Thorne HealthTech (THRN) Risk Analysis

From time to time, we may be subject to claims, lawsuits, government investigations and other proceedings involving products liability, competition and antitrust, intellectual property, privacy, data protection, information security, customer protection, securities, tax, labor and employment, commercial disputes and other matters that could adversely affect our business operations and financial condition. Litigation and regulatory proceedings, and particularly the intellectual property infringement matters that we are currently facing or could face, may be protracted and expensive, and the results are difficult to predict. Certain of these matters include speculative claims for substantial or indeterminate amounts of damages and include claims for injunctive relief. Additionally, our litigation costs could be significant. Adverse outcomes with respect to litigation or any of these legal proceedings may result in significant settlement costs or judgments, penalties and fines, or require us to modify our products or services, make content unavailable, or require us to stop offering certain features, all of which could negatively affect our membership and revenue growth. We are aware of third-party issued U.S. patents with claims relating to compositions of nicotinamide riboside, a component of some of our products, owned by the Trustees of Dartmouth and licensed to ChromaDex Corporation (ChromaDex). We have filed petitions for inter partes review against these patents at the Patent Trial and Appeal Board to seek to invalidate these patents. In May 2021, the Trustees of Dartmouth and ChromaDex initiated infringement proceedings against us. The complaint seeks to enjoin us from selling our nutritional supplement products that contain nicotinamide riboside, including our NiaCel suite of supplements, and further seeks monetary damages for alleged infringement. In August 2021, the trail judge in the patent infringement litigation issued an Order to Stay the litigation during the pendency of two inter partes reviews (described further in Item 3. Legal Proceedings), in which decision will likely be made in mid-2022. The results of litigation, investigations, claims, and regulatory proceedings cannot be predicted with certainty, and determining reserves for pending litigation and other legal and regulatory matters requires significant judgment. There can be no assurance that our expectations will prove correct, and even if these matters are resolved in our favor or without significant cash settlements, these matters, and the time and resources necessary to litigate or resolve them, could harm our business, financial condition, and operating results.

In the course of offering personalized health and wellness recommendations, we collect a substantial amount of personalized health information. Numerous state and federal laws and regulations govern the collection, dissemination, use, privacy, confidentiality, security, availability, integrity and other processing of protected health information (PHI), and other types of personal information. For example, HIPAA establishes a set of national privacy and security standards for the protection PHI by health plans, healthcare clearinghouses and certain healthcare providers, referred to as covered entities, and the business associates with whom such covered entities contract for services, as well as their covered subcontractors. When we act in the capacity of a business associate under HIPAA, we execute business associate agreements with our clients. HIPAA requires covered entities and business associates, such as us, to develop and maintain policies and procedures with respect to PHI that is used or disclosed, including the adoption of administrative, physical and technical safeguards to protect such information. Violations of HIPAA may result in significant civil and criminal penalties. HIPAA also authorizes state attorneys general to file suit on behalf of their residents. Courts may award damages, costs and attorneys' fees related to violations of HIPAA in such cases. While HIPAA does not create a private right of action allowing individuals to sue us in civil court for violations of HIPAA, its standards have been used as the basis for duty of care in state civil suits such as those for negligence or recklessness in the misuse or breach of duties related to PHI. In addition, HIPAA mandates that the Secretary of HHS conduct periodic compliance audits of HIPAA covered entities and business associates for compliance with the HIPAA privacy and security rules. HIPAA further requires that patients be notified of any unauthorized acquisition, access, use or disclosure of their unsecured PHI that compromises the privacy or security of such information, with certain exceptions related to unintentional or inadvertent use or disclosure by employees or authorized individuals. HIPAA requires such notifications to be made "without unreasonable delay and in no case later than 60 calendar days after discovery of the breach." If a breach affects 500 patients or more, it must be reported to HHS without unreasonable delay, and HHS will post the name of the breaching entity on its public web site. Breaches affecting 500 patients or more in the same state or jurisdiction must also be reported to the local media. If a breach involves fewer than 500 people, the covered entity must record it in a log and notify HHS at least annually. In addition to HIPAA, numerous other federal, state, and foreign laws and regulations protect the confidentiality, privacy, availability, integrity and security of health-related and other personal information. These laws and regulations in many cases are more restrictive than, and may not be preempted by, HIPAA and its implementing rules. These laws and regulations are often uncertain, contradictory, and subject to changed or differing interpretations, and we expect new laws, rules and regulations regarding privacy, data protection, and to be proposed and enacted in the future. Further, the U.S. and many state attorneys general are interpreting existing federal and state consumer protection laws