Twist Bioscience (TWST) Risk Factors

The Federal Select Agent Program, or the FSAP, involves rules administered by the Centers for Disease Control and Prevention and Toxins and the Animal and Plant Health Inspection Service that regulate possession, use and transfer of biological select agents and toxins that have the potential to pose a severe threat to public, animal or plant health or to animal or plant products. We have established a comprehensive, biosecurity program under which we follow biosafety and biosecurity best practices and avoid DNA synthesis activities that implicate FSAP rules; however, we could inadvertently err in our observance of compliance program requirements in a manner that leaves us in noncompliance with FSAP or other biosecurity rules. In addition, authorities could promulgate new biosecurity requirements that restrictions our operations. One or more resulting legal penalties, restraints on our business or reputational damage could have material adverse effects on our business and financial condition.

We rely on several centralized information technology systems throughout our Company to provide products, keep financial records, process orders, manage inventory, process shipments to customers and operate other critical functions. In addition, we currently generate a growing portion of our revenue through sales on our e-commerce platform. We manage our website and e-commerce platform internally and as a result any compromise of our security or misappropriation of proprietary information could have a material adverse effect on our business, financial condition and results of operations. We rely on encryption and authentication technology licensed from third parties to provide the security and authentication necessary to effect secure Internet transmission of confidential information, such as credit and other proprietary information. In 2024, we received ISO 27001:2022 certification, the most advanced information security standard published by the International Organization for Standardization (ISO), the world's largest developer of voluntary international standards, and the International Electrotechnical Commission. Even though our information security management system received ISO 27001:2022 certification, our, and our partners' or suppliers', information technology systems have been and may still be susceptible to damage, disruptions or shutdowns due to power outages, hardware failures, computer viruses, cyberattacks such as phishing, social engineering, ransomware, denial-of-service and other malware attacks, telecommunication failures, user errors, catastrophes or other unforeseen events. Additionally, some actors are using artificial intelligence ("AI") technology to launch more automated, targeted and coordinated attacks. Our, or our partners' or suppliers' information technology systems also may experience interruptions, delays or cessations of service or produce errors in connection with system integration, software upgrades or system migration work that takes place from time to time. If we were to experience a prolonged system disruption in the information technology systems that involve our interactions with customers or suppliers, including negatively impacting our order fulfillment and order entry on our e-commerce platform, it could result in the loss of sales and customers and significant incremental costs, which could adversely affect our business. In addition, security breaches of our, or our partners' or suppliers', information technology systems could result in the misappropriation or unauthorized disclosure of confidential information belonging to us or to our employees, partners, customers or suppliers, including trade secrets or other intellectual property, proprietary business information, and personal information. Cybersecurity incidents, including phishing attacks and attempts to misappropriate or compromise confidential or proprietary information or sabotage enterprise IT systems are becoming increasingly frequent. While we have not, to our knowledge, experienced any material system failure, accident, or security breach to date, because techniques used to obtain unauthorized access to or to sabotage systems are constantly evolving and generally are not recognized until they are launched against a target, we cannot be sure that our continued data protection efforts and investment in information technology will prevent significant breakdowns, data leakages, breaches in our systems or the systems of our third party contractors and collaborators, or other cyber incidents in the future that could have a material adverse effect upon our reputation, business, operations, or financial condition. If such an event were to occur, it could materially disrupt our operations and programs, the development of our product candidates and production and shipment of our products. Any event that leads to unauthorized access, use, or disclosure of personal information, including personal information regarding our partners, suppliers or employees, could require us to comply with federal or state breach notification laws and foreign law equivalents, subject us to mandatory corrective action, and otherwise subject us to liability under laws and regulations that protect the privacy and security of personal information and harm our reputation. We would also be exposed to a risk of litigation and potential liability, which could materially adversely affect our business, results of operations and financial condition. In addition, the costs related to significant security breaches or disruptions could be material and exceed the limits of the cybersecurity insurance we maintain against such risks. As a result of any cyber incident, we could incur significant legal and financial exposure and reputational damages that could have a material adverse effect on our business. Threats involving the misuse of access to our network, systems, and information by our current or former employees, contractors, vendors, or partners, whether intentional or unintentional, also pose a risk to the security of our network, systems, and information and data. For example, we are subject to the risk that employees may inadvertently share confidential information with unintended third parties, or that departing employees may take, or create their own information based on, our confidential information upon leaving the Company. In addition, any such insiders may be the victims of social engineering attacks that enable third parties to access our network, systems, and information using an authorized person's credentials. We and our network, systems, and information are also vulnerable to malicious acts by insiders, including leaking, modifying, or deleting confidential information, or performing other acts that could materially interfere with our operations and business. While we provide regular training to our employees regarding cybersecurity threats and best practices, we cannot ensure that such training or other efforts will prevent unauthorized access to or sabotage of our network, systems, and information. In addition, we and our third-party providers are at heightened risk of theft or cyber attack of technology, data, and intellectual property through direct intrusion by private parties or foreign actors, including those affiliated with or controlled by nation-state actors. This includes attacks which could materially disrupt our systems and operations, supply chain, and ability to produce, sell and distribute our products and services. If any theft affects or attack our technology, data, or intellectual property, our efforts to protect and enforce our intellectual property rights around the world may be inadequate to obtain a significant commercial advantage from our intellectual property, and we may be at heightened risk of losing our proprietary intellectual property rights around the world, including outside of such countries, to the extent such theft, attack or intrusion destroys the proprietary nature of our intellectual property. While we implement security measures designed to reduce these risks, there is no guarantee these measures will be adequate to safeguard all systems and networks. Any failure to maintain performance, reliability, security and availability of our systems and networks may result in accidental or unlawful destruction, damage, loss, unavailability, alteration, impairment, misuse, unauthorized disclosure of, or unauthorized access to our data, including personal or proprietary information.

