IO Biotech (IOBT) Risk Factors

Until such time, if ever, as we can generate substantial product revenue, we expect to finance our operations through equity offerings, debt financings or other capital sources, including potentially grants, collaborations, licenses or other similar arrangements. To the extent that we raise additional capital through the sale of equity or convertible debt securities, our stockholders' ownership interest will be diluted, and the terms of these securities may include liquidation or other preferences that adversely affect the rights of holders of our common stock. Additional debt financing, if available, may involve agreements that include covenants further limiting or restricting our ability to take specific actions, such as further limitations on our ability to incur additional debt, make capital expenditures or declare dividends. If we raise funds through collaborations or licensing arrangements with third parties, we may have to relinquish valuable rights to our technologies, future revenue streams, research programs or product candidates or grant licenses on terms that may not be favorable to us. If we are unable to raise additional funds when needed, we may be required to delay, limit, reduce or terminate our product development or future commercialization efforts or grant rights to develop and market product candidates that we would otherwise prefer to develop and market ourselves.

As a public company, we operate in an increasingly demanding regulatory environment, which requires us to comply with the Sarbanes-Oxley Act, the regulations of Nasdaq, the rules and regulations of the SEC, expanded disclosure requirements, accelerated reporting requirements and more complex accounting rules. Company responsibilities required by the Sarbanes-Oxley Act include establishing corporate oversight and adequate internal control over financial reporting and disclosure controls and procedures. Effective internal controls are necessary for us to produce reliable financial reports and are important to help prevent financial fraud. Commencing with our fiscal year ending December 31, 2022, we must perform system and process evaluation and testing of our internal controls over financial reporting to allow management to report on the effectiveness of our internal controls over financial reporting in our Form 10-K filing for that and each subsequent year, as required by Section 404 of the Sarbanes-Oxley Act. Prior to our IPO, we were not required to test our internal controls within a specified period and, as a result, we may experience difficulty in meeting these reporting requirements. For example, in connection with the audit of our financial statements for the years ended December 31, 2021 and 2020, we and our independent registered public accounting firm identified a material weakness in our internal control over financial reporting. This material weakness was not previously remediated, and in connection with the preparation of our consolidated financial statements for the year ended December 31, 2021, the Company identified an error, which resulted in a restatement as disclosed in our Current Report on Form 8-K filed on December 17, 2021. For the year ended December 31, 2022, this material weakness was remediated and no additional material weaknesses were identified for the year ended December 31, 2023, the three months ended March 31, 2024, the six months ended June 30, 2024 or the nine months ended September 30, 2024 but we could experience further difficulty with internal control over financing reporting in the future. Our internal control over financial reporting will not prevent or detect all errors and all fraud. A control system, no matter how well designed and operated, can provide only reasonable, not absolute, assurance that the control system's objectives will be met. Because of the inherent limitations in all control systems, no evaluation of controls can provide absolute assurance that misstatements due to error or fraud will not occur or that all control issues and instances of fraud will be detected. If we are not able to comply with the requirements of Section 404 of the Sarbanes-Oxley Act in a timely manner, or if we are unable to maintain proper and effective internal controls, we may not be able to produce timely and accurate financial statements. If we cannot provide reliable financial reports or prevent fraud, our business and results of operations could be harmed, investors could lose confidence in our reported financial information and we could be subject to sanctions or investigations by Nasdaq, the SEC or other authorities.

