities or our marketing programs. FDA, EMA or other regulatory authority investigations could potentially lead to a recall of our products or more serious enforcement action, limitations on the approved indications for which they may be used or suspension or withdrawal of approvals. Regardless of the merits or eventual outcome, liability claims may also result in decreased demand for our products, injury to our reputation, costs to defend the related litigation, a diversion of management's time and our resources and substantial monetary awards to trial participants or patients. We currently have product liability insurance that we believe is appropriate for our stage of development and may need to obtain higher levels prior to advancing additional product candidates into clinical trials or marketing any of our product candidates, if approved. Any insurance we have or may obtain may not provide sufficient coverage against potential liabilities. Furthermore, clinical trial and product liability insurance is expensive and may increase over time. As a result, we may be unable to obtain sufficient insurance at a reasonable cost to protect us against losses caused by product liability claims that could have an adverse effect on our business and financial condition.

Following the Merger, our NOLs are attributable to current year losses, as well as both the historic pre-Merger NOLs of Former Enliven and our historic pre-Merger NOLs, subject to applicable limitations. As of December 31, 2023, we had federal NOLs of approximately $185.3 million, of which approximately $177.3 million do not expire and approximately $8.0 million will begin to expire in 2037 for U.S. federal tax purposes. As of December 31, 2023, we also had California, Colorado and Massachusetts NOLs of approximately $126.7 million, $4,000 and $124.2 million, respectively, which will expire at various dates through 2043 for state tax purposes. As of December 31, 2023, we had federal tax credit carryforwards of approximately $10.5 million, which will begin to expire in 2036 for U.S. federal tax purposes. We also had state tax credit carryforwards of approximately $1.3 million, of which approximately $0.5 million will not expire. The remaining state tax credit carryforwards will expire at various dates through 2038. In general, our ability to use our NOLs and tax credit carryforwards to offset potential future taxable income and related income taxes that would otherwise be due is dependent upon our generation of future taxable income, and we cannot predict with certainty when, or whether, we will generate sufficient taxable income to use all of our NOLs and tax credit carryforwards. For U.S. federal income tax purposes, under the Tax Cuts and Jobs Act of 2017 ("TCJA"), as amended by the Coronavirus Aid, Relief, and Economic Security Act ("CARES Act"), NOLs generated in tax years beginning after December 31, 2017 may be carried forward indefinitely, but for taxable years beginning after December 31, 2020, the deductibility of federal NOLs is limited to 80% of current year taxable income. It is uncertain whether and to what extent various states will conform to the federal tax laws. In addition, at the state level, there may be periods during which the use of NOLs is suspended or otherwise limited, which could accelerate or permanently increase state income taxes owed. For example, recently enacted California legislation limits the use of state NOLs for tax years beginning on or after January 1, 2024 and before January 1, 2027. As a result of this legislation or other unforeseen reasons, we may not be able to utilize some or all of our California NOLs, even if we attain profitability. In addition, under Section 382 and Section 383 of the Code, and corresponding provisions of state law, if a corporation undergoes an "ownership change," its ability to use its pre-change NOLs and other pre-change tax attributes (such as tax credit carryforwards) to offset its post-change income may be limited, including as a result of ownership changes that are beyond its control. A Section 382 "ownership change" is generally defined as a greater than 50 percentage point change (by value) in the company's equity ownership by certain "5-percent shareholders" over a rolling three-year period. There is also a risk that due to regulatory changes, such as suspensions on the use of NOLs, or other unforeseen reasons, existing NOLs could expire or otherwise be unavailable to offset future income tax liabilities. We have completed an analysis and determined that ownership changes have occurred under Section 382 in the past, as well as in 2023 due to the Merger. Our deferred tax assets have been reduced by the amount of NOLs and tax credit carryforwards expected to expire unused due to the Section 382 limitation. We may experience subsequent shifts in our stock ownership, some of which are outside of our control. As a result, if we earn net taxable income and determine that an ownership change has occurred and our ability to use our historical NOLs and tax credit carryforwards are materially limited, it will adversely affect our future operating results by effectively increasing our future income tax obligations.

