Keros Therapeutics (KROS) Risk Analysis

Until such time, if ever, as we can generate substantial product revenues, we expect to finance our operations with our existing cash and cash equivalents and revenue from our collaborations. In order to further advance development of our product candidates, discover additional product candidates and pursue our other business objectives, we will need to seek additional funds. We cannot guarantee that future financing will be available in sufficient amounts or on commercially reasonable terms, if at all. Moreover, the terms of any financing may adversely affect the holdings or the rights of holders of our common stock and the issuance of additional securities, whether equity or debt, by us, or the possibility of such issuance, may cause the market price of our common stock to decline. The sale of additional common stock or securities convertible or exchangeable into common stock would dilute all of our existing stockholders and the terms of these securities may include liquidation or other preferences that adversely affect your rights as a holder of our common stock. The incurrence of indebtedness could result in increased fixed payment obligations and we may be required to agree to certain restrictive covenants, such as limitations on our ability to incur additional debt or declare dividends, limitations on our ability to acquire, sell or license intellectual property rights and other operating restrictions that could adversely impact our ability to conduct our business. If we raise additional capital through marketing and distribution arrangements or other collaborations, strategic alliances or licensing arrangements with third parties, we may have to relinquish certain valuable rights to our product candidates, technologies, future revenue streams or research programs or grant licenses on terms that may not be favorable to us. We also could be required to seek collaborators for cibotercept, KER-065, elritercept or any future product candidate at an earlier stage than otherwise would be desirable or relinquish our rights to product candidates or technologies that we otherwise would seek to develop or commercialize ourselves. Further, any additional fundraising efforts may divert our management from its day-to-day activities, which may adversely affect our ability to develop and commercialize our product candidates. If we are unable to raise additional capital in sufficient amounts or on terms acceptable to us, we may have to significantly delay, scale back or discontinue the development or commercialization of one or more of our product candidates or one or more of our other research and development initiatives. Any of the above events could significantly harm our business, prospects, financial condition and results of operations and cause the price of our common stock to decline.

As of December 31, 2024, we had $160.3 million of U.S. federal, $180.9 million of state and no foreign NOL carryforwards. Under the Tax Act, as modified by the CARES Act, federal NOLs incurred in taxable years beginning after December 31, 2017 can be carried forward indefinitely, but the deductibility of federal NOLs in taxable years beginning after December 31, 2020, is limited. Our NOL carryforwards are subject to review and possible adjustment by the U.S. and state tax authorities. In addition, under Sections 382 and 383 of the Code and corresponding provisions of state law, if a corporation undergoes an "ownership change," which is generally defined as a greater than 50% change (by value) in its equity ownership over a three-year period, the corporation's ability to use its pre-change NOL carryforwards and research and development, or R&D, credits to offset its post-change income may be limited. This could limit the amount of NOLs or R&D credit carryforwards that we can utilize annually to offset future taxable income or tax liabilities. Subsequent ownership changes and changes to the U.S. tax rules in respect of the utilization of NOLs and R&D credits carried forward may further affect the limitation in future years. In addition, at the state level, there may be periods during which the use of NOLs is suspended or otherwise limited, which could accelerate or permanently increase state taxes owed. Through September 30, 2024, we completed a study to assess whether an ownership change has occurred or whether there have been multiple ownership changes since our formation. The results of this study indicated that we experienced ownership changes as defined by Section 382 of the Code in 2016 and 2020. These ownership changes have subjected and will continue to subject our NOL carryforwards to an annual limitation, which will significantly restrict our ability to use them to offset our taxable income in periods following an ownership change. Based on the results of the study, management has determined that these limitations may have a material impact on our ability to utilize our NOLs and R&D credit carryforwards to offset future tax liabilities.

