Chinook Therapeutics (KDNY) Risk Analysis

The right of the holders of our contingent value rights, or CVRs, issued prior to the closing of the Merger will be contingent solely upon the occurrence of certain events described in the CVR Agreement and the consideration received being greater than the amounts that could be deducted by us under the CVR Agreement. In 2022, we paid $7.5 million to CVR holders following receipt of a development milestone under our license agreement with Merck for MK-5890. In April 2021, prior to the disposition period set forth in the CVR Agreement, we entered into an agreement with Sairopa, a private company created by Van Herk Royalty B.V. and D.S. Chahal to acquire certain of our non-renal assets in exchange for stock in Sairopa. We will hold our equity interests in Sairopa until there is a liquidity event, upon which 50% of any proceeds, net of deductions permitted under the CVR Agreement, including taxes and certain other expenses, will be distributed to CVR holders, provided such liquidity event occurs during the 10-year CVR period. If no additional events described within the CVR Agreement occur within the 10-year CVR period specified in the CVR Agreement or the consideration received is not greater than the amounts that could be deducted by us, no additional payments will be made under the CVR Agreement, and the CVRs will expire valueless. We do not have any obligation to develop the non-renal assets, or to expend any effort or resources to divest or otherwise monetize the non-renal assets. Furthermore, the CVRs are unsecured obligations of us and all payments under the CVRs, all other obligations under the CVR Agreement and the CVRs and any rights or claims relating thereto may be subordinated in right of payment to the prior payment in full of all current or future senior obligations of us.

To the extent our taxable income exceeds any current year operating losses, we plan to use our net operating loss carryforwards to offset income that would otherwise be taxable. Under Section 382 of the Code, changes in a company's ownership may limit the amount of net operating loss carryforwards and tax credit carryforwards that could be utilized annually to offset its future taxable income, if any. This limitation generally applies in the event of a cumulative change in ownership of more than 50 percent within a three-year period. Aduro experienced and Private Chinook likely experienced an ownership change under Section 382 as a result of the Merger. Any such limitation may significantly reduce our ability to utilize net operating loss carryforwards and tax credit carryforwards before they expire. Consequently, even if we achieve profitability, we may not be able to utilize a material portion of Private Chinook's or Aduro's net operating loss carryforwards and other tax attributes, which could have a material adverse effect on our cash flow and results of operations. There is also a risk that due to regulatory changes, such as suspensions on the use of net operating losses, or NOLs, or other unforeseen reasons, our existing NOLs could expire or otherwise be unavailable to offset future income tax liabilities. Under the TCJA, as modified by the CARES Act, NOLs and other carryforwards generated in tax years that began after December 31, 2017 may offset no more than 80 percent of current taxable income annually for taxable years beginning after December 31, 2020. Accordingly, we, Private Chinook or Aduro, as applicable, generated or will generate NOLs after the tax year ended December 31, 2017, and we might have to pay more federal income taxes in a subsequent year as a result of the 80 percent taxable income limitation than we would have had to pay under the law in effect before the Tax Act as modified by the CARES Act.

