Renalytix (RNLXY) Risk Factors

The diagnostics industry is characterized by rapid technological changes, scientific breakthroughs, frequent new product and service introductions and enhancements, and evolving industry standards, all of which could make KidneyIntelX obsolete. Further, the field of artificial intelligence is rapidly advancing and we must ensure that we keep pace with these changes in our technology and algorithms in order to ensure that KidneyIntelX delivers accurate and clinically relevant results. Our future success will depend on our ability to keep pace with the evolving needs of our customers and the evolution of our industry on a timely and cost-effective basis and to pursue new market opportunities that develop as a result of scientific and technological advances. In recent years, there have been numerous advances in technologies relating to life sciences research and the diagnosis and treatment of kidney disease. There have also been advances in technologies used to computationally analyze very large amounts of biologic information. If we do not update KidneyIntelX through the creation and deployment of new versions to reflect advances in artificial intelligence, new scientific knowledge about new disease diagnostics and therapies or the diseases we seek to target, KidneyIntelX could become obsolete.

Our success depends in large part on our ability to obtain and maintain patent protection in the United States and other countries with respect to our proprietary products. If we do not adequately protect our intellectual property, competitors may be able to erode or negate any competitive advantage we may have, which could harm our business and ability to achieve profitability. To protect our proprietary position, we file patent applications in the United States and abroad related to our novel products that are important to our business. The patent application and approval process is expensive and time-consuming. We may not be able to file and prosecute all necessary or desirable patent applications at a reasonable cost or in a timely manner. Our ability to obtain patent protection for our products is uncertain due to a number of factors, including: - we may not have been the first to make the inventions covered by pending patent applications or issued patents;- we may not have been the first to file patent applications for our products or the compositions we developed or for their uses;- others may independently develop identical, similar or alternative products or compositions and uses thereof;- our disclosures in patent applications may not be sufficient to meet the statutory requirements for patentability;- any or all of our pending patent applications may not result in issued patents;- we may not seek or obtain patent protection in countries that may eventually provide us a significant business opportunity;- any patents issued to us may not provide a basis for commercially viable products, may not provide any competitive advantages, or may be successfully challenged by third parties;- our compositions and methods may not be patentable;- others may design around our patent claims to produce competitive products which fall outside of the scope of our patents; or - others may identify prior art or other bases which could invalidate our patents. Our pending patent applications cannot be enforced against third parties practicing the technology claimed in such applications unless and until patent issues from such applications. Because the issuance of a patent is not conclusive as to its inventorship, scope, validity or enforceability, our patents or pending patent applications may be challenged in the courts or patent offices in the United States and abroad. For example, we may be subject to a third party preissuance submission of prior art to the U.S. Patent and Trademark Office, or USPTO, or become involved in post-grant review procedures, oppositions, derivations, reexaminations, inter partes review or interference proceedings, in the United States or elsewhere, challenging our patent rights or the patent rights of others. An adverse determination in any such challenges may result in loss of exclusivity or in patent claims being narrowed, invalidated or held unenforceable, in whole or in part, which could limit our ability to stop others from using or commercializing similar or identical technology and products, or limit the duration of the patent protection of our technology and products. In addition, given the amount of time required for the development, testing and regulatory review of new products, patents protecting such products might expire before or shortly after such products are commercialized. Obtaining and maintaining a patent portfolio entails significant expense and resources. Part of the expense includes periodic maintenance fees, renewal fees, annuity fees, various other governmental fees on patents and/or applications due in several stages over the lifetime of patents and/or applications, as well as the cost associated with complying with numerous procedural provisions during the patent application process. We may not choose to pursue or maintain protection for particular inventions. In addition, there are situations in which failure to make certain payments or noncompliance with certain requirements in the patent process can result in abandonment or lapse of a patent or patent application, resulting in partial or complete loss of patent rights in the relevant jurisdiction. If we choose to forgo patent protection or allow a patent application or patent to lapse purposefully or inadvertently, our competitive position could suffer. Even if our patent applications issue as patents, they may not issue in a form that will provide us with any meaningful protection, prevent competitors from competing with us or otherwise provide us with any competitive advantage. Our competitors may be able to circumvent our patents by developing similar or alternative technologies or products in a non-infringing manner. Our competitors may also seek approval to market