From time to time, we may evaluate various acquisition opportunities and strategic collaborations, including licensing or acquiring complementary products, intellectual property rights, technologies or businesses. Any potential acquisition or strategic collaboration may entail numerous risks, including: ?increased operating expenses and cash requirements;?the assumption of additional indebtedness or contingent liabilities;?the issuance of our equity securities;?assimilation of operations, intellectual property and products of an acquired company, including difficulties associated with integrating new personnel;?the diversion of our management's attention from our existing programs and initiatives in pursuing such a strategic merger or acquisition;?retention of key employees, the loss of key personnel and uncertainties in our ability to maintain key business relationships;?risks and uncertainties associated with the other party to such a transaction, including the prospects of that party and their existing products or product candidates and marketing approvals; and ?our inability to generate revenue from acquired technology and/or products sufficient to meet our objectives in undertaking the acquisition or even to offset the associated acquisition and maintenance costs. In addition, if we undertake acquisitions or pursue collaborations in the future, we may issue dilutive securities, assume or incur debt obligations, incur large one-time expenses and acquire intangible assets that could result in significant future amortization expense. Moreover, we may not be able to locate suitable acquisition opportunities, and this inability could impair our ability to grow or obtain access to technology or products that may be important to the development of our business.

In the ordinary course of business, we collect, receive, store, process, generate, use, transfer, disclose, make accessible, protect, secure, dispose of, transmit, and share (collectively, process) personal data and other sensitive information, including personal data, proprietary and confidential business data, trade secrets, intellectual property and data we collect about trial participants in connection with clinical trials. Our data processing activities subject us to numerous data privacy and security obligations, such as various laws, regulations, guidance, industry standards, external and internal privacy and security policies, contractual requirements and other obligations relating to data privacy and security. In the United States, numerous federal and state laws and regulations, including federal and state health information privacy laws, state data breach notification laws, and federal and state consumer protection laws (including Section 5 of the Federal Trade Commission Act) and other similar laws (e.g., wiretapping laws), that govern the collection, use, disclosure and protection of health information and other personal information could apply to our operations or the operations of our collaborators. In addition, we obtain health information from third parties, including research institutions from which we obtain clinical trial data, that are subject to privacy and security requirements under HIPAA, as amended by HITECH, which imposes specific requirements relating to the privacy, security, and transmission of individually identifiable protected health information. Depending on the facts and circumstances, we could be subject to civil, criminal and administrative penalties and fines if we violate HIPAA. In addition, certain state and foreign laws govern the privacy and security of health information in certain circumstances, some of which are more stringent than U.S. federal law and many of which differ from each other in significant ways and may not have the same effect, thus complicating compliance efforts. In the past few years, numerous U.S. states-including California, Virginia, Colorado, Connecticut, and Utah-have enacted comprehensive privacy laws that impose certain obligations on covered businesses, including providing specific disclosures in privacy notices and affording residents with certain rights concerning their personal data. As applicable, such rights include the right to access, correct, or delete certain personal data, and to opt-out of certain data processing activities, such as targeted advertising, profiling, and automated decision-making. The exercise of these rights may impact our business and ability to provide our products and services. Certain states also impose stricter requirements for processing certain personal data, including sensitive information, such as conducting data privacy impact assessments. These state laws allow for statutory fines for noncompliance. For example, the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020, or the CPRA, collectively referred to as the CCPA, applies to personal data of consumers, business representatives, and employees who are California residents, and requires businesses to provide specific disclosures in privacy notices and honor requests of such individuals to exercise certain privacy rights. The CCPA provides for fines and allows private litigants affected by certain data breaches to recover significant statutory damages. Similar laws are being considered in several other states, as well as at the federal and local levels, and we expect more states to pass similar laws in the future. These developments further complicate compliance efforts, and increase legal risk and compliance costs for us and the third parties with whom we work. Other laws and regulations also apply to our business model. We are subject to new laws governing the privacy of consumer health data. For example, Washington's My Health My Data Act, or MHMD, broadly defines consumer health data, places restrictions on processing consumer health data (including imposing stringent requirements for consents), provides consumers certain rights with respect to their health data, and creates a private right of action to allow individuals to sue for violations of the law. Other states are considering and may adopt similar laws. Additionally, under various privacy laws and other obligations, we may be required to obtain certain consents to process