We will require substantial future capital in order to complete planned and future preclinical and clinical development for atrasentan and other product candidates and potentially commercialize these product candidates. Based upon our current operating plan, we believe that our existing cash, cash equivalents, and marketable securities held as of March 31, 2023 will enable us to fund our operating expenses and capital expenditure requirements into 2025. We expect our spending levels to increase in connection with our preclinical studies and clinical trials of our product candidates. In addition, if we obtain marketing approval for any of our product candidates, we expect to incur significant expenses related to commercial launch, product sales, medical affairs, marketing, manufacturing and distribution. Accordingly, we will need to obtain substantial additional funding in connection with our continuing operations before any commercial revenue may occur. Additional capital might not be available when we need it and our actual cash requirements might be greater than anticipated. If we require additional capital at a time when investment in our industry or in the marketplace in general is limited, we may not be able to raise funding on favorable terms, if at all. If we are not able to obtain financing when needed or on terms favorable to us, we may need to delay, reduce or eliminate certain research and development programs or other operations, sell some or all of our assets or merge with another entity. Our operations have consumed significant amounts of cash since inception. Our future capital requirements will depend on many factors, including: - the costs associated with the scope, progress and results of discovery, preclinical development, laboratory testing and clinical trials for our product candidates;- the costs associated with the manufacturing of our product candidates;- the costs related to the extent to which we enter into partnerships or other arrangements with third parties to further develop our product candidates;- the costs and fees associated with the discovery, acquisition or in-license of product candidates or technologies;- our ability to establish collaborations on favorable terms, if at all;- the costs of future commercialization activities, if any, including product sales, marketing, manufacturing and distribution, for any of our product candidates for which we receive marketing approval;- revenue, if any, received from commercial sales of our product candidates, should any of our product candidates receive marketing approval; and - the costs of preparing, filing and prosecuting patent applications, maintaining and enforcing our intellectual property rights and defending intellectual property-related claims. Our product candidates, if approved, may not achieve commercial success. Our commercial revenues, if any, will be derived from sales of product candidates that we do not expect to be commercially available for many years, if at all. Accordingly, we will need to continue to rely on additional financing to achieve our business objectives, which may not be available to us on acceptable terms, or at all.

We expect to experience significant growth in the number of our employees and the scope of our operations, particularly in the areas of product candidate development, growing our capability to conduct clinical trials, and, if approved, through commercialization of our product candidates. To manage our anticipated future growth, we must continue to implement and improve our managerial, operational and financial systems, expand our facilities and continue to recruit and train additional qualified personnel, or contract with third parties to provide these capabilities for us. Due to our limited financial resources and the limited experience of our management team in managing a company with such anticipated growth, we may not be able to effectively manage the expansion of our operations or recruit and train additional qualified personnel. The expansion of our operations may lead to significant costs and may divert our management and business development resources. Any inability to manage growth could delay the execution of our business plans or disrupt our operations.

We will incur significant legal, accounting and other expenses as a public company that we did not incur as a private company, including costs associated with public company reporting obligations under the Securities Exchange Act of 1934, as amended, or the Exchange Act. Our management team consists, among others, of the executive officers of Private Chinook prior to the Merger, some of whom have not previously managed and operated a public company. These executive officers and other personnel will need to devote substantial time to gaining expertise related to public company reporting requirements and compliance with applicable laws and regulations to ensure that we comply with all of these requirements. Any changes we make to comply with these obligations may not be sufficient to allow us to satisfy our obligations as a public company on a timely basis, or at all. These reporting requirements, rules and regulations, coupled with the increase in potential litigation exposure associated with being a public company, could also make it more difficult for us to attract and retain qualified persons to serve on the board of directors or on board committees or to serve as executive officers, or to obtain certain types of insurance, including directors' and officers' insurance, on acceptable terms.

The U.S. federal income tax treatment of the CVRs is unclear. There is no legal authority directly addressing the U.S. federal income tax treatment of the receipt of, and payments under, the CVRs, and there can be no assurance that the IRS would not assert, or that a court would not sustain, a position that could result in adverse U.S. federal income tax consequences to holders of the CVRs. For example, Aduro did not report the issuance of the CVRs as a current distribution of property with respect to its common stock, but it is possible that the IRS could assert that CVR recipients are treated as having received a distribution of property equal to the fair market value of the CVRs on the date the CVRs are distributed, which could be taxable to such recipients without the corresponding receipt of cash. In addition, it is possible that the IRS or a court could determine that the issuance of the CVRs (and/or any payments thereon) and the reverse stock split constitute a single "recapitalization" for U.S. federal income tax purposes with the CVRs constituting taxable "boot" received in such recapitalization exchange. In such case, the tax consequences of the CVRs and the reverse stock split would differ from those described in the Merger proxy statement, including with respect to the timing and character of income.

