Immunome (IMNM) Risk Factors

The trading market for our common stock on The Nasdaq Capital Market has been limited and an active trading market for our shares may not be sustained. If an active market for our common stock is not sustained, it may be difficult for you to sell your shares at a price that is attractive to you, or at all.

As a public company, we are subject to requirements of the Sarbanes-Oxley Act, the regulations of The Nasdaq Capital Market, the rules and regulations of the SEC, expanded disclosure requirements, accelerated reporting requirements and more complex accounting rules. Company responsibilities required by the Sarbanes-Oxley Act include, among other things, that we maintain corporate oversight and adequate internal control over financial reporting and disclosure controls and procedures. This will require that we incur substantial professional fees and internal costs to expand our accounting and finance functions and that we expend significant management efforts. We may experience difficulty in meeting these reporting requirements in a timely manner. Our current controls and any new controls that we develop may become inadequate because of changes in conditions in our business. Further, weaknesses in our disclosure controls and internal control over financial reporting may be discovered in the future. Any failure to develop or maintain effective controls or any difficulties encountered in their implementation or improvement could harm our results of operations or cause us to fail to meet our reporting obligations and may result in a restatement of our consolidated financial statements for prior periods. Any failure to implement and maintain effective internal control over financial reporting could also adversely affect the results of periodic management evaluations and annual independent registered public accounting firm attestation reports regarding the effectiveness of our internal control over financial reporting that we will eventually be required to include in our periodic reports that will be filed with the SEC. Ineffective disclosure controls and procedures and internal control over financial reporting could also cause investors to lose confidence in our reported financial and other information, which would likely have a negative effect on the trading price of our common stock. In addition, if we are unable to continue to meet these requirements, we may not be able to remain listed on The Nasdaq Capital Market. If we cannot provide reliable financial reports or prevent fraud, our business and results of operations could be harmed, investors could lose confidence in our reported financial information and we could be subject to sanctions or investigations by Nasdaq, the SEC or other regulatory authorities. Any failure to maintain effective disclosure controls and internal control over financial reporting could have a material and adverse effect on our business, results of operations and financial condition and could cause a decline in the trading price of our common stock.

The success of our business strategy to pursue acquisitions of assets will depend, in part, on our ability to successfully integrate, develop and advance the acquired assets. If we are unable to do so following the consummation of such transaction, the anticipated benefits of such transaction may not be realized fully or at all, or may take longer to realize than expected. Any failure to timely realize the anticipated benefits of our strategic transaction could have a material adverse effect on our business, operating results, financial condition and stock price. Furthermore, in connection with the consummation of such transactions, we may become responsible for unknown or contingent liabilities. These liabilities could include, among others, exposure to unexpected compliance and regulatory violations and issues, clinical trial design or contract manufacturing and supply issues or delays that may impact the timing to submit applications for regulatory approval, unanticipated obligations to vendors and other creditors and other problems that could result in significant costs and delays to us. All these factors could decrease or delay the expected accretive effect of the transactions, negatively impact our stock price, or have a material adverse effect on our business, financial condition and results of operations.