Since our inception, we have used substantial amounts of cash to fund our operations and expect our expenses to increase substantially during the next few years. The development of biopharmaceutical product candidates, especially immune-oncology product candidates, is capital intensive. As our product candidates enter and advance through preclinical studies and clinical trials, we will need substantial additional funds to expand our clinical, regulatory, quality and manufacturing capabilities. In addition, if we obtain marketing approval for any of our product candidates, we expect to incur significant commercialization expenses related to marketing, sales, manufacturing and distribution. Furthermore, we expect to incur additional costs associated with operating as a public company. As of September 30, 2024, we had $80.2 million in cash and cash equivalents. Based upon our current operating plan, we estimate that our existing cash and cash equivalents will be sufficient to fund our operating expenses and capital expenditure requirements into the fourth quarter of 2025. However, our existing cash and cash equivalents may not be sufficient to fund any of our product candidates through regulatory approval, and we will need to raise substantial additional capital to complete the development and commercialization of our product candidates. We have based these estimates on assumptions that may prove to be incorrect or require adjustment as a result of business decisions, and we could utilize our available capital resources sooner than we currently expect. Our future capital requirements will depend on many factors, some of which are outside of our control, including: - the initiation, design, progress, timing, costs and results of drug discovery, preclinical studies and clinical trials of our product candidates, and in particular the clinical trials for IO102-IO103;- the number and characteristics of product candidates that we pursue;- the number of clinical trials needed for regulatory approvals from the FDA, the European Commission (based on recommendation from the EMA), and any other regulatory authority;- the length of our clinical trials, including, among other things, as a result of delays in enrollment, difficulties enrolling sufficient subjects or delays or difficulties in clinical trial site activations;- increased costs associated with conducting our clinical trials, including, among other things, clinical trial site activations and patient enrollment;- successfully completing ongoing pre-clinical studies and clinical trials;- the outcome, timing and costs of seeking regulatory approvals from the FDA, the European Commission, and any other regulatory authority;- the costs of manufacturing our product candidates, in particular for clinical trials in preparation for marketing approval and in preparation for commercialization;- the costs of any third-party products used in our combination clinical trials that are not covered by such third party or other sources;- the costs associated with hiring additional personnel and consultants as our preclinical, manufacturing and clinical activities increase;- the receipt of marketing approval and revenue received from any commercial sales of any of our product candidates, if approved;- the cost of commercialization activities for any of our product candidates, if approved, including marketing, sales, compliance and distribution costs;- the emergence of competing therapies and other adverse market developments;- the ability to establish and maintain strategic collaboration, licensing or other arrangements and the financial terms of such agreements;- the extent to which we in-license or acquire other products and technologies;- the amount and timing of any payments we may be required to make pursuant to our current or future license agreements;- the costs involved in preparing, filing, prosecuting, maintaining, expanding, defending and enforcing patent claims, including litigation costs and the outcome of such litigation;- our need and ability to retain key management and hire scientific, technical, business, medical, and compliance personnel;- our implementation of additional internal systems and infrastructure, including operational, financial, compliance and management information systems;- our costs associated with expanding our facilities or building out our laboratory space;- the effects of the disruptions to and volatility in the credit and financial markets in the United States and worldwide from public health emergencies, and geopolitical conflict (such as in Ukraine and the Middle East); and - the costs of operating as a public company. We will require additional capital to achieve our business objectives. Additional funds may not be available on a timely basis, on favorable terms, or at all, and such funds, if raised, may not be sufficient to enable us to continue to implement our long-term business strategy. Further, our ability to raise additional capital may be adversely impacted by potential worsening global economic conditions and the recent disruptions to and volatility in the credit and financial markets in the United States and worldwide. If we are unable to raise sufficient additional capital, we could be forced to curtail our planned operations and the pursuit of our growth strategy.

As a public company, we incur significant legal, accounting and other expenses that we did not incur as a private company. In addition, the Sarbanes-Oxley Act of 2002, as amended (the "Sarbanes-Oxley Act"), as well as rules subsequently implemented by the SEC and Nasdaq, have imposed various requirements on public companies. In July 2010, the Dodd-Frank Wall Street Reform and Consumer Protection Act (the "Dodd-Frank Act") was enacted. There are significant corporate governance and executive compensation related provisions in the Dodd-Frank Act that require the SEC to adopt additional rules and regulations in these areas such as "Say on Pay" and proxy access. Recent legislation permits smaller "emerging growth companies" to implement many of these requirements over a longer period and up to five years from the pricing of our IPO. We have taken advantage of this new legislation but cannot guarantee that we will not be required to implement these requirements sooner than budgeted or planned and thereby incur unexpected expenses. Stockholder activism, the current political environment and the current high level of government intervention and regulatory reform may lead to substantial new regulations and disclosure obligations, which may lead to additional compliance costs and impact the manner in which we operate our business in ways we cannot currently anticipate. Our management and other personnel need to devote a substantial amount of time to these compliance initiatives. Moreover, these rules and regulations increase our legal and financial compliance costs and make some activities more time-consuming and costlier than when we were a private company. For example, these rules and regulations make it more difficult and more expensive for us to obtain director and officer liability insurance.

