Invivyd (IVVD) Risk Factors

We maintain a large quantity of sensitive information, including confidential business and personal information in connection with the conduct of our clinical trials and related to our employees, and we are subject to laws and regulations governing the privacy and security of such information. In the U.S., there are numerous federal and state privacy and data security laws and regulations governing the collection, use, disclosure and protection of personal information, including federal and state health information privacy laws, federal and state security breach notification laws and federal and state consumer protection laws. The legislative and regulatory landscape for privacy and data protection continues to evolve, and there has been an increasing focus on privacy and data protection issues, which may affect our business and is expected to increase our compliance costs and exposure to liability. In the U.S., numerous federal and state laws and regulations could apply to our operations or the operations of our partners, including state data breach notification laws, state health information privacy laws and federal and state consumer protection laws and regulations, including Section 5 of the Federal Trade Commission Act ("FTC Act"), that govern the collection, use, disclosure and protection of health-related and other personal information. In addition, we may obtain health information from third parties, including research institutions from which we obtain clinical trial data, that are subject to privacy and security requirements under the federal Health Insurance Portability and Accountability Act ("HIPAA"), as amended by the Health Information Technology for Economic and Clinical Health Act, and the regulations promulgated thereunder. HIPAA imposes privacy and security obligations on covered entity health care providers, health plans, and health care clearinghouses, as well as their "business associates" (i.e., certain persons or entities that create, receive, maintain, or transmit protected health information in connection with providing a specified service or performing a function for or on behalf of a covered entity). Depending on the facts and circumstances, we could be subject to significant penalties if we, our affiliates, or our agents knowingly receive individually identifiable health information maintained by a HIPAA-covered entity in a manner that is not authorized or permitted by HIPAA. At the federal level, the FTC also sets expectations for failing to take appropriate steps to keep consumers' personal information secure, or failing to provide a level of security commensurate to promises made to individuals about the security of their personal information (such as in a privacy notice) may constitute unfair or deceptive acts or practices in violation of the FTC Act. The FTC expects a company's data security measures to be reasonable and appropriate in light of the sensitivity and volume of consumer information it holds, the size and complexity of its business, and the cost of available tools to improve security and reduce vulnerabilities. Individually identifiable health information is considered sensitive data that merits stronger safeguards. With respect to privacy, the FTC also sets expectations for failing to honor the privacy promises made to individuals about how the company handles consumers' personal information; such failure may also constitute unfair or deceptive acts or practices in violation of the FTC Act. Enforcement by the FTC under the FTC Act can result in civil penalties or enforcement actions. In Europe, the GDPR governs the collection, use, disclosure, transfer or other processing of personal data of individuals within the European Economic Area ("EEA"), including clinical trial data. Among other things, the GDPR imposes requirements regarding the security of personal data and notification of data breaches to the competent national data processing authorities, requires having lawful bases on which personal data can be processed and includes notice and consent requirements which may apply to clinical trial subjects and investigators. The GDPR imposes substantial fines for breaches and violations (for the most serious breaches of up to the greater of €20 million or 4% of annual global turnover) and confers the right for data subjects to lodge complaints with supervisory authorities, seek judicial remedies and obtain compensation for damages resulting from violations of the GDPR. In addition, the GDPR increases the scrutiny of transfers of personal data from the EEA, including the European Union, United Kingdom and Switzerland, to other jurisdictions that the European Commission/United Kingdom Secretary of State, as applicable, does not recognize as having "adequate" data protection laws. While, previously, United States companies could rely on self-certification to the EU-U.S. and Swiss-U.S. Privacy Shield frameworks administered by the United States Department of Commerce as one of these safeguards to legitimize transfers from the European Union and Switzerland to the United States, this has been invalidated by the Court of Justice of the European Union (the "CJEU"). The CJEU found that the Standard Contractual Clauses ("SCCs"), one of the primary safeguards for legitimizing data transfers, were valid in principle, but placed obligations on the parties entering into them including to verify whether an adequate level of protection is provided in the recipient jurisdiction, and whether additional measures are required to bring the level of protection in line with European Union standards. Following this decision, the European Data Protection Board issued guidance on how organizations should approach international data transfers of GDPR-covered personal data, including the supplemental measures companies can adopt to help protect against overarching surveillance outside of the European Union. In June 2021, the European