We collect, receive, retain, store, use, share, disclose, transfer, make accessible, disseminate, and otherwise process data (including personal and clinical trial information) relating to our employees and contractors, and other persons. Accordingly, we are, or may become, subject to numerous legal and contractual obligations regarding the privacy, security, protection and appropriate collection, storing, sharing, use, processing, transfer, and disclosure of certain data, including personal information. For example, we are, or may become, subject to various federal, state, local, and foreign laws, directives, and regulations regarding privacy, data protection, and data security, the scope of which are changing, subject to differing interpretations, and may be inconsistent among jurisdictions or conflict with other legal and regulatory requirements. We are also subject to certain contractual obligations to third parties related to privacy, data protection and data security and we strive to comply with our applicable policies and applicable laws, regulations, contractual obligations, and other legal obligations relating to privacy, data protection, and data security, to the extent possible. The regulatory framework for privacy, data protection and data security worldwide is evolving and is likely to remain complex and uncertain for the foreseeable future. Any perception of privacy, data security, or data protection concerns or an inability, by us or third parties that we rely on, to comply with applicable laws, regulations, policies, industry standards, contractual obligations, or other legal obligations, even if unfounded, may result in additional cost and liability to us, harm our reputation, and adversely affect our business, financial condition, and results of operations. We are not currently classified as a covered entity or business associate under HIPAA. Thus, we are not directly subject to HIPAA's requirements or penalties. The healthcare providers, including certain research institutions from which we may obtain patient or subject health information, may be subject to privacy, security, and breach notification requirements under HIPAA. Additionally, any person may be prosecuted under HIPAA's criminal provisions either directly or under aiding-and-abetting or conspiracy principles. Consequently, depending on the facts and circumstances, we could face substantial penalties if we knowingly receive individually identifiable health information from a HIPAA covered entity, business associate or subcontractor that has not satisfied HIPAA's requirements for disclosure of individually identifiable health information. In addition, we maintain sensitive personally identifiable information, including health and genetic information, that we receive throughout the clinical trial process and in the course of our research collaborations, and may maintain sensitive personally identifiable information received directly from individuals (or their healthcare providers) who may enroll in patient assistance programs if we choose to implement such programs. In addition, we may be subject to state laws requiring security and protection of personal information and notification of affected individuals and state regulators in the event of a breach of personal information, which is a broader class of information than the health information protected by HIPAA. Furthermore, certain health privacy laws, data breach notification laws, consumer protection laws and genetic information laws may apply directly to our operations and/or those of our collaborators and may impose or be asserted to impose restrictions on our collection, receipt, retention, storage, use, sharing, disclosure, dissemination, transfer or other processing of individuals' personal information, including health information. Individuals from whom we or our collaborators may obtain personal information, including health information, as well as the healthcare providers who may share this information with us, may have statutory or contractual rights that require certain security measures to protect such information or limit the ability to collect, retain, store, use, share, disclose, disseminate, transfer and otherwise process the information. We may be required to expend significant capital and other resources to ensure ongoing compliance with applicable privacy, data protection, and data security laws. Claims that we have violated individuals' privacy rights or breached our contractual obligations, even if we are not found liable, could be expensive and time-consuming to defend and could result in adverse publicity that could harm our business. Additionally, we are subject to additional restrictions and requirements relating to privacy, data protection and data security in other jurisdictions outside the United States in connection with our clinical trials. For example, the collection, use, storage, disclosure, transfer (including cross-border), or other processing of personal data regarding individuals in the EU, including personal health data, is subject to the General Data Protection Regulation ("GDPR"). The GDPR is wide-ranging in scope and imposes numerous requirements on companies that process personal data, including requirements relating to processing health and other sensitive data, obtaining consent of the individuals to whom the personal data relates, providing information to individuals regarding data processing activities, implementing safeguards to protect the security and confidentiality of personal data, providing notification of certain personal data breaches (including to supervisory authorities and potentially affected individuals), and taking certain measures when engaging third-party processors. The GDPR also imposes strict rules on the transfer of personal data outside the European Economic Area ("EEA") to third-party countries that have not been found to provide adequate protection to such personal data, and permits data protection authorities to impose large penalties for violations of the GDPR, including potential fines of up to €20 million or 4% of annual global revenues, whichever is greater, for the most serious of violations. The GDPR also confers a private right of action on data subjects and consumer associations to lodge complaints with supervisory authorities, seek judicial remedies, and obtain compensation for damages resulting from violations of the GDPR. While the GDPR applies uniformly across the EU, each EU Member State is permitted to issue nation-specific data protection legislation, which has created inconsistencies on a country-by-country basis. For example, the French national data protection authority has enacted specific requirements for the processing of health data. We are assessing our obligations under certain data protection requirements in the EU, and we may be required to modify our operations and relevant policies and practices in our efforts to comply with such requirements, which could require us to incur substantial costs and expenses. Additionally, we could be subject to recently enacted UK data privacy and protection laws, regulations and standards, if we decide to enroll patients in the UK clinical trials. While the UK General Data Protection Regulation (the "UK GDPR") largely mirrors the GDPR, Brexit and the subsequent implementation of the UK GDPR expose us to two parallel data protection regimes, each of which