We are subject to data privacy and protection laws and regulations that apply to the collection, transmission, storage and use of personally identifying information, which among other things, impose certain requirements relating to the privacy, security and transmission of personal information, including comprehensive regulatory systems in the United States, European Union and United Kingdom. The legislative and regulatory landscape for privacy and data protection continues to evolve in jurisdictions worldwide, and there has been an increasing focus on privacy and data protection issues with the potential to affect our business. Failure to comply with any of these laws and regulations could result in enforcement action against us, including fines, claims for damages by affected individuals, damage to our reputation and loss of goodwill, any of which could have a material adverse effect on our business, financial condition, results of operations or prospects.
There are numerous U.S. federal and state laws and regulations related to the privacy and security of personal information. In particular, regulations promulgated pursuant to HIPAA establish privacy and security standards that limit the use and disclosure of individually identifiable health information, or protected health information, and require the implementation of administrative, physical and technological safeguards to protect the privacy of protected health information and ensure the confidentiality, integrity and availability of electronic protected health information. Determining whether protected health information has been handled in compliance with applicable privacy standards and our contractual obligations can be complex and may be subject to changing interpretation. These obligations may be applicable to some or all of our business activities now or in the future.
If we are unable to properly protect the privacy and security of protected health information, we could be found to have breached certain contracts with our business partners. Further, if we fail to comply with applicable privacy laws, including applicable HIPAA privacy and security standards, we could face civil and criminal penalties. HHS enforcement activity can result in financial liability and reputational harm, and responses to such enforcement activity can consume significant internal resources. In addition, state attorneys general are authorized to bring civil actions seeking either injunctions or damages in response to violations that threaten the privacy of state residents. We cannot be sure how these regulations will be interpreted, enforced or applied to our operations. In addition to the risks associated with enforcement activities and potential contractual liabilities, our ongoing efforts to comply with evolving laws and regulations at the federal and state level may be costly and require ongoing modifications to our policies, procedures and systems.
In addition to potential enforcement by HHS, we are also potentially subject to privacy enforcement from the Federal Trade Commission, or FTC. The FTC has been particularly focused on the unpermitted processing of health and genetic data through its recent enforcement actions and is expanding the types of privacy violations that it interprets to be "unfair" under Section 5 of the FTC Act, as well as the types of activities it views as triggering the Health Breach Notification Rule (which the FTC also has the authority to enforce). The agency is also in the process of developing rules related to commercial surveillance and data security that may impact our business. We will need to account for the FTC's evolving rules and guidance for proper privacy and data security practices in order to mitigate our risk of a potential enforcement action, which may be costly. If we are subject to a potential FTC enforcement action, we may be subject to a settlement order that requires us to adhere to very specific privacy and data security practices, which may impact our business. We may also be required to pay fines as part of a settlement (depending on the nature of the alleged violations). If we violate any consent order that we reach with the FTC, we may be subject to additional fines and compliance requirements.
States are also active in creating specific rules relating to the processing of personal information. In 2018, California passed into law the California Consumer Privacy Act, or the CCPA, which took effect on January 1, 2020 and imposed many requirements on businesses that process the personal information of California residents. Many of the CCPA's requirements are similar to those found in the General Data Protection Regulation, or the GDPR, including requiring businesses to provide notice to data subjects regarding the information collected about them and how such information is used and shared, and providing data subjects the right to request access to such personal information and, in certain cases, request the erasure of such personal information. The CCPA also affords California residents the right to opt out of "sales" of their personal information. The CCPA contains significant penalties for companies that violate its requirements. In November 2020, California voters passed a ballot initiative for the California Privacy Rights Act, or the CPRA, which went into effect on January 1, 2023, and significantly expanded the CCPA to incorporate additional GDPR-like provisions, including requiring that the use, retention, and sharing of personal information of California residents be reasonably necessary and proportionate to the purposes of collection or processing, granting additional protections for sensitive personal information, and requiring greater disclosures related to notice to residents regarding retention of information. The CPRA also created a new enforcement agency, the California Privacy Protection Agency, whose sole responsibility is to enforce the CPRA, which will further increase compliance risk. The provisions in the CPRA may apply to some of our business activities.
In addition to California, a number of other states have passed comprehensive privacy laws similar to the CCPA and CPRA. These laws are either in effect or will go into effect sometime before the end of 2026. Like the CCPA and CPRA, these laws create obligations related to the processing of personal information, as well as special obligations for the processing of "sensitive" data (which includes health data in some cases). Some of the provisions of these laws may apply to our business activities. There are also states that are strongly considering comprehensive privacy laws during the 2024 legislative sessions. Other states will be considering these laws in the future, and Congress has also been debating passing a federal privacy law. There are also states that are specifically regulating health information that may affect our business. These laws may impact our business activities, including our identification of research subjects, relationships with business partners and ultimately the marketing and distribution of our products.
