enGene Holdings (ENGN) Risk Analysis

The ability of the FDA to review and approve new products or take action with respect to other regulatory matters can be affected by a variety of factors, including government budget and funding levels, passage of federal FDA user fee legislation every five years, ability to hire and retain key personnel and accept the payment of user fees, public health emergencies, and statutory, regulatory, and policy changes. Average review times at the FDA have fluctuated in recent years as a result. In addition, government funding of the SEC and other government agencies on which our operations may rely, including those that fund research and development activities, is subject to the political process, which is inherently fluid and unpredictable. Disruptions at the FDA and other agencies may also slow the time necessary for new drugs to be reviewed and/or approved by necessary government agencies or for the FDA to take action with respect to other regulatory matters, which could adversely affect our business. For example, over the last several years, the U.S. government has shut down several times, and certain regulatory agencies, such as the FDA and the SEC, have had to furlough critical employees and stop critical activities. If a prolonged government shutdown or other disruption occurs, it could significantly impact the ability of the FDA to timely review and process our regulatory submissions, which could have a material adverse effect on our business. Similarly, a prolonged government shutdown or other disruption could prevent the timely review of patent applications by the United States Patent and Trademark Office, or USPTO, which could delay the issuance of any U.S. patents to which we might otherwise be entitled. Further, in our operations as a public company, future government shutdowns could impact our ability to access the public markets and obtain necessary capital in order to properly capitalize and continue our operations.

We are subject to data privacy and protection laws, rules and regulations, as well as contractual obligations, that apply to the collection, transmission, storage, use and other processing of personally-identifying information, which among other things, impose certain requirements relating to the privacy, security and transmission of personal information, including comprehensive regulatory systems in the United States, European Union and United Kingdom. The legislative and regulatory landscape for privacy and data protection continues to evolve in jurisdictions worldwide, and there has been an increasing focus on privacy and data protection issues with the potential to affect our business. Failure to comply with any of these laws and regulations could result in enforcement action against us, including fines, imprisonment of company officials and public censure, claims for damages by affected individuals, damage to our reputation and loss of goodwill, any of which could have a material adverse effect on our business, financial condition, results of operations and prospects. There are numerous U.S. federal and state laws, rules and regulations governing the collection, sharing, use, retention, disclosure, security, transfer, storage and other processing of personal information, including federal and state data privacy and security laws, data breach notification laws, and data disposal laws. In particular, at the federal level, regulations promulgated pursuant to the HIPAA establish privacy and security standards that limit the use and disclosure of individually identifiable health information, or protected health information, and require the implementation of administrative, physical and technological safeguards to protect the privacy of protected health information and ensure the confidentiality, integrity and availability of electronic protected health information. Determining whether protected health information has been handled in compliance with applicable privacy standards and our contractual obligations can be complex and may be subject to changing interpretation. These obligations may be applicable to some or all of our business activities now or in the future. At the federal level, we are also subject to, among other laws and regulations, the rules and regulations promulgated under the authority of the FTC (which has the authority to regulate and enforce against unfair or deceptive acts or practices in or affecting commerce, including acts and practices with respect to data privacy and security), as well as the Electronic Communication Privacy Act. The United States Congress also has considered, is currently considering, and may in the future consider, various proposals for comprehensive federal data privacy and security legislation, to which we may become subject if passed. If we are unable to properly protect the privacy and security of protected health information, we could be found to have breached certain contracts or obligations. Further, if we fail to comply with applicable privacy laws, including applicable HIPAA privacy and security standards, we could face civil and criminal penalties. HHS enforcement activity can result in financial liability and reputational harm, and responses to such enforcement activity can consume significant internal resources. In addition, state attorneys general are authorized to bring civil actions seeking either injunctions or damages in response to violations that threaten the privacy of state residents. We cannot be sure how these regulations will be interpreted, enforced or applied to our operations. In addition to the risks associated