their own products similar to or otherwise competitive with our products. In these circumstances, we may need to defend or assert our patents, or both, including by filing lawsuits alleging patent infringement. In any of these types of proceedings, a court or other agency with jurisdiction may find our patents invalid or unenforceable, or that our competitors are competing in a non-infringing manner. Thus, even if we have valid and enforceable patents, these patents still may not provide protection against competing products or processes sufficient to achieve our business objectives. Legal actions to enforce our patent rights can be expensive and may involve the diversion of significant management time. In addition, these legal actions could be unsuccessful and could also result in the invalidation of our patents or a finding that they are unenforceable. We may or may not choose to pursue litigation or other actions against those that have infringed or are currently infringing our patent rights, or used them without authorization, due to the associated expense and time commitment of monitoring these activities. If we fail to protect or to enforce our intellectual property rights successfully, our competitive position could suffer, which could harm our results of operations. Even if we have or obtain patents covering our products or compositions, we may still be prevented from making, using, selling, offering for sale, or importing our products or technologies because of the patent rights of others. Others may have filed, and in the future may file, patent applications covering compositions or products that are similar or identical to ours. These filings could materially affect our ability to develop or sell our products. Because patent applications can take many years to issue and are not published for a period of time after filing, there may be currently pending applications unknown to us that may later result in issued patents that our products or compositions may infringe. These patent applications may have priority over patent applications filed by us.

We depend on our information technology and telecommunications systems and those of our third-party service providers, contractors and consultants for significant elements of our operations, including our KidneyIntelX platform, which is dependent upon Microsoft Azure cloud computing services. We have installed and are expanding a number of enterprise software systems that affect a broad range of business processes and functional areas, including, for example, systems handling human resources, financial controls and reporting, contract management, and other infrastructure operations. These information technology and telecommunications systems support a variety of functions, including laboratory operations, test validation, sample tracking, quality control, customer service support, billing and reimbursement, research and development activities, scientific and medical curation, and general administrative activities. Despite the implementation of preventative and detective security controls, such information technology and telecommunications systems are vulnerable to damage or interruption from a variety of sources, including telecommunications or network failures or interruptions, system malfunction, natural disasters, malicious human acts, terrorism and war. Such information technology and telecommunication systems, including our servers, are additionally vulnerable to physical or electronic break-ins, security breaches from inadvertent or intentional actions by our employees, third-party service providers, contractors, consultants, business partners, and/or other third parties, or from cyber-attacks by malicious third parties (including the deployment of harmful malware,ransomware, denial-of-service attacks, social engineering, and other means to affect service reliability and threaten the confidentiality, integrity, and availability of information). The risk of a security breach or disruption, particularly through cyber-attacks or cyber intrusion, including by computer hackers, foreign governments, and cyber terrorists, has generally increased as the number, intensity, and sophistication of attempted attacks and intrusions from around the world have increased. We may not be able to anticipate all types of security threats, and we may not be able to implement preventive measures effective against all such security threats. The techniques used by cyber criminals change frequently, may not be recognized until launched, and can originate from a wide variety of sources, including outside groups such as external service providers, organized crime affiliates, terrorist organizations, or hostile foreign governments or agencies. Failures or significant downtime of our information technology or telecommunications systems, or those used by our third-party service providers, contractors or consultants could prevent us, now or when we commercialize our products, from conducting our in vitro diagnostic tests, preparing and providing reports and data to physicians, billing payors, processing reimbursement appeals, handling patient or physician inquiries, conducting research and development activities, and managing the administrative aspects of our business. The costs related to significant security breaches or disruptions could be material and exceed the limits of any cybersecurity insurance we maintain against such risks. If the information technology systems of our third-party service providers and other contractors and consultants become subject to disruptions or security breaches, we may have insufficient recourse against such third parties and we may have to expend significant resources to mitigate the impact of such an event, and to develop and implement protections to prevent future events of this nature from occurring. Any disruption or loss of information technology or telecommunications systems on which critical aspects of our operations depend could have an adverse effect on our business, financial condition and results of operations.