potentially authorizes similar significant fines and other potentially divergent enforcement actions for certain violations. In addition, on July 16, 2020, the European Court of Justice invalidated the EU-US Privacy Shield Framework, a mechanism under which personal data could be transferred from the EEA to entities in the United States that had self-certified under the Privacy Shield Framework. The Court also called into question the Standard Contractual Clauses ("SCCs"), noting adequate safeguards must be met for SCCs to be valid. Use of the SCCs must now be assessed on a case-by-case basis taking into account the legal regime applicable in the destination country, in particular, applicable surveillance laws and rights of individuals and additional measures and/or contractual provisions may need to be put in place. Additionally, the European Commission has adopted new SCCs that are required to be implemented. The UK also has issued new standard contractual clauses, similar to the SCCs, that also are required to be implemented. The United States and EU replaced the EU-U.S. Privacy Shield transfer framework with the EU-U.S. Data Privacy Framework ("EU-U.S. DPF"), which was the subject of an adequacy decision by the European Commission on July 10, 2023, allowing the EU-U.S. DPF to be utilized as a means of legitimizing EU-U.S. personal data transfers for participating entities. The UK and U.S. also established a UK Extension to the EU-U.S. DPF, effective as of October 12, 2023 (the "UK Extension"), whereby participants in the EU-U.S. DPF who participate in the UK Extension may rely upon the UK Extension as a means to legitimize personal data transfers from the UK to the U.S. The EU-U.S. DPF has faced a legal challenge, and it and the UK Extension may be subject to additional legal challenges, from privacy advocacy groups or others, and the European Commission's adequacy decision regarding the EU-U.S. DPF provides that the EU-U.S. DPF will be subject to future reviews and may be subject to suspension, amendment, repeal, or limitations to its scope by the European Commission. We have encountered, and may continue to encounter, difficulties putting in place SCCs with certain personal data exporters. As supervisory authorities issue further guidance on personal data export mechanisms, including on the new SCCs, and/or start taking enforcement action, our compliance costs could increase. More generally, we may be subject to complaints and/or regulatory investigations or fines relating to cross-border personal data transfers, and/or if we are otherwise unable to transfer personal data between and among countries and regions in which we may conduct clinical trials, this could negatively impact our business. Furthermore, On June 28, 2021, the European Commission issued an adequacy decision under the GDPR and the Law Enforcement Directive, pursuant to which personal data generally may be transferred from the EU to the UK without restriction; however, this adequacy decision is subject to a four-year "sunset" period, after which the European Commission's adequacy decision may be renewed. During that period, the European Commission will monitor the legal situation in the UK and may intervene at any time with respect to its adequacy decision. The UK's adequacy determination therefore is subject to future uncertainty and may be subject to modification or revocation in the future, with the UK potentially being considered an inadequate third country under the GDPR, in which case transfers of personal data from the EEA to the UK will require a transfer mechanism, such as SCCs. Furthermore, there will be increasing scope for divergence in application, interpretation, and enforcement of the data protection law as between the UK and the EEA. This may increase the complexity of transferring personal data across borders. Similar laws have been proposed in other foreign jurisdictions. For example, on August 20, 2021, the Personal Information Protection Law ("PIPL") of the People's Republic of China ("PRC") was adopted and went into effect on November 1, 2021. The PIPL shares similarities with the GDPR, including extraterritorial application, data minimization, data localization, and purpose limitation requirements, and obligations to provide certain notices and rights to citizens of the PRC. The PIPL allows for fines of up to 50 million renminbi or 5% of a covered company's revenue in the prior year. If additional laws are passed, such laws may have potentially conflicting requirements that would make compliance challenging. Such laws may require us to modify our operations, and may limit our ability to collect, retain, store, use, share, disclose, transfer, disseminate, and otherwise process personal data, may require additional investment of resources in compliance programs, impact strategies and could result in increased compliance costs and/or changes in our ongoing or planned business practices and policies. We may also be subject to federal and state privacy, data protection and data security laws and regulations in the United States including, without limitation, laws that regulate personal information, including health information. For example, California has enacted the California Consumer Privacy Act ("CCPA"), which creates new individual privacy rights for California consumers (as defined in the law) and places increased privacy, data protection, and data security obligations on entities handling personal information of California consumers, devices, or households. The CCPA requires covered companies to provide new disclosures to California consumers about such companies' data collection, use and sharing practices and provide such consumers new ways to opt-out of certain sales of personal information. The CCPA also provides consumers with a private right of action in certain data breach situations. The CCPA went into effect on January 1, 2020, and the California Attorney General commenced enforcement actions for violations on July 1, 2020. Moreover, the California Privacy Rights Act ("CPRA"), which significantly modified the CCPA, including by imposing additional obligations on covered companies and expanding consumers' rights with respect to certain sensitive personal information, became operative on January 1, 2023, potentially resulting in further uncertainty and requiring us to incur additional costs and expenses in an effort to comply. The CPRA also creates a new state agency that will be vested with authority to implement and enforce the CCPA and the CPRA. The CCPA and CPRA could mark the beginning of a trend toward more stringent privacy legislation in the United States. The CCPA has prompted a number of proposals for federal and state privacy legislation, some of which have been enacted. Many of these proposed and enacted laws are comprehensive privacy statutes that impose obligations similar to the CCPA. For example, Colorado enacted the Colorado Privacy Act ("CPA"), legislation similar to the CCPA that has taken effect in 2023; Connecticut, Utah, and Virginia have also enacted legislation similar to the CCPA and CPA that took effect in 2023; Florida, Montana, Oregon, and Texas have enacted similar legislation that has taken effect in 2024; Delaware, Iowa, Maryland, Minnesota, New Hampshire, New Jersey, and Tennessee have enacted similar legislation that will take effect in 2025; and Indiana, Kentucky, and Rhode