with enforcement activities and potential contractual liabilities, our ongoing efforts to comply with evolving laws and regulations at the federal and state level may be costly and require ongoing modifications to our policies, procedures and systems. At the state level, we are subject to similar and sometimes more onerous data protection and privacy laws and regulations such as the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act (the "CPRA") (collectively, the "CCPA"). The CCPA imposes many requirements on certain businesses that process the personal information of California residents, including requirements similar to those found in the General Data Protection Regulation ("GDPR"). For example, the CCPA requires covered businesses to provide notice to California residents regarding the information collected about them and how such information is used and shared, provides California residents the right to request access to such personal information and, in certain cases, request the erasure of such personal information. The CCPA also affords California residents the right to opt-out of certain "sales" of their personal information. The CCPA provides for significant civil penalties and statutory damages for companies that violate its requirements, and also provides for a private right of action for certain data breaches that result in the loss of unencrypted personal information. This private right of action is expected to increase the likelihood of, and risks associated with, data breach litigation. The CPRA significantly expands the CCPA to incorporate additional GDPR-like provisions including requiring that the use, retention, and sharing of personal information of California residents be reasonably necessary and proportionate to the purposes of collection or processing, granting additional protections for sensitive personal information, and requiring greater disclosures related to notice to residents regarding retention of information. These provisions may apply to some of our business activities. In addition, other states, including Virginia and Colorado, already have passed comprehensive state-level data privacy and security laws, rules and regulations that share similarities with the CCPA. Other states are in the process of enacting or will be considering these laws in the future. Moreover,laws in all 50 U.S. states require businesses to provide notice under certain circumstances to consumers whose personal information has been disclosed as a result of a data breach. These laws, and other similar laws that may be enacted in the future, may impact our business activities, including our identification of research subjects and ultimately the marketing and distribution of our products. Similar to the laws in the United States, there are significant privacy and data security laws that apply in Europe and other countries. The collection, use, disclosure, transfer, or other processing of personal data, including personal health data, regarding individuals who are located in the EEA, and the processing of personal data that takes place in the EEA is regulated by the GDPR, which went into effect in May 2018 and imposes obligations on companies that operate in our industry with respect to the processing of personal data and the cross-border transfer of such data. The GDPR imposes onerous accountability obligations, including requiring data controllers and processors to maintain a record of their data processing and policies. Following the withdrawal of the United Kingdom from the European Union, the United Kingdom's Data Protection Act 2018 (the "U.K. GDPR"), which "implements" and complements the GDPR and achieved formal approval by United Kingdom's monarchy on May 23, 2018, applies to the processing of personal data that takes place in the United Kingdom and includes parallel obligations to those set forth by GDPR. While the GDPR and U.K. GDPR remain substantially similar for the time being, the U.K. government has announced that it would seek to chart its own path on data protection and reform its relevant laws, including in ways that may differ from the GDPR. While these developments increase uncertainty with regard to data protection regulation in the United Kingdom, even in their current, substantially similar form, the GDPR and U.K. GDPR can expose businesses to divergent parallel regimes that may be subject to potentially different interpretations and enforcement actions for certain violations and related uncertainty. If our or our service providers' privacy or data security measures fail to comply with the GDPR and U.K. GDPR requirements, we may be subject to litigation, regulatory investigations, enforcement notices requiring us to change the way we use personal data and/or fines of up to 20 million Euros (or GBP17.5 million under the U.K. GDPR) or up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher, as well as compensation claims by affected individuals, negative publicity, reputational harm and a potential loss of business and goodwill. The GDPR places restrictions on the cross-border transfer of personal data from the EEA to countries that have not been found by the European Commission to offer adequate data protection legislation, such as the United States. There are ongoing concerns about the ability of companies to transfer personal data from the EEA to other countries. Similar complexities and uncertainties also apply to transfers from the U.K. to third countries. In July 2020, the Court of Justice of the European Union ("CJEU"), invalidated the EU-U.S. Privacy Shield, one of the mechanisms used to legitimize