GlycoMimetics (GLYC) Risk Analysis

If a drug is intended for the treatment of a serious or life-threatening disease or condition and the drug demonstrates the potential to address unmet medical needs for this disease or condition, the drug sponsor may apply for the FDA fast track designation. If fast track designation is obtained, the FDA may initiate review of sections of a NDA before the application is complete. This "rolling review" is available if the applicant provides, and the FDA approves, a schedule for submission of the individual sections of the application. Although we have obtained a fast track designation from the FDA for uproleselan to treat AML and breakthrough therapy designation for uproleselan to treat AML, we may not experience a faster development process, review or approval compared to conventional FDA procedures. Our fast track designation may be withdrawn by the FDA if it believes that the designation is no longer supported by data from our clinical development programs. Our fast track designation does not guarantee that we will qualify for or be able to take advantage of the expedited review procedures or that we will ultimately obtain regulatory approval of uproleselan.

In addition to seeking patents for our drug candidates, we also rely on trade secrets, including unpatented know-how, technology and other proprietary information, to maintain our competitive position. For example, our platform is based on trade secrets that consist largely of expertise in carbohydrate chemistry and knowledge of carbohydrate biology. We do not believe that we can obtain patent protection for our platform. Thus, our competitors may use our methods, or acquire similar expertise, in order to develop glycomimetic drug candidates and progress these drug candidates through clinical development and commercialization, which could impair our ability to successfully commercialize our drug candidates. We seek to protect our trade secrets, in part, by entering into non-disclosure and confidentiality agreements with parties who have access to them, such as our employees, corporate collaborators, outside scientific collaborators, contract manufacturers, consultants, advisors and other third parties. We also enter into confidentiality and invention or patent assignment agreements with our employees and consultants. Despite these efforts, any of these parties may breach the agreements and disclose our proprietary information, including our trade secrets, and we may not be able to obtain adequate remedies for such breaches. Enforcing a claim that a party illegally disclosed or misappropriated a trade secret is difficult, expensive and time consuming, and the outcome is unpredictable. In addition, some courts inside and outside the United States are less willing or unwilling to protect trade secrets. If any of our trade secrets were to be lawfully obtained or independently developed by a competitor, we would have no right to prevent them, or those to whom they communicate it, from using that technology or information to compete with us. If any of our trade secrets were to be disclosed to or independently developed by a competitor, our competitive position would be harmed.