to impose evolving standards for the online collection, use, dissemination and security of health-related and other personal information. Courts may also adopt the standards for fair information practices promulgated by the FTC, which concern consumer notice, choice, security and access. Consumer protection laws require us to publish statements that describe how we handle personal information and choices individuals may have about the way we handle their personal information. If such information that we publish is considered untrue, we may be subject to government claims of unfair or deceptive trade practices, which could lead to significant liabilities and consequences. Furthermore, according to the FTC, violating consumers' privacy rights or failing to take appropriate steps to keep consumers' personal information secure may constitute unfair acts or practices in or affecting commerce in violation of Section 5(a) of the FTC Act. California also has enacted the California Consumer Privacy Act (CCPA), which came into effect on January 1, 2020. Pursuant to the CCPA, certain businesses are required, among other things, to make certain enhanced disclosures related to California residents regarding the use or disclosure of their personal information, allow California residents to opt-out of certain uses and disclosures of their personal information without penalty, provide California residents with other choices related to personal information in our possession, and obtain opt-in consent before engaging in certain uses of personal information relating to California residents under the age of 16. The California Attorney General may seek substantial monetary penalties and injunctive relief in the event of our non-compliance with the CCPA. The CCPA also allows for private lawsuits from Californians in the event of certain data breaches. Moreover, the California Privacy Rights Act (CPRA), was recently passed in California. The CPRA significantly modifies the CCPA, creating additional data protection obligations relating to consumer data on covered businesses, including additional consumer rights processes, limitations on data uses, new audit requirements for higher risk data, and opt outs for certain uses of sensitive data. It will also create a new California data protection agency authorized to issue substantive regulations and could result in increased privacy and information security enforcement. The majority of the CPRA provisions will go into effect on January 1, 2023, with enforcement beginning July 1, 2023. Aspects of the CCPA and CPRA remain uncertain, and we may be required to make modifications to our policies or practices in efforts to comply. Other states are considering similar legislation. A broad range of legislative measures also have been introduced at the federal level. In Europe, the collection, use, disclosure, transfer or other processing of personal data regarding individuals, including personal health data and employee data, is subject to the GDPR, which took effect in May 2018. The GDPR is wide-ranging in scope and imposes numerous requirements on companies that process personal data of individuals within the European Economic Area (EEA), including requirements relating to processing health and other sensitive data, obtaining consent of the individuals to whom the personal data relates, providing information to individuals regarding data processing activities, implementing safeguards to protect the security and confidentiality of personal data, providing notification of data breaches, and taking certain measures when engaging third-party processors. In addition, the GDPR imposes strict rules on the transfer of personal data to countries outside the EEA, including the United States and, as a result, increases the scrutiny that such rules should apply to transfers of personal data from the EEA to the United States. The GDPR also permits data protection authorities to require destruction of improperly gathered or used personal information and/or impose substantial fines for violations of the GDPR, which can be up to the greater of four percent of global revenues or €20 million, and confers a private right of action on data subjects and consumer associations to lodge complaints with supervisory authorities, seek judicial remedies, and obtain compensation for damages resulting from violations of the GDPR. In addition, the GDPR provides that European Union member states may make their own further laws and regulations limiting the processing of personal data, including genetic, biometric, or health data. Further, the United Kingdom exited the EU effective January 31, 2020. The United Kingdom's decision to leave the European Union has created uncertainty with regard to data protection regulation in the United Kingdom. As of January 1, 2021, we are also subject to the UK General Data Protection Regulation and UK Data Protection Act of 2018, which retains the GSPR in the United Kingdom's national law. Failure to comply with any of these obligations could expose us to penalties of up to the greater of four percent of global revenues or £17.5 million. This complex, dynamic legal landscape regarding privacy, data protection, and information security creates significant compliance issues for us and our clients and potentially exposes us to additional expense, adverse publicity and liability. While we have implemented data privacy and security measures in an effort to comply with applicable laws and regulations relating to privacy, data protection and information security, PHI and other personal information is processed for us or transmitted to us by third parties,who may not implement adequate security and privacy measures, and it is possible that laws, rules or regulations relating to privacy, data protection, or information security may be interpreted and applied in a manner that is inconsistent with our practices or those of third parties who perform services for us or transmit PHI and other personal information to us. Any failure or perceived failure by us or these third parties to comply with laws, regulations, rules or other obligations relating to privacy, data