the transfer of personal data from the EEA to the United States. The CJEU's decision also drew into question the long-term viability of an alternative means of data transfer, the standard contractual clauses ("SCCs"), for transfers of personal data from the EEA to the United States. While we were not self-certified under the EU-U.S. Privacy Shield, this CJEU decision may lead to increased scrutiny on data transfers from the EEA to the United States generally and increase our costs of compliance with data privacy legislation as well as our costs of negotiating appropriate privacy and security agreements with our vendors. While we may take steps to mitigate the impact on us, such as implementing SCCs, the efficacy and longevity of these mechanisms remains uncertain. Moreover, in 2021, the European Commission adopted new SCCs, which impose on companies additional obligations relating to personal data transfers out of the EEA, including the obligation to update internal privacy practices, conduct transfer impact assessments and, as required, implement additional security measures. The new SCCs may increase the legal risks and liabilities under European Union laws associated with cross-border data transfers, and result in material increased compliance and operational costs. While the European Commission announced in March 2022 that an agreement in principle had been reached between European Union and U.S. authorities regarding a new transatlantic data privacy framework, no formal agreement has been finalized, and any such agreement, if formalized, is likely to face challenge at the CJEU. Moreover, while the U.K. GDPR is now effective in the United Kingdom, it is still unclear whether transfer of data from the EEA to the United Kingdom will remain lawful under the GDPR. The United Kingdom has already determined that it considers all European Union and EEA member states to be adequate for the purposes of data protection, ensuring that data flows from the United Kingdom to the European Union and EEA remain unaffected. In addition, a decision from the European Commission appears to deem the United Kingdom as being "essentially adequate" for purposes of data transfer from the EEA to the United Kingdom, such that SCCs are not required for the transfer of personal data from the EEA to the United Kingdom, although such decision will sunset in June 2025 unless extended and it may be revoked in the future by the European Commission if the United Kingdom data protection regime is reformed in ways that deviate substantially from the GDPR. Adding further complexity for international data flows, in March 2022, the United Kingdom adopted its own International Data Transfer Agreement for transfers of personal data out of the United Kingdom to so-called third countries, as well as an international data transfer addendum that can be used with the SCCs for the same purpose. The European Union has also proposed legislation that would regulate non-personal data and establish new cybersecurity standards, and other countries, including the United Kingdom, may similarly do so in the future. If we are otherwise unable to transfer data, including personal data, between and among countries and regions in which we operate, it could affect the manner in which we provide our services, the geographical location or segregation of our relevant systems and operations, and could adversely affect our financial results. Beyond the GDPR and U.K. GDPR, there are privacy and data security laws in a growing number of countries around the world. While many loosely follow the GDPR as a model, other laws contain different or conflicting provisions. These laws will impact our ability to conduct our business activities, including both our clinical trials and any eventual sale and distribution of commercial products, through increased compliance costs, costs associated with contracting and potential enforcement actions. While we continue to address the implications of the recent changes to data privacy regulations, data privacy remains an evolving landscape at both the domestic and international level, with new regulations coming into effect and continued legal challenges, and our efforts to comply with the evolving data protection rules may be unsuccessful. It is possible that these laws may be interpreted and applied in a manner that is inconsistent with our practices. We must devote significant resources to understanding and complying with this changing landscape. Any failure, actual or perceived, to comply with laws regarding data protection would expose us to risk of enforcement actions taken by data protection authorities in the EEA and elsewhere and carries with it the potential for significant penalties if we are found to be non-compliant. Similarly, any failure, actual or perceived, to comply with federal and state laws in the United States regarding privacy and security of personal information could expose us to penalties under such laws. Any such failure to comply with data protection and privacy laws could result in government-imposed fines or orders requiring that we change our practices, claims for damages or other liabilities, regulatory investigations and enforcement action, litigation and significant costs for remediation, any of which could adversely affect our business. Even if we are not determined to have violated these laws, government investigations into these issues typically require the expenditure of significant resources and generate negative publicity, which could harm our reputation and our business, financial condition, results of operations and prospects.

