Nurix Therapeutics (NRIX) Risk Factors

Until such time, if ever, as we can generate substantial revenue from product sales, we expect to finance our cash needs through a combination of equity offerings, debt financings, collaborations, strategic alliances and marketing, distribution or licensing arrangements. Although we may receive potential future milestone payments under our collaborations with Gilead, Sanofi and Pfizer, we do not currently have any committed external source of funds. To the extent that we raise additional capital through the sale of equity or convertible debt securities, your ownership interest will be diluted, and the terms of these securities may include liquidation or other preferences that adversely affect your rights as a holder of common stock. Debt financing and preferred equity financing, if available, may involve agreements that include covenants limiting or restricting our ability to take specific actions, such as incurring additional debt, making acquisitions or capital expenditures or declaring dividends. If we raise additional funds through collaborations, strategic alliances or marketing, distribution or licensing arrangements with third parties, we may have to relinquish valuable rights to our intellectual property, technologies, future revenue streams, research programs or drug candidates or grant licenses on terms that may not be favorable to us.

We have never declared or paid cash dividends on our capital stock. We currently intend to retain all of our future earnings, if any, to finance the growth and development of our business. As a result, capital appreciation, if any, of our common stock will be your sole source of gain for the foreseeable future.

We expect our expenses to increase substantially in connection with our ongoing activities, particularly as we conduct our Phase 1 clinical trials of NX-5948, NX-2127 and NX-1607, grow our pipeline of drug candidates, expand the breadth of our DELigase platform, continue research and development and initiate additional clinical trials of and potentially seek marketing approval for our lead programs and other drug candidates. In addition, if we obtain marketing approval for any of our drug candidates, we expect to incur significant commercialization expenses related to product manufacturing, marketing, reimbursement and sales and distribution. Furthermore, we expect to incur additional costs associated with operating as a public company. Accordingly, we will need to obtain substantial additional funding in connection with our continuing operations. If we are unable to raise capital when needed or on attractive terms, we may be required to delay, limit, reduce or terminate our research, product development programs or any future commercialization efforts or grant rights to develop and market drug candidates that we otherwise would prefer to develop and market ourselves. We had cash, cash equivalents and marketable securities of $254.3 million as of February 29, 2024. We believe that our existing cash, cash equivalents and marketable securities will be sufficient to fund our operating expenses and capital expenditure requirements through at least the next 12 months. However, our future capital requirements and the period for which we expect our existing resources to support our operations may vary significantly from what we expect, and we may need to seek additional funds sooner than planned. In addition, we may seek additional capital due to favorable market conditions or strategic considerations, even if we believe we have sufficient funds for our current or future operating plans. Our future capital requirements will depend on many factors, including: - the progress, costs and results of our Phase 1 clinical trials for NX-5948, NX-2127 and NX-1607 and any future clinical development of such drug candidates;- the scope, progress, costs and results of preclinical and clinical development for our other drug candidates and development programs;- the number and development requirements of other drug candidates that we pursue;- the scope of, and costs associated with, future advancements to our DELigase platform;- the success of our collaborations with Gilead Sciences, Inc. (Gilead), Sanofi S.A. (Sanofi) and Seagen Inc. (now a part of Pfizer Inc. (Pfizer)) and any other collaborations we may establish;- the costs, timing and outcome of regulatory review of our drug candidates;- the costs and timing of future commercialization activities, including product manufacturing, marketing, sales and distribution, for any of our drug candidates for which we receive marketing approval;- the revenue, if any, received from commercial sales of our drug candidates for which we receive marketing approval;- the costs and timing of preparing, filing and prosecuting patent applications, maintaining and enforcing our intellectual property rights and defending any intellectual property-related claims; and - our ability to establish additional collaboration arrangements with other biotechnology or pharmaceutical companies on favorable terms, if at all, for the development or commercialization of our drug candidates. We will need to raise substantial additional capital to complete the development and commercialization of our drug candidates. In addition, our drug candidates, if approved, may not achieve commercial success. Our commercial revenues, if any, will be derived from sales of products that we do not expect to be commercially available for many years, if at all. Accordingly, we will need to obtain substantial additional funds to achieve our business objectives. Adequate additional funds may not be available to us on acceptable terms, or at all.

