Syndax Pharmaceuticals (SNDX) Risk Factors

Until we can generate a sufficient amount of profit from our products, if ever, we expect to finance future cash needs through public or private equity or debt offerings. If we raise additional funds through the issuance of additional equity or debt securities, it may result in dilution to our existing stockholders and/or increased fixed payment obligations. For example, in December 2023, we sold a total of 12,432,431 shares of our common stock in a public offering. The issuance of these shares of our common stock resulted, and any future issuance pursuant to sales under the 2023 ATM Program will result, in dilution to our stockholders. The shares of common stock into which the warrants may be exercised are considered outstanding for the purposes of computing earnings per share. Additionally, in November 2023, we sold 2,719,744 common shares under the 2023 ATM Program, with net proceeds of approximately $42.1 million. The issuance of these shares of our common stock resulted, and any future issuance pursuant to the exercise of the outstanding pre-funded warrants or sales under the 2023 ATM Program will result, in dilution to our stockholders. We may also seek additional funding through government or other third-party funding and other collaborations, strategic alliances and licensing arrangements. These financing activities may have an adverse impact on our stockholders' rights as well as on our operations, and such additional funding may not be available on reasonable terms, if at all. Furthermore, these securities may have rights senior to those of our common stock and could contain covenants that would restrict our operations and potentially impair our competitiveness, such as limitations on our ability to incur additional debt, limitations on our ability to acquire, sell or license intellectual property rights and other operating restrictions that could adversely impact our ability to conduct our business. Additionally, if we seek funds through arrangements with collaborative partners, these arrangements may require us to relinquish rights to some of our technologies or product candidates or otherwise agree to terms unfavorable to us. Any of these events could significantly harm our business, financial condition and prospects.

The Sarbanes-Oxley Act requires, among other things, that we maintain effective internal controls for financial reporting and disclosure controls and procedures. Commencing after the filing of our initial annual report on Form 10-K, we have been required, under Section 404 of the Sarbanes-Oxley Act, to furnish a report by management on, among other things, the effectiveness of our internal control over financial reporting. This assessment needs to include disclosure of any material weaknesses identified by our management in our internal control over financial reporting. A material weakness is a deficiency, or combination of deficiencies, in internal control over financial reporting that results in more than a reasonable possibility that a material misstatement of annual or interim financial statements will not be prevented or detected on a timely basis. Section 404 of the Sarbanes-Oxley Act also generally requires an attestation from our independent registered public accounting firm on the effectiveness of our internal control over financial reporting. We are required to get an attestation from our independent registered public accounting firm on the effectiveness of our internal control over financial reporting. Our compliance with Section 404 requires that we incur substantial expense and expend significant management efforts. We currently do not have an internal audit group, and we may need to hire additional accounting and financial staff with appropriate public company experience and technical accounting knowledge and compile the system and process documentation necessary to perform the evaluation needed to comply with Section 404. We may not be able to complete our evaluation, testing and any required remediation in a timely fashion. During the evaluation and testing process, if we identify one or more material weaknesses in our internal control over financial reporting, we will be unable to assert that our internal control over financial reporting is effective. We cannot assure you that there will not be material weaknesses or significant deficiencies in our internal control over financial reporting in the future. Any failure to maintain internal control over financial reporting could severely inhibit our ability to accurately report our financial condition, results of operations or cash flows. If we are unable to conclude that our internal control over financial reporting is effective, or if our independent registered public accounting firm determines we have a material weakness or significant deficiency in our internal control over financial reporting once that firm begin its Section 404 reviews, we could lose investor confidence in the accuracy and completeness of our financial reports, the market price of our common stock could decline, and we could be subject to sanctions or investigations by the Nasdaq Global Select Market, the SEC or other regulatory authorities. Failure to remedy any material weakness in our internal control over financial reporting, or to implement or maintain other effective control systems required of public companies, could also restrict our future access to the capital markets.