Island have enacted similar legislation that will take effect in 2026. With regard to the CPA, we are monitoring developments closely in view of our operations in Colorado. The CPA and its implementing rules, the final versions of which were issued by the Colorado Attorney General, became effective July 1, 2023. Further, other states have enacted laws that cover certain aspects of the collection, use, disclosure, and/or other processing of health information, such as Washington's My Health, My Data Act, which, among other things, provides for a private right of action. The U.S. federal government also is contemplating federal privacy legislation. We may be required to modify our policies and practices and otherwise to incur additional costs and expenses in an effort to comply with the CPA and other new and evolving privacy legislation. Collectively, these reflect a trend toward more stringent privacy legislation in the United States. The enactment of such laws could have potentially conflicting requirements that would make compliance challenging. We may also publish privacy policies and other documentation regarding our collection, processing, use and disclosure of personal information. Although we endeavor to comply with our published policies and documentation, we may at times fail to do so or may be perceived to have failed to do so. Moreover, despite our efforts, we may not be successful in achieving compliance if our employees or contractors fail to comply with our published policies and documentation. Such failures can subject us to potential foreign, local, state and federal action if they are found to be deceptive, unfair, or misrepresentative of our actual practices. The number and scope of obligations related to privacy, data protection and data security are changing, subject to differing applications and interpretations, and may be inconsistent between jurisdictions or in conflict with each other. As a result, compliance with United States and foreign privacy, data protection, and data security laws and regulations could require us to take on more onerous obligations in our contracts, restrict our ability to collect, retain, store, use, share, disclose, transfer, disseminate, and otherwise process data, or in some cases, impact our ability to operate in certain jurisdictions. Although we endeavor to comply with our published policies, other documentation, and all applicable privacy and security laws and regulations, we may at times fail to do so or may be perceived to have failed to do so. Any actual or alleged failure to comply with such obligations could result in governmental investigations, proceedings, and enforcement actions (which could include civil or criminal fines or penalties), private litigation or adverse publicity, harm to our reputation, and could negatively affect our operating results and business. Moreover, clinical trial subjects about whom we or our potential collaborators obtain information, as well as the providers who share this information with us, may contractually limit our ability to use and disclose the information or impose other obligations or restrictions in connection with our use, retention, and other processing of information, and we may otherwise face contractual restrictions applicable to our use, retention, and other processing of information. Claims that we have violated individuals' privacy rights, failed to comply with data protection laws, or breached our contractual obligations, even if we are not found liable, could be expensive and time-consuming to defend and could result in adverse publicity that could harm our business.

The market price of our common stock has been and is likely to continue to be subject to significant fluctuations. Some of the factors that may cause the market price of our common stock to fluctuate include: - timing and results of INDs, preclinical studies and clinical trials of our product candidates, or those of our competitors or our existing or future collaborators;- failure to meet or exceed financial and development projections we may provide to the public;- failure to meet or exceed the financial and development projections of the investment community;- announcements of significant acquisitions, strategic collaborations, license agreements, joint ventures or capital commitments by us or our competitors;- actions taken by regulatory agencies with respect to our product candidates, clinical trials, manufacturing process or sales and marketing terms;- disputes or other developments relating to proprietary rights, including patents, litigation matters, and our ability to obtain patent protection for our technologies;- additions or departures of key personnel;- significant lawsuits, including patent or stockholder litigation;- if securities or industry analysts do not publish research or reports about our business, if articles are published about our business, or if such research, reports or articles contain incorrect statements or adverse or misleading opinions regarding our business and stock;- changes in the market valuations of similar companies;- geo-political developments, general market or macroeconomic conditions including inflation, interest rates and the new presidential administration;- market conditions in the pharmaceutical and biotechnology sectors;- expiration of market stand-off or lock-up agreements;- changes in the structure of healthcare payment systems;- announcement of expectation of additional financing efforts;- sales of securities by us or our securityholders in the future;- if we fail to raise an adequate amount of capital to fund our operations and continued development of our product candidates;- trading volume of our common stock;- publicity or announcements by competitors of new commercial products or success of competitive products (such as asciminib), clinical progress or lack thereof, significant contracts, commercial relationships or capital commitments;- the impact of any natural disasters, public health emergencies, health epidemics (including COVID-19) or other outbreaks;- the introduction of technological innovations or new product candidates that compete with our products and services; and - period-to-period fluctuations in our financial results. Moreover, the stock markets in general have experienced substantial volatility that has often been unrelated to the operating performance of individual companies. These broad market fluctuations may also adversely affect the trading price of our common stock. In addition, macroeconomic conditions, a recession, depression or other sustained adverse market event resulting from the Russia-Ukraine conflict, widening conflict in the Middle East, geopolitical events, the new presidential administration, or otherwise could materially and adversely affect our business and the value of our common stock. In the past, following periods of volatility in the market price of a company's securities, stockholders have often instituted class action securities litigation against such companies. Furthermore, market volatility may lead to increased shareholder activism if we experience a market valuation that activists believe is not reflective of our intrinsic value. Activist campaigns that contest or conflict with our strategic direction or seek changes in the composition of our board of directors could have an adverse effect on our operating results and financial condition.