As a public company, we incur significant legal, accounting and other expenses. We are subject to the reporting requirements of the Exchange Act, the Sarbanes-Oxley Act, the Dodd-Frank Wall Street Reform and Consumer Protection Act, the listing requirements of Nasdaq and other applicable securities rules and regulations which impose various requirements on public companies, including establishment and maintenance of effective disclosure and financial controls and corporate governance practices. Compliance with these rules and regulations may strain our financial and management systems, internal controls, and employees. For example, the Exchange Act requires, among other things, that we file annual, quarterly, and current reports with respect to our business and results of operations and the disclosure requirements under the Exchange Act are subject to change from time to time. For example, in 2023 the SEC adopted rules requiring disclosure of material cybersecurity incidents suffered by public companies, as well as annual disclosure regarding cybersecurity governance and risk management. Complying with these new disclosure obligations once applicable to our company, or any or any additional new disclosure requirements that may apply to us in the future, could cause us to incur substantial costs and could increase negative publicity surrounding any incident that we are required to disclose. Any failure or perceived failure by us to comply with these obligations may also subject us to enforcement action or litigation, any of which could harm our business. Therefore, as a result of being a public company, our management and other personnel are required to devote a substantial amount of time to these compliance initiatives. Moreover, these rules and regulations have increased our legal and financial compliance costs and have made some activities more time-consuming and costly. We cannot predict or estimate the amount or timing of additional costs we may incur to respond to these requirements. The impact of these requirements also could make it more difficult for us to attract and retain qualified persons to serve on our board of directors, our board committees or as executive officers. Moreover, these rules and regulations often are subject to varying interpretations, in many cases due to their lack of specificity, and, as a result, their application in practice may evolve over time as new guidance is provided by regulatory and governing bodies. This could result in continuing uncertainty regarding compliance matters and higher costs necessitated by ongoing revisions to disclosure and governance practices.

Once an NDA is approved, the drug covered thereby becomes a "reference-listed drug" in the FDA's publication, "Approved Drug Products with Therapeutic Equivalence Evaluations." Manufacturers may seek marketing approval of generic versions of reference-listed drugs through submission of abbreviated new drug applications (ANDAs) in the United States. In support of an ANDA, a generic manufacturer need not conduct clinical trials demonstrating safety and efficacy. Rather, the applicant generally must show that its drug is pharmaceutically equivalent to the reference listed drug, in that it has the same active ingredient(s), dosage form, strength, route of administration and conditions of use or labeling as the reference-listed drug, and that the generic version is bioequivalent to the reference-listed drug, meaning it is absorbed in the body at the same rate and to the same extent. Generic drugs may be significantly less costly to bring to market than the reference-listed drug and companies that produce generic drugs are generally able to offer them at lower prices. Thus, following the introduction of a generic drug, a significant percentage of the sales of any branded product or reference-listed drug is typically lost to the generic drug. The FDA may not approve an ANDA for a generic drug until any applicable period of non-patent exclusivity for the reference-listed drug has expired. The FDCA provides a period of five years of non-patent exclusivity for a new drug containing a new chemical entity. During the exclusivity period, the FDA may not accept for review an ANDA or a 505(b)(2) NDA submitted by another company for another version of such drug candidate where the applicant does not own or have a legal right of reference to all the data required for approval. However, an application may be submitted after four years if it contains a certification of patent invalidity or non-infringement. The FDCA also provides three years of marketing exclusivity for an NDA, 505(b)(2) NDA or supplement to an approved NDA if new clinical investigations, other than bioavailability studies, that were conducted or sponsored by the applicant are deemed by the FDA to be essential to the approval of the application, for example, for new indications, dosages or strengths of an existing drug candidate. This three-year exclusivity covers only the conditions associated with the new clinical investigations and does not prohibit the FDA from approving ANDAs for drug candidates containing the original active agent for other conditions of use. Five-year and three-year exclusivity will not delay the submission or approval of a full NDA. However, an applicant submitting a full NDA would be required to conduct or obtain a right of reference to all of the nonclinical studies and adequate and well-controlled clinical trials necessary to demonstrate safety and effectiveness. Manufacturers may seek to launch these generic drugs following the expiration of the marketing exclusivity period, even if we still have patent protection for our drug. Competition that our drug candidates may face from generic versions of our drug candidates could materially and adversely impact our future revenue, profitability and cash flows and substantially limit our ability to obtain a return on the investments we have made in those drug candidates. Our future revenues, profitability and cash flows could also be materially and adversely affected and our ability to obtain a return on the investments we have made in those drug candidates may be substantially limited if our drug candidates, if and when approved, are not afforded the appropriate periods of non-patent exclusivity.