We maintain a large quantity of sensitive information, including confidential business and patient health information in connection with our preclinical and clinical studies, and are subject to laws and regulations governing the privacy and security of such information. Privacy laws, rules and regulations evolve frequently, and their scope may continually change through new legislation, amendments to existing legislation, and changes in enforcement, and may be inconsistent from one jurisdiction to another. The interpretation and application of consumer, health-related and data protection laws, especially with respect to genetic samples and data, in the United States, the European Union and elsewhere, are often uncertain, contradictory and in flux. We cannot provide assurance that current or future legislation will not prevent us from generating or maintaining personal data or that patients will consent to the use of their personal data (as necessary); either of these circumstances may prevent us from undertaking or publishing essential research and development, manufacturing, and commercialization, which could have a material adverse effect on our business, results of operations, financial condition and prospects. Complying with these various laws and regulations could cause us to incur substantial costs or require us to change our business practices, systems, and compliance procedures in a manner adverse to our business. Any violations of these rules by us could subject us to civil and criminal penalties and adverse publicity and could harm our ability to initiate and complete clinical trials. In the United States, there are numerous federal and state privacy and data security laws and regulations governing the collection, use, disclosure and protection of personal information, including health information privacy laws, security breach notification laws, and consumer protection laws. We may obtain health information from third parties (including research institutions from which we obtain clinical trial data), that are subject to privacy and security requirements under HIPAA/HITECH. Entities that are found to be in violation of HIPAA/HITECH as the result of a breach of unsecured protected health information, a complaint about privacy practices or an audit by HHS, may be subject to significant civil, criminal, and administrative fines and penalties and/or additional reporting and oversight obligations if required to enter into a resolution agreement and corrective action plan with HHS to settle allegations of HIPAA non-compliance. Further, entities that knowingly obtain, use, or disclose individually identifiable health information maintained by a HIPAA covered entity in a manner that is not authorized or permitted by HIPAA may be subject to criminal penalties. Additionally, governmental agencies like the FTC have adopted, or are considering adopting, laws and regulations concerning personal data and data security. The FTC may also take action against companies for unfair acts or practices for failing to keep promises made in public statements, such as privacy policies. We make public statements about our use and disclosure of personal data through our privacy policy, information described on our website, and in press statements. Although we endeavor to ensure that our public statements are complete and accurate, any failure (real or perceived) by us to comply with our privacy and security commitments could be considered an "unfair and deceptive" act by the FTC resulting in an FTC consent decree that may include fines and sustained government-mandated audits for a period of 20 years. State Attorneys General may enforce comparable state law statutes covering unfair and deceptive practices with similar resulting consequences. Certain states have also adopted comparable privacy and security laws and regulations, some of which may be more stringent than HIPAA. California recently enacted legislation, the California Privacy Rights Act, or CPRA, which went into effect January 1, 2023. The CPRA, among other things, creates new data privacy obligations for covered companies and provides new privacy rights to California residents, including the right to opt out of the sale and disclosure of their information and receive detailed information about how their personal information is used. The CPRA provides for civil penalties for violations, as well as a private right of action for data breaches, in certain circumstances, that is expected to increase data breach litigation. The CPRA may increase our compliance costs and potential liability. The CPRA also creates a new state agency that will be vested with authority to implement and enforce the CPRA. Potential uncertainty surrounding the CPRA may increase our compliance costs and potential liability, particularly in the event of a data breach, and could have a material adverse effect on our business. Other states have followed California's lead. The Virginia Consumer Data Protection Act, or VCDPA, which went into effect on January 1, 2023, gives new data protection rights to Virginia residents and imposes additional obligations on controllers and processors of personal data. Colorado, Utah and Connecticut have passed similar laws which will go into effect in 2023. As of March 2023, four states have active consumer privacy legislation under review, which if enacted would add additional costs and expense of resources to maintain compliance. In Canada, the Personal Information Protection and Electronic Documents Act, or PIPEDA, and similar provincial laws may impose obligations with respect to processing personal information, including health-related information. PIPEDA requires companies to obtain an individual's consent when collecting, using, or disclosing that individual's personal information. Individuals have the right to access and challenge the accuracy of their personal information held by an organization, and