In the ordinary course of business, we process personal data and other sensitive data, including proprietary and confidential business data, trade secrets, intellectual property, clinical trial participant data, and other sensitive third-party data. Our data processing activities subject us to numerous data privacy and security obligations, such as federal, state, local and foreign laws, regulations, guidance, industry standards, external and internal privacy and security policies, contracts, and other obligations governing the processing and security of personal data. These obligations may change, are subject to differing interpretations and may be inconsistent among jurisdictions or conflict. The global data protection landscape is rapidly evolving, and implementation standards and enforcement practices are likely to remain uncertain for the foreseeable future. This evolution may create uncertainty in our business; affect our (or the third parties upon which we rely) ability to operate in certain jurisdictions or to collect, store, transfer, use and share personal data; necessitate the acceptance of more onerous obligations in our contracts; result in liability; or impose additional costs on us. These obligations may necessitate changes to our information technologies, systems, and practices and to those of any third parties that process personal data on our behalf. In addition, these obligations may require us to change our business model. Outside the U.S., an increasing number of laws, regulations, and industry standards apply to data privacy and security. For example, the European Union's General Data Protection Regulation (GDPR) (EU) 2016/679, or the EU GDPR and the United Kingdom's GDPR (UK GDPR), or collectively GDPR, impose strict requirements on the processing of personal data. Under the GDPR, government regulators may impose temporary or definitive bans on data processing, as well as fines in the event of violations. Under the GDPR, companies may face temporary or definitive bans on data processing and other corrective actions; fines of up to 20 million Euros under the EU GDPR, 17.5 million pounds sterling under the UK GDPR or, in each case, 4% of annual global revenue, whichever is greater; or private litigation related to processing of personal data brought by classes of data subjects or consumer protection organizations authorized at law to represent their interests. In the ordinary course of business, we may transfer personal data from Europe and other jurisdictions to the United States or other countries. Europe and other jurisdictions have enacted laws requiring data to be localized or limiting the transfer of personal data to other countries. In particular, the European Economic Area (EEA) and the UK have significantly restricted the transfer of personal data to the United States and other countries whose privacy laws it generally believes are inadequate. Other jurisdictions may adopt similarly stringent interpretations of their data localization and cross-border data transfer laws. Although there are currently various mechanisms that may be used to transfer personal data from the EEA and UK to the U.S. in compliance with law, such as the EEA standard contractual clauses, the UK's International Data Transfer Agreement / Addendum, and the EU-U.S. Data Privacy Framework and the UK extension thereto (which allows for transfers to relevant U.S.-based organizations who self-certify compliance and participate in the Framework), these mechanisms are subject to legal challenges, and there is no assurance that we can satisfy or rely on these measures to lawfully transfer personal data to the U.S. If there is no lawful manner for us to transfer personal data from the EEA, the UK, or other jurisdictions to the U.S., or if the requirements for a legally-compliant transfer are too onerous, we could face significant adverse consequences, including the interruption or degradation of our operations, the need to relocate part of or all of our business or data processing activities to other jurisdictions (such as Europe) at significant expense, increased exposure to regulatory actions, substantial fines and penalties, the inability to transfer data and work with partners, vendors and other third parties, and injunctions against our processing or transferring of personal data necessary to operate our business. Some EEA regulators have prevented companies from transferring personal data out of the EEA for allegedly violating the GDPR's cross-border data transfer limitations. In the United States, federal, state, and local governments have enacted numerous data privacy and security laws, including data breach notification laws, personal data privacy laws, consumer protection laws (e.g., Section 5 of the Federal Trade Commission Act), and other similar laws (e.g., wiretapping laws). For example, HIPAA, as amended by HITECH, imposes specific requirements relating to the privacy, security, and transmission of individually identifiable health data. See "Our current and future business and relationships with customers and third-party payors in the United States and elsewhere may be subject, directly or indirectly, to applicable anti-kickback, fraud and abuse, false claims, transparency, health information privacy and security and other healthcare laws and regulations, which could expose us to significant penalties, including criminal sanctions, civil penalties, contractual damages, reputational harm, administrative burdens and diminished profits and future earnings." In the past few years, numerous U.S. states-including California, Virginia, Colorado, Connecticut, and Utah-have enacted comprehensive privacy laws that impose certain obligations on covered businesses, including providing specific disclosures in privacy notices and affording residents with certain rights concerning their personal data. As applicable, such rights may include the right to access, correct, or delete certain personal data, and to opt-out of certain data processing activities, such as targeted advertising, profiling, and automated decision-making. The exercise of these rights may impact our business and ability to provide our products and services. Certain states also impose stricter requirements for processing certain personal data, including sensitive information, such as conducting data privacy impact assessments. These state laws allow for statutory fines for noncompliance. For example, the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020, or CPRA, collectively CCPA, applies to personal data of consumers, business representatives, and employees who are California residents. These obligations include, but are not limited to, providing specific disclosures in privacy notices and honoring requests of such individuals certain rights related to their personal data. The CCPA provide for fines of up to $7,500 per intentional violation and allows private litigants affected by certain data breaches to recover significant statutory damages. While the CCPA and other comprehensive state privacy laws contain limited exceptions for clinical trial data, these developments may further complicate compliance efforts, and increase legal risk and compliance costs for us and the third parties upon whom we rely. Similar laws are being considered in several other states, as well as at the federal and local levels, and we expect more states to pass similar laws in the future. In addition to data privacy and security laws, we may be contractually subject to industry standards adopted by industry groups and may become subject to such obligations in the future. We are also bound by other contractual obligations related to data privacy and security, and our efforts to comply with such obligations may not be successful. For example, clinical trial participants or research subjects about whom we or our vendors obtain information, as well as the providers who share this information with us, may contractually limit our ability to use and disclose the information. We publish privacy policies, marketing materials, and other statements, such as compliance with certain certifications or self-regulatory principles, regarding data privacy and security. If these policies, materials or statements are found to be deficient, lacking in transparency, deceptive, unfair, or misrepresentative of our practices, we may be subject to investigation, enforcement actions by regulators, or other adverse consequences. Obligations related to data privacy and security (and consumers' data privacy expectations) are quickly changing, becoming increasingly stringent, and creating uncertainty. Additionally, these obligations may be subject to differing applications and interpretations, which may be inconsistent or conflict among jurisdictions. Preparing for and complying with these obligations requires us to devote significant resources, which may necessitate changes to our services, information technologies, systems, and practices and to those of any third parties that process personal data on our behalf. It is possible that, in the future, we may fail or be perceived to have failed to comply with applicable data privacy and security obligations. Moreover, despite our best compliance efforts, our personnel or third parties whom we rely on could fail to comply with such obligations, which could negatively impact our business operations and compliance posture. If we or the third parties on which we rely fail, or are perceived to have failed, to address or comply with data privacy and security obligations, we could face significant consequences. These consequences may include, but are not limited to, government enforcement actions; litigation (including class claims) and mass arbitration demands; additional reporting requirements and/or oversight; bans on processing personal data; orders to destroy or not use personal data; and imprisonment of company officials. In particular, plaintiffs have become increasingly more active in bringing privacy-related claims against companies, including class claims and mass arbitration demands. Some of these claims allow for the recovery of statutory damages on a per violation basis, and, if viable, carry the potential for monumental statutory damages, depending on the volume of data and the number of violations. Any of these events could have a material adverse effect on our reputation, business, or financial condition, including but not limited to: interruptions or stoppages in our business operations including, as relevant, clinical trials; inability to process personal data or to operate in certain jurisdictions; limited ability to develop or commercialize uproleselan; expenditure of time and resources to defend any claim or inquiry; adverse publicity; or revision or restructuring of our operations.

