Our business is subject to many laws and regulations intended to protect the privacy rights of individuals participating in our clinical trials and of our employees, among others. For example, with regard to individuals participating in our clinical trials, various laws and regulations govern the safeguarding of the privacy, integrity, availability, security and transmission of individually identifiable health information. In addition to federal laws and regulations in the United States, such as the HIPAA requirements relating to the privacy, security and transmission of individually identifiable health information, many state and foreign laws also govern the privacy and security of health information. These laws often differ from each other in significant ways, which complicates compliance efforts. The global data protection landscape is rapidly evolving, and implementation standards and enforcement practices are likely to remain uncertain for the foreseeable future.
The California Consumer Privacy Act (CCPA) grants California residents expanded rights to access and delete their personal information, to limit the sharing, use and disclosure of their personal information, and to receive detailed information about how their personal information is used. The CCPA provides for civil penalties for violations, as well as a private right of action for certain data breaches, which may increase the risk of data breach litigation. The CCPA has increased our compliance costs and may expose us to additional liability. Similarly comprehensive privacy laws have become effective in more than a dozen other U.S. states, including, for example, Colorado, Connecticut, New Hampshire, New Jersey, Utah and Virginia, with several more expected to pass in the coming year. Like the CCPA, these laws grant consumers rights in relation to their personal information and impose new privacy and data security obligations on regulated businesses, but they contain key differences, including in their scope and application. In addition, certain states have passed or proposed laws that specifically regulate health information. For example, Washington's My Health My Data Act, which came into force in March 2024, requires regulated entities to obtain consent to collect health information, grants consumers certain rights, including the right to request deletion, and provides for robust enforcement mechanisms, including enforcement by the Washington State Attorney General and a private right of action for consumer claims. At the federal level, the FTC has used its authority over "unfair or deceptive acts or practices" to impose stringent requirements on the collection and disclosure of sensitive categories of personal information, including health information, which may increase our potential liability and compliance costs and adversely affect our business.
European Regulation 2016/679, known as the General Data Protection Regulation (EU GDPR), which became effective on May 25, 2018, the implementing legislation of EU Member States, and the EU GDPR as incorporated into the laws of the United Kingdom (UK GDPR) (together with the EU GDPR, the GDPR) apply to the collection and processing of personal data, including health-related information, by companies located in the EU and UK and, in certain circumstances, by companies located outside of the EU or UK that process personal data of individuals located in the EU or UK. The GDPR is wide-ranging in scope and imposes strict obligations on the processing of personal data, including health-related information, in particular in relation to its collection, use, disclosure and transfer. These include requirements relating to, for example, (i) ensuring that a legal basis or condition applies to the processing of personal data and, where required, obtaining the consent of the individuals to whom the personal data relates, (ii) the information provided to individuals about how their personal data is used, (iii) responding to data subject requests, (iv) notifying the competent national data protection authorities and affected data subjects of personal data breaches, (v) implementing safeguards for the security and confidentiality of personal data, (vi) accountability requirements and (vii) taking certain measures when engaging third-party processors. The GDPR restricts the transfer of personal data to countries outside of the European Economic Area (EEA) and the UK, such as the United States, that are not considered by the European Commission (or, for the UK GDPR, the UK government) to provide an adequate level of data protection, unless an approved transfer mechanism, such as standard contractual clauses, is in place. Potential fines for noncompliant companies may be up to the greater of €20 million (£17.5 million under the UK GDPR) or 4% of annual global revenue.
Regulators and legislators in the U.S. are increasingly scrutinizing and restricting certain personal data transfers and transactions involving foreign countries. For example, Executive Order 14117, Preventing Access to Americans' Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern, as implemented by a U.S. Department of Justice rule dated December 27, 2024, prohibits data brokerage transactions that would give countries of concern, including China, access to certain categories of sensitive personal data, including health data, genetic data and human biospecimens. The regulations also restrict certain investment agreements, employment agreements and vendor agreements involving such data and countries of concern unless specified cybersecurity controls are in place. Actual or alleged violations of these regulations may be punishable by criminal and/or civil sanctions and may result in exclusion from participation in federal and state programs.
Any actual or alleged failure to comply with data protection law, including with respect to information relating to our employees and/or clinical trial participants, could result in reputational harm, monetary fines (such as those available under the GDPR and the CCPA), civil suits, civil penalties or criminal sanctions and requirements to disclose the breach, and the development of our drug candidates could be delayed. In addition, we continue to be subject to new and evolving data protection laws and regulations from a variety of jurisdictions, and there is a risk that our systems and processes for managing and protecting data may be found to be inadequate, which could materially adversely affect our business, financial condition and results of operations.