Our management is required to report on the effectiveness of our internal control over financial reporting. The rules governing the standards that must be met for our management to assess our internal control over financial reporting are complex and require significant documentation, testing and possible remediation. Any failure to maintain effective internal control over financial reporting could severely inhibit our ability to accurately report our financial condition, results of operations or cash flows. If we are unable to conclude that our internal control over financial reporting is effective, or if we have a material weakness or significant deficiency in our internal control over financial reporting, investors may lose confidence in the accuracy and completeness of our financial reports, the market price of our common stock could decline, and we could be subject to sanctions or investigations by Nasdaq, the SEC or other regulatory authorities. Failure to remedy any material weakness in our internal control over financial reporting, or to implement or maintain other effective control systems required of public companies, could also restrict our future access to the capital markets. General Risk Factors

We have broad discretion over the use of our cash, cash equivalents and marketable securities. You may not agree with our decisions, and our use of the proceeds may not yield any return on your investment. Our failure to apply these resources effectively could compromise our ability to pursue our growth strategy and we might not be able to yield a significant return, if any, on our investment of these net proceeds. You will not have the opportunity to influence our decisions on how to use our cash resources.

From time to time, we evaluate various acquisition opportunities and strategic partnerships, including licensing or acquiring complementary products, product candidates, intellectual property rights, technologies or businesses. Any potential acquisition or strategic partnership may entail numerous risks, including: - increased operating expenses and cash requirements;- the assumption of additional indebtedness or contingent liabilities;- the issuance of our equity securities;- assimilation of operations, intellectual property, products and product candidates of an acquired company, including difficulties associated with integrating new personnel;- the diversion of our management's attention from our existing programs and initiatives in pursuing such a strategic merger or acquisition;- retention of key employees, the loss of key personnel and uncertainties in our ability to maintain key business relationships;- risks and uncertainties associated with the other party to such a transaction, including the prospects of that party and their existing products, product candidates and marketing approvals; and - our inability to generate revenue from acquired technology and/or products sufficient to meet our objectives in undertaking the acquisition or even to offset the associated acquisition and maintenance costs. In addition, if we undertake acquisitions or pursues partnerships in the future, we may issue dilutive securities, assume or incur debt obligations, incur large one-time expenses and acquire intangible assets that could result in significant future amortization expense.

Manufacturing drugs, especially in large quantities, is complex and may require the use of innovative technologies. Each lot of an approved drug product must undergo thorough testing for identity, strength, quality, purity and potency. Manufacturing drugs requires facilities specifically designed for and validated for this purpose, as well as sophisticated quality assurance and quality control procedures. From time to time, we have experienced, and may in the future experience, deviations in the manufacturing process, including filling, labeling, packaging, storage and shipping and quality control and testing, which have resulted and may result in lot failures, product recalls or spoilage. When changes are made to the manufacturing process, we may be required to provide preclinical and clinical data showing the comparable identity, strength, quality, purity or potency of the products before and after such changes. If microbial, viral or other contaminations are discovered at the facilities of our manufacturer, such facilities may need to be closed for an extended period of time to investigate and remedy the contamination, which could delay clinical trials and adversely harm our business. The use of biologically derived ingredients can also lead to allegations of harm, including infections or allergic reactions, or closure of product facilities due to possible contamination. If our third-party manufacturers are unable to produce sufficient quantities for clinical trials or for commercialization as a result of these challenges, or otherwise, our development and commercialization efforts would be impaired, which would have an adverse effect on our business, financial condition, results of operations and prospects.