personal data. For example, some of our data processing practices may be challenged under wiretapping laws, if we obtain consumer information from third parties through various methods, including chatbot and session replay providers, or via third-party marketing pixels. These practices may be subject to increased challenges by class action plaintiffs. Our inability or failure to obtain consent for these practices could result in adverse consequences, including class action litigation and mass arbitration demands. Outside the United States, an increasing number of laws, regulations, and industry standards govern data privacy and security. For example, the EU's General Data Protection Regulation, or EU GDPR, the United Kingdom's GDPR (collectively referred to as the GDPR), Brazil's General Data Protection Law (Lei Geral de Proteção de Dados Pessoais) (Law No. 13,709/2018), Turkey's Personal Data Protection Law, South Korea's Personal Information Protection Act, Taiwan's Personal Data Protection Act, Peru's Personal Data Protection Law, South Africa's Protection of Personal Information Act, and China's Personal Information Protection Law impose strict requirements for processing personal data. For example, under GDPR, companies may face temporary or definitive bans on data processing and other corrective actions; fines of up to €20 million under the EU GDPR, 17.5 million pounds sterling under the UK GDPR, or in each case,4% of annual global revenue, whichever is greater; or private litigation related to processing of personal data brought by classes of data subjects or consumer protection organizations authorized at law to represent their interests. In the ordinary course of business, we transfer personal data from Europe and other jurisdictions to the United States or other countries. Europe and other jurisdictions have enacted laws requiring data to be localized or limiting the transfer of personal data to other countries. In particular, the European Economic Area, or the EEA, and the UK have significantly restricted the transfer of personal data to countries whose privacy laws it believes are inadequate. Other jurisdictions may adopt or have already adopted similarly stringent data localization and cross-border data transfer laws. Although there are currently various mechanisms that may be used to transfer personal data from the EEA and UK to the United States in compliance with law, such as the EU-U.S. Data Privacy Framework and the UK Extension to the EU-U.S. Data Privacy Framework, under which we have self-certified to allow for transfers from the EEA and/or UK to the United States, these mechanisms are subject to legal challenges, and there is no assurance that we can satisfy or rely on these measures to lawfully transfer personal data to the United States. If there is no lawful manner for us to transfer personal data from the EEA, the UK or other jurisdictions to the United States, or if the requirements for a legally-compliant transfer are too onerous, we could face significant adverse consequences, including the interruption or degradation of our operations, the need to relocate part of or all of our business or data processing activities to other jurisdictions (such as Europe) at significant expense, increased exposure to regulatory actions, substantial fines and penalties, the inability to transfer data and work with partners, vendors and other third parties, and injunctions against our processing or transferring of personal data necessary to operate our business. Additionally, companies that transfer personal data out of the EEA and UK to other jurisdictions, particularly to the United States, are subject to increased scrutiny from regulators, individual litigants, and activist groups. Some European regulators have ordered certain companies to suspend or permanently cease certain transfers out of Europe for allegedly violating the GDPR's cross-border data transfer limitations. Regulators in the United States, such as the Department of Justice, are also increasingly scrutinizing certain personal data transfers and have proposed and may enact certain data localization requirements, for example, the Biden Administration's executive order Preventing Access to Americans' Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern. Laws such as these give rise to an increasingly complex set of compliance obligations on us. These data protection rules continue to evolve and may result in ever-increasing regulatory and public scrutiny and escalating levels of enforcement and sanctions and increased costs of compliance. We strive to comply with these rules and obligations to the extent possible. Such compliance is a rigorous and time-consuming process. We are also bound by contractual obligations related to data privacy and security, and our efforts to comply with such obligations may not be successful. We publish privacy policies, marketing materials, whitepapers and other statements, such as statements related to compliance with certain certifications or self-regulatory principles, concerning data privacy and security. Although we endeavor to comply with our policies and other documentation, we may at times fail to do so or may be perceived to have failed to do so. Regulators in the United States are increasingly scrutinizing these statements, and if these policies, materials, statements or documentation are found to be deficient, lacking in transparency, deceptive, unfair, misleading or misrepresentative of our practices, we may be subject to investigation, enforcement actions by regulators or other adverse consequences. Obligations related to data privacy and security (and individuals' data privacy expectations) are quickly changing, becoming increasingly stringent and creating uncertainty. Additionally, these obligations are subject to differing applications and interpretations, which may be inconsistent or conflict among jurisdictions. Preparing for and complying with these obligations requires us to devote significant resources. These obligations may necessitate changes to our services, information technologies, systems, and practices and to those of any third parties that process personal data on our behalf. In addition, these obligations may