protection or information security, may result in governmental investigations or enforcement actions, litigation, claims and other proceedings, and could result in significant fines, penalties, and other liability. Additionally, defending against any claims, litigation, regulatory proceedings, or other proceedings can be costly, time-consuming and may require significant financial and personnel resources. Therefore, even if we are successful in defending against any such actions or proceedings that may be brought against us, our business may be impaired, and we may suffer reputational and other harm. Further, complying with these various laws, regulations, and other obligations could cause us to incur substantial costs or require us to change our business practices, systems and compliance procedures in a manner adverse to our business. Furthermore, the costs of compliance with, and other burdens imposed by, the laws, regulations and policies that are applicable to the businesses of our clients may limit the use and adoption of, and reduce the overall demand for, our platform. Even the perception of privacy concerns, whether or not valid, may harm our reputation and inhibit use and adoption of our platform. Further, if any information that we collect from or otherwise process about our customers is used, accessed or disclosed in an unauthorized manner, or if this is reported or perceived to have occurred, customers may not want to provide such information to us, which could prevent us from providing recommendations, subject us to liability or damage our reputation and brand. Any of the foregoing consequences could have a material adverse impact on our business and our financial results.

Meeting customer demand partially depends on our ability to obtain timely and adequate delivery of ingredients for our nutritional supplement products. Certain ingredients that get incorporated into our nutritional supplement products are sourced from a limited number of third-party suppliers, and some of these ingredients are provided by a single supplier. These suppliers may breach or otherwise terminate our supply agreements, or their capabilities to deliver adequate ingredients to us may be affected by other factors such as fluctuations in the market, supply chain issues, litigation or regulatory issues or force majeure events, including the COVID-19 pandemic and international conflicts such as those affecting the Ukraine, and in any of the cases, the sourcing and commercialization of our products can be adversely affected. For example, there is considerable patent and other intellectual property development activity in the personalized health and wellness products industry, and litigation, based on allegations of infringement or other violations of intellectual property, is frequent in this industry. If our suppliers are sued, their capabilities to deliver adequate ingredients to us may be adversely affected. We are therefore subject to the risk of shortages and long lead times in the supply of these ingredients and the risk that our suppliers discontinue or modify ingredients. In addition, the lead times associated with certain ingredients are lengthy and preclude rapid changes in quantities and delivery schedules. We have experienced supply shortages and resulting longer lead-times in the past and may in the future experience ingredient shortages, and the predictability of the availability of these ingredients may be limited. In the event of an ingredient shortage or a supply interruption from suppliers of these ingredients, we may not be able to develop alternate sources of supply in a timely manner. Developing alternate sources of supply for these ingredients may be time-consuming, difficult and costly and we may not be able to source these ingredients on terms that are acceptable to us, or at all, which may undermine our ability to fill our orders in a timely manner. Any interruption or delay in the supply of any of these ingredients, or the inability to obtain these ingredients from alternate sources at acceptable prices and within a reasonable amount of time, would harm our ability to meet our scheduled product deliveries to our customers. In addition, increases in our ingredient costs could have a material effect on our gross margins. The loss of a significant supplier, an increase in ingredient costs, or delays or disruptions in the delivery of ingredients, could adversely impact our ability to generate future revenue and earnings and have an adverse effect on our business, financial condition and operating results.

Part of our success is our ability to innovate and introduce new products focused on our health professional and consumer demands. To maintain our success and increase our customer base, we must continue to develop products and services and anticipate and react to changing health professional and consumer demands in a timely manner. Our products and services are subject to changing consumer preferences that cannot be predicted with certainty. If we are unable to introduce new or enhanced products in a timely manner, or our new or enhanced products are not accepted by our customers, then our competitors may introduce competitive products faster than us, which could negatively affect our rate of growth. Moreover, our new products may not receive customer acceptance because preferences could shift rapidly to alternative nutritional supplements, and our future success depends in part on our ability to anticipate and respond to these changes. Failure to anticipate and respond in a timely manner to changing customer preferences could lead to, among other things, lower sales and subscriptions, pricing pressure, lower gross margins, and excess inventory. Even if we are successful in anticipating consumer preferences, our ability to adequately react to and address them will partially depend upon our continued ability to develop and introduce innovative, high-quality product and services offerings. Development of new or enhanced products and services may require significant time and financial investment, which could result in increased costs and a reduction in our profit margins.

