We are subject to or affected by numerous federal, state and foreign laws and regulations, as well as regulatory guidance, governing the collection, use, disclosure, retention, and security of personal information, such as information that we collect about patients and healthcare providers in connection with clinical trials in the United States and abroad. The global data protection landscape is rapidly evolving, and implementation standards and enforcement practices are likely to remain uncertain for the foreseeable future. This evolution may create uncertainty in our business, affect our or any service providers', contractors' or future collaborators' ability to operate in certain jurisdictions or to collect, store, transfer, use and share personal information, necessitate the acceptance of more onerous obligations in our contracts, result in liability or impose additional costs on us. The cost of compliance with these laws, regulations and standards is high and is likely to increase in the future. Any failure or perceived failure by us or our collaborators, service providers and contractors to comply with federal, state or foreign laws or regulations, our internal policies and procedures or our contracts governing processing of personal information could result in negative publicity, diversion of management time and effort and proceedings against us by governmental entities or others. In many jurisdictions, enforcement actions and consequences for noncompliance are rising.
As our operations and business grow, we may become subject to or affected by new or additional data protection laws and regulations and face increased scrutiny or attention from regulatory authorities. In the United States, HIPAA imposes, among other things, certain standards relating to the privacy, security, transmission and breach reporting of individually identifiable health information. Certain states have also adopted comparable privacy and security laws and regulations, some of which may be more stringent than HIPAA. Such laws and regulations will be subject to interpretation by various courts and other governmental authorities, thus creating potentially complex compliance issues for us and our future customers and strategic partners. For example, the CCPA gives California residents expanded rights to access and delete their personal information, opt out of certain personal information sharing, and receive detailed information about how their personal information is used. The CCPA provides for civil penalties for violations, as well as a private right of action for data breaches. The CCPA may increase our compliance costs and potential liability. Following the amendment of the CCPA by the California Privacy Rights Act, or CPRA, the CCPA is implemented and enforced by a new California data protection agency, the California Privacy Protection Agency, which may result in increased regulatory scrutiny of California businesses in the areas of data protection and security. The effects of the CCPA, as amended by the CPRA, are potentially significant and may require us to modify our data collection or processing practices and policies and to incur substantial costs and expenses in an effort to comply, and may increase our potential exposure to regulatory enforcement and/or litigation.
Certain other state laws impose similar privacy obligations, and we anticipate that more states will enact legislation similar to the CCPA. Already, laws similar to the CCPA have been passed in numerous other states. While these laws incorporate many of the same concepts as the CCPA, there are also several key differences in the scope, application and enforcement of the laws that will change the operational practices of regulated entities. In addition, Washington state recently passed a comprehensive health information privacy law. Proposed and newly enacted legislation may add further complexity, variation in requirements, restrictions and potential legal risk, require additional investment of resources in compliance programs, affect our strategies and the availability of previously useful data, and could result in increased compliance costs and/or changes in business practices and policies.
Our operations abroad may also be subject to increased scrutiny or attention from data protection authorities. Many countries in which we operate have established or are in the process of establishing privacy and data security legal frameworks with which we, our collaborators, service providers, including our CROs, and contractors must comply. For example, we must comply with the European Union General Data Protection Regulation, or EU GDPR (with regard to the European Economic Area, or EEA), and the UK GDPR (with regard to the UK), as well as applicable national data protection legislation and requirements. In this document, GDPR refers to both the EU GDPR and the UK GDPR, unless specified otherwise. The GDPR is wide-ranging in scope and imposes numerous requirements on companies that process personal information, including requirements relating to having a legal basis for processing personal data, stricter requirements relating to the processing of sensitive data (such as health data), obtaining the consent of the individuals to whom the personal data relates where the GDPR so requires, providing information to individuals regarding data processing activities, implementing safeguards to protect the security and confidentiality of personal data, providing notification of data breaches, conducting data protection impact assessments for high-risk processing and taking certain measures when engaging third-party processors. Failure to comply with the requirements of the GDPR may result in warning letters, mandatory audits, orders to cease or change the use of data, and financial penalties, including fines of up to 4% of global annual revenues or 20,000,000 Euro (£17.5 million for the UK), whichever is greater. The GDPR also confers a private right of action on data subjects and consumer associations to lodge complaints with supervisory authorities, seek judicial remedies and obtain compensation for damages resulting from violations of the GDPR.