require us to change our business model. We may at times fail (or be perceived to have failed) in our efforts to comply with our data privacy and security obligations. Moreover, despite our efforts, our personnel or third parties with whom we work on may fail to comply with such obligations, which could negatively impact our business operations. If we or the third parties with whom we work fail, or are perceived to have failed, to address or comply with applicable data privacy and security obligations, we could face significant consequences, including but not limited to: government enforcement actions (e.g., investigations, fines, penalties, audits and inspections); litigation (including class action claims) and mass arbitration demands; additional reporting requirements and/or oversight; bans or restrictions on processing personal data; orders to destroy or not use personal data; and imprisonment of company officials. In particular, plaintiffs have become increasingly more active in bringing privacy-related claims against companies, including class claims and mass arbitration demands. Some of these claims allow for the recovery of statutory damages on a per violation basis, and, if viable, carry the potential for monumental statutory damages, depending on the volume of data and the number of violations. Any of these events could have a material adverse effect on our reputation, business, or financial condition, including but not limited to: interruptions or stoppages in our business operations (including clinical trials); inability to process personal data or to operate in certain jurisdictions; limited ability to develop or commercialize our products; expenditure of time and resources to defend any claim or inquiry; adverse publicity; or substantial changes to our business model or operations. Compliance with U.S. and foreign data protection laws and regulations could require us to take on more onerous obligations in our contracts, increase our costs of legal compliance, restrict our ability to collect, use and disclose data, or in some cases, impact our or our partners' or suppliers' ability to operate in certain jurisdictions. Failure to comply with these laws and regulations could result in government investigations and/or enforcement actions (which could include civil, criminal and administrative penalties), private litigation and/or adverse publicity and could negatively affect our operating results and business. Moreover, clinical trial subjects, employees and other individuals about whom we or our potential collaborators obtain personal information, as well as the providers who share this information with us, may limit our ability to collect, use and disclose the information. Claims that we have violated individuals' privacy rights, failed to comply with data protection laws, or breached our contractual obligations, even if we are not found liable, could be expensive and time-consuming to defend and could result in adverse publicity that could harm our business.

In the past, securities class action litigation has often been brought against public companies following declines in the market prices of their securities. This risk is especially relevant for biopharmaceutical companies, which have experienced significant stock price volatility in recent years. If we face such litigation, it could result in substantial costs and a diversion of management's attention and our resources, which could harm our business, operating results, financial condition and cash flows.

We are exposed to the risk that our employees, independent contractors, vendors, principal investigators, CROs and consultants may engage in fraudulent conduct or other illegal activity. Misconduct by these parties could include intentional, reckless and/or negligent conduct or disclosure of unauthorized activities to us that violate the regulations of the FDA and comparable foreign regulatory authorities, including those laws requiring the reporting of true, complete and accurate information to such authorities; healthcare fraud and abuse laws and regulations in the United States and abroad; or laws that require the reporting of financial information or data accurately. In particular, sales, marketing and business arrangements in the healthcare industry are subject to extensive laws and regulations intended to prevent fraud, misconduct, kickbacks, self-dealing and other abusive practices. These laws and regulations may restrict or prohibit a wide range of pricing, discounting, marketing and promotion, sales commission, customer incentive programs and other business arrangements. Activities subject to these laws also involve the improper use of information obtained in the course of clinical trials or creating fraudulent data in our preclinical studies or clinical trials, which could result in regulatory sanctions and cause serious harm to our reputation. It is not always possible to identify and deter misconduct by employees and other third parties, and the precautions we take to detect and prevent this activity may not be effective in controlling unknown or unmanaged risks or losses or in protecting us from governmental investigations or other actions or lawsuits stemming from a failure to comply with these laws or regulations. Additionally, we are subject to the risk that a person could allege such fraud or other misconduct, even if none occurred. If any such actions are instituted against us, and we are not successful in defending ourselves or asserting our rights, those actions could have a significant impact on our business, including the imposition of significant civil, criminal and administrative penalties, damages, monetary fines, imprisonment, possible exclusion from participation in Medicare, Medicaid and other federal or comparable foreign healthcare programs, additional reporting requirements and oversight if we become subject to a corporate integrity agreement or similar agreement to resolve allegations of non-compliance with these laws, contractual damages, reputational harm, diminished profits and future earnings, and curtailment of our operations, any of which could adversely affect our ability to operate our business, financial condition and results of operations.