We face an inherent risk of product liability exposure related to the testing of our drug candidates in human clinical trials, and will face an even greater risk if we commercially sell any drugs that we may develop. If we cannot successfully defend ourselves against claims that our drug candidates or drugs caused injuries, we will incur substantial liabilities. Regardless of merit or eventual outcome, liability claims may result in: - decreased demand for any drug candidates or drugs that we may develop;- injury to our reputation and significant negative media attention;- withdrawal of clinical trial participants;- significant costs to defend the related litigation;- substantial monetary awards paid to trial participants or patients;- loss of revenue;- reduced resources of our management to pursue our business strategy; and - the inability to commercialize any drugs that we may develop. We carry clinical trial insurance coverage in an amount that we believe is sufficient in relation to our clinical trials being conducted in the United States and in foreign countries where we have or plan to have sites as part of our clinical trials for uproleselan. The use of our drug candidates in clinical trials may result in liability claims for which our current insurance would not be adequate to cover all liabilities that we may incur. In addition, we may need to increase our insurance coverage as we expand our clinical trials or if we commence commercialization of our drug candidates. Insurance coverage is increasingly expensive. We may not be able to maintain insurance coverage at a reasonable cost or in an amount adequate to satisfy any liability that may arise.

We and our collaborators are exposed to the risk of employee fraud or other misconduct. Misconduct by employees could include intentional failures to comply with the FDA regulations, to provide accurate information to the FDA, to comply with manufacturing standards we have established, to comply with federal and state healthcare fraud and abuse laws and regulations, to report financial information or data accurately or to disclose unauthorized activities to us. In particular, sales, marketing and business arrangements in the healthcare industry are subject to extensive laws and regulations intended to prevent fraud, kickbacks, self-dealing and other abusive practices. These laws and regulations may restrict or prohibit a wide range of pricing, discounting, marketing and promotion, sales commission, customer incentive programs and other business arrangements. Employee misconduct could also involve the improper use of individually identifiable information, including, without limitation, information obtained in the course of clinical trials, which could result in regulatory sanctions and serious harm to our reputation. We have adopted a code of business conduct and ethics, but it is not always possible to identify and deter employee misconduct, and the precautions we take to detect and prevent improper activities may not be effective in controlling unknown or unmanaged risks or losses or in protecting us from governmental investigations or other actions or lawsuits stemming from a failure to be in compliance with such laws or regulations. If any such actions are instituted against us, and we are not successful in defending ourselves or asserting our rights, or any such actions are instituted against any of our collaborators, those actions could have a significant impact on our business, including the imposition of significant fines or other sanctions and diminished royalties.