In order to market any approved product candidate in the future, we must build our sales, marketing, distribution, managerial and other non-technical capabilities or make arrangements with third parties to perform these services, as we do not presently have all of these capabilities. To develop our internal sales, distribution and marketing capabilities, we must invest significant amounts of financial and management resources in the future. For drugs where we decide to perform sales, marketing and distribution functions ourselves, we could face a number of challenges, including that: - we may not be able to attract and build an effective marketing or sales organization;- the cost of establishing, training and providing regulatory oversight for a marketing or sales force may not be justifiable in light of the revenues generated by any particular product;- our direct or indirect sales and marketing efforts may not be successful; and - there are significant legal and regulatory risks in drug marketing and sales that we have never faced, and any failure to comply with all legal and regulatory requirements for sales, marketing and distribution could result in enforcement action by the FDA or other authorities that could jeopardize our ability to market the product or could subject us to substantial liabilities. Alternatively, we may rely on third parties to launch and market our product candidates, if approved. We may have limited or no control over the sales, marketing and distribution activities of these third parties and our future revenue may depend on the success of these third parties. Additionally, if these third parties fail to comply with all applicable legal or regulatory requirements, the FDA or another governmental agency could take enforcement action that could jeopardize their ability and our ability to market our product candidates.

In the ordinary course of business, we collect, receive, store, process, generate, use, transfer, disclose, make accessible, protect, secure, dispose of, transmit, and share, or collectively, process, personal data and other sensitive information, including proprietary and confidential business data, trade secrets, intellectual property, sensitive third-party data, business plans, transactions, clinical trial data and financial information or collectively, sensitive data. Our data processing activities subject us to numerous data privacy and security obligations, such as various laws, regulations, guidance, industry standards, external and internal privacy and security policies, contractual requirements, and other obligations relating to data privacy and security. In the United States, federal, state, and local governments have enacted numerous data privacy and security laws, including data breach notification laws, personal data privacy laws, consumer protection laws (e.g., Section 5 of the Federal Trade Commission Act), and other similar laws (e.g., wiretapping laws). For example, the federal Health Insurance Portability and Accountability Act of 1996, or HIPAA, as amended by the Health Information Technology for Economic and Clinical Health Act, or HITECH, imposes specific requirements relating to the privacy, security, and transmission of individually identifiable protected health information. For more information regarding risks associated with HIPAA, please refer to the section above that discusses risks associated with healthcare laws and regulations. In the past few years, numerous U.S. states-including California, Virginia, Colorado, Connecticut, and Utah-have enacted comprehensive privacy laws that impose certain obligations on covered businesses, including providing specific disclosures in privacy notices and affording residents with certain rights concerning their personal data. As applicable, such rights may include the right to access, correct, or delete certain personal data, and to opt-out of certain data processing activities, such as targeted advertising, profiling, and automated decision-making. The exercise of these rights may impact our business and ability to provide our products and services. Certain states also impose stricter requirements for processing certain personal data, including sensitive information, such as conducting data privacy impact assessments. These state laws allow for statutory fines for noncompliance. For example, the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020, or CPRA and collectively, CCPA, applies to personal data of consumers, business representatives, and employees who are California residents, and requires businesses to provide specific disclosures in privacy notices and honor requests of such individuals to exercise certain privacy rights. The CCPA provides for fines of up to $7,500 per intentional violation and allows private litigants affected by certain data breaches to recover significant statutory damages. Although there are limited exemptions for clinical trial data under the CCPA, the CCPA and other similar laws may impact (possibly significantly) our business activities depending on how it is interpreted, should we become subject to the CCPA in the future. Similar laws are being considered in several other states, as well as at the federal and local levels, and we expect more states to pass similar laws in the future. These developments may further complicate compliance efforts and increase legal risk and compliance costs for us and the third parties upon whom we rely. Outside the United States, an increasing number of laws, regulations, and industry standards may govern data privacy and security. For example, the European Union's General Data Protection Regulation, or EU GDPR, and the United Kingdom's GDPR, or UK GDPR, impose strict requirements for processing personal data. For example, under GDPR, companies may face temporary or definitive bans on data processing and other corrective actions; fines of up to 20 million Euros under the EU GDPR, 17.5 million pounds sterling under the UK GDPR or, in each case, 4% of annual global revenue, whichever is greater; or private litigation related to processing of personal data brought by classes of data subjects or consumer protection organizations authorized at law to represent their interests. We may be subject to new laws governing the privacy of consumer health data, including reproductive, sexual orientation, and gender identity privacy rights. For