We are exposed to the risk that our employees, independent contractors, consultants, commercial collaborators, healthcare professionals, clinical investigators, CROs, suppliers, vendors and third-party payors may engage in misconduct or other improper activities. Healthcare providers and third-party payors play a primary role in the recommendation and prescription of any product candidates for which we obtain marketing approval. Our current and future arrangements with healthcare professionals, clinical investigators, CROs, third-party payors and customers may expose us to broadly applicable fraud and abuse and other healthcare laws and regulations that may constrain the business or financial arrangements and relationships through which we research, as well as market, sell and distribute our product candidates for which we obtain marketing approval. The laws that may affect our ability to operate include, but are not limited to: - the federal Anti-Kickback Statute, which prohibits, among other things, persons from knowingly and willfully soliciting, receiving, offering or paying any remuneration (including any kickback, bribe, or rebate), directly or indirectly, overtly or covertly, in cash or in kind, to induce, or in return for, either the referral of an individual, or the purchase, lease, order or recommendation of any good, facility, item or service for which payment may be made, in whole or in part, under a federal healthcare program, such as the Medicare and Medicaid programs. In addition, the government may assert that a claim including items or services resulting from a violation of the federal Anti-Kickback Statute constitutes a false or fraudulent claim for purposes of the False Claims Act ("FCA");- federal civil and criminal false claims laws, including the FCA, which can be enforced through civil "qui tam" or "whistleblower" actions, and civil monetary penalty laws, including the Civil Monetary Penalties Law, impose criminal and civil penalties against individuals or entities for, among other things, knowingly presenting, or causing to be presented, claims for payment or approval from Medicare, Medicaid, or other federal health care programs that are false or fraudulent, knowingly making or causing a false statement material to a false or fraudulent claim or an obligation to pay money to the federal government, or knowingly concealing or knowingly and improperly avoiding or decreasing such an obligation. Manufacturers can be held liable under the FCA even when they do not submit claims directly to government payors if they are deemed to "cause" the submission of false or fraudulent claims. The FCA also permits a private individual acting as a "whistleblower" to bring actions on behalf of the federal government alleging violations of the FCA and to share in any monetary recovery. When an entity is determined to have violated the federal civil FCA, the government may impose civil fines and penalties for each false claim, plus treble damages, and exclude the entity from participation in Medicare, Medicaid and other federal healthcare programs;- the Health Insurance Portability and Accountability Act of 1996, as amended by the Health Information Technology for Economic and Clinical Health Act ("HITECH"), and the regulations that implement both laws (collectively, "HIPAA"), which created additional federal criminal statutes that prohibit, among other things, knowingly and willfully executing, or attempting to execute, a scheme to defraud any healthcare benefit program or obtain, by means of false or fraudulent pretenses, representations, or promises, any of the money or property owned by, or under the custody or control of, any healthcare benefit program, regardless of the payor (e.g., public or private) and knowingly and willfully falsifying, concealing or covering up by any trick or device a material fact or making any materially false statements in connection with the delivery of, or payment for, healthcare benefits, items or services relating to healthcare matters. Similar to the federal Anti-Kickback Statute, a person or entity can be found guilty of violating HIPAA without actual knowledge of the statute or specific intent to violate it;- HIPAA, which imposes requirements on certain covered healthcare providers, health plans, and healthcare clearinghouses and their respective business associates that perform services for them that involve the use, or disclosure of, individually identifiable health information as well as their covered subcontractors, relating to the privacy, security and transmission of individually identifiable health information without appropriate authorization. HITECH also created new tiers of civil monetary penalties, amended HIPAA to make civil and criminal penalties directly applicable to business associates, and gave state attorneys general new authority to file civil actions for damages or injunctions in federal courts to enforce the federal HIPAA laws and seek attorneys' fees and costs associated with pursuing federal civil actions;- the federal Physician Payments Sunshine Act, created under the ACA and our implementing regulations, which require applicable manufacturers of drugs, devices, biologics and medical supplies for which reimbursement is available under Medicare, Medicaid or the Children's Health Insurance Program (with certain exceptions) to report annually to CMS in HHS information related to payments or other transfers of value made to covered recipients, including physicians (defined to include doctors, dentists, optometrists, podiatrists and chiropractors), certain non-physician healthcare providers (such as physician assistants and nurse practitioners), and teaching hospitals, as well as ownership and investment interests held by physicians and their immediate family members; and - analogous state and foreign laws and regulations that apply to our business, such as state and foreign anti-kickback, false claims, consumer protection and unfair competition laws, state and foreign pharmaceutical compliance, price reporting and transparency laws, which can vary from jurisdiction to jurisdiction, thus complicating compliance efforts, and which can increase our exposure to liabilities and costs of compliance. We may also be subject to federal consumer protection and unfair competition laws, which broadly regulate marketplace activities and activities that potentially harm consumers. Efforts to ensure that our current and future business arrangements with third parties will comply with applicable healthcare and data privacy and security laws and regulations will involve on-going substantial costs. Because of the breadth of these laws and the narrowness of the statutory exceptions and safe harbors available, it is possible that governmental authorities will conclude that our business practices do not comply with current or future statutes, regulations, agency guidance or case law involving applicable fraud and abuse or other healthcare laws and regulations. If our operations are found to be in violation of any of the federal and state healthcare laws described above or any other governmental regulations that apply to us, we may be subject to significant penalties, including without limitation, civil, criminal and/or administrative penalties, damages, fines, disgorgement, imprisonment, exclusion from participation in government programs, such as Medicare and Medicaid, injunctions, private "qui tam" actions brought by individual whistleblowers in the name of the government, exclusion, debarment or refusal to allow us to enter into government contracts, contractual damages, reputational harm, administrative burdens, diminished profits and future earnings, additional reporting requirements and/or oversight if we become subject to a corporate integrity agreement or similar agreement to resolve allegations of non-compliance with these laws, and the curtailment or restructuring of our operations, any of which could adversely affect our ability to operate our business and our results of operations. Defending against any such actions can be costly, time-consuming and may require significant financial and personnel resources. Therefore, even if we are successful in defending against any such actions that may be brought against us, our business may be impaired. Further, if any of the physicians or other healthcare providers or entities with whom we expect to do business is found to be not in compliance with applicable laws, they may be subject to significant criminal, civil or administrative sanctions, including exclusions from government funded healthcare programs.