personal information may only be used for the purposes for which it was collected. If an organization intends to use personal information for another purpose, it must again obtain that individual's consent. Failure to comply with PIPEDA could result in significant fines and penalties. In May 2018, the General Data Protection Regulation, or the GDPR, took effect in the European Economic Area, the EEA. The GDPR governs the collection, use, disclosure, transfer, or other processing of personal data of natural persons. Among other things, the GDPR imposes strict obligations on the ability to process health-related and other personal data of data subjects in the EEA, including in relation to use, collection, analysis, and transfer (including cross-border transfer) of such personal data. The GDPR includes requirements relating to the consent of the individuals to whom the personal data relates, including detailed notices for clinical trial subjects and investigators. The GDPR also includes certain requirements regarding the security of personal data and notification of data processing obligations or security incidents to appropriate data protection authorities or data subjects as well as requirements for establishing a lawful basis on which personal data can be processed and a right to lodge a complaint with the government. The GDPR, as well as law in the United Kingdom, or the UK, and Switzerland, also prohibits the international transfer of personal data from the EEA/UK/Switzerland to countries outside of those jurisdictions unless made to a country deemed to have adequate data privacy laws by the European Commission or where a data transfer mechanism has been put in place. We rely on Standard Contracts Clauses, or SCCs, to transfer personal data to countries outside of the EEA, Switzerland, and the UK, including to the United States and are continuing to evaluate the guidance and mechanisms required to establish adequate safeguards for personal data. In July 2020 the Court of Justice of the European Union, or CJEU, declared the Privacy Shield to be invalid; however, the Biden administration recently announced the United States has agreed to new terms for protecting EU residents' data which may potentially result in the revised EU Privacy Shield being resurrected as an adequate method of transferring data to the US. The CJEU upheld the validity of the SCCs as a legal mechanism to transfer personal data but companies relying on SCCs will continually be subject to guidance from regulators in the EEA and need to evaluate and implement supplementary measures that provide privacy protections additional to those provided under SCCs. In turn, the findings of the CJEU will have significant implications for cross-border data flows. On June 4, 2021, the European Commission adopted new SCCs to apply to international transfers of data. We had until December 27, 2022 to update any existing agreements, or any new agreements executed before September 27, 2021, that rely on the former SCCs. If we are otherwise unable to transfer personal data between and among countries and regions in which we operate, it could affect the manner in which we conduct our operations, and we may find it necessary to establish systems in the EEA, Switzerland, and the UK to maintain personal data originating from the EEA and the UK, which may involve substantial expense and distraction from other aspects of our business. As supervisory authorities continue to issue further guidance on personal data export mechanisms, including circumstances where the SCCs cannot be used and/or what safeguards must be implemented, or start taking enforcement action, there will be uncertainty as to how we comply with EEA, Switzerland, and UK privacy and security laws and we could suffer additional costs, complaints, or regulatory investigations or fines. For example, German and Irish supervisory authorities have indicated that the SCCs alone provide inadequate protection for EU-U.S. data transfers. Use of the data transfer mechanisms must now be assessed on a case-by-case basis, taking into account the legal regime applicable in the destination country, in particular applicable surveillance laws and rights of individuals. We may need to implement additional safeguards to further enhance the security of data transferred out of the EEA/Switzerland/UK, conduct data transfer impact assessments, and review existing agreements which could increase our compliance costs, expose us to further regulatory scrutiny and liability, and adversely affect our business. Further, the GDPR provides that countries in the EEA may establish their own laws and regulations further restricting the processing of certain personal data, including genetic data, biometric data, and health data. Companies that must comply with the GDPR face increased compliance obligations and risk, including more robust regulatory enforcement of data protection requirements and potential fines for noncompliance of up to €20 million or 4 percent of the annual global revenues of the noncompliant company, whichever is greater. Additionally, following the UK's withdrawal from the EU and the EEA, companies must comply with the GDPR and the GDPR as incorporated into UK national law, the latter regime having the ability to separately fine up to the greater of £17.5 million or 4 percent of global turnover. Companies that violate the GDPR in the EEA and UK can also face prohibitions on data processing and other corrective action, such as class action lawsuits brought by classes of data subjects or by consumer protection organizations authorized at law to represent their interests. Further, as a consequence of the UK's departure from the EU, the UK is free to diverge from EU data privacy laws. The UK's Data Reform Bill, containing proposals for the UK GDPR to diverge from the EU GDPR is currently paused while ministers consider how to replace EU GDPR. We may, in the