If KidneyIntelX is authorized by the FDA for marketing in the United States, the test will be subject to the FDA's quality system regulation, or QSR, labeling regulations, registration and listing, the Medical Device Reporting regulation which requires that manufacturers report to the FDA if their device may have caused or contributed to a death or serious injury or malfunctioned in a way that would likely cause or contribute to a death or serious injury if it were to recur and the Reports of Corrections and Removals regulation, which requires manufacturers to report recalls and field actions to the FDA if initiated to reduce a risk to health posed by the device or to remedy a violation of the FDCA. The FDA enforces these requirements by inspection and market surveillance. If the FDA finds a violation, it can institute a wide variety of enforcement actions, ranging from an untitled or public warning letter to more severe sanctions such as fines, injunctions and civil penalties; recall or seizure of products; operating restrictions and partial suspension or total shutdown of production; refusing requests for 510(k) clearance or PMA approval of new products; withdrawing a marketing authorization already granted; and criminal prosecution. Accordingly, assuming we receive FDA marketing clearance for KidneyIntelX, we will continue to expend time, money and effort in all areas of regulatory compliance.

We are incorporated under English law. A substantial amount of our assets are located outside the United States. In addition, some of our executive officers and directors reside outside the United States. As a result, it may not be possible for investors to effect service of process within the United States upon such persons or to enforce judgments obtained in U.S. courts against them or us, including judgments predicated upon the civil liability provisions of the U.S. federal securities laws. The United States and the United Kingdom do not currently have a treaty providing for the reciprocal recognition and enforcement of judgments (other than arbitration awards) in civil and commercial matters. Consequently, a final judgment for payment given by a court in the United States, whether or not predicated solely upon U.S. securities laws, would not automatically be recognized or enforceable in England and Wales. In addition, uncertainty exists as to whether the English and Welsh courts would entertain original actions brought in England and Wales against us or our directors or executive officers predicated upon the securities laws of the United States or any state in the United States. Any final and conclusive monetary judgment for a definite sum obtained against us in U.S. courts would be treated by the courts of England and Wales as a cause of action in itself and sued upon as a debt so that no retrial of the issues would be necessary, provided that certain requirements are met consistent with English law and public policy. Whether these requirements are met in respect of a judgment based upon the civil liability provisions of the U.S. securities laws is an issue for the English court making such decision. If an English court gives judgment for the sum payable under a U.S. judgment, the English judgment will be enforceable by methods generally available for this purpose. As a result, U.S. investors may not be able to enforce against us or our executive officers, board of directors or certain experts named herein who are residents of the United Kingdom or countries other than the United States any judgments obtained in U.S. courts in civil and commercial matters, including judgments under the U.S. federal securities laws.

The rules dealing with U.S. federal, state and local income taxation are constantly under review by the Internal Revenue Service, the U.S. Treasury Department and other governmental bodies. Changes to tax laws (which changes may have retroactive application) could adversely affect us or holders of our ADSs or ordinary shares. In recent years, many such changes have been made and changes are likely to continue to occur in the future. Future changes in tax laws could have a material adverse effect on our business, cash flow, financial condition or results of operations. We urge investors to consult with their legal and tax advisers regarding the implication of potential changes in tax laws on an investment in our ADSs or ordinary shares.