example, Washington's My Health My Data Act, or MHMD, broadly defines consumer health data, places restrictions on processing consumer health data (including imposing stringent requirements for consents), provides consumers certain rights with respect to their health data, and creates a private right of action to allow individuals to sue for violations of the law. Other states are considering and may adopt similar laws. Our employees and personnel may occasionally use generative artificial intelligence, or AI, technologies to perform their work, and the disclosure and use of personal data in generative AI technologies is subject to various privacy laws and other privacy obligations. Governments have passed and are likely to pass additional laws regulating generative AI. Our use of this technology could result in additional compliance costs, regulatory investigations and actions, and lawsuits. If we are unable to use generative AI, it could make our business less efficient and result in competitive disadvantages. In addition, we may be unable to transfer personal data from Europe and other jurisdictions to the United States or other countries due to data localization requirements or limitations on cross-border data flows. Europe and other jurisdictions have enacted laws requiring data to be localized or limiting the transfer of personal data to other countries. In particular, the European Economic Area, or EEA, and the United Kingdom, or UK, have significantly restricted the transfer of personal data to the United States and other countries whose privacy laws it generally believes are inadequate. Other jurisdictions may adopt similarly stringent interpretations of their data localization and cross-border data transfer laws. Although there are currently various mechanisms that may be used to transfer personal data from the EEA and UK to the United States in compliance with law, such as the EEA's standard contractual clauses, the UK's International Data Transfer Agreement / Addendum, and the EU-U.S. Data Privacy Framework and the UK extension thereto (which allows for transfers to relevant U.S.-based organizations who self-certify compliance and participate in the Framework), these mechanisms are subject to legal challenges, and there is no assurance that we can satisfy or rely on these measures to lawfully transfer personal data to the United States. If there is no lawful manner for us to transfer personal data from the EEA, the UK, or other jurisdictions to the United States, or if the requirements for a legally-compliant transfer are too onerous, we could face significant adverse consequences, including the interruption or degradation of our operations, the need to relocate part of or all of our business or data processing activities to other jurisdictions (such as Europe) at significant expense, increased exposure to regulatory actions, substantial fines and penalties, the inability to transfer data and work with partners, vendors and other third parties, and injunctions against our processing or transferring of personal data necessary to operate our business. Additionally, companies that transfer personal data out of the EEA and UK to other jurisdictions, particularly to the United States, are subject to increased scrutiny from regulators, individual litigants, and activities groups. Some European regulators have ordered certain companies to suspend or permanently cease certain transfers of personal data out of Europe for allegedly violating the GDPR's cross-border data transfer limitations. In addition to data privacy and security laws, we are bound by other contractual obligations related to data privacy and security, and our efforts to comply with such obligations may not be successful. We also publish privacy policies, marketing materials, and other statements regarding data privacy and security and if these policies, materials, or statements are found to be deficient, lacking in transparency, deceptive, unfair, or misrepresentative of our practices, we may be subject to investigation, enforcement actions by regulators, or other adverse consequences. Obligations related to data privacy and security (and consumers' data privacy expectations) are quickly changing, becoming increasingly stringent, and creating uncertainty. Additionally, these obligations may be subject to differing applications and interpretations, which may be inconsistent or conflict among jurisdictions. Preparing for and complying with these obligations requires us to devote significant resources and may necessitate changes to our services, information technologies, systems, and practices and to those of any third parties that process personal data on our behalf. We may at times fail (or be perceived to have failed) in our efforts to comply with our data privacy and security obligations. Moreover, despite our efforts, our personnel or third parties on whom we rely may fail to comply with such obligations, which could negatively impact our business operations. If we or the third parties on which we rely fail, or are perceived to have failed, to address or comply with applicable data privacy and security obligations, we could face significant consequences, including but not limited to: government enforcement actions (e.g., investigations, fines, penalties, audits, inspections, and similar); litigation (including class-action claims) and mass arbitration demands; additional reporting requirements and/or oversight; bans on processing personal data (including clinical trial data); and orders to destroy or not use personal data. In particular, plaintiffs have become increasingly more active in bringing privacy-related claims against companies, including class claims and mass arbitration demands. Some of these claims allow for the recovery of statutory damages on a per violation basis, and, if viable, carry the potential for monumental statutory damages, depending on the volume of data and the number of violations. Any of these events could have a material adverse effect on our reputation, business, or financial condition, including but not limited to: loss of customers; inability to process personal data or to operate in certain jurisdictions; limited ability to develop or commercialize our products; expenditure of time and resources to defend any claim or inquiry; adverse publicity; or substantial changes to our business model or operations.