Commission adopted a new set of SCCs aimed at enabling lawful transfers of personal data to non-adequate countries outside the EEA, the deadline for the adoption of which was December 27, 2022. There are also recent developments regarding data transfers in the United Kingdom, which formally approved two mechanisms for transferring United Kingdom-data overseas and that came into effect on March 21, 2022. The United Kingdom Information Commissioner's Office also issued guidance on how to approach undertaking risk assessments for transfers of United Kingdom- data to non-adequate countries outside the United Kingdom. With respect to the United States, on July 10, 2023, the European Commission adopted its adequacy decision for the EU-US Data Privacy Framework, providing for personal data to flow freely from the European Union to United States-based companies that participate in the Data Privacy Framework. The adequacy decision followed the adoption by United States President Biden of an executive order as well as regulation issued by the United States Attorney General. A lack of valid transfer mechanisms for GDPR-covered data could increase exposure to enforcement actions as described above and may affect our business operations and require commercial cost (including potentially limiting our ability to collaborate/work with certain third parties and/or requiring an increase in our data processing capabilities in the European Union and United Kingdom). Further, the European Union and United Kingdom data protection laws (including laws on data transfers as set out above) may also be updated/revised, accompanied by new guidance and/or judicial/regulatory interpretations, which could entail further impacts on our compliance efforts and increased cost. Compliance with these and any other applicable privacy and data security laws and regulations is a rigorous and time-intensive process, and we may be required to put in place additional mechanisms ensuring compliance with the new data protection rules. Any failure or perceived failure by us, a company that we acquire, or one of our service providers to comply with laws, regulations, policies, legal or contractual obligations, industry standards or regulatory guidance relating to privacy or data security could result in governmental investigations and enforcement actions, litigation, fines and penalties, exposure to indemnification obligations or other liabilities, and adverse publicity, all of which could have an adverse effect on our reputation, as well as our business, financial condition, and results of operations. In addition, states are constantly adopting new laws or amending existing laws, requiring attention to frequently changing regulatory requirements. For example, the California Consumer Privacy Act ("CCPA") took effect on January 1, 2020 and was later amended by the California Privacy Rights Act ("CPRA"). The CPRA went into effect on January 1, 2023. The CCPA, as amended, gives California residents expanded rights, including to access, correct and delete their personal information and to opt-out of certain personal information disclosures, including sales of their personal information and use for cross-context behavioral advertising purposes. It also requires covered companies to provide disclosures to California consumers and includes new audit requirements for higher risk data and opt-out rights for certain uses of sensitive data. The CPRA also created a new California data protection agency authorized to issue substantive regulations which could result in increased privacy and information security enforcement. The agency continues to draft and propose implementing regulations for the CPRA. The lack of certainty regarding the final state of these regulations could result in significant compliance costs. The amended CCPA provides for civil penalties for violations, as well as a private right of action for data breaches of certain types of data that is expected to increase data breach litigation. Although the CCPA currently exempts certain health-related information, including clinical trial data, the amended CCPA may increase our compliance costs and potential liability. Similar state consumer protection laws have passed in other states. Such laws, including those in Colorado, Connecticut, Utah and Virginia, went into effect during 2023 and have potentially conflicting requirements that would make compliance challenging and present legal risk. Other states, such as Indiana, Iowa, Montana, and Texas have implemented similar laws which could result in significant compliance costs. With the GDPR, CCPA and other state laws, regulations and other obligations relating to privacy and data protection imposing new and relatively burdensome obligations, and with the substantial uncertainty over the interpretation and application of these and other obligations, we may face challenges in addressing their requirements and making necessary changes to our policies and practices and may incur significant costs and expenses in an effort to do so. However, these policies and practices may not be aligned with every applicable legal or regulatory standard immediately, due in part to the rapidly shifting landscape of privacy and data security requirements. A regulatory review or other independent assessment of the privacy program may result in identifying one or more areas of non-compliance. Additionally, if third parties with which we work, such as vendors or service providers, violate applicable laws, rules or regulations or our policies, such violations may also put our or our clinical trial and employee data, including personal data, at risk, which could in turn have an adverse effect on our business. The landscape of laws regulating personal data is constantly evolving, and compliance with these laws requires a flexible privacy framework and substantial resources, and compliance efforts will likely be an increasing and substantial cost in the future.