We collect, store, process and transmit sensitive data, including legally protected health information, or PHI, personally identifiable information, intellectual property and proprietary business information. As we seek to expand our business, we are, and will increasingly become, subject to numerous state, federal and foreign laws, regulations and standards, as well as contractual obligations, relating to the collection, use, retention, security, disclosure, transfer and other processing of sensitive and personal information in the jurisdictions in which we operate. In many cases, these laws, regulations and standards apply not only to third-party transactions, but also to transfers of information between or among us, our subsidiaries and other parties with which we have commercial relationships. These laws, regulations and standards may be interpreted and applied differently over time and from jurisdiction to jurisdiction, and it is possible that they will be interpreted and applied in ways that will materially and adversely affect our business, financial condition and results of operations. The regulatory framework for data privacy, data security and data transfers worldwide is rapidly evolving, and there has been an increasing focus on privacy and data protection issues with the potential to affect our business, and as a result, interpretation and implementation standards and enforcement practices are likely to remain uncertain for the foreseeable future. Failure to comply with any of these laws and regulations could result in enforcement actions against us, including fines, imprisonment of company officials and public censure, claims for damages by affected individuals, damage to our reputation and loss of goodwill, any of which could have a material adverse effect on our business. There are numerous U.S. federal and state laws and regulations related to the privacy and security of health information. These laws and regulations include HIPAA, as amended by HITECH, which establishes a set of national privacy and security standards for the protection of PHI, by health plans, healthcare clearinghouses and certain healthcare providers, referred to as covered entities, and the business associates with whom such covered entities contract for services as well as their covered subcontractors. HIPAA requires covered entities and business associates to develop and maintain policies and procedures with respect to PHI that is used or disclosed, including the adoption of administrative, physical and technical safeguards to protect such information and ensure the confidentiality, integrity and availability of electronic PHI. HIPAA also implemented the use of standard transaction code sets and standard identifiers that covered entities must use when submitting or receiving certain electronic healthcare transactions, including activities associated with the billing and collection of healthcare claims. The United States Office of Civil Rights may impose penalties on a covered entity for a failure to comply with a requirement of HIPAA. Penalties will vary significantly depending on factors such as the date of the violation, whether the covered entity knew or should have known of the failure to comply, or whether the covered entity's failure to comply was due to willful neglect. These penalties include significant civil monetary penalties, criminal penalties and, in certain instances, imprisonment. HIPAA also authorizes state attorneys general to file suit on behalf of their residents. Courts may award damages, costs and attorneys' fees related to violations of HIPAA in such cases. While HIPAA does not create a private right of action allowing individuals to sue us in civil court for violations of HIPAA, its standards have been used as the basis for duty of care in state civil suits such as those for negligence or recklessness in the misuse or breach of PHI. Furthermore, in the event of a breach as defined by HIPAA, the covered entity has specific reporting requirements under HIPAA regulations. In the event of a significant breach, the reporting requirements could include notification to the general public. Enforcement activity can result in reputational harm, and responses to such enforcement activity can consume significant internal resources. Additionally, if we are unable to properly protect the privacy and security of PHI, we could be found to have breached our contracts. Determining whether PHI has been handled in compliance with applicable privacy standards and our contractual obligations can be complex and we cannot be sure how these regulations will be interpreted, enforced or applied to our operations. In addition, many states in which we operate have laws that protect the privacy and security of sensitive and personal information. Certain state laws may be more stringent or broader in scope, or offer greater individual rights, with respect to sensitive and personal information than federal, international or other state laws, and such laws may differ from each other, which may complicate compliance efforts. Where state laws are more protective than HIPAA, we must comply with the state laws we are subject to, in addition to HIPAA. In certain cases, it may be necessary to modify our planned operations and procedures to comply with these more stringent state laws. Further, in some cases where we process sensitive and personal information of individuals from numerous states, we may find it necessary to comply with the most stringent state laws applicable to any of the information. For example, the California Consumer Privacy Act of 2018, or the CCPA, which increases privacy rights for California residents and imposes stringent data privacy and security obligations on companies that process their personal information, came into effect on January 1, 2020. Among other things, the CCPA requires covered companies to provide new disclosures to California consumers and provide such consumers new data protection and privacy rights, including the ability to opt-out of certain sales of personal information. The CCPA provides for civil penalties for violations, as well as a private right of action for certain data breaches that result in the loss of personal information. This private right of action may increase the likelihood of, and risks associated with, data breach litigation. The CCPA was amended in September 2018 and November 2019, and it is possible that further amendments will be enacted, but even in its current form it remains unclear how various provisions of the CCPA will be interpreted