U.S. and foreign anti-corruption, anti-money laundering, export control, sanctions, and other trade laws and regulations (collectively, "Trade Laws") prohibit, among other things, companies and their employees, agents, CROs, legal counsel, accountants, consultants, contractors, and other partners from authorizing, promising, offering, providing, soliciting, or receiving directly or indirectly, corrupt or improper payments or anything else of value to or from recipients in the public or private sector. Violations of Trade Laws can result in substantial criminal fines and civil penalties, imprisonment, the loss of trade privileges, debarment, tax reassessments, breach of contract and fraud litigation, reputational harm, and other consequences. We have direct or indirect interactions with officials and employees of government agencies or government-affiliated hospitals, universities, and other organizations. We also expect to continue our non-U.S. activities, which may increase over time. We expect to rely on third parties for research, preclinical studies, and clinical trials and/or to obtain necessary permits, licenses, patent registrations, and other marketing approvals. We can be held liable for the corrupt or other illegal activities of our personnel, agents, or partners, even if we do not explicitly authorize or have prior knowledge of such activities.

The use of our product candidates in clinical trials and the sale of any products for which we obtain marketing approval exposes us to the risk of product liability claims. Product liability claims might be brought against us by consumers, healthcare providers, pharmaceutical companies or others selling or otherwise coming into contact with our products. There is a risk that our product candidates may induce adverse events. If we cannot successfully defend against product liability claims, we could incur substantial liability and costs. In addition, regardless of merit or eventual outcome, product liability claims may result in: - impairment of our business reputation;- withdrawal of clinical trial participants;- costs due to related litigation;- distraction of management's attention from our primary business;- substantial monetary awards to patients or other claimants;- the inability to commercialize our product candidates; and - decreased demand for our product candidates, if approved for commercial sale. We believe our product liability insurance coverage is sufficient in light of our current clinical programs; however, we may not be able to maintain insurance coverage at a reasonable cost or in sufficient amounts to protect us against losses due to liability. If and when we obtain marketing approval for product candidates, we intend to expand our insurance coverage to include the sale of commercial products; however, we may be unable to obtain product liability insurance on commercially reasonable terms or in adequate amounts. On occasion, large judgments have been awarded in class action lawsuits based on drugs or medical treatments that had unanticipated adverse effects. A successful product liability claims or series of claims brought against us could cause our stock price to decline and, if judgments exceed our insurance coverage, could adversely affect our results of operations and business. Patients with cancer and other diseases targeted by our product candidates are often already in severe and advanced stages of disease and have both known and unknown significant pre-existing and potentially life-threatening health risks. During the course of treatment, patients may suffer adverse events, including death, for reasons that may be related to, or perceived to be related to, our product candidates. Such events could subject us to costly litigation, require us to pay substantial amounts of money to injured patients, delay, negatively impact or end our opportunity to receive or maintain regulatory approval to market our products, or require us to suspend or abandon our commercialization efforts. Even in a circumstance in which we do not believe that an adverse event is related to our products, the investigation into the circumstance may be time-consuming or inconclusive. These investigations may divide the attention of our management team, interrupt our sales efforts, delay our regulatory approval process in other countries, or impact and limit the type of regulatory approvals our product candidates receive or maintain. As a result of these factors, a product liability claim, even if successfully defended, could have a material adverse effect on our business, financial condition or results of operations.