We believe our success depends on obtaining and maintaining coverage and adequate reimbursement for our product candidates, including PEMGARDA, and the extent to which patients will be willing to pay out-of-pocket for such products, in the absence of reimbursement for all or part of the cost. In the U.S. and in other countries, patients who are provided medical treatment for their conditions generally rely on third-party payors to reimburse all or part of the costs associated with their treatment. The availability of coverage and adequacy of reimbursement for our products by third-party payors, including government healthcare programs (e.g., Medicare, Medicaid, TRICARE), managed care providers, private health insurers, health maintenance organizations, and other organizations is essential for most patients to be able to afford medical services and pharmaceutical products such as our product candidates. Third-party payors often rely upon Medicare coverage policy and payment limitations in setting their own coverage and reimbursement policies. However, decisions regarding the extent of coverage and amount of reimbursement to be provided are made on a payor-by-payor basis. One payor's determination to provide coverage for a drug product does not assure that other payors will also provide coverage, and adequate reimbursement. In the U.S., the principal decisions about Medicare reimbursement for new medicines are typically made by CMS, an agency within HHS. CMS decides whether and to what extent products will be covered and reimbursed under Medicare and private payors tend to follow CMS to a substantial degree. CMS has published in the Calendar Year Physician Fee Schedule a final rule that all COVID-19 mAbs for pre-exposure prophylaxis of COVID-19 and their administration will be covered and reimbursed under the Part B preventative vaccine benefit. CMS has not communicated a timeline for publishing this information following the granting of any EUAs by the FDA for such products. A significant delay in publication of product specific billing codes and their payment rates could impact initial prescription rates by providers and patients. Third-party payors determine which products and procedures they will cover and establish reimbursement levels. Even if a third-party payor covers a particular product or procedure, the resulting reimbursement payment rates may not be adequate. In addition, for products administered under the supervision of a physician, obtaining coverage and adequate reimbursement may be particularly difficult because of the higher prices often associated with such drugs. Reimbursement by a third-party payor may depend upon a number of factors, including the third-party payor's determination that a product is safe, effective and medically necessary; appropriate for the specific patient; cost-effective; supported by peer-reviewed medical journals; included in clinical practice guidelines; and neither cosmetic, experimental nor investigational. Government entities, such as the CDC, the WHO and non-government professional societies, such as the IDSA, may produce treatment and/or prevention guidelines for the prevention and treatment of COVID-19, including guidance regarding the use of mAbs in these indications. If our product candidates, to the extent authorized or approved, fail to be added to these guidelines, or if they receive poor positioning within these guidelines, payors and other customers may be less inclined to add any such product candidate to their formularies, significantly reducing demand for such product candidate, if approved. Further, increasing efforts by third-party payors in the U.S. and abroad to cap or reduce healthcare costs may cause such organizations to limit both coverage and the level of reimbursement for newly approved products and, as a result, they may not cover or provide adequate payment for our product candidates, if approved. In order to secure coverage and reimbursement for any product that might be authorized or approved for sale, we may need to conduct expensive pharmacoeconomic studies in order to demonstrate the medical necessity and cost-effectiveness of our products, in addition to the costs required to obtain FDA or comparable regulatory authorizations or approvals. Additionally, we may also need to provide discounts to purchasers, private health plans or government healthcare programs. Our product candidates may nonetheless not be considered medically necessary or cost-effective. If third-party payors do not consider a product to be cost-effective compared to other available therapies, they may not cover the product after approval as a benefit under their plans or, if they do, the level of payment may not be sufficient to allow a company to sell its product at a profit. We expect to experience pricing pressures from third-party payors in connection with the potential sale of any of our product candidates. Decreases in third-party reimbursement for any product or a decision by a third-party payor not to cover a product could reduce physician usage and patient demand for the product and also have a material adverse effect on sales. Foreign governments also have their own healthcare reimbursement systems, which vary significantly by country and region, and we cannot be sure that coverage and adequate reimbursement will be made available with respect to the treatments in which our products are used under any foreign reimbursement system, to the extent any of our product candidates are authorized or approved outside of the U.S. For example, in many countries in the European Union, procedures to obtain price approvals, coverage and reimbursement can take considerable time after the receipt of marketing authorization. Many European countries periodically review their reimbursement of medicinal products, which could have an adverse impact on reimbursement status. In addition, we expect that legislators, policymakers and healthcare insurance funds in the European Union member states will continue to propose and implement cost-containing measures, such as lower maximum prices, lower or lack of reimbursement coverage and incentives to use cheaper, usually generic, products as an alternative to branded products, and/or branded products available through parallel import to keep healthcare costs down. Moreover, in