We do not currently have, nor do we plan to acquire, the infrastructure or capability internally to manufacture drug supplies for our ongoing clinical trials or any future clinical trials that we may conduct, and we lack the resources to internally manufacture detalimogene or any other product candidates we develop on a commercial scale. We rely, and expect to continue to rely, on third-party manufacturers to produce detalimogene or other product candidates that we may identify for clinical trials, as well as for commercial manufacture if detalimogene or any other product candidates we develop receive marketing authorization and approval. We rely entirely on numerous third-party suppliers to provide us with various product components. We may not have alternative suppliers for certain of these product components. Any significant delay or discontinuity in the supply of a product candidate, or the raw material components thereof, for an ongoing clinical trial due to the need to replace a third-party manufacturer or testing laboratory could considerably delay the clinical development and potential regulatory authorization and commercial launch of such product candidate, which could harm our business, financial condition, results of operations and prospects. We currently do not have relationships with alternate third-party contract manufacturers and testing laboratories for our critical raw materials and product candidates that could sustain our operations in the event we experience a disruption of service from our existing third-party contract manufacturers and testing laboratories. As a result, we are materially reliant on our existing contract manufacturers and testing laboratories and susceptible to material operational disruptions due to factors that may be unknown to us and unforeseeable. Our providers may also materially change the terms of our commercial arrangements for any reason or no reason, which could adversely affect our materials costs, ability to manufacture the drug at a sustainable cost, and profit margin on any sales. We may be unable to identify and appropriately qualify third-party manufacturers and testing laboratories or establish agreements with third-party manufacturers and testing laboratories or do so on acceptable terms. Even if we are able to establish agreements with third-party manufacturers and testing laboratories, reliance on third-party manufacturers entails additional risks, including: - reliance on the third-party for sourcing of raw materials, components, testing and such other goods as may be required for execution party of our overall manufacturing process;- risk of single sourced critical raw materials, drug substance and drug product, where secondary back-up vendors are not yet available;- risk of increased and/or extended lead times for critical raw materials, reagents and equipment, thus requiring significant investment in building adequate inventory to avoid significant disruptions to manufacturing processes;- reliance on third-party to ensure availability of adequate manufacturing capacity to meet product demand based on the needs of their other clients;- reliance on the third-party for regulatory compliance and quality assurance for the manufacturing and/or testing activities each performs;- reliance on third-party to adequately validate processes for timely approval of the BLA required for commercialization of product;- the possible breach of the manufacturing and/or testing agreement by the third-party;- the possible misappropriation of proprietary information, including trade secrets and know-how; and the possible termination or non-renewal of the agreement by the third-party at a time that is costly or inconvenient for us. Furthermore, our contract manufacturing organizations ("CMOs") and testing laboratories are engaged with other companies to supply and/or manufacture and/or test materials or products, which exposes our manufacturers and testing laboratories to regulatory risks for the production and testing of such materials and products. The facilities used by our CMOs to manufacture and/or test detalimogene or any other product candidates we develop are subject to review by the FDA and other non-U.S. authorities pursuant to inspections that will be conducted after we submit a BLA, or other marketing application to the FDA and other non-U.S. authorities. We do not directly conduct the manufacturing and testing of any material or products. Therefore, we are materially dependent on our CMO partners and contract testing laboratories to operate in compliance with the regulatory requirements, known as current good manufacturing practice ("cGMP") requirements for manufacture of drug and device products or similar requirements outside the United States. If our CMOs and contract testing laboratories cannot successfully manufacture and/or test material that conforms to our specifications and the strict regulatory requirements of the FDA or others, we will not be able to secure or maintain regulatory authorization for detalimogene or any other product candidates we develop that are manufactured at these manufacturing facilities, resulting in delay or failure in the clinical development and commercialization of our products, which would have a material adverse effect on us. In addition, we have limited control over the ability of our CMOs to maintain adequate quality control, quality assurance and qualified personnel. If the FDA or another non-U.S. regulatory agency does not approve these facilities for the manufacture and/or testing of detalimogene or any other product candidates we develop, if any agency withdraws its approval in the future, or if we identify material gaps in quality control and compliance at our selected CMOs, we may need to find alternative manufacturing facilities, which would negatively impact our ability to develop and deliver our products to markets around the world could delay product supply to patients in clinical studies or to commercial customers for any approved products, and may increase the overall cost of manufacturing our products. Detalimogene or any other product candidates we develop may compete with other product candidates and marketed products for access to manufacturing and/or testing facilities. Any performance failure on the part of our existing or future CMOs could delay clinical development, marketing approval or commercialization. Our current and anticipated future dependence upon others for the manufacturing of detalimogene or any other product candidates we develop may adversely affect our future profit margins and our ability to commercialize detalimogene or any other product candidates we develop that receive marketing approval on a timely and competitive basis.