New income, sales, use, or other tax laws, statutes, rules, regulations or ordinances could be enacted at any time, which could adversely affect our business operations and financial performance. Further, existing tax laws, statutes, rules, regulations, or ordinances could be interpreted, changed, modified, or applied adversely to us. For example, the TCJA enacted many significant changes to the U.S. tax laws. Future guidance from the IRS and other tax authorities with respect to the TCJA may affect us, and certain aspects of the TCJA could be repealed or modified in future legislation. For example, the Coronavirus Aid, Relief, and Economic Security Act (the "CARES Act") modified certain provisions of the TCJA. In addition, it is uncertain if and to what extent various states will conform to the TCJA or any newly enacted federal tax legislation. For example, the U.S. government enacted the IRA in 2022, which, among other things, significantly changes the taxation of certain business entities, including by imposing a 1% excise tax on certain share buybacks, effective for tax years beginning in 2023. If and when applicable, it is possible that the 1% excise tax on share buybacks could result in an additional tax liability over the regular federal corporate tax liability in a given year. Any resulting tax liability could adverse impact our business, financial condition, results of operation, and liquidity. Changes in corporate tax rates, the realization of net deferred tax assets relating to our operations, the taxation of foreign earnings, and the deductibility of expenses under the TCJA or future reform legislation could have a material impact on the value of our deferred tax assets, could result in significant one time charges, and could increase our future U.S. tax expense. In addition, recent and upcoming presidential and congressional elections in the United States could also result in significant changes in, and uncertainty with respect to, tax legislation, regulation and government policy directly affecting us and our business. For example, the United States government may enact significant changes to the taxation of business entities including, among others, a permanent increase in the corporate income tax rate, an increase in the tax rate applicable to the global intangible low-taxed income and elimination of certain exemptions, and the imposition of minimum taxes or surtaxes on certain types of income. The likelihood of these changes being enacted or implemented is unclear.

We maintain a large quantity of sensitive information, including confidential business and personal information in connection with the conduct of our clinical trials and related to our employees, and we are subject to laws and regulations governing the privacy and security of such information. In the United States, there are numerous federal and state privacy and data security laws and regulations governing the collection, use, disclosure and protection of personal information, including federal and state health information privacy laws, federal and state security breach notification laws, and federal and state consumer protection laws. The legislative and regulatory landscape for privacy and data protection continues to evolve, and there has been an increasing focus on privacy and data protection issues, including with respect to regulatory enforcement and private litigation, which may affect our business and is expected to increase our compliance costs and exposure to liability. In the United States, numerous federal and state laws and regulations could apply to our operations or the operations of our partners, including state data breach notification laws, state health information privacy laws, and federal and state consumer protection laws and regulations (e.g., Section 5 of the Federal Trade Commission ("FTC") Act), that govern the collection, use, disclosure, and protection of health-related and other personal information. In addition, we may obtain health information from third parties (including research institutions from which we obtain clinical trial data) that may be subject to privacy and security requirements under HIPAA, as amended by HITECH and regulations promulgated thereunder. Depending on the facts and circumstances, we could be subject to significant penalties if we obtain, use, or disclose, or are subject to an actual or alleged data breach regarding, individually identifiable health information in a manner that is not authorized or permitted by HIPAA. In 2023, the SEC finalized rules requiring enhanced disclosures regarding cybersecurity risk management, strategy, and governance, as well as the timely reporting of material cybersecurity incidents. These rules mandate disclosures about our processes for identifying, assessing, and managing cybersecurity risks, the role of management and the board of directors in overseeing these risks, and specific incidents that materially affect us. In the EEA, we are subject to the EU GDPR, which took effect in May 2018. The EU GDPR governs the collection, use, disclosure, transfer or other processing of personal data (i.e., data which identifies an individual or from which an individual is identifiable), including clinical trial data, and grants individuals various data protection rights (e.g., the right to erasure of personal data). The EU GDPR imposes a number of obligations on companies, including inter alia: (1) accountability and transparency requirements, and enhanced requirements for obtaining valid consent; (2) obligations to consider data protection as any new products or services are developed and to limit the amount of personal data processed; (3) obligations to implement appropriate technical and organizational measures to safeguard personal data and to report certain personal data breaches to the supervisory authority without undue delay (and no later than 72 hours where feasible); and (4) additional, more onerous requirements around the processing of special categories of personal data (including health data and genetic data). In addition, the EU GDPR prohibits the transfer of personal data from the EEA to the United States and other jurisdictions that the European Commission does not recognize as having "adequate" data protection laws unless a