We face an inherent risk of product liability exposure related to the testing of our product candidates in human trials and will face an even greater risk if we commercially sell any products that we may develop. Product liability claims may be brought against us by subjects enrolled in our trials, patients, healthcare providers or others using, administering or selling our products. If we cannot successfully defend ourselves against claims that our product candidates or other products that we may develop caused injuries, we could incur substantial liabilities. Regardless of merit or eventual outcome, liability claims may result in: - decreased demand for our product candidates;- termination of clinical trial sites or entire trial programs;- injury to our reputation and significant negative media attention;- withdrawal of trial participants;- significant costs to defend the related litigation;- substantial monetary awards to trial subjects or patients;- diversion of management and scientific resources from our business operations; and - the inability to commercialize any products that we may develop. While we currently hold trial liability insurance coverage consistent with industry standards, this may not adequately cover all liabilities that we may incur. We also may not be able to maintain insurance coverage at a reasonable cost or in an amount adequate to satisfy any liability that may arise in the future. We intend to expand our insurance coverage for products to include the sale of commercial products if we obtain marketing approval for our product candidates, but we may be unable to obtain commercially reasonable product liability insurance. A successful product liability claim or series of claims brought against us, particularly if judgments exceed our insurance coverage, could decrease our cash and adversely affect our business and financial condition.

We are exposed to the risk that our employees, consultants, distributors, and collaborators may engage in fraudulent or illegal activity. Misconduct by these parties could include intentional, reckless or negligent conduct or disclosure of unauthorized activities to us that violates the regulations of the FDA and non-U.S. regulators, including those laws requiring the reporting of true, complete and accurate information to such regulators, manufacturing standards, healthcare fraud and abuse laws and regulations in the United States and abroad or laws that require the true, complete and accurate reporting of financial information or data. In particular, sales, marketing and business arrangements in the healthcare industry, including the sale of pharmaceuticals, are subject to extensive laws and regulations intended to prevent fraud, misconduct, kickbacks, self-dealing and other abusive practices. These laws and regulations may restrict or prohibit a wide range of pricing, discounting, marketing and promotion, sales commission, customer incentive programs and other business arrangements. It is not always possible to identify and deter misconduct by our employees and other third parties, and the precautions we take to detect and prevent this activity may not be effective in controlling unknown or unmanaged risks or losses or in protecting us from governmental investigations or other actions or lawsuits stemming from a failure to comply with these laws or regulations. If any such actions are instituted against us and we are not successful in defending ourselves or asserting our rights, those actions could result in the imposition of significant fines or other sanctions, including the imposition of civil, criminal and administrative penalties, damages, monetary fines, disgorgement, individual imprisonment, possible exclusion from participation in Medicare, Medicaid and other federal healthcare programs, additional reporting obligations and oversight if we become subject to a corporate integrity agreement or other agreement to resolve allegations of non-compliance with these laws, contractual damages, reputational harm, diminished profits and future earnings and curtailment of operations, any of which could adversely affect our ability to operate our business and our results of operations. Whether or not we are successful in defending against such actions or investigations, we could incur substantial costs, including legal fees, and divert the attention of management in defending ourselves against any of these claims or investigations.

The timely completion of clinical trials largely depends on patient enrollment. Many factors affect patient enrollment, including: - the impact of public health crises, or geopolitical tensions, such as the ongoing war between Russia and Ukraine and the war in Israel;- perception about the relative efficacy of our product candidates versus other compounds in clinical development or commercially available;- evolving standard of care in treating cancer patients;- the size and nature of the patient population, especially in the case of an orphan indication, we are pursuing;- the number and location of clinical trial sites enrolled;- competition with other organizations or our own clinical trials for clinical trial sites or patients;- the eligibility and exclusion criteria for the trial;- the design of the trial;- ability to obtain and maintain patient consent; and - risk that enrolled subjects will drop out before completion. As a result of the above factors, there is a risk that our or our collaborators' clinical trials may not be completed on a timely basis or at all.