Our operations and performance depend on global, regional and U.S. economic and geopolitical conditions. General worldwide economic conditions have experienced significant instability in recent years, including due to recent global economic uncertainty and turbulent financial market conditions. The armed conflict in the Middle East has created volatility in the global capital markets and is expected to have further global economic consequences. Russia's ongoing military invasion of Ukraine has triggered significant sanctions from U.S. and European leaders and disruptions to financial markets around the world. Resulting changes in U.S. trade policy could trigger retaliatory actions by Russia, its allies and other affected countries, including China, resulting in a "trade war." In addition, changes in political conditions in China and changes in the state of China-U.S. relations, including any tensions relating to potential military conflict between China and Taiwan, are difficult to predict and could adversely affect our business. Furthermore, if other countries, including the United States, become further involved in the conflict, we could face significant adverse effects to our business and financial condition. The uncertain financial markets, disruptions in supply chains, mobility restraints, and changing priorities as well as volatile asset values could impact our business in the future. For example, increasing inflation has raised operating costs for us and many businesses, and, in the future, could impact demand, pricing or the cost we incur to manufacture our product candidates, foreign exchange rates (including in particular U.S. dollar and Canadian dollar exchange rates) or employee wages. Among other potential effects, continued increased inflation or interest rates may result in reduced liquidity and limits on our ability to access credit or otherwise raise capital. The Federal Reserve has previously raised, and may again raise, interest rates in response to concerns about inflation, which coupled with reduced government spending and volatility in financial markets may have the effect of further increasing economic uncertainty and heightening these risks and creating new, unforeseen risks to our operations. Actual events involving reduced or limited liquidity, defaults, non-performance or other adverse developments that affect financial institutions or other companies in the financial services industry or the financial services industry generally, or concerns or rumors about any events of these kinds, have in the past and may in the future lead to market-wide liquidity problems. These conditions make it extremely difficult for us to accurately forecast and plan future business activities. The above factors, including a number of other known and unknown economic and geopolitical factors in the United States and abroad, could ultimately have material adverse effects on our business, financial condition, results of operations and prospects.

The biotechnology and pharmaceutical industries, including the development of non-viral genetic medicines for administration into mucosal tissues as well as the development of novel therapies for bladder cancer and non-muscle invasive bladder cancer, or "NMIBC," specifically, are characterized by rapid growth, a dynamic landscape of competitive product candidates and a strong reliance on intellectual property. We face competition from a variety of organizations, including larger pharmaceutical companies, specialty biotechnology companies, specialty medical device companies, academic research institutions, governmental agencies, as well as public and private institutions. There are several companies that are currently developing gene-based therapeutics for use in a variety of indications, from cancer (including bladder cancer and NMIBC specifically) to rare disease, to regenerative medicine. There are also companies and institutions developing non-gene based therapies such as, but not limited to, drug/device combinations that may be effective in the clinical indications we choose to pursue and oncology drugs. DDX is our proprietary carrier for genetic medicines to mucosal tissues and is the foundation for our nanoparticle formulations. We developed DDX and our patented non-viral genetic medicines to penetrate mucus barriers and to deliver genes to mucosal epithelial cells in a way that is re-dosable, scalable, and designed to integrate into existing clinical practice. Our genetic medicine platform's leading program, detalimogene, is in the area of immuno-oncology. We believe that a significant number of products are currently under development, and may become commercially available in the future, for the treatment of indications for which we are developing detalimogene, including NMIBC. Competitors using genetic medicines for mucosal tissues include CG Oncology, Inc. and Ferring Pharmaceuticals Inc, both of which are developing products that will compete directly with detalimogene, if approved. More generally, if detalimogene or any future product candidates that we develop are approved, they will compete with surgery, radiation, and drug therapy, including chemotherapy, BCG, hormone therapy, biologic therapy, such as monoclonal and bispecific antibodies, antibody-drug conjugates, radiopharmaceuticals, immunotherapy, cell-based therapy, and targeted therapy, or a combination of any such methods, either approved or under development, which are intended to treat the same indications that we are targeting or may target, including through approaches that may prove to be more effective, have fewer side effects, be less costly to manufacture, be more convenient to administer or have other advantages over detalimogene and any future product candidates that we develop. To the extent Merck or another manufacturer increases the supply of BCG, there may be less demand for alternative treatments such as detalimogene, if approved, in earlier lines of treatment for NMIBC. There are