and enforced. Despite the delay in adopting regulations, the California State Attorney General will commence enforcement actions against violators beginning July 1, 2020. While any information we maintain in our role as a business associate may be exempt from the CCPA, other records and information we maintain on our customers may be subject to the CCPA. New legislation proposed or enacted in Illinois, Massachusetts, Nevada, New Jersey, New York, Rhode Island, Washington and other states, and a proposed right to privacy amendment to the Vermont Constitution, imposes, or has the potential to impose, additional obligations on companies that collect, store, use, retain, disclose, transfer and otherwise process confidential, sensitive and personal information, and will continue to shape the data privacy environment nationally. State laws are changing rapidly and there is discussion in Congress of a new federal data protection and privacy law to which we would become subject if it is enacted. All of these evolving compliance and operational requirements impose significant costs that are likely to increase over time, may require us to modify our data processing practices and policies, divert resources from other initiatives and projects, and could restrict the way products and services involving data are offered, all of which may have a material and adverse impact on our business, financial condition and results of operations. Laws, regulations and standards in many foreign jurisdictions apply broadly to the collection, use, retention, security, disclosure, transfer and other processing of personal data; many of these requirements may impose significant, divergent and conflicting compliance obligations. For example, the General Data Protection Regulation of the European Union, or the GDPR, applies to processing operations carried out in the context of the activities of an establishment in the European Economic Area, or EEA, and any processing relating to the offering of goods or services to individuals in the EEA and/or the monitoring of their behavior in the EEA (including as may occur in the conduct of clinical trials in the EEA). Also, notwithstanding the U.K.'s withdrawal from the EU, by operation of the so-called U.K. GDPR, the GDPR continues to apply in substantially equivalent form to processing operations carried out in the context of the activities of an establishment in the U.K., and any processing relating to the offering of goods or services to individuals in the U.K. and/or monitoring of their behavior in the U.K. (including in the conduct of clinical trials in the U.K.). Accordingly, references in this section to the GDPR are also deemed to be references to the U.K. GDPR in the context of the U.K., unless the context requires otherwise. The GDPR also provides that EEA Member States and the U.K. may make their own further laws and regulations to introduce supplementary requirements related to the processing of "special categories of personal data" (including health data and genetic information processed in the course of clinical trials); as well as personal data related to criminal offences or convictions. Such country-specific regulations, as well as differing and/or conflicting interpretations of the GDPR across the EEA and U.K., may lead to divergence in the application of the laws that govern our processing of personal data across the EEA and/or U.K., endeavoring to comply with each of which may increase our costs and could increase our overall compliance risk. Such country-specific regulations could also limit our ability to collect, use and share data in the context of our EEA and/or U.K. operations, and/or could cause our compliance costs to increase, ultimately having an adverse impact on our business and harming our business and financial condition. The GDPR and the country-specific regulations noted above impose stringent data privacy and security requirements on both processors and controllers of personal data, including health data and genetic information processed in the course of clinical trials (even when that personal data is processed only in pseudonymized or key-coded form). In particular, the GDPR imposes several requirements relating to ensuring there is a lawful basis for processing personal data and, where relevant, a valid condition to processing special categories of personal data, extends the rights of individuals to whom the personal data relates, materially expands the definition of what is expressly noted to constitute personal data, requires additional disclosures about how personal data is to be used, imposes limitations on retention of personal data, , creates mandatory data breach notification requirements in certain circumstances, and establishes onerous obligations on service providers who process personal data on behalf of others. In particular, the GDPR and many other European data protection laws generally prohibit the transfer of personal data to the United States and other countries in respect of which the European Commission or other relevant regulatory body has not issued a so-called ‘adequacy decision', unless the parties to the transfer have implemented specific safeguards to protect the transferred personal data. This is an area of evolving complexity and achieving effective compliance with ever-changing requirements and guidance in relation to data transfers from Europe is highly challenging. If we are unable to implement sufficient safeguards to ensure that our transfers of personal data from Europe are lawful, we may face increased exposure to regulatory action(s), substantial fines and injunctions against processing personal data from Europe. Loss of our ability to lawfully transfer personal data out of Europe to the United States or any other jurisdictions may (1) restrict our activities in Europe, (2) limit our ability to conduct clinical trials in Europe and/or to work with partners, service providers, contractors and other companies subject to European data protection laws, and/or (3) require us to increase our data processing capabilities in Europe at significant expense or otherwise cause us to change the geographical location or segregation of our relevant systems and operations - any or all of which could adversely affect our financial results. Additionally, other countries outside of the EEA, UK and Switzerland have passed or are considering passing similar cross-border data transfer restrictions and laws requiring local data residency, which could increase the cost and complexity of operating our business. Companies