future, be subject to separate and additional data protection obligations to those that we are already subject to. This may result in substantial costs and may necessitate changes to our business practices, which in turn may adversely affect our business, reputation, legal exposures, and financial condition. Some countries (including some outside the EEA), also are considering or have passed legislation requiring local storage and processing of data, or similar requirements, which could increase the cost and complexity of delivering our products and services if we were to operate in those countries. If we are required to implement additional measures to transfer data from the EEA, this could increase our compliance costs, and could adversely affect our business, financial condition and results of operations. We create contractual obligations with third parties with whom we depend in relation to the operation of our business, a number of which process personal data on our behalf. With each such provider we attempt to mitigate the associated risks of using third parties by performing security assessments and detailed due diligence, entering into contractual arrangements to ensure that providers only process personal data according to our instructions, and that they have sufficient technical and organizational security measures in place. Where we transfer personal data outside the EEA, the UK, or Switzerland to such third parties, we do so while considering the relevant data export requirements, as described above. There is no assurance that these contractual measures and our own privacy and security-related safeguards will protect us from the risks associated with the third-party processing, storage, and transmission of such information. Any violation of data or security laws by our third-party processors could have a material adverse effect on our business and result in the fines and penalties outlined above. If our operations are found to be in violation of any of the privacy and data protection laws described above or any other laws that apply to us, we may be subject to penalties, including, but not limited to, criminal, civil and administrative penalties, damages, fines, disgorgement, individual imprisonment, possible exclusion from participation in government healthcare programs, injunctions, private qui tam actions brought by individual whistleblowers in the name of the government, class action litigation and the curtailment or restructuring of our operations, as well as additional reporting obligations and oversight if we become subject to a corrective action plan or other agreement to resolve allegations of non-compliance with these laws, any of which could adversely affect our ability to operate our business and our results of operations. When such events occur (or even alleged), our reputation may be harmed, we may lose current and potential users and the competitive positions of our brand might be diminished, any or all of which could materially adversely affect our business, reputation, operating results, and financial condition.

The Biologics Price Competition and Innovation Act, or BPCIA, was enacted as part of the Patient Protection and Affordable Care Act, as amended by the Health Care and Education Reconciliation Act of 2010, or the ACA, to establish an abbreviated pathway for the approval of biosimilar and interchangeable biological products. The regulatory pathway establishes legal authority for the FDA to review and approve biosimilar biologics, including the possible designation of a biosimilar as "interchangeable" based on its similarity to an approved biologic. Under the BPCIA, an application for a biosimilar product cannot be approved by the FDA until 12 years after the reference product was approved under a BLA. The law is complex and is still being interpreted and implemented by the FDA. As a result, its ultimate impact, implementation, and meaning are subject to uncertainty. While it is uncertain when such processes intended to implement the BPCIA may be fully adopted by the FDA, any such processes could have a material adverse effect on the future commercial prospects for our product candidates. We believe that if any of our product candidates is approved as a biological product under a BLA, such as BION-1301, it should qualify for the 12-year period of exclusivity. However, there is a risk that the FDA will not consider any of our product candidates to be reference products for competing products, potentially creating the opportunity for biosimilar competition sooner than anticipated. Additionally, this period of regulatory exclusivity does not apply to companies pursuing regulatory approval via their own traditional BLA, rather than via the abbreviated pathway. Moreover, the extent to which a biosimilar, once approved, will be substituted for any one of our reference products in a way that is similar to traditional generic substitution for non-biological products is not yet clear, and will depend on a number of marketplace and regulatory factors that are still developing. There has been public discussion of efforts to incentivize and increase biosimilar drug development including by potentially decreasing the period of exclusivity from the current 12 years. In September 2021, the Biden administration released its prescription drug pricing reform plans, which included proposals to reassess exclusivity periods, streamline biosimilar licensure, force disclosure of inactive ingredients, and other measures to increase biosimilar drug development. If such changes and reforms were to be enacted, our product candidates, if approved, could have a shorter period of exclusivity than anticipated or face increased competition from biosimilar drug products. We continue to evaluate executive, legislative and judicial efforts to modify aspects of the law, and the extent to which any such changes may impact our business or financial condition.