Under the terms of the Takeda Agreement, Takeda will pay us milestone payments upon the achievement of specified development, commercial and sales milestones. In addition, if a licensed product is approved for marketing within the Takeda Territory, which includes all countries globally other than the territories of mainland China, Hong Kong and Macau, we will be entitled to receive royalty payments based on tiered increments of annual net sales in the Takeda Territory, with such percentage ranging from the low double-digits to high teens, subject to specified potential royalty reductions. However, under the terms of the Takeda Agreement, Takeda may terminate the agreement in its entirety or on a country-by-country basis for convenience and without cause on written notice of a certain period. In addition, Takeda generally has control over the further clinical development of elritercept and any other licensed compounds in the Takeda Territory. Takeda's decisions with respect to such development will affect the timing and availability of potential future payments under the Takeda Agreement, if any. If the Takeda Agreement is terminated early, or if Takeda's development activities are terminated early or suspended for an extended period of time, or are otherwise unsuccessful, our business and business prospects would be materially and adversely affected. Additionally, under the terms of the license agreement with Hansoh, Hansoh will pay us milestone payments upon the achievement of specified development and commercial milestones. In addition, if elritercept, or a licensed product containing elritercept, is approved for marketing within the territories of mainland China, Hong Kong and Macau, which we refer to collectively as the Hansoh Territory, we will be entitled to receive royalty payments based on a tiered percentage of annual net sales in each region within the Hansoh Territory, with such percentage ranging from the low double digit to high teens, subject to specified potential royalty reductions. We are relying on Hansoh to commercialize elritercept in the Hansoh Territory, and if Hansoh is not able to commercialize elritercept in those countries, or determines not to pursue development or commercialization of elritercept in those countries, we will not receive any milestone or royalty payments under the agreement.

We may decide to establish our own sales and marketing capabilities and promote our product candidates if and when regulatory approval has been obtained in the United States or in other jurisdictions. There are risks involved if we decide to establish our own sales and marketing capabilities or enter into arrangements with third parties to perform these services. Even if we establish sales and marketing capabilities, we may fail to launch our products, if approved, effectively or to market our products effectively since we have no experience in the sales and marketing of biopharmaceutical products. In addition, recruiting and training a sales force is expensive and time-consuming and could delay any product launch. In the event that any such launch is delayed or does not occur for any reason, we would have prematurely or unnecessarily incurred these commercialization expenses, and our investment would be lost if we cannot retain or reposition our sales and marketing personnel. Factors that may inhibit our efforts to commercialize our products, if approved, on our own include: ?our inability to recruit, train and retain adequate numbers of effective sales and marketing personnel;?the inability of sales personnel to obtain access to or educate adequate numbers of physicians on the benefits of our products, if approved;?the lack of complementary products to be offered by sales personnel, which may put us at a competitive disadvantage relative to companies with more extensive product lines;?unforeseen costs and expenses associated with creating an independent sales and marketing organization; and ?costs of marketing and promotion above those anticipated by us. If we enter into arrangements with third parties to perform sales and marketing services, our product revenues or the profitability of these product revenues to us could be lower than if we were to market and sell any products that we develop ourselves. Such collaborative arrangements with partners may place the commercialization of our products, if approved, outside of our control and would make us subject to a number of risks including that we may not be able to control the amount or timing of resources that our collaborative partner devotes to our products, if any, or that our collaborator's willingness or ability to complete its obligations, and our obligations under our arrangements may be adversely affected by business combinations or significant changes in our collaborator's business strategy. In addition, we may not be successful in entering into arrangements with third parties to sell and market our products, if approved, or may be unable to do so on terms that are favorable to us. Acceptable third parties may fail to devote the necessary resources and attention to sell and market our products, if any, effectively. If we do not establish sales and marketing capabilities successfully, either on our own or in collaboration with third parties, we may not be successful in commercializing our products, if any, which in turn would have a material adverse effect on our business, financial condition and results of operations.