We face an inherent risk of product liability exposure related to the testing of our drug candidates in human clinical trials and will face an even greater risk if we commercially sell any products that we may develop. If we cannot successfully defend ourselves against claims that our drug candidates or products caused injuries, we will incur substantial liabilities. Regardless of merit or eventual outcome, liability claims may result in: - decreased demand for any drug candidates or products that we may develop;- termination of clinical trials;- withdrawal of marketing approval, recall, restriction on the approval or a "black box" warning or contraindication for an approved drug;- withdrawal of clinical trial participants;- significant costs to defend the related litigation;- substantial monetary awards to trial participants or patients;- loss of revenue;- injury to our reputation and significant negative media attention;- reduced resources of our management to pursue our business strategy; and - the inability to commercialize any products that we may develop. Although we maintain product liability insurance coverage, it may not be adequate to cover all liabilities that we may incur. We anticipate that we will need to increase our product liability insurance coverage as we initiate our clinical trials, as we expand our clinical trials and if we commence commercialization of our drug candidates. Insurance coverage is increasingly expensive. We may not be able to maintain or increase our insurance coverage at a reasonable cost or in an amount adequate to satisfy any liability that may arise.

We maintain and process, and our third-party vendors, collaborators, contractors and consultants maintain and process on our behalf, a large quantity of proprietary and sensitive information, including confidential business information, personal and patient health information in connection with our preclinical studies and clinical trials and personal information of our employees. We are subject to global privacy and data protection laws and regulations that apply to the collection, transmission, storage and use of personal information, which among other things, impose certain requirements relating to the privacy, security and transmission of personal information. Failure by us or our third-party vendors, collaborators, contractors and consultants to comply with any of these laws and regulations could result in enforcement actions by data protection authorities against us, including fines or penalties, claims for damages by affected individuals, damage to our reputation and loss of goodwill, any of which could have a material adverse effect on our business, financial condition, results of operations or prospects. In the United States, there are numerous federal and state privacy and data security laws and regulations governing the collection, use, disclosure and protection of personal information, including federal and state health information privacy laws, federal and state security breach notification laws, and federal and state consumer protection laws. Each of these laws is subject to varying interpretations and the legislative landscape is constantly evolving. In particular, laws and regulations governing the privacy of health information, such as HIPAA, establish privacy and security standards that limit the use and disclosure of individually identifiable health information, or protected health information, and require the implementation of administrative, physical and technological safeguards to protect the privacy of protected health information and ensure the confidentiality, integrity and availability of electronic protected health information. Determining how protected health information may be used, shared or processed in compliance with applicable privacy standards and our contractual obligations can be complex and may be subject to changing interpretation. Further, if we fail to comply with applicable privacy laws, we could face civil and criminal penalties, or claims for breach of contract. The HHS has enforcement discretion for HIPAA, and any enforcement activity can result in financial liability and reputational harm, and responses to such enforcement activity can consume significant internal resources. In addition, states have shown an increased interest in protecting the privacy of health data. Washington state passed the My Health My Data Act, which will take effect on March 31, 2024, and is focused on the collection of consumer health data. The My Health My Data Act has a broader scope than HIPAA and includes a private right of action-depending on whether this law applies to us, there may be substantial regulatory action and litigation associated with this act. Following Washington, Nevada enacted Senate Bill 370, which will take effect on March 31, 2024, and is similar to the My Health My Data Act and requires in-scope entities to comply with certain requirements regarding consumer health data. Notably, Senate Bill 370 does not include a private right of action nor does it apply to entities that are subject to HIPAA. Connecticut also amended its comprehensive privacy law in 2023, the Connecticut Data Privacy Act, to impose obligations aimed at "consumer health data." Furthermore, state attorneys general are authorized to bring civil actions seeking either injunctions or damages in response to violations that threaten the privacy of state residents pursuant to local state laws. We cannot be sure how these regulations will be interpreted, enforced