data transfer mechanism has been put in place. In July 2020, the Court of Justice of the EU ("CJEU") in the Schrems II decision limited how organizations could lawfully transfer personal data from the EEA to the United States by invalidating the EU-US Privacy Shield for purposes of international transfers and imposing further restrictions on use of the standard contractual clauses ("SCCs"), including a requirement for companies to carry out a transfer impact assessment, which among other things, assesses laws governing access to personal data in the recipient country and considers whether supplementary measures that provide privacy protections additional to those provided under SCCs will need to be implemented to ensure an essentially equivalent level of data protection to that afforded in the EEA. The European Commission subsequently issued new SCCs in June 2021 to account for the decision of the CJEU and recommendations made by the European Data Protection Board and which are in turn relatively more onerous. At present, there are few, if any, viable alternatives to the SCCs. However, on October 7, 2022, the Biden administration introduced an Executive Order to facilitate a new Trans-Atlantic Data Privacy Framework which will act as a successor to the invalidated EU-US Privacy Shield. On December 13, 2022, the European Commission also published its draft adequacy decision to reflect its view that the new Executive Order and Trans-Atlantic Data Privacy Framework, is able to meet the concerns raised in Schrems II. If the draft adequacy decision is approved and implemented, the agreement will facilitate the transatlantic flow of personal data and provide additional safeguards to data transfer mechanisms (including SCCs and Binding Corporate Rules) for companies transferring personal data from the EU to the US. However, before parties rely on the new framework, there are still legislative and regulatory steps that must be undertaken both in the US and in the EU. The EU GDPR imposes substantial fines for breaches and violations (up to the greater of €20 million or 4% of consolidated annual worldwide gross revenue), and confers a private right of action on data subjects and consumer associations to lodge complaints with supervisory authorities, seek judicial remedies and obtain compensation for damages resulting from violations of the EU GDPR. The EU GDPR increases our responsibility and liability in relation to personal data that we process, and additional mechanisms put in place to address compliance with the EU GDPR must be kept under review as the legislative and regulatory landscape for data protection in the EU continues to evolve. Relatedly, following Brexit, the EU GDPR has been implemented in the United Kingdom (as the "UK GDPR"). The UK GDPR sits alongside the UK Data Protection Act 2018 which implements certain derogations in the EU GDPR into UK law. Under the UK GDPR, companies not established in the UK but that process personal data in relation to the offering of goods or services to individuals in the UK, or to monitor their behavior will be subject to the UK GDPR – the requirements of which are (at this time) largely aligned with those under the EU GDPR and as such, may lead to similar compliance and operational costs with potential fines of up to £17.5 million or 4% of global turnover. The UK Government has published its own form of SCCs, known as the International Data Transfer Agreement and International Data Transfer Addendum to the EU SCCs. The UK Information Commissioner's Office has also published its own version of the transfer impact assessment and recently revised guidance on international transfers, although entities may choose to adopt either the EU or UK style transfer impact assessment. In terms of international data transfers between the UK and US, it is understood that the UK and the US are also negotiating an adequacy agreement. Compliance with these and any other applicable privacy and data security laws and regulations is a rigorous and time-intensive process, and we may be required to devote additional resources to and put in place additional mechanisms ensuring compliance with the new data protection and disclosure rules. Despite our efforts to comply with these laws and regulations, the inherent complexity of data security and cyber threats, and the newness of some of these requirements, such as the SEC's cybersecurity disclosure requirements, present a risk of non-compliance or insufficient disclosure, which could invite regulatory scrutiny and affect our operational and financial performance. Furthermore, the laws are not consistent, and compliance in the event of a widespread data breach is costly. In addition, states are constantly adopting new laws or amending existing laws, requiring attention to frequently changing regulatory requirements. For example, California enacted the California Consumer Privacy Act (the "CCPA"), which took effect on January 1, 2020, became enforceable by the California Attorney General on July 1, 2020, and was the first comprehensive state privacy law in the United States. The CCPA gives California residents expanded rights to access and delete their personal information, opt out of certain personal information sharing and receive detailed information about how their personal information is used by requiring covered companies to provide new disclosures to California consumers (as that term is broadly defined) and provide such consumers new ways to opt-out of certain sales of personal information. The CCPA provides for civil penalties for violations, as well as a private right of action for data breaches that is expected to increase data breach litigation. Further, the California Privacy Rights Act (the "CPRA"), which further amended the CCPA, went into effect on January 1, 2023. The CCPA, as amended by the CPRA, imposes additional data protection obligations on companies doing business in California, including additional consumer rights processes, limitations on data uses, new audit requirements for higher risk data, and opt outs for certain uses of sensitive data. It will also create a new California data protection agency authorized to issue substantive regulations and could result in increased privacy and information security