We currently do not have an organization for the sales, marketing and distribution of atrasentan, BION-1301, CHK-336 and our other product candidates, and the expense of establishing and maintaining such an organization may exceed the cost-effectiveness of doing so. To market any products that may be approved, we must build our sales, marketing, managerial and other non-technical capabilities or make arrangements with third parties to perform these services. With respect to certain of our current programs as well as future programs, we may rely completely on an alliance partner for sales and marketing. In addition, although we intend to establish a sales organization if we are able to obtain approval to market any product candidates, we may enter into strategic alliances with third parties to develop and commercialize atrasentan and other product candidates, including in markets outside of the United States or for other large markets that are beyond our resources, such as the joint venture, SanReno Therapeutics, we formed for the development and commercialization of atrasentan and BION-1301 in China and certain other East-Asian countries. This will reduce the revenue generated from the sales of these products. Any future strategic alliance partners may not dedicate sufficient resources to the commercialization of our product candidates or may otherwise fail in their commercialization due to factors beyond our control. If we are unable to establish effective alliances to enable the sale of our product candidates to healthcare professionals and in geographical regions, including the United States, that will not be covered by our marketing and sales force, or if our potential future strategic alliance partners do not successfully commercialize the product candidates, our ability to generate revenues from product sales will be adversely affected. If we are unable to establish adequate sales, marketing and distribution capabilities, whether independently or with third parties, we may not be able to generate sufficient product revenue and may not become profitable. We will be competing with many companies that currently have extensive and well-funded marketing and sales operations. Without an internal team or the support of a third party to perform marketing and sales functions, we may be unable to compete successfully against these more established companies.

To succeed, we must recruit, retain, manage and motivate qualified clinical, scientific, technical and management personnel, and we face significant competition for experienced personnel. If we do not succeed in attracting and retaining qualified personnel, particularly at the management level, it could adversely affect our ability to execute our business plan, harm our results of operations and increase our capabilities to successfully commercialize atrasentan and other product candidates. In particular, we believe that our future success is highly dependent upon the contributions of our senior management, particularly our President and Chief Executive Officer, Eric Dobmeier. The loss of services of Mr. Dobmeier or any of our senior management could delay or prevent the successful development of our product pipeline, completion of our clinical trials or the commercialization of our product candidates, if approved. The competition for qualified personnel in the biotechnology field is intense and as a result, we may be unable to continue to attract and retain qualified personnel necessary for the development of our business or to recruit suitable replacement personnel. Many of the other biotechnology companies that we compete against for qualified personnel have greater financial and other resources, different risk profiles and a longer history in the industry than we do. They also may provide more diverse opportunities and better chances for career advancement. Some of these characteristics may be more appealing to high-quality candidates than what we have to offer. If we are unable to continue to attract and retain high-quality personnel, the rate and success at which we can discover and develop product candidates and our business will be limited.