We currently utilize and depend upon, and plan to utilize and depend upon, independent investigators and collaborators, such as medical institutions, CROs, CMOs, and strategic partners to conduct and support our preclinical studies and clinical trials under agreements with us. For example, we use Pharmaron to conduct preclinical studies and clinical trials and provide us with active pharmaceutical ingredients ("APIs"). Since Pharmaron is located in China, we are exposed to the possibility of product supply disruption and increased costs in the event of changes in the policies of the United States or Chinese governments, political unrest or unstable economic conditions in China. For example, a trade war could lead to tariffs on the APIs we obtain from Pharmaron. Any of these matters could materially and adversely affect our business and results of operations. Further, we may be exposed to fluctuations in the value of the local currency in China. Future appreciation of the local currency could increase our costs. In the future, we may also rely on third parties for the manufacture of any companion diagnostics we may develop. These third parties have had and will continue to have a significant role in the conduct of our preclinical studies and clinical trials and the subsequent collection and analysis of data. In particular, there is currently significant uncertainty about the future relationship between the United States and various other countries, most significantly China, including changes arising as a result of the new presidential administration with respect to trade policies, treaties, tariffs, taxes, and other limitations on cross-border operations, including but not limited to the provision of services and the exchange of data. The U.S. government has made and continues to make significant additional changes in U.S. trade policy and may continue to take future actions that could negatively impact U.S. trade. For example, legislation has been introduced in Congress to limit certain U.S. biotechnology companies from using equipment or services produced or provided by select Chinese biotechnology companies, and others in Congress have advocated for the use of existing executive branch authorities to limit those Chinese service providers' ability to engage in business in the U.S. We cannot predict what actions may ultimately be taken with respect to trade relations between the United States and China or other countries, what products and services may be subject to such actions or what actions may be taken by the other countries in retaliation. In addition, various U.S. regulators and legislators have advanced proposals that would limit the exchange of data with commercial counterparties in certain nations, including China, ranging from personal health information to clinical trial data to information related to drug development, and regulators in other countries have considered similar restrictions on the outflow of such data. Further, the current situation relating to trade with China and governmental and regulatory concerns relating to specific Chinese companies continue to remain fluid and unpredictable and may further change as a result of the new presidential administration. We also expect to manufacture certain of our product candidates in various countries, including countries in Europe, which we expect to increase the cost of manufacturing our product candidates. Potential issues or delays with this transition can impact our clinical plans and timelines, and we expect that such transition will increase our expenses. We may also face difficulties or challenges in connection with the collection, transfer across borders, or other use or processing of study data within particular jurisdictions, or originally obtained from particular jurisdictions, including China. If we are unable to obtain or use services from existing service providers, to obtain or use any necessary inputs (e.g.,data), or become unable to export or sell our products to any of our customers or service providers, our business, liquidity, financial condition, and/or results of operations would be materially and adversely affected. Our third parties are not our employees, and except for remedies available to us under our agreements with such third parties, we have limited ability to control the amount or timing of resources that any such third party will devote to our preclinical studies or clinical trials. The third parties we rely on for these services may also have relationships with other entities, some of which may be our competitors, for whom they may also be conducting clinical trials or other drug development activities, which could affect their performance on our behalf. Some of these third parties may terminate their engagements with us at any time. We also expect to have to negotiate budgets and contracts with CROs, clinical trial sites and CMOs and we may not be able to do so on favorable terms, which may result in delays to our development timelines and increased costs. If we need to enter into alternative arrangements with, or replace or add any third parties, it would involve substantial cost and require extensive management time and focus, or involve a transition period, and may delay our drug development activities, as well as materially impact our ability to meet our desired clinical development timelines. Our heavy reliance on these third parties for such drug development activities will reduce our control over these activities. As a result, we will have less direct control over the conduct, timing and completion of preclinical studies and clinical trials and the management of data developed through preclinical studies and clinical trials than would be the case if we were relying entirely upon our own staff. Nevertheless, we are responsible for ensuring that each of our studies and trials is conducted in accordance with applicable protocol, legal and regulatory requirements and scientific standards, and our reliance on third parties does not relieve us of our regulatory responsibilities. For example, we will remain responsible for ensuring that each of our clinical trials is conducted in accordance with the general investigational plan and protocols for the trial. Moreover, the FDA requires us to comply with GCP standards, regulations for conducting, recording and reporting the results of clinical trials to assure that data and reported results are reliable and accurate and that the rights, integrity and confidentiality of trial participants are protected. The EMA also requires us to comply with similar standards. Regulatory authorities enforce these GCP requirements through periodic inspections of trial sponsors, principal investigators and trial sites. If we or any of our CROs fail to comply with applicable GCP requirements, the clinical data generated in our clinical trials may be deemed unreliable and the FDA, EMA or comparable foreign regulatory authorities may require us to perform additional clinical trials before approving our marketing applications. There can be no assurance that upon inspection by a given regulatory authority, such regulatory authority will determine that any of our clinical trials substantially comply with GCP regulations. In addition, our clinical trials must be conducted with product produced under current cGMP regulations and will require a large number of test patients. Our failure or any failure by these third parties to comply with these regulations or to recruit a sufficient number of patients, may require us to repeat clinical trials, which would delay the regulatory approval process. Moreover, our business may be implicated if any of these third parties violates federal or state fraud and abuse or false claims laws and regulations or healthcare privacy and security laws. If these third parties do not successfully carry out their contractual duties, meet expected deadlines or conduct our clinical trials in accordance with regulatory requirements or our stated protocols, or if these third parties need to be replaced, we will not be able to obtain, or may be delayed in obtaining, marketing approvals for our product candidates and will not be able to, or may be delayed in our efforts to, successfully commercialize our product candidates. As a result, our financial results and the commercial prospects for our product candidates would be harmed, our costs could increase and our ability to generate revenue could be delayed.