or applied to our operations. In addition to the risks associated with enforcement activities and potential contractual liabilities, our ongoing efforts to comply with evolving laws and regulations at the federal and state level may be costly and require ongoing modifications to our policies, procedures and systems. Personal data privacy remains an evolving landscape at both the U.S. state and international level, with new regulations coming into effect. For example, the CCPA, which came into effect on January 1, 2020, and was amended and expanded by the California Privacy Rights Act (CPRA) as of January 1, 2023, provides California residents expanded privacy rights, including the right to request correction, access, and deletion of their personal information, the right to opt out of certain personal information sharing, and the right to receive detailed information about how their personal information is processed, including by California residents' employers. Additionally, the CCPA, as amended, requires companies that process personal information of California residents to make disclosures to consumers about their data collection, use and sharing practices, allow consumers to opt out of certain data sharing with third parties, complete certain audits and assessments when processing higher risk data and provide a private right of action for data breaches, as described above. Although the CCPA includes limited exceptions-including exceptions for personal health information collected by covered entities or business associates subject to HIPAA among others, the CCPA may regulate or impact our processing of personal information depending on the context. Failure to comply with the CCPA may result in significant civil penalties, injunctive relief, or statutory or actual damages as determined by the California Privacy Protection Agency, the newly created state agency from the CPRA legislation that is charged with creating new rules and enforcing the CCPA, and the California Attorney General, who also still maintains some CCPA enforcement powers. Notably, following California's lead, several other states enacted privacy laws that took effect in 2023: the Colorado Privacy Act, the Connecticut Personal Data Privacy and Online Monitoring Act, the Utah Consumer Privacy Act, and the Virginia Consumer Data Protection Act. Additional state privacy laws are set to take effect in 2024: the Florida Digital Bill of Rights (July 1, 2024), Montana's Consumer Data Privacy Act (October 1, 2024), Oregon's protections for the personal data of consumer enacted through SB 619 (July 1, 2024), and the Texas Data Privacy and Security Act (July 1, 2024). Compliance with this new privacy legislation adds complexity and may require investment in additional resources for compliance programs, thus potentially result in additional costs and expense of resources to maintain compliance. In the EU, the EU GDPR governs the collection, use, disclosure, transfer, or other processing of personal data. The UK has implemented the EU GDPR as the UK GDPR which sits alongside the UK Data Protection Act 2018 (the UK GDPR, and together with the EU GDPR, the GDPR). The GDPR imposes compliance obligations on controllers, including (among others) mandating burdensome documentation requirements, granting certain privacy rights to individuals to control how companies collect, use, disclose, retain and otherwise process information about them as well as specific requirements for obtaining valid consent where consent is the legal basis for processing, requirements around accountability and transparency, the obligation to consider data protection when any new products or services are developed, the obligation to appoint data protection officers in certain circumstances, the obligation to notify relevant data supervisory authorities of notifiable personal data breaches without undue delay (and no later than 72 hours) after becoming aware of the personal data breach, and the requirement for more detailed notices for clinical trial subjects and investigators. In addition, the EU GDPR prohibits the international transfer of personal data from clinical trial sites and other third parties (e.g., CROs) located in the EEA to jurisdictions that the European Commission does not recognize as having ‘adequate' data protection laws, unless a data transfer mechanism has been put in place or a derogation under the EU GDPR can be relied upon. After years of uncertainty following the July 16, 2020 decision of the Court of Justice of the European Union invalidating the EU-U.S. Privacy Shield Framework for purposes of international transfers and imposing further restrictions on the use of standard contractual clauses (EU SCCs), including a requirement for companies to carry out a transfer privacy impact assessment (TIA), on July 10, 2023, the European Commission adopted its Final Implementing Decision granting the U.S. adequacy (Adequacy Decision) for EU-U.S. transfers of personal data for entities self-certified to the EU-U.S. Data Privacy Framework (DPF). Entities relying on EU SCCs for transfers to the United States are also able to rely on the analysis in the Adequacy Decision as support for their TIA regarding the equivalence of U.S. national security safeguards and redress. Under the UK GDPR, companies not established in the UK but who process personal data in relation to the offering of goods or services to individuals in the UK, or to the monitoring of their behavior will be subject to the UK GDPR-the requirements of which