enforcement. The majority of the provisions went into effect on January 1, 2023, and additional compliance investment and potential business process changes may be required. Although the CCPA currently exempts certain health-related information, including clinical trial data, the CCPA (as amended by the CPRA) may increase our compliance costs and potential liability. Similar laws have been adopted in other states or proposed in other states and at the federal level, and if passed, such laws may have potentially conflicting requirements that would make compliance challenging. While these proposals and new laws generally include exemptions for HIPAA-covered and clinical trial data, they add layers of complexity to compliance in the U.S. market, and could increase our compliance costs and adversely affect our business. Additionally, newly introduced state laws related to health privacy may result in additional compliance costs. For example, the state of Washington recently passed the "My Health My Data" Act, which will regulate "consumer health data," defined as "personal information that is linked or reasonably linkable to a consumer and that identifies a consumer's past, present, or future physical or mental health." The "My Health My Data" Act provides exemptions for personal data used or shared in research, including data subject to 45 C.F.R. Parts 46, 50, and 56. Additionally, Nevada recently enacted a consumer health data privacy bill, and other states could adopt health-specific privacy laws that could impact our business. The FTC and many state attorneys general are interpreting existing federal and state consumer protection laws to impose evolving standards for the collection, use, dissemination and security of health-related and other personal information. For instance, the FTC has promulgated standards for fair information practices, which concern consumer notice, choice, security and access, and also require notice of certain health information breaches outside the HIPAA context. Privacy laws require us to publish statements that describe how we handle personal information and choices individuals may have about the way we handle their personal information. Violating individuals' privacy rights, publishing false or misleading information about security practices, or failing to take appropriate steps to keep individuals' personal information secure may constitute unfair or deceptive acts or practices in violation of Section 5 of the FTC Act. Additionally, the FTC published an advance notice of proposed rulemaking on commercial surveillance and data security in 2022 and may implement new trade regulation rules or other regulatory alternatives concerning the ways in which companies (1) collect, aggregate, protect, use, analyze, and retain consumer data, as well as (2) transfer, share, sell, or otherwise monetize that data in ways that are unfair or deceptive in the coming years. Federal regulators, state attorneys general and plaintiffs' attorneys have been and will likely continue to be active in this space, and if we do not comply with existing or new laws and regulations related to patient health information, we could be subject to criminal or civil sanctions. Any actual or perceived failure by us to comply with applicable privacy and data security laws and regulations could result in regulatory investigations, reputational damage, orders to cease/ change our processing of our data, enforcement notices, and/ or assessment notices (for a compulsory audit). We may also face civil claims including representative actions and other class action type litigation (where individuals have suffered harm), potentially amounting to significant compensation or damages liabilities, as well as associated costs, diversion of internal resources, and reputational harm.

We have not yet manufactured or processed our product candidates on a commercial scale and may not be able to do so for any of our product candidates. We may encounter difficulties in production, particularly in scaling up or out, validating the production process, and assuring high reliability of the manufacturing process. These problems may include delays or break-downs in logistics and shipping, difficulties with production costs and yields, quality control, and product testing, operator error, lack of availability of qualified personnel, as well as failure to comply with strictly enforced federal, state and foreign regulations. Furthermore, if contaminations are discovered in our supply of product candidates or in the manufacturing facilities, such manufacturing facilities may need to be closed for an extended period of time to investigate and remedy the contamination. We cannot assure you that any of these or other issues relating to the manufacture of our product candidates will not occur in the future. Any delay or interruption in the supply of clinical trial supplies could delay the completion of clinical trials, increase the costs associated with maintaining clinical trial programs and, depending upon the period of delay, require us to begin new clinical trials at additional expense or terminate clinical trials completely. Manufacturing facilities also require commissioning and validation activities to demonstrate that they operate as designed, and are subject to government inspections by the FDA, EU Member States (coordinated by the EMA) and other comparable foreign regulatory authorities. If we are unable to reliably produce products to specifications acceptable to the regulatory authorities, we may not obtain or maintain the approvals we need to manufacture our products. Further, manufacturing facilities may fail to pass government inspections prior to or after the commercial launch of our product candidates, which would cause significant delays and additional costs required to remediate any deficiencies identified by the regulatory authorities. Any of these challenges could delay completion of clinical trials, require bridging clinical trials or the repetition of one or more clinical trials, increase clinical trial costs, delay approval of our product candidate, impair commercialization efforts, increase our cost of goods, and have an adverse effect on our business, financial condition, results of operations and growth prospects.