In the ordinary course of business, we collect, receive, store, process, generate, use, transfer, disclose, make accessible, protect, secure, dispose of, transmit, and share (collectively, process) personal information and other sensitive information, including proprietary and confidential business data, trade secrets, intellectual property, data we collect about trial participants in connection with clinical trials, and sensitive third-party data. Due to these data processing activities, we and the third parties with whom we work, including our current and potential collaborators are or may become subject to numerous data privacy and security obligations, such as federal, state, local and foreign laws and regulations, guidance, industry standards, external and internal privacy and security policies, contractual requirements, and other obligations related to data privacy and security. In the United States, numerous federal, state and local laws and regulations, including federal health information privacy laws (e.g., the Health Insurance Portability and Accountability Act, or HIPAA, as amended by the Health Information Technology for Economic and Clinical Health Act, or HITECH, state data breach notification laws, state health information privacy laws, federal and state consumer protection laws (e.g., Section 5 of the Federal Trade Commission Act), and other similar laws (e.g., wiretapping laws), that govern the collection, use, disclosure and protection of health-related and other personal information could apply to our operations or the operations of the third parties with whom we work. For example, HIPAA imposes specific requirements relating to the privacy, security, and transmission of individually identifiable protected health information. We may obtain health information from third parties (including research institutions from which we obtain clinical trial data) that are subject to privacy and security requirements under HIPAA, or other data privacy and security laws. Depending on the facts and circumstances, we could be subject to criminal penalties if we knowingly obtain, use, or disclose protected health information maintained by a HIPAA-covered entity in a manner that is not authorized or permitted by HIPAA. However, determining whether protected health information has been handled in compliance with applicable privacy standards and our contractual obligations can be complex and may be subject to changing interpretation. Many state laws govern the data privacy and security of personal information and data in specified circumstances, are often not pre-empted by HIPAA, and may have a more prohibitive effect than HIPAA, thus complicating compliance efforts. In the past few years, numerous U.S. states-including California, Virginia, Colorado, Connecticut, and Utah-have enacted comprehensive privacy laws that impose certain obligations on covered businesses, including providing specific disclosures in privacy notices and affording residents with certain rights concerning their personal information. As applicable, such rights may include the right to access, correct, or delete certain personal information, and to opt-out of certain data processing activities, such as targeted advertising, profiling, and automated decision-making. The exercise of these rights may impact our business and ability to provide our products and services. Certain states also impose stricter requirements for processing certain personal information, including sensitive information, such as conducting data privacy impact assessments. These state laws allow for statutory fines for noncompliance. For example, the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020, or CPRA (collectively, CCPA) applies to personal information of consumers, business representatives, and employees who are California residents. The CCPA provides for fines of up to $7,500 per intentional violation and allows private litigants affected by certain data breaches to recover significant statutory damages. While there is currently an exception for protected health information that is subject to HIPAA and clinical trial regulations in the CCPA and certain other U.S. state privacy laws, these laws increase compliance costs and potential liability with respect to other personal information we maintain. Similar laws are being considered in several other states, as well as at the federal and local levels, and we expect more states to pass similar laws in the future. Outside the United States, an increasing number of laws, regulations, and industry standards govern data privacy and security. For example, the European Union's General Data Protection Regulation, or EU GDPR, and the United Kingdom's GDPR, or UK GDPR, (collectively, GDPR) impose strict requirements for processing personal information. For example, under the GDPR, companies subject to these laws and in the event of non-compliance may experience temporary or definitive bans on data processing and other corrective actions; fines of up to 20 million Euros under the EU GDPR, 17.5 million pounds sterling under the UK GDPR or, in each case, 4% of annual global revenue, whichever is greater; or private litigation related to processing of personal information brought by classes of data subjects or consumer protection organizations authorized at law to represent their interests. In Canada, the Personal Information Protection and Electronic Documents Act, or PIPEDA, and various related provincial laws, as well as Canada's Anti-Spam Legislation, or CASL, may apply to our operations. Compliance with foreign data privacy and security laws and regulations could require us to take on more onerous obligations in our contracts, restrict our ability to collect, use and disclose data, or in some cases, impact our ability to operate in certain jurisdictions. In the ordinary course of business, we may transfer personal data from Europe and other jurisdictions to the United States or other countries. Europe and certain other jurisdictions have enacted laws requiring data to be localized or limiting the transfer of personal data to other countries. In particular, the European Economic Area (EEA) and the United Kingdom (UK) have significantly restricted the transfer of personal data to the United States and other countries whose privacy laws it generally believes are inadequate. Other jurisdictions may adopt similarly stringent interpretations of their data localization and cross-border data transfer