at this time are largely aligned with those under the EU GDPR. The European Commission has adopted an adequacy decision in favor of the UK, enabling data transfers from EU Member States to the UK without additional safeguards. However, the UK adequacy decision will automatically expire in June 2025 unless the European Commission reassesses and renews/extends that decision, and remains under review by the European Commission during this period. The UK GDPR also imposes similar restrictions on transfers of personal data from the UK to jurisdictions that the UK Government does not consider adequate, including the U.S.. The UK's Information Commissioner's Office (ICO) published: (i) its own form of EU SCCs, known as the International Data Transfer Agreement to replace the old Standard Contractual Clauses for transfers to outside the UK; (ii) a "UK addendum" to the new EU SCCs which amends the relevant provisions of such clauses to work in a UK context; and (iii) its own version of the TIA and guidance on international transfers (although entities may choose to adopt either the EU or UK-style TIA). Further, on September 21, 2023, the UK Secretary of State for Science, Innovation and Technology established a UK-U.S. data bridge (i.e., a UK equivalent of the Adequacy Decision) and adopted UK regulations to implement the UK-U.S. data bridge ("UK Adequacy Regulations"). Personal data may now be transferred from the UK under the UK-U.S. data bridge through the UK extension to the DPF to organizations self-certified under the UK extension to the DPF. As a company, we have invested, and expect to continue to invest, significant time and resources in our GDPR compliance program. This is necessary to ensure we can initiate and maintain GDPR-compliant clinical trials in the EU or UK (as applicable). Any failure or perceived failure by us with respect to GDPR compliance could mean we either cannot initiate additional GDPR-compliant clinical trials in the EU or UK (as applicable) or we may face regulatory investigations, significant fines and penalties, reputational damage or be required to change our business practices, all of which could adversely affect our business, financial condition and results of operations. There is a risk that we could be impacted by a cybersecurity incident that results in loss or unauthorized disclosure of personal data, potentially resulting in us facing harms similar to those described above. Some countries also are considering or have passed legislation requiring local storage and processing of data, or similar requirements, which could increase the cost and complexity for conducting preclinical testing and clinical trials or delivering our future products, if any. Additionally, other countries (e.g., Australia and Japan) have adopted certain legal requirements for cross-border transfers of personal information. These obligations may be interpreted and applied in a manner that is inconsistent from one jurisdiction to another and may conflict with other requirements or our practices. It is possible that these laws may be interpreted and applied in a manner that is inconsistent with our practices, and our efforts to comply with the evolving data protection rules may be unsuccessful. In addition to the possibility of fines, lawsuits, regulatory investigations, public censure, other claims and penalties, and significant costs for remediation and damage to our reputation, we could be materially and adversely affected if legislation or regulations are expanded to require changes in our data processing practices and policies or if governing jurisdictions interpret or implement their legislation or regulations in ways that negatively impact our business. Compliance with these and any other applicable privacy and data security laws and regulations is a rigorous and time-intensive process, and we may be required to put in place additional mechanisms for ensuring compliance with the new data protection rules. In addition to government regulation, privacy advocates and industry groups have and may in the future propose self-regulatory standards from time to time. These and other industry standards may legally or contractually apply to us, or we may elect to comply with such standards. It is possible that if our practices are not consistent or viewed as not consistent with legal and regulatory requirements, including changes in laws, regulations and standards or new interpretations or applications of existing laws, regulations and standards, we may become subject to audits, inquiries, whistleblower complaints, adverse media coverage, investigations, loss of export privileges, or severe criminal or civil sanctions, all of which may have a material and adverse impact on our business, results of operations, reputation, and financial condition. Even if we are not determined to have violated these laws, government investigations into these issues typically require the expenditure of significant resources and generate negative publicity, which could harm our business, financial condition, results of operations or prospects. Any such liability, litigation, investigations and proceedings may or may not be covered by our liability insurance and may subject us to significant penalties and negative publicity, require us to change our business practices, increase our costs, severely disrupt our business, and may result in significant reputational harm and have a material and adverse impact on our business, financial condition, results of operations or prospects.