We rely, or will rely, on information technology systems to keep financial records and other sensitive business, information, including personal information about our employees, customers and other third parties, facilitate our research and development initiatives, manage our manufacturing operations, maintain quality control, communicate with customers, fulfill customer orders, maintain corporate records, communicate with staff and external parties and operate other critical functions. While we take measures to safeguard and protect this information, including using methods such as multi-layer firewalls, intrusion detection systems, content filtering, endpoint security, centralized logging and alerting, email security mechanisms, and access control mechanisms, threats to network and data security are increasingly diverse and sophisticated. We also continue to pursue independent third-party assessments and validations of our security and compliance capabilities, including through obtaining industry-standard certification like SOC 2. Despite our efforts and processes to prevent security breaches and incidents, our products and services, as well as our servers, computer systems, and those of third parties that we use in our operations are vulnerable to cybersecurity risks, including cyberattacks such as viruses and worms, phishing attacks and other forms of social engineering, denial-of-service attacks, ransomware attacks, physical or electronic break-ins, third-party or employee theft or misuse, and other negligent actions, errors or malfeasance by employees or other third parties, and similar disruptions from unauthorized tampering with our servers and computer systems or those of third parties that we use in our operations, which could lead to interruptions, delays, loss or corruption of critical data, unauthorized access to or acquisition of health-related and other personal information and loss of customer confidence. In addition, we may be the target of email scams and other social engineering attacks that attempt to acquire personal information or company assets or access to our systems. Despite our efforts to create security barriers to such threats, we may not be able to entirely mitigate these risks. Our third-party service providers face similar risks. Any cyberattack that attempts to obtain our or our customers' data or assets, disrupt our service, or otherwise access our systems, or those of third parties we use, or any other security breach or incident, could adversely affect our business, and financial condition and operating results, be expensive to remedy, and damage our reputation. We and our third-party service providers may face difficulties or delays in identifying or otherwise responding to any attacks or actual or potential security breaches or security incidents. We may incur significant costs and operational consequences of investigating, remediating, eliminating and putting in place additional tools and devices designed to prevent actual or perceived security breaches and other security incidents, including in response to any actual or perceived incident we may suffer, and substantial costs to comply with any notification or other legal obligations resulting from any security breaches or other security incidents. In addition, any such breaches or incidents, or the perception that they have occurred, may result in negative publicity, and adversely affect our brand and market perception of our platform and our company, impacting demand for our products and services, and could have an adverse effect on our business, financial condition and operating results. Although we maintain insurance coverage that may cover certain liabilities in connection with security breaches and other security incidents, we cannot be certain our insurance coverage will be adequate for liabilities actually incurred, that insurance will continue to be available to us on commercially reasonable terms, if at all, or that any insurer will not deny coverage as to any future claim. The successful assertion of one or more large claims against us that exceed available insurance coverage, the occurrence of changes in our insurance policies, including premium increases or the imposition of large deductible or co-insurance requirements, or denials of coverage, could have a material adverse effect on our business, including our financial condition, results of operations and reputation.

We face significant competition in the health and wellness market. Due to our comprehensive approach to health and wellness, we currently compete with different health and wellness companies in different markets, such as Nestle Health Science and Metagenics in the nutritional supplement market, Hims, 23andMe and Livongo in the health services and online testing market, and companies like Schrodinger and SEMA4 in the AI-driven healthcare market. We believe that the principal competitive factors in our market are product quality, consumer experience, brand awareness and loyalty, reliability and trust in the quality of our products and services. Some of our current competitors are large publicly-traded companies, or are divisions of large publicly-traded companies, and may enjoy a number of competitive advantages over us, including: - greater name and brand recognition;- greater financial and human resources;- broader and deeper product lines and services;- larger sales forces and more established distributor networks;- substantial intellectual property portfolios;- larger and more established customer bases and relationships;- greater research and development capacity; and - better established, larger scale and lower cost manufacturing capabilities. Our competitors may develop, or have already developed, products, features, services and technologies that are similar to ours or that achieve greater acceptance. They may undertake more successful product development efforts, create more compelling employment opportunities or marketing campaigns and may adopt more aggressive pricing policies. Our competitors may also develop or acquire, or have already developed or acquired, intellectual property rights that significantly limit or prevent our ability to compete effectively in the public marketplace. In addition, our competitors may have significantly greater resources than us, allowing them to identify and capitalize more efficiently upon opportunities in new markets and consumer preferences and trends, quickly transition and adapt their products and services, devote greater resources to marketing and advertising and be better positioned to withstand substantial price competition. We cannot assure investors that our products will compete favorably or that we will be successful in the face of increasing competition from products, services and technologies introduced by our existing or future competitors, or developed by our distributors or healthcare professionals. In addition, we cannot assure investors that our competitors do not have or will not develop products or services with better outcomes or at lower costs than ours. Any failure to compete effectively could materially and adversely affect our business, financial condition and operating results.