order to obtain reimbursement for products in some European countries, including some European Union member states, data comparing the cost-effectiveness of products to other available therapies may be required. Health Technology Assessment ("HTA") of medicinal products is becoming an increasingly common part of the pricing and reimbursement procedures in some European Union member states, including those representing the larger markets. The HTA process, which is currently governed by national laws in each European Union member state, is the procedure to assess therapeutic, economic and societal impact of a given medicinal product in the national healthcare systems of the individual country. The outcome of an HTA will often influence the pricing and reimbursement status granted to these medicinal products by the competent authorities of individual European Union member states. The extent to which pricing and reimbursement decisions are influenced by the HTA of the specific medicinal product currently varies between European Union member states, although the HTA Regulation which aims to harmonize the clinical benefit assessment of HTA across the European Union will apply beginning on January 12, 2025. If in the future we seek but are unable to obtain and then maintain favorable pricing and reimbursement status in European Union member states that represent significant markets, our anticipated revenue from and growth prospects for products in the European Union could be negatively affected. If we experience setbacks or unforeseen difficulties in obtaining favorable pricing and reimbursement decisions, any planned launches in the affected European Union member states would be delayed, which could negatively impact any anticipated revenue from and growth prospects for relevant product candidates. There can be no assurance that PEMGARDA or any other product candidate, if authorized or approved for sale in the U.S. or in other countries, will be considered medically reasonable and necessary, that it will be considered cost-effective by third-party payors, that coverage or an adequate level of reimbursement will be available or that reimbursement policies and practices in the U.S. and in foreign countries where our products are sold will not adversely affect our ability to sell our product candidates profitably, if they are authorized or approved for sale.

Our mission is to deliver antibody-based therapies that protect vulnerable people from the consequences of viral threats, beginning with COVID-19. In considering the market potential for our product candidates, our projections of the number of immunocompromised people in the U.S. who may not adequately respond to COVID-19 vaccination and the estimated U.S. total addressable market for our mAb candidates for the pre-exposure prophylaxis of COVID-19 are estimates based on Invivyd-sponsored market research and our internal analysis. The number of immunocompromised people in the U.S. who may not adequately respond to COVID-19 vaccination and the estimated U.S. total addressable market for our mAb candidates for the pre-exposure prophylaxis of COVID-19 may turn out to be lower than expected, and patients may not be amenable to our product candidates or may become increasingly difficult to identify and access, all of which would adversely affect our financial condition, results of operations and prospects. Further, even if we obtain authorization or approval for our product candidates, the FDA or other regulators may limit their authorized or approved indications to more narrow uses or subpopulations within the populations for which we are targeting development of our product candidates. A decline, or a widespread perception of a decline, in the spread or severity of COVID-19, including disease due to variants with relative or absolute resistance to other products, or an increase in available alternative therapies for or widespread immunity to COVID-19, could reduce the total addressable market for our product candidates targeting COVID-19. Similarly, if new SARS-CoV-2 variants are less impacted by our product candidates and their mechanism of action than expected and such variants become more prevalent, the number of patients that we will be able to successfully treat with our product candidates, if authorized or approved, such as PEMGARDA, will be decreased. The total addressable market opportunity for our product candidates, including PEMGARDA, will ultimately depend upon a number of factors, including the diagnosis and treatment criteria included on the final label, if authorized or approved for sale in specified indications, acceptance by the medical community, patient access, and product pricing and reimbursement. Incidence and prevalence estimates are frequently based on information and assumptions that are not exact and may not be appropriate, and the methodology is forward-looking and speculative. The process we have used in developing an estimated total addressable market has involved using a third party to model the number of people at high risk for severe COVID-19 based on a combination of different data sets, such as the incidence and prevalence of different medical conditions based on primary literature, the portion of patients who are receiving immunosuppressants based on claims data, and interviews/surveys with health care professionals. Accordingly, these estimates included in this filing may turn out to be inaccurate. Further, the data and statistical information used in this Annual Report on Form 10-K, and in our other filings with the SEC, including estimates derived from them, may differ from information and estimates made by our competitors or from current or future studies conducted by independent sources. Any revenue we are able to generate from product sales will be dependent, in part, upon the size of the market in the U.S. (and any other jurisdiction for which we may in the future obtain an EUA or similar authorization or obtain regulatory approval and have commercial rights) and our ability to meet the market demand. If the markets or patient subsets that we are targeting are not as significant as we estimate, or if we do not have sufficient supply to meet the market demand, we may not generate significant revenues from sales of such products, even if authorized or approved.