In order to conduct clinical trials of our drug candidates, we will need to manufacture our drug candidates in large quantities. Quality issues may arise during scale-up activities. Our reliance on a limited number of CMOs, the complexity of drug manufacturing and the difficulty of scaling up a manufacturing process could cause the delay of clinical trials, regulatory submissions, required approvals or commercialization of our drug candidates, cause us to incur higher costs and prevent us from commercializing our drug candidates successfully. Furthermore, if our CMOs fail to deliver the required commercial quality and quantities of materials on a timely basis and at commercially reasonable prices, and we are unable to secure one or more replacement CMOs capable of production in a timely manner at a substantially equivalent cost, then testing and clinical trials of that drug candidate may be delayed or infeasible, and regulatory approval or commercial launch of any resulting product may be delayed or not obtained, which could significantly harm our business.

We are exposed to the risk that our employees, independent contractors, vendors, principal investigators, CROs and consultants may engage in fraudulent conduct or other illegal activity. Misconduct by these parties could include: - intentional, reckless or negligent conduct or disclosure to us of unauthorized activities that violate the regulations of the FDA or similar foreign regulatory authorities;- healthcare fraud and abuse in violation of U.S. and foreign laws and regulations;- violations of U.S. federal securities laws relating to trading in our common stock; and - failures to report financial information or data accurately. In particular, sales, marketing and business arrangements in the healthcare industry are subject to extensive laws and regulations intended to prevent fraud, misconduct, kickbacks, self-dealing and other abusive practices. These laws and regulations regulate a wide range of pricing, discounting, marketing and promotion, sales commission, customer incentive programs and other business arrangements. While we have adopted a code of conduct and implemented other internal controls applicable to all of our employees, it is not always possible to identify and deter misconduct by employees and other third parties, and the precautions we take to detect and prevent this activity may not be effective. Additionally, we are subject to the risk that a person could allege fraud or other misconduct, even if none occurred. If any such actions are instituted against us, and we are not successful in defending ourselves or asserting our rights, those actions could have a significant impact on our business, including the imposition of civil, criminal and administrative penalties, damages, possible exclusion from participation in Medicare, Medicaid and other federal healthcare programs and diminished profits and future earnings, any of which could adversely affect our ability to operate our business or cause reputational harm.

We rely on third-party contract research organizations (CROs) to conduct our Phase 1 clinical trial programs for NX-5948, NX-2127 and NX-1607 and we will rely on third-party CROs to conduct any clinical trials for other drug candidates. Agreements with these CROs might terminate for a variety of reasons, including for such CRO's failure to perform. Entry into alternative arrangements, if necessary, could significantly delay our product development activities. Our reliance on these CROs for research and development activities will reduce our control over these activities but will not relieve us of our responsibilities. For example, we will remain responsible for ensuring that each of our clinical trials is conducted in accordance with the general investigational plan and protocols in the applicable IND. Moreover, the FDA and other foreign regulators such as the EMA and the MHRA require compliance with good clinical practice standards, commonly referred to as GCPs, for conducting, recording and reporting the results of clinical trials to assure that data and reported results are credible and accurate and that the rights, integrity and confidentiality of trial participants are protected. If these CROs do not successfully carry out their contractual duties, meet expected deadlines or conduct our clinical trials in accordance with regulatory requirements or our stated protocols, we will not be able to obtain, or may be delayed in obtaining, marketing approvals for our drug candidates and will not be able to, or may be delayed in our efforts to, successfully commercialize our drug candidates.

If any of our drug candidates receive marketing approval, they may nonetheless fail to gain sufficient market acceptance by physicians, patients, third-party payors and others in the medical community. For example, ibrutinib is a well-established current treatment for chronic lymphocytic leukemia (CLL), and doctors may continue to rely on this and other treatments. If our drug candidates do not achieve an adequate level of acceptance, we may not generate sufficient revenue from product sales and we may not become profitable. The degree of market acceptance of our drug candidates, if approved for commercial sale, will depend on a number of factors, including: - the efficacy and potential advantages compared to alternative treatments;- the prevalence and severity of any side effects, in particular compared to alternative treatments;- our ability to offer our products for sale at competitive prices;- the convenience and ease of administration compared to alternative treatments;- the willingness of the target patient population to try new therapies and of physicians to prescribe these therapies;- the strength of our marketing, sales and distribution support;- the availability of third-party payor coverage and adequate reimbursement;- the ability to secure a positive HTA recommendation for the product to be prescribed and reimbursed under the national health system;- the timing of any marketing approval in relation to other product approvals; and - any restrictions on the use of our products together with other medications.