Our drug candidates and the activities associated with their development and commercialization, including their design, testing, manufacture, safety, efficacy, recordkeeping, labeling, storage, approval, advertising, promotion, sale and distribution, are subject to comprehensive regulation by the FDA and other regulatory agencies in the United States and by the EMA and similar regulatory authorities outside the United States. Failure to obtain marketing approval for a drug candidate will prevent us or our collaborators from commercializing the drug candidate. We have not received approval to market any of our drug candidates from regulatory authorities in any jurisdiction. We have only limited experience in filing and supporting the applications necessary to gain marketing approvals and expect to rely on third-party CROs to assist us in this process. Securing marketing approval requires the submission of extensive preclinical and clinical data and supporting information to regulatory authorities for each therapeutic indication to establish the drug candidate's safety and efficacy. Securing marketing approval also requires the submission of information about the product manufacturing process to, and inspection of manufacturing facilities by, applicable regulatory authorities. Our drug candidates may not be effective, may be only moderately effective or may prove to have undesirable or unintended side effects, toxicities or other characteristics that may preclude our ability to obtain marketing approval or prevent or limit commercial use. If any of our drug candidates receives marketing approval, the accompanying label may limit the approved use of our drug, which could limit sales of the drug. The process of obtaining marketing approvals, both in the United States and abroad, is expensive and may take many years if additional clinical trials are required, if approval is obtained at all, and can vary substantially based upon a variety of factors, including the type, complexity and novelty of the drug candidates involved. Changes in marketing approval policies during the development period, changes in or the enactment of additional statutes or regulations or changes in regulatory review for each submitted drug application may cause delays in the approval or rejection of an application. Regulatory authorities have substantial discretion in the approval process and may refuse to accept any application, or may decide that our data are insufficient for approval and require additional preclinical, clinical or other studies. In addition, varying interpretations of the data obtained from preclinical and clinical testing could delay, limit or prevent marketing approval of a drug candidate. Any marketing approval we ultimately obtain may be limited or subject to restrictions or post-approval commitments that render the approved drug not commercially viable. If we experience delays in obtaining approval or if we fail to obtain approval of our drug candidates, the commercial prospects for our drug candidates may be harmed and our ability to generate revenue will be materially impaired.

We do not have a sales or marketing infrastructure and have no experience in the sale, marketing or distribution of pharmaceutical drugs. To achieve commercial success for any drug candidate for which we may obtain marketing approval, we will need to establish a sales and marketing organization to market or co-promote such drugs. There are risks involved with establishing our own sales, marketing and distribution capabilities. For example, recruiting and training a sales force is expensive and time consuming and could delay any product launch. If the commercial launch of a drug candidate for which we recruit a sales force and establish marketing capabilities is delayed or does not occur for any reason, we would have prematurely or unnecessarily incurred these commercialization expenses. This may be costly, and our investment would be lost if we cannot retain or reposition our sales and marketing personnel. Factors that may inhibit our efforts to commercialize our drugs on our own include: - our inability to recruit, train and retain adequate numbers of effective sales and marketing personnel;- the inability of sales personnel to obtain access to physicians or our failure to educate adequate numbers of physicians on the benefits of any future drugs;- the lack of complementary drugs to be offered by sales personnel, which may put us at a competitive disadvantage relative to companies with more products; and - unforeseen costs and expenses associated with creating an independent sales and marketing organization. If we are unable to establish our own sales, marketing and distribution capabilities and therefore enter into arrangements with third parties to perform these services, our revenue and our profitability, if any, are likely to be lower than if we were to sell, market and distribute any drugs that we develop ourselves. In addition, we may not be successful in entering into arrangements with third parties to sell, market and distribute our drug candidates or may be unable to do so on terms that are favorable to us. We likely will have little control over such third parties, and any of them may fail to devote the necessary resources and attention to sell and market our drugs effectively. If we do not establish sales, marketing and distribution capabilities successfully, either on our own or in collaboration with third parties, we will not be successful in commercializing our drug candidates.