We will need to build and maintain a commercial infrastructure to support the anticipated marketing and distribution of our product candidates, which we will need to achieve commercial success for PEMGARDA and any other product candidate for which we may obtain authorization or marketing approval. To support the commercialization of PEMGARDA, we have directly hired key leaders for our sales, marketing, market access, and medical affairs teams, and we are leveraging contract organizations for certain field-based roles. There are risks involved with establishing our commercial infrastructure. For example, the establishment of our own commercial team and/or the hiring and training of a contract sales force is expensive and time consuming and could delay any product launch. If the commercial launch of a product candidate for which we develop a commercial team and/or hire a contract sales force to establish marketing capabilities is delayed or does not occur for any reason, we would have prematurely or unnecessarily incurred these commercialization expenses. This may be costly, and our investment would be lost if we cannot retain or reposition our sales and marketing personnel. Factors that may inhibit our efforts to develop and maintain our commercialization capabilities include: - our inability or the inability of a contract organization to recruit, train and retain adequate numbers of effective sales and marketing personnel;- the inability of sales personnel to obtain access to physicians in order to educate physicians about our product candidates, once authorized or approved;- the lack of complementary products to be offered by sales personnel, which may put us at a competitive disadvantage relative to companies with more extensive product lines; and - unforeseen costs and expenses associated with creating independent sales, marketing and market access organizations. To the extent that we rely on third parties to perform sales, marketing or distribution services, such as our leveraging of contract organizations for certain field-based roles for the commercialization of PEMGARDA, our revenue and our profitability, if any, are likely to be lower than if we had developed such capabilities ourselves. In addition, we likely will have little control over such third parties, and any of them may fail to devote the necessary resources and attention to sell and market our products effectively. If we do not establish sales, marketing and distribution capabilities successfully, either on our own or in collaboration with third parties, we will not be successful in commercializing our product candidates. We began commercializing PEMGARDA after we received an EUA from the FDA in March 2024. As a result, we have only limited experience marketing our product candidates. Our financial condition and results of operations are and will continue to be highly dependent on the ability of our marketing function to adequately promote PEMGARDA for appropriate patients in a manner that complies with applicable laws and regulations. A key element of our business strategy is the continued expansion of our marketing infrastructure and building brand awareness. As we increase our marketing efforts in connection with the expansion of PEMGARDA sales, we will need to further expand the reach of our marketing networks. Our future success will depend largely on our ability to continue to hire, train, retain and motivate a skilled marketing workforce, directly or through contract organizations, with significant industry-specific knowledge in various areas, including healthcare, prophylactic treatments, complex biologics, and applicable laws and regulations. If we are unable to expand our marketing capabilities, we may not be able to effectively commercialize PEMGARDA. Relatedly, if any of our marketing platforms significantly increase their advertising fees, our ability to expand our marketing reach will be greatly impeded. Any such failure could adversely affect our reputation, revenue, and results of operations.