that violate the GDPR, whether acting as a controller or a processor, can face robust regulatory enforcement and significant penalties for noncompliance, including fines of up to the greater of €20 million or 4% of their worldwide annual revenue for the preceding financial year. In addition to administrative fines, a wide variety of other potential enforcement powers are available to competent supervisory authorities in respect of potential and suspected violations of the GDPR, including extensive audit and inspection rights, and powers to order temporary or permanent bans on all or some processing of personal data carried out by noncompliant actors. The GDPR also confers a private right of action on data subjects and consumer associations to lodge complaints with supervisory authorities, seek judicial remedies and obtain compensation for damages resulting from violations of the GDPR. Additionally, as noted above, the U.K. has transposed the GDPR into the laws of the U.K. by way of the U.K. GDPR, which could expose us to two parallel regimes, each of which potentially authorizes similar fines, with the U.K. GDPR permitting fines of up to the higher of £17.5 million or 4% of global annual revenue of any noncompliant organizations for the preceding financial year; as well as other potentially divergent enforcement actions for certain violations. European data protection authorities may interpret the GDPR and national laws differently and impose additional requirements, which contributes to the complexity of processing personal data in or from the EEA or U.K. Guidance on implementation and compliance practices is often updated or otherwise revised. Given the breadth and depth of changes in data protection obligations, complying with its requirements has caused us to expend significant resources and such expenditures are likely to continue into the near future as we respond to new interpretations, additional guidance, and potential enforcement actions and patterns. While we have taken steps to comply with the GDPR, and implementing legislation in applicable EEA Member States and the U.K. if and where applicable, we cannot assure you that our efforts to achieve and remain in compliance have been, and/or will continue to be, fully successful. We make public statements about our use and disclosure of personal information through our privacy policy, self-certifications, information provided on our internet platform and press statements. Although we endeavor to comply with our public statements and documentation, we may at times fail to do so or be alleged to have failed to do so. Moreover, despite our efforts, we may not be successful in achieving compliance if our employees or vendors fail to comply with our published policies, certifications and documentation. The publication of our privacy policy and other statements that provide promises and assurances about data privacy and security can subject us to potential government or legal action if they are found to be deceptive, unfair or misrepresentative of our actual practices. Any failure, real or perceived, by us to comply with our posted privacy policies or with any legal or regulatory requirements, standards, certifications or orders or other privacy or consumer protection- related laws and regulations applicable to us could cause our customers to reduce their use of our products and services and could materially and adversely affect our business, financial condition and results of operations. In many jurisdictions, enforcement actions and consequences for non-compliance can be significant and are rising. In addition, from time to time, concerns may be expressed about whether our products, services or processes compromise the privacy of customers and others. Concerns about our practices with regard to the collection, use, retention, security, disclosure, transfer and other processing of personal information or other privacy-related matters, even if unfounded, could damage our reputation and materially and adversely affect our business, financial condition and results of operations. Many statutory requirements, both in the United States and abroad, include obligations for companies to notify individuals of security breaches involving certain personal information, which could result from breaches experienced by us or our third-party service providers. For example, laws in all 50 U.S. states and the District of Columbia require businesses to provide notice to consumers whose sensitive personal information has been disclosed as a result of a data breach. These laws are not consistent, and compliance in the event of a widespread data breach is difficult and may be costly. Moreover, states have been frequently amending existing laws, requiring attention to changing regulatory requirements. We also may be contractually required to notify customers or other counterparties of a security breach. Although we may have contractual protections with our third-party service providers, contractors and consultants, any actual or perceived security breach could harm our reputation and brand, expose us to potential liability or require us to expend significant resources on data security and in responding to any such actual or perceived breach. Any contractual protections we may have from our third-party service providers, contractors or consultants may not be sufficient to adequately protect us from any such liabilities and losses, and we may be unable to enforce any such contractual protections. In addition to the possibility of fines, lawsuits, regulatory investigations, public censure, other claims and penalties, and significant costs for remediation and damage to our reputation, we could be materially and adversely affected if legislation or regulations are expanded in a manner that requires changes in our data processing practices and policies or if governing jurisdictions interpret or implement their legislation or regulations in ways that negatively impact our business. Complying with these various laws could cause us to incur substantial costs or require us to change our business practices and compliance procedures in a manner adverse to our business. Any inability to adequately address data privacy or security-related concerns, even if unfounded, or to comply with applicable laws, regulations, standards and other obligations relating to data privacy and security, could result in additional cost and liability to us, harm our reputation and brand, damage our relationships with customers and have a material and adverse impact on our business.