The GDPR provides that EEA Member States may make their own further laws and regulations in relation to the processing of genetic, biometric or health data, which could result in differences between Member States, limit our ability to use and share personal data or could cause our costs to increase, and harm our business and financial condition.
The GDPR also includes restrictions on cross-border transfers of personal data to countries outside the EEA and the UK that are not considered by the European Commission or the UK Government as providing adequate protection for personal data, including the United States, unless a valid GDPR transfer mechanism (for example, the European Commission approved Standard Contractual Clauses, or SCCs, or the UK International Data Transfer Agreement/Addendum, or UK IDTA) has been put in place. Where relying on the SCCs or the UK IDTA for data transfers, we may also be required to carry out transfer impact assessments to assess whether the recipient is subject to local laws that allow public authority access to personal data. Further, the European Commission has adopted an adequacy decision for the EU-U.S. Data Privacy Framework, or the Framework, which entered into force on July 11, 2023. The Framework provides that the protection of personal data transferred from the EU to participating organizations in the United States is comparable to that offered in the EEA, and so provides a further avenue for ensuring that transfers to the United States are carried out in line with the GDPR. The Framework has been extended to cover transfers from the UK to the United States. The Framework could be challenged, as its predecessor frameworks were. The international transfer obligations under the EEA and UK data protection regimes will require significant effort and cost, and may require us to make strategic decisions about where EEA and UK personal data is transferred and which service providers we can use to process EEA and UK personal data. Although the UK is regarded as a third country under the EU GDPR, the European Commission has issued a decision recognizing the UK as providing adequate protection under the EU GDPR, or the Adequacy Decision, and, therefore, transfers of personal data originating in the EEA to the UK remain unrestricted.
The UK government has confirmed that personal data transfers from the UK to the EEA remain free flowing. The UK Government has also introduced a Data Protection and Digital Information Bill, or the UK Bill, into the UK legislative process. The aim of the UK Bill is to reform the UK's data protection regime following Brexit. If passed, the final version of the UK Bill would reduce the alignment between the UK and EEA data protection regimes and could threaten the UK Adequacy Decision from the European Commission. This may lead to additional compliance costs and could increase our overall risk. The respective provisions and enforcement of the EU GDPR and the UK GDPR may further diverge in the future and create additional regulatory challenges and uncertainties.
In addition, many jurisdictions outside of Europe are also considering and/or enacting comprehensive data protection legislation. For example, the Brazilian General Data Protection Law, effective as of August 2020, imposes stringent requirements similar to those of the GDPR with respect to personal information collected from individuals in Brazil.
In China, there have also been recent significant developments concerning privacy and data security. On June 10, 2021, the Standing Committee of the PRC National People's Congress published the Data Security Law of the People's Republic of China, or the Data Security Law, which took effect on September 1, 2021. The Data Security Law requires data processing (which includes the collection, storage, use, processing, transmission, provision and publication of data) to be conducted in a legitimate and proper manner. The Data Security Law imposes data security and privacy obligations on entities and individuals carrying out data processing activities and also introduces a data classification and hierarchical protection system based on the importance of the data to economic and social development and the degree of harm it may cause to national security, public interests, or the legitimate rights and interests of individuals or organizations if such data are tampered with, destroyed, leaked, illegally acquired or illegally used. Protection measures appropriate to each category of data are required.
Also in China, on August 20, 2021, the Standing Committee of the National People's Congress of the PRC promulgated the Personal Information Protection Law, or PIPL, which took effect on November 1, 2021. The PIPL raises the protection requirements for processing personal information, and many of its specific requirements remain to be clarified. Fines for serious PIPL violations can reach RMB 50 million (approximately $7.7 million) or up to 5% of the infringing company's previous year's revenues. We may be required to make further significant adjustments to our business practices to comply with the personal information protection laws and regulations in China.
Although we work to comply with applicable laws, regulations and standards, our contractual obligations and other legal obligations, the interpretation and application of many privacy and data protection laws (including the GDPR), commercial frameworks and standards are uncertain, and it is possible that these laws, frameworks and standards may be interpreted and applied in a manner that is inconsistent with our existing data management practices and policies. If so, in addition to the possibility of fines, lawsuits, breach of contract claims, and other claims and penalties, we could be required to fundamentally change our business activities and practices or modify our solutions, which could have an adverse effect on our business. Any inability to adequately address privacy and security concerns, even if unfounded, or to comply with applicable privacy, security or data security laws, regulations and policies, could result in additional cost and liability to us, damage our reputation, inhibit our ability to conduct trials, and adversely affect our business and results of operations.