laws. Although there are currently various mechanisms that may be used to transfer personal data from the EEA and UK to the United States in compliance with law, such as the EEA standard contractual clauses, these mechanisms are subject to legal challenges, and there is no assurance that we can satisfy or rely on these mechanisms to lawfully transfer personal data to the United States. If there were no lawful manner for us to transfer personal data from the EEA, the UK or other jurisdictions to the United States, or if the requirements for a legally-compliant transfer are too onerous, we could face significant adverse consequences, including the interruption or degradation of our operations, the need to relocate part of or all of our business or data processing activities to other jurisdictions (such as Europe) at significant expense, increased exposure to regulatory actions, substantial fines and penalties, the inability to transfer data and work with partners, vendors and other third parties, and injunctions against our processing or transferring of personal data necessary to operate our business. Additionally, companies that transfer personal data out of the EEA and UK to other jurisdictions, particularly to the United States, are subject to increased scrutiny from regulators, individual litigants, and activist groups. Some European regulators have ordered certain companies to suspend or permanently cease certain transfers out of Europe for allegedly violating the GDPR's cross-border data transfer limitations. Regulators in the United States are also increasingly scrutinizing certain personal data transfers and have and may further impose personal data localization requirements or restrictions on cross-border personal data transfers. Our employees and personnel have used, and may in the future use, generative artificial intelligence, or AI, technologies to perform their work, and the disclosure and use of personal information in generative AI technologies is subject to various privacy laws and other privacy obligations. Governments have passed and are likely to pass additional laws regulating generative AI. Our use of this technology could result in additional compliance costs, regulatory investigations and actions, and lawsuits. If we are unable to use generative AI, it could make our business less efficient and result in competitive disadvantages. We also have used, and may in the future use, AI and machine learning, or ML, technologies to assist us in making certain decisions, which is regulated by certain data privacy and security laws. Due to inaccuracies or flaws in the inputs, outputs, or logic of the AI/ML, the model could be biased and could lead us to make decisions that could bias certain individuals (or classes of individuals), and adversely impact their rights, employment, and ability to obtain certain pricing, products, services, or benefits. In addition to data privacy and security laws, we are contractually subject to industry standards adopted by industry groups, and we may become subject to such obligations in the future. We are also bound by contractual obligations related to data privacy and security, and our efforts to comply with such obligations may not be successful. For example, clinical trial sites who share data about clinical trial participants may contractually limit our ability to use and disclose personal information. We publish privacy policies, marketing materials and other statements, such as compliance with certain certifications or self-regulatory principles, regarding data privacy and security. If these policies, materials or statements are found to be deficient, lacking in transparency, deceptive, unfair, or misrepresentative of our practices, we may be subject to investigation, enforcement actions by regulators or other adverse consequences. Obligations related to data privacy and security (and consumers' data privacy expectations) are quickly changing, becoming increasingly stringent, and creating uncertainty. Additionally, these obligations may be subject to differing applications and interpretations, which may be inconsistent or conflict among jurisdictions. Preparing for and complying with these obligations requires us to devote significant resources, which may necessitate changes to our services, information technologies, systems, and practices and to those of any third parties with whom we work. We may at times fail (or be perceived to have failed) in our efforts to comply with our data privacy and security obligations. Moreover, despite our efforts, our personnel or third parties with whom we work may fail to comply with such obligations, which could negatively impact our business operations. If we or the third parties with whom we work fail, or are perceived to have failed, to address or comply with applicable U.S. and foreign data privacy and security laws and regulations, we could face government enforcement actions (e.g., investigations, fines, penalties, audits, inspections, and similar); litigation (including class claims) or mass arbitration demands; additional reporting requirements and/or oversight; bans on processing personal information; orders to destroy or not use personal information; and imprisonment of company officials. Claims that we or the third parties with whom we work have violated individuals' privacy rights, failed to comply with data privacy and security laws, or breached our contractual obligations, even if we are not found liable, could be expensive and time consuming to defend and could result in adverse publicity that could harm our business. Plaintiffs have become increasingly more active in bringing privacy-related claims against companies, including class claims and mass arbitration demands. Some of these claims allow for the recovery of statutory damages on a per violation basis, and, if viable, carry the potential for monumental statutory damages, depending on the volume of data and the number of violations. Any of the aforementioned events could have a material adverse effect on our reputation, business, or financial condition, including: interruptions or stoppages in our business operations (including, as relevant, clinical trials); inability to process personal information or to operate in certain jurisdictions; limited ability to develop or commercialize our products; expenditure of time and resources to defend any claim or inquiry; adverse publicity; or substantial changes to our business model or operations.