We are exposed to the risk of fraud or other misconduct by our employees, principal investigators, consultants and commercial partners. Misconduct by these parties could include intentional failures to comply with the regulations of the FDA and other comparable foreign regulatory authorities, provide accurate information to the FDA and other comparable foreign regulatory authorities, comply with healthcare fraud and abuse laws and regulations in the United States, EU, United Kingdom and in other jurisdictions, report financial information or data accurately or disclose unauthorized activities to us. In particular, sales, marketing and business arrangements in the healthcare industry are subject to extensive laws and regulations intended to prevent fraud, misconduct, kickbacks, self-dealing and other abusive practices. These laws and regulations may restrict or prohibit a wide range of pricing, discounting, marketing and promotion, sales commission, customer incentive programs and other business arrangements. Such misconduct could also involve the improper use of information obtained in the course of clinical trials, which could result in regulatory sanctions and cause serious harm to our reputation. It is not always possible to identify and deter employee misconduct, and the precautions we take to detect and prevent this activity may not be effective in controlling unknown or unmanaged risks or losses or in protecting us from governmental investigations or other actions or lawsuits stemming from a failure to comply with these laws or regulations. If any such actions are instituted against us those actions could have a significant impact on our business, including the imposition of significant civil, criminal and administrative penalties, damages, fines, disgorgement, imprisonment, exclusion from government funded healthcare programs, such as Medicare and Medicaid, contractual damages, reputational harm, diminished profits and future earnings, additional reporting obligations and oversight if subject to a corporate integrity agreement or other agreement to resolve allegations of non-compliance with these laws, and the curtailment or restructuring of our operations.

We do not have the ability to conduct all aspects of our preclinical testing or clinical trials ourselves. As a result, we are and expect to remain dependent on third parties to conduct our current and future preclinical studies and clinical trials. CROs that manage our preclinical studies and clinical trials as well as clinical investigators, including in investigator-initiated clinical trials, and consultants play a significant role in the conduct of our preclinical studies and clinical trials and the subsequent collection and analysis of data. The timing of the initiation and completion of these studies and trials will therefore be partially controlled by such third parties and may result in delays to our development programs. Nevertheless, we are responsible for ensuring that each of our preclinical studies and clinical trials is conducted in accordance with the applicable protocol, legal requirements, and scientific standards, and our reliance on the CROs and other third parties does not relieve us of our regulatory responsibilities. We and our CROs are required to comply with Good Laboratory Practice ("GLP") and GCP requirements, which are regulations and guidelines enforced by the FDA, the EMA, and comparable foreign regulatory authorities for all of our product candidates in clinical development. Regulatory authorities enforce these GLP and GCP requirements through periodic inspections of preclinical study sites, trial sponsors, clinical trial investigators and clinical trial sites. If we or any of our CROs or clinical trial sites, including clinical trial sites in investigator-initiated clinical trials, fail to comply with applicable GLP or GCP requirements, the data generated in our preclinical studies and clinical trials may be deemed unreliable, and the FDA, EMA, or comparable foreign regulatory authorities may require us to perform additional preclinical or clinical trials before approving our marketing applications. Further, requirements regarding clinical trial data may evolve. In June 2023, the FDA published a draft guidance, "E6(R3) Good Clinical Practice (GCP)," which seeks to unify standards for clinical trial data for ICH member countries and regions. Changes to data requirements may cause the FDA or other foreign regulatory authorities to disagree with data from preclinical studies or clinical trials, and may require further studies. In addition, our clinical trials must be conducted with product produced under cGMP regulations. Our failure to comply with these regulations may require us to stop and/or repeat clinical trials, which would delay the marketing approval process. There is no guarantee that any such CROs, clinical trial investigators or other third parties on which we rely will devote adequate time and resources to our development activities or perform as contractually required. If any of these third parties fails to meet expected deadlines, fails to adhere to our clinical protocols or meet regulatory requirements, otherwise performs in a substandard manner, or terminates its engagement with us, the timelines for our development programs may be extended or delayed or our development activities may be suspended or terminated. If any of our clinical trial sites terminates for any reason, we may experience the loss of follow-up information on subjects enrolled in such clinical trials unless we are able to transfer those subjects to