We have established relationships with key thought leaders at premier medical institutions and networks. If these key thought leaders determine that KidneyIntelX is not clinically effective, that alternative technologies and products are more effective, or if they elect to use internally developed products, we could encounter significant difficulty validating our technology platform, driving adoption, and establishing KidneyIntelX as a standard of care, which would limit our revenue growth and our ability to achieve profitability.

While we manage the overall processing of claims, we rely on third-party billing provider software to transmit the actual claims to payors based on the specific payor billing format. The potential exists for us to experience delays in claims processing when third-party providers make changes to their invoicing systems. Additionally, coding for diagnostic assays may change, and such changes may cause short-term billing errors that may take significant time to resolve. If claims are not submitted to payors on a timely basis or are erroneously submitted, or if we are required to switch to a different software provider to handle claim submissions, we may experience delays in our ability to process these claims and receipt of payments from payors, or possibly denial of claims for lack of timely submission, which would have an adverse effect on our revenue and our business.

Future sales of our products will be dependent on purchasing decisions of and reimbursement from government health administration authorities, distributors and other organizations. As a result of adverse conditions affecting the global economy and credit and financial markets, including disruptions due to political instability, global pandemics and diseases such as the current COVID-19 pandemic, or otherwise, these organizations may defer purchases, may be unable to satisfy their purchasing or reimbursement obligations, or may delay payment for any of our products.

Owing to the international scope of our operations, fluctuations in exchange rates, particularly between the pound sterling and the U.S. dollar, may adversely affect us. Since the Brexit referendum in 2016, there has been a significant increase in the volatility of the exchange rate between the pound sterling and the U.S. dollar and an overall weakening of the pound sterling. Our business and the price of our ADSs may be affected by fluctuations in foreign exchange rates not only between the pound sterling and the U.S. dollar, but also the currencies of other countries, which may have a significant impact on our results of operations and cash flows from period to period. Currently, we do not have any exchange rate hedging arrangements in place.

Our commercial success depends on our ability to maintain coverage and adequate reimbursement from those payors that decide to cover and reimburse KidneyIntelX and our other products that we commercialize. Further, one payor's determination to provide coverage for a product does not assure that other payors will also provide coverage and reimbursement for the product, and the level of coverage and reimbursement can differ significantly from payor to payor. Payors could withdraw coverage and stop providing reimbursement for our commercialized products in the future or may reimburse our products only on a case-by-case basis. Managing reimbursement on a case-by-case basis is time consuming and contributes to an increase in the number of days it takes us to collect accounts receivable and increases our risk of non-payment. Negotiating reimbursement on a case-by-case basis also typically results in the provision of reimbursement at a significant discount to the list price of our commercialized products. Further, even if we obtain written agreements regarding coverage and reimbursement with certain payors, these agreements are not guarantees of indefinite coverage in an adequate amount. For example, these agreements are typically terminable without cause by either party and are typically renewable annually, and the applicable payor could opt against renewal upon expiration. In addition, the terms of certain of our written arrangements may require us to seek pre-approval from the payor or put in place other controls and procedures prior to conducting a test for a customer. To the extent we fail to follow these requirements, we may fail to receive some or all of the reimbursement payments to which we are otherwise entitled. These payors must also conclude that our claim satisfies the applicable contractual criteria. In addition, our written agreements regarding reimbursement with payors may not guarantee us the receipt of reimbursement payments at what we believe to be the applicable contracted rate for each reimbursement claim that we submit to such payors. If payors withdraw coverage for our products, once commercialized, or reduce the reimbursement amounts for such products, our ability to generate revenue could be limited, which may have a material adverse effect on our financial condition, results of operations and cash flow. Further, due to the COVID-19 pandemic, millions of individuals have lost or will be losing employer-based insurance coverage, which may adversely affect our ability to commercialize our products.