We currently do not have and have never had a marketing or sales team. In order to commercialize any product candidates, if approved, we must build marketing, sales, distribution, managerial and other non-technical capabilities or make arrangements with third parties to perform these services for each of the territories in which we may have approval to sell or market our product candidates. We may not be successful in accomplishing these required tasks. Establishing an internal sales or marketing team with technical expertise and supporting distribution capabilities to commercialize our product candidates will be expensive and time-consuming and will require significant attention of our executive officers to manage. Any failure or delay in the development of our internal sales, marketing and distribution capabilities could adversely impact the commercialization of any of our product candidates that we obtain approval to market if we do not have arrangements in place with third parties to provide such services on our behalf. Alternatively, if we choose to collaborate, either globally or on a territory-by-territory basis, with third parties that have direct sales forces and established distribution systems, either to augment our own sales force and distribution systems or in lieu of our own sales force and distribution systems, we will be required to negotiate and enter into arrangements with such third parties relating to the proposed collaboration and such arrangements may prove to be less profitable than commercializing the product on our own. If we are unable to enter into such arrangements when needed, on acceptable terms or at all, we may not be able to successfully commercialize any of our product candidates that receive regulatory approval, or any such commercialization may experience delays or limitations. If we are unable to successfully commercialize our approved product candidates, either on our own or through collaborations with one or more third parties, our future product revenue will suffer, and we may incur significant additional losses.

Our business could be adversely impacted by the effects of public health emergencies, health epidemics (including COVID-19) or other outbreaks, including: - delays or difficulties in clinical site initiation, including difficulties in recruiting clinical site investigators and clinical site staff;- difficulties interpreting data from our clinical trials due to the possible effects of public health emergencies, health epidemics or other outbreaks on patients;- interruption of key preclinical and clinical trial activities, such as clinical trial site monitoring, due to limitations on travel imposed or recommended by federal or state governments, employers and others, or due to restricted or limited operations of the CROs conducting such studies;- interruption or delays in the operations of the FDA, EMA or other regulatory authorities, which may impact review and approval timelines;- diversion of healthcare resources away from the conduct of clinical trials, including the diversion of hospitals serving as our clinical trial sites and hospital staff supporting the conduct of clinical trials;- limitations in resources that would otherwise be focused on the conduct of our business, our preclinical studies or our clinical trials, including because of sickness or the desire to avoid contact with large groups of people or as a result of government-imposed "shelter in place" or similar working restrictions;- delays in receiving approval from regulatory authorities to initiate our clinical trials;- delays in clinical sites receiving the supplies and materials needed to conduct our clinical trials;- interruption in global freight and shipping that may affect the transport of clinical trial materials, such as investigational drug product to be used in our clinical trials;- changes in regulations as part of a response to public health emergencies, health epidemics or other outbreaks which may require us to change the ways in which our clinical trials are to be conducted, or to discontinue the clinical trials altogether, or which may result in unexpected costs;- delays in necessary interactions with regulators, ethics committees and other important agencies and contractors due to limitations in employee resources or forced furlough of government or contractor personnel; and - refusal of the FDA, EMA or other regulatory authorities to accept data from clinical trials in affected geographies outside of their respective jurisdictions. The extent to which any public health concerns or other disruptions impact our results will depend on future developments, which are highly uncertain and cannot be predicted. There can be no assurance that we will be able to avoid a material impact on our business, financial condition and operating results from a public health emergency, health epidemic or its consequences, including disruption to our business and downturns in business sentiment generally or in our industry. To the extent a public health emergency, health epidemic or other outbreak adversely affects our business, financial condition and operating results, it may also have the effect of heightening many of the risks described in this section.