The ability of the FDA to review and approve new products can be affected by a variety of factors, including government budget and funding levels, ability to hire and retain key personnel and accept the payment of user fees, and statutory, regulatory, and policy changes, and other events that may otherwise affect the FDA's ability to perform routine functions. Average review times at the agency have fluctuated in recent years as a result. In addition, government funding of the SEC and other government agencies on which our operations may rely, including those that fund research and development activities is subject to the political process, which is inherently fluid and unpredictable. Disruptions at the FDA and other agencies may also slow the time necessary for new drugs to be reviewed and/or approved by necessary government agencies, which would adversely affect our business. For example, in recent years, including beginning on December 22, 2018, the U.S. government shut down several times and certain regulatory agencies, such as the FDA and the SEC, had to furlough critical employees and stop critical activities. If a prolonged government shutdown occurs, or if global health concerns prevent the FDA or other regulatory authorities from conducting their regular inspections, reviews, or other regulatory activities, it could significantly impact the ability of the FDA to timely review and process our regulatory submissions, which could have a material adverse effect on our business. Further, in our operations as a public company, future government shutdowns or delays could impact our ability to access the public markets and obtain necessary capital in order to properly capitalize and continue our operations.

Our success largely depends on the continued service of key management, advisors, consultants and other specialized personnel. While we have written employment agreements with our management team and each of our key employees, those employment arrangements are at-will and could be terminated at any time. The loss of one or more members of our management team or other key employees, advisors or consultants could delay our research and development programs and have a material and adverse effect on our business, financial condition, results of operations and prospects. We do not currently maintain "key man" insurance on any of our executive officers. The relationships that our key management team members have cultivated within our industry make us particularly dependent upon their continued employment with us. We are dependent on the continued service of our technical personnel because of the highly technical nature of our programs, development candidates and technologies and the specialized nature of the regulatory approval process. Our future success will depend in large part on our continued ability to attract and retain other highly qualified scientific, technical and management personnel, as well as personnel with expertise in clinical testing, manufacturing, governmental regulation and commercialization. Our future success is also dependent on our ability to retain qualified advisors and consultants. We face competition for personnel from other companies, universities, public and private research institutions, government entities and other organizations. As of September 30, 2024, we had 105 full-time employees. The continued operation of our business and execution of our plans will require material additional staffing within the next twelve months. We cannot provide assurance that we will be able to hire or retain adequate staffing levels to advance our discovery and ADC platforms, develop our programs or development candidates or run our operations or to accomplish our objectives.

We rely on, and expect to continue to rely on, third-party vendors for many aspects of our business. We depend on these third parties, and likely will continue to depend on them, to perform their obligations in a timely manner consistent with contractual and regulatory requirements. We also at times need to rely, and may continue to need to rely, on certain vendors as our sole source for research, development, manufacturing or other services. Establishing additional or replacement sole source vendors, if required, may not be accomplished quickly. In addition, these vendors may now or in the future partner with and conduct services for third parties developing in enabling technologies that are competitive with our discovery and ADC platforms and/or current or future development candidates. If we are unable to make arrangements with a vendor for a particular need, or maintain our relationship with that vendor, on commercially reasonable terms, we may not be able to develop and commercialize our programs or development candidates successfully or operate our business as we intend, which could harm our business, result of operations, financial condition and prospects.

Even if we are successful in achieving regulatory approval to commercialize a program or development candidate ahead of our competitors, our development candidates may face competition from biosimilar or generic products. In the United States, our antibody-based programs and development candidates are expected to be regulated by the FDA as biological products, and we intend to seek approval for these development candidates pursuant to the BLA pathway. The Biologics Price Competition and Innovation Act of 2009, or BPCIA, created an abbreviated pathway for FDA approval of biosimilar and interchangeable biological products based on a previously licensed reference product. Under the BPCIA, an application for a biosimilar biological product cannot be approved by the FDA until 12 years after the original reference biological product was approved under a BLA. We believe that any of our development candidates approved as a biological product under a BLA should qualify for the 12-year period of exclusivity available to reference biological products. However, there is a risk that this exclusivity could be shortened due to congressional action or otherwise, or that the FDA will not consider our development candidates to be reference biological products pursuant to its interpretation of the exclusivity provisions of the BPCIA for competing products, potentially creating the opportunity for generic follow-on biosimilar competition sooner than anticipated. Moreover, the extent to which a biosimilar product, once approved, will be substituted for any one of our reference products in a way that is similar to traditional generic substitution for non-biological products is not yet clear, and will depend on a number of marketplace and regulatory factors that are still developing including whether a future competitor seeks an interchangeability designation for a biosimilar of one of our products. Under the BPCIA as well as state pharmacy laws, only interchangeable biosimilar products are considered substitutable for the reference biological product without the intervention of the health care provider who prescribed the original biological product. However, as with all prescribing decisions made in the context of a patient-provider relationship and a patient's specific medical needs, health care providers are not restricted from prescribing biosimilar products in an off-label manner. In addition, a competitor could decide to forego the abbreviated approval pathway available for biosimilar products and to submit a full BLA for product licensure after completing its own preclinical studies and clinical trials. In such a situation, any exclusivity for which our development candidates may be eligible under the BPCIA would not prevent the competitor from marketing its biological product as soon as it is approved. In Europe, the European Commission has granted marketing authorizations for several biosimilar products pursuant to a set of general and product class-specific guidelines for biosimilar approvals issued over the past few years. In addition, companies may be developing biosimilar products in other countries that could compete with our products, if approved. If competitors are able to obtain marketing approval for biosimilars referencing our development candidates, if approved, our future products may become subject to competition from such biosimilars, whether or not they are designated as interchangeable, with the attendant competitive pressure and potential adverse consequences. Such competitive products may be able to immediately compete with us in each indication for which our development candidates may have received approval.