We believe that developing and maintaining our brand is important to our success and that our financial success is influenced by the perception of our brand by our customers. Furthermore, the importance of our brand recognition may become even greater to the extent that competitors offer more products similar to ours. Many factors, some of which are beyond our control, are important to maintaining our reputation and brand. These factors include our ability to comply with ethical, social, product, labor and environmental standards. Any actual or perceived failure in compliance with such standards could damage our reputation and brand.

Corporate tax reform, base-erosion efforts and tax transparency continue to be high priorities in many tax jurisdictions where we intend to have business operations. As a result, policies regarding corporate income and other taxes in numerous jurisdictions are under heightened scrutiny and tax reform legislation is being proposed or enacted in a number of jurisdictions. For example, the Tax Cuts and Jobs Act of 2017, or the Tax Act, signed into law on December 22, 2017, adopting broad U.S. corporate income tax reform, among other things, reduced the U.S. corporate income tax rate, but imposed base-erosion prevention measures on non-U.S. earnings of U.S. entities as well as a one-time mandatory deemed repatriation tax on accumulated non-U.S. earnings of U.S. entities. In addition, many countries are beginning to implement legislation and other guidance to align their international tax rules with the Organization for Economic Co-operation and Development's Base Erosion and Profit Shifting recommendations and action plan that aim to standardize and modernize global corporate tax policy, including changes to cross-border tax, transfer-pricing documentation rules, and nexus-based tax incentive practices. Such legislative initiatives may materially and adversely affect our plans to expand internationally and may negatively impact our financial condition and results of operations generally.

During our fiscal years ended September 30, 2024, 2023 and 2022, 40%, 40% and 41%, respectively, of our revenue was generated from customers located outside of the United States. In connection with our growth strategy, we intend to further expand in international markets. Conducting and launching operations on an international scale requires close coordination of activities across multiple jurisdictions and time zones and consumes significant management resources. If we fail to coordinate and manage these activities effectively, our business, financial condition or results of operations could be adversely affected. International sales entail a variety of risks, including longer payment cycles and difficulties in collecting accounts receivable outside of the United States, currency exchange fluctuations, challenges in staffing and managing foreign operations, tariffs and other trade barriers (including tariffs enacted and proposed by the U.S. government on various imports from China and by the Chinese government on certain U.S. goods), unexpected changes in legislative or regulatory requirements of foreign countries into which we sell our products, difficulties in obtaining export licenses or in overcoming other trade barriers, laws and business practices favoring local companies, political instability, including conflicts and tensions involving Russia and China and the Israel-Hamas war, economic instability, difficulties protecting or procuring intellectual property rights, and restrictions resulting in delivery delays and significant taxes or other burdens of complying with a variety of foreign laws. Changes in the value of the relevant currencies may affect the cost of certain items required in our operations. Changes in currency exchange rates may also affect the relative prices at which we are able to sell products in the same market. Our revenue from international customers may be negatively impacted as increases in the U.S. dollar relative to our international customers' local currency could make our products more expensive, impacting our ability to compete. Our costs of materials from international suppliers may increase if in order to continue doing business with us they raise their prices as the value of the U.S. dollar decreases relative to their local currency. Foreign policies and actions regarding currency valuation could result in actions by the United States and other countries to offset the effects of such fluctuations. The recent global financial downturn has led to a high level of volatility in foreign currency exchange rates and that level of volatility may continue, which could adversely affect our business, financial condition or results of operations.

Our headquarters in South San Francisco, California is located near known earthquake fault zones and is vulnerable to damage from earthquakes. Our primary manufacturing facility in Wilsonville, Oregon is vulnerable to extreme heat, wildfires, and severe weather events, all of which may be further exacerbated by the effects of climate change, as well as damage from earthquakes. An earthquake or other natural disaster or power shortages or outages could disrupt operations or impair critical systems at our headquarters or at any of our other facilities throughout the world. We, our suppliers, third-party service providers and customers are vulnerable to damage from natural disasters, including fire, floods or monsoons, power loss, communications failures, public health crises, such as pandemics and epidemics, political crises, such as terrorism, war, political instability or other conflict and similar events. If any disaster were to occur, our ability to operate our business at any of our facilities could be seriously, or potentially completely, impaired. In addition, the nature of our activities could cause significant delays in our research programs and commercial activities and make it difficult for us to recover from a disaster. The insurance we maintain may not be adequate to cover our losses resulting from disasters or other business interruptions. Accordingly, an earthquake or other disaster could materially and adversely harm our ability to conduct business. Furthermore, our in vivo antibody discovery services involve mice. In the past, vivarium sites have been shut down by animal activists, and any disturbance or shut down at the site where our in vivo antibody discovery work is being conducted could disrupt our business operations or harm our reputation.

Our international business activities must comport with U.S. export controls and other international trade restraints, including the U.S. Department of Commerce's Export Administration Regulations and economic sanctions regulations administered by the U.S. Treasury Department's Office of Foreign Assets Controls. We have established an international trade compliance program that encompasses best practices for preventing, detecting and addressing noncompliance with international trade restraints. Furthermore, to date our exports have not been licensable under export controls; however, we could fail to observe the compliance program requirements in a manner that leaves us in noncompliance with export controls or other international trade restraints. In addition, authorities could promulgate international trade restraints that impinge on our ability to pursue our business as planned. One or more of resulting legal penalties, restraints on our business or reputational damage could have material adverse effects on our business and financial condition.