We are currently expanding our operations to other countries, which requires significant resources and management attention and subjects us to regulatory, economic, and political risks in addition to those we already face in our primary markets of the United States, Canada, the United Kingdom, Australia, China, and the European Union. There are significant risks and costs inherent in doing business in international markets, including: - difficulty establishing and managing international operations and the increased operations, travel, infrastructure, including establishment of local delivery service and customer service operations and legal compliance costs associated with locations in different countries or regions;- the need to vary pricing and margins to effectively compete in international markets;- marketing and brand recognition costs;- the need to adapt and localize products for specific countries, including obtaining rights to third-party intellectual property used in each country;- increased competition from local providers of similar products and services;- the ability to protect and enforce intellectual property rights abroad;- the need to offer customer support in various languages;- the challenges of negotiating with foreign distributors;- difficulties in understanding and complying with local laws, regulations and customs in other jurisdictions;- compliance with anti-bribery laws, such as the U.S. Foreign Corrupt Practices Act (FCPA), and the U.K. Bribery Act 2010 (U.K. Bribery Act), by us, our employees and our business partners;- complexity and other risks associated with current and future legal requirements in other countries, including legal requirements related to consumer protection, consumer product safety and data privacy and data protection frameworks,such as the E.U. General Data Protection Regulation (GDPR);- tariffs and other non-tariff barriers, such as quotas and local content rules, as well as tax consequences;- fluctuations in currency exchange rates and the requirements of currency control regulations, which might restrict or prohibit conversion of other currencies into U.S. dollars; and - political or social unrest or economic instability in a specific country or region in which we operate, including, for example, the effects of "Brexit," which could have an adverse impact on our operations in the United Kingdom and E.U. We have limited experience with international regulatory environments and market practices and may not be able to penetrate or successfully operate in the markets we choose to enter. In addition, we may incur significant expenses as a result of our international expansion, and we may not be successful. We may face limited brand recognition in certain parts of the world that could lead to non-acceptance or delayed acceptance of our products and services by customers in new markets. We may also face challenges to acceptance of our health and wellness content in new markets. Our failure to successfully manage these risks could harm our international operations and have an adverse effect on our business, financial condition and operating results.

Our business is vulnerable to damage or interruption from hurricanes, earthquakes, fires, floods, power losses, telecommunications failures, terrorist attacks, acts of war, human errors, break-ins, and similar events. The third-party systems and operations and manufacturers we rely on are subject to similar risks. For example, a significant natural disaster, such as a hurricane affecting our South Carolina facilities, an earthquake affecting our California facilities, or a fire, or flood, could have an adverse effect on our business, financial condition and operating results, and our insurance coverage may be insufficient to compensate us for losses that may occur. Acts of terrorism, which may be targeted at metropolitan areas that have higher population density than rural areas, such as New York City where our corporate headquarters is located, could also cause disruptions in our business or the economy as a whole. We may not have sufficient protection or recovery plans in some circumstances, such as natural disasters affecting locations that store significant inventory of our products, that house our servers, or from which we generate content. As we rely heavily on our computer and communications systems, and the internet to conduct our business and provide high-quality customer service, these disruptions could negatively impact our ability to run our business and either directly or indirectly disrupt suppliers' and manufacturers' businesses, which could have an adverse effect on our business, financial condition, and operating results. In addition, the COVID-19 pandemic and widespread shelter-in-place and other governmental restrictions have caused most of our employees to work remotely. Given these widespread remote work arrangements, if a natural disaster, power outage, connectivity issue, or other event occurs that impacts our employees' ability to work remotely, it may be difficult or, in certain cases, impossible, for us to continue our business and provide high-quality customer service for a substantial period of time.