another qualified clinical trial site, which may be difficult or impossible. In addition, clinical trial investigators for our clinical trials or investigator-initiated clinical trials may serve as scientific advisors or consultants to us from time to time and may receive cash or equity compensation in connection with such services. If these relationships and any related compensation result in perceived or actual conflicts of interest, or the FDA or any comparable foreign regulatory authority concludes that the financial relationship may have affected the interpretation of the trial, the integrity of the data generated at the applicable clinical trial site may be questioned and the utility of the clinical trial itself may be jeopardized, which could result in the delay or rejection of any marketing application we submit by the FDA or any comparable foreign regulatory authority. Any such delay or rejection could prevent us from commercializing our product candidates. Furthermore, these third parties may also have relationships with other entities, some of which may be our competitors. If these third parties do not successfully carry out their contractual duties, meet expected deadlines or conduct our clinical trials in accordance with regulatory requirements or our stated protocols, we may be unable to obtain, or may be delayed in obtaining, marketing approvals for our product candidates and may be unable to, or may be delayed in our efforts to, successfully commercialize our products.

Our business could be adversely affected by unstable economic and political conditions within the United States and foreign jurisdictions and geopolitical conflicts, such as the conflict in Ukraine and conflicts in the Middle East. While we do not have any operations in Russia or Ukraine at this time, the current military conflict, and related sanctions, as well as export controls or actions that may be initiated by nations and regions including the United States, the EU or Russia (e.g., potential cyberattacks, disruption of energy flows, disruptions to supply chains, etc.) and other potential uncertainties could adversely affect our business. Certain of our clinical trial sites are located in Israel and conflicts in the Middle East may delay, limit or hinder ongoing, planned or future trials and affect enrollment and retention of patients. Inability to enroll or retain patients and limitations or delays in clinical trials could increase costs and cause setbacks in product development. In the event geopolitical tensions fail to abate or deteriorate further, additional governmental sanctions may be enacted adversely impacting the global economy, which could adversely affect our business, financial condition or results of operations.

We have no sales, marketing or distribution capabilities or experience. To achieve commercial success for any approved product for which we retain sales and marketing responsibilities, we must either develop a sales and marketing organization, which would be expensive and time consuming, or outsource these functions to other third parties. In the future, we may choose to build a focused sales and marketing infrastructure to sell, or participate in sales activities with our collaborators for, some of our product candidates if and when they are approved. There are risks involved with both establishing our own sales and marketing capabilities and entering into arrangements with third parties to perform these services. For example, recruiting and training a sales force is expensive and time consuming and could delay any product launch. If the commercial launch of a product candidate for which we recruit a sales force and establish marketing capabilities is delayed or does not occur for any reason, we would have prematurely or unnecessarily incurred these commercialization expenses. This may be costly, and our investment would be lost if we cannot retain or reposition our sales and marketing personnel. Factors that may inhibit our efforts to commercialize future products on our own include: - our inability to recruit and retain adequate numbers of effective sales and marketing personnel;- the inability of sales personnel to compliantly obtain access to physicians or educate adequate numbers of physicians on the benefits of prescribing any future products;- the lack of complementary products to be offered by sales personnel, which may put us at a competitive disadvantage relative to companies with more extensive product portfolios; and - unforeseen costs and expenses associated with creating an independent sales and marketing organization. If we enter into arrangements with third parties to perform sales, marketing and distribution services, our product revenue or the profitability of the product revenue to us are likely to be lower than if we were to market and sell any products that we develop ourselves. In addition, we may not be successful in entering into arrangements with third parties to sell and market our product candidates or may be unable to do so on terms that are favorable to us. In entering into third-party marketing or distribution arrangements, any revenue we receive will depend upon the efforts of third parties and we cannot assure you that such third parties will establish adequate sales and distribution capabilities or devote the necessary resources and attention to sell and market any future products effectively. If we do not establish sales and marketing capabilities successfully, either on our own or in collaboration with third parties, we will not be successful in commercializing our product candidates.