numerous companies that have commercialized or are developing treatments for NMIBC that detalimogene will compete with, if approved, including Bristol Meyers Squibb, Gilead Sciences, Inc., Hoffman-La Roche AG (Roche), CG Oncology, Inc., Ferring Pharmaceuticals Inc., ImmunityBio Inc., Johnson & Johnson Inc., Merck, Protara Therapeutics, Inc., Pfizer, Inc., Aura Biosciences Inc., and UroGen Pharma, Inc.. In addition, many of our current or potential competitors, either alone or with their collaboration partners, have significantly greater financial resources and expertise in research and development, manufacturing, preclinical testing, conducting clinical trials and marketing approved products than we do. Mergers and acquisitions in the biotechnology and pharmaceutical industry may result in even more resources being concentrated among a smaller number of our competitors. Smaller or early-stage companies may also prove to be significant competitors, particularly through collaborative arrangements with large and established companies. These competitors also compete with us in recruiting and retaining qualified scientific and management personnel and establishing clinical trial sites and patient registration for and participation in clinical trials, as well as in acquiring technologies complementary to, or necessary for, our programs. Our commercial opportunities could be reduced or eliminated if our competitors develop and commercialize products that are safer, more effective, have fewer or less severe side effects, are more convenient, are more shelf-stable or are less expensive than any products that we may develop. Our competitors also may obtain FDA or other regulatory approval for their products more rapidly than we may obtain approval for ours, which could result in our competitors establishing a strong market position before we are able to enter the market, if we successfully enter it at all. The key competitive factors affecting the success of all of our programs, including detalimogene, are likely to be their efficacy, safety, convenience and availability of reimbursement. Competing products could present superior treatment alternatives, including by being more effective, safer, more convenient, less expensive, or marketed and sold more effectively than any products we may develop. Competitive products may make detalimogene or any future product candidates we develop obsolete or noncompetitive before we generate sufficient revenue to recover the expense of their development and commercialization. If we are unable to compete effectively, our opportunity to generate revenue from the sale of detalimogene or any future product candidates we may develop, if approved, could be adversely affected. If detalimogene or other product candidates that we may develop are approved for the indications for which we are currently conducting or planning clinical trials, they may compete with other products currently under development. We may not be aware of all competitive or potentially competitive products under development by other market participants, and information relating to such products may not be publicly accessible. Competition with other related products currently under development may include competition for clinical trial sites, patient recruitment and product sales. See "Item 1. Business-Competition" for additional information.

Cancer and other disease therapies are sometimes characterized as first-line, second-line or third-line and the FDA often approves new therapies initially only for third-line use. When cancers are detected they are treated with first-line of therapy with the intention of curing the cancer. This treatment generally consists of chemotherapy, radiation, antibody drugs, tumor-targeted small molecules, or a combination of these. If the patient's cancer relapses, then the patient is given a second-line or third line therapy, which can consist of more chemotherapy, radiation, antibody drugs, tumor targeted small molecules, or a combination of these. Generally, the later the line of therapy, the lower the chance of a cure. With third or higher line, the goal of the therapy is to control the growth of the tumor and extend the life of the patient, as a cure is unlikely to happen. Patients are generally referred to clinical trials in these situations. Initial approvals for new cancer and other disease therapies are often restricted to later lines of therapy for patients with advanced or metastatic disease, limiting the number of patients who may be eligible for such new therapies, which may include our product candidates. Our lead product candidate, detalimogene, is being developed to treat patients with BCG-unresponsive NMIBC. Our projections of both the number of people who have the disease we are targeting, as well as the subset of people with these diseases in a position to receive our therapies, if approved, are based on our beliefs, research and estimates. These estimates have been derived from a variety of sources, including scientific literature, input from key opinion leaders, patient foundations or secondary market research databases and may prove to be incorrect. Further, new studies may change the estimated incidence or prevalence of these diseases. The number of patients may turn out to be lower than expected. Additionally, the potentially addressable patient population for detalimogene or any other product candidates we develop may be limited or may not be amenable to treatment with such product candidates. Even if we obtain significant market share for detalimogene or any other product candidates we develop, because certain of the potential target populations may be small, we may never achieve profitability without obtaining regulatory approval for additional indications. If the market opportunities for detalimogene or any other product candidates we may develop are smaller than what we believe they are, our potential revenues may be lower than projected and our business may be harmed.