Similar to the laws in the United States, there are significant privacy and data security laws that apply in Europe and other countries. The collection, use, disclosure, transfer, or other processing of personal data, including personal health data, regarding individuals who are located in the European Economic Area, or EEA, and the processing of personal data that takes place in the EEA, is regulated by the GDPR, which went into effect in May 2018 and imposes obligations on companies that operate in our industry with respect to the processing of personal data and the cross-border transfer of such data. The GDPR imposes onerous accountability obligations requiring data controllers and processors to maintain a record of their data processing and policies. If our or our partners' or service providers' privacy or data security measures fail to comply with the GDPR requirements, we may be subject to litigation, regulatory investigations, enforcement notices requiring us to change the way we use personal data and/or fines of up to 20 million Euros or up to 4% of the total worldwide annual turnover of the group of companies of the preceding financial year, whichever is higher, as well as compensation claims by affected individuals, negative publicity, reputational harm and a potential loss of business and goodwill.
The GDPR places restrictions on the cross-border transfer of personal data from the European Union to countries that have not been found by the European Commission to offer adequate data protection legislation, such as the United States. There are ongoing concerns about the ability of companies to transfer personal data from the European Union to other countries. In July 2020, the Court of Justice of the European Union, or CJEU, invalidated the EU-U.S. Privacy Shield, one of the mechanisms used to legitimize the transfer of personal data from the EEA to the United States. The CJEU's decision also drew into question the long-term viability of an alternative means of data transfer, the standard contractual clauses, for transfers of personal data from the EEA to the United States. This CJEU decision has resulted in increased scrutiny on data transfers generally and may increase our costs of compliance with data privacy legislation as well as our costs of negotiating appropriate privacy and security agreements with our vendors and business partners.
Additionally, in October 2022, President Biden signed an executive order to implement the EU-U.S. Data Privacy Framework, which serves as a replacement for the EU-U.S. Privacy Shield. The European Commission adopted the adequacy decision in July 2023. The adequacy decision permits U.S. companies that self-certify to the EU-U.S. Data Privacy Framework to rely on it as a valid data transfer mechanism for data transfers from the European Union to the United States. However, some privacy advocacy groups have already suggested that they will be challenging the EU-U.S. Data Privacy Framework. If these challenges are successful, they may not only impact the EU-U.S. Data Privacy Framework, but also further limit the viability of the standard contractual clauses and other data transfer mechanisms. The uncertainty around this issue has the potential to impact our business internationally.
Following the withdrawal of the United Kingdom from the European Union, the United Kingdom's Data Protection Act 2018 applies to the processing of personal data that takes place in the United Kingdom and includes parallel obligations to those set forth by GDPR. In relation to data transfers, both the United Kingdom and the European Union have determined, through separate "adequacy" decisions, that data transfers between the two jurisdictions are in compliance with the U.K.'s Data Protection Act 2018 and the GDPR, respectively. In October 2023, the United Kingdom and the United States implemented a U.S.-U.K. "data bridge," which functions similarly to the EU-U.S. Data Privacy Framework and provides an additional legal mechanism for companies to transfer data from the United Kingdom to the United States. Any changes or updates to these developments have the potential to impact our business.
Beyond GDPR, there are privacy and data security laws in a growing number of countries around the world. While many loosely follow GDPR as a model, other laws contain different or conflicting provisions. These laws will impact our ability to conduct our business activities, including both our clinical trials and the sale and distribution of commercial products, through increased compliance costs, costs associated with contracting and potential enforcement actions.
While we continue to address the implications of the recent changes to data privacy regulations, data privacy remains an evolving landscape at both the domestic and international level, with new regulations coming into effect and continued legal challenges, and our efforts to comply with the evolving data protection rules may be unsuccessful. It is possible that these laws may be interpreted and applied in a manner that is inconsistent with our practices. We must devote significant resources to understanding and complying with this changing landscape. Failure to comply with laws regarding data protection would expose us to risk of enforcement actions taken by data protection authorities in the EEA and elsewhere and carries with it the potential for significant penalties if we are found to be non-compliant. Similarly, failure to comply with federal and state laws in the United States regarding privacy and security of personal information could expose us to penalties under such laws. Any such failure to comply with data protection and privacy laws could result in government-imposed fines or orders requiring that we change our practices, claims for damages or other liabilities, regulatory investigations and enforcement action, litigation and significant costs for remediation, any of which could adversely affect our business. Even if we are not determined to have violated these laws, government investigations into these issues typically require the expenditure of significant resources and generate negative publicity, which could harm our reputation and our business, financial condition, results of operations or prospects.