Biodexa Pharmaceuticals (BDRX) Risk Analysis

We are at a relatively early stage of our commercial development. To date, we have generated a minimal amount of revenue from our product candidates. Our ability to generate revenue and become and remain profitable depends, in part, on our ability to successfully find a licensing partner for our product candidates, or other product candidates we may in-license or acquire, and have such candidates successfully commercialized. Our current strategy is, once proof-of-concept of our product candidates has been established, to generate revenue via a partner, thereby earning royalty and/or milestone income; however, this is not expected to materialize in the foreseeable future, and there can be no guarantee we will be able to find a licensing partner for our product candidates. Even if our product candidates were to successfully achieve regulatory approval, we do not know when any of the product candidates will generate revenue, if at all. Our ability to generate revenue from our product candidates also depends on a number of additional factors, including our ability, and the ability of any licensing partners, to: - successfully complete development activities;- complete and submit new drug applications to the European Medicines Agency, or the EMA, the Medicines and Healthcare Products Regulatory Agency in the United Kingdom, or the MHRA, the FDA, and any other foreign regulatory authorities, and obtain regulatory approval for products for which there is a commercial market;- set a commercially viable price;- obtain commercial qualities of the products at acceptable cost levels;- develop and maintain a commercial organization capable of sales, marketing and distribution in the markets where the product is to be sold; and - obtain adequate reimbursement from third parties, including government, departments and healthcare payors. In addition, because of the numerous risks and uncertainties associated with product development, including that our product candidates may not advance through development or achieve the endpoints of applicable clinical trials, we are unable to predict the timing or amount of increased expenses, or when or if we will be able to achieve or maintain profitability. Even if we are able to complete the process described above, we anticipate incurring significant costs. Even if we are able to generate royalty and/or milestone revenues from the sale of product candidates, we may not become profitable and may need to obtain additional funding to continue operations. If we fail to become profitable or are unable to sustain profitability on a continuing basis, then we may be unable to continue our operations at planned levels and may be forced to cease or reduce our operations. There can be no assurance that we will operate profitably, produce a reasonable return, if any, on investment, or remain solvent. If our strategy proves unsuccessful, stockholders could lose all or part of their investment.

Under English law, shareholders usually have preemptive rights to subscribe on a pro rata basis in the issuance of new shares for cash. The exercise of preemptive rights by certain shareholders not resident in the United Kingdom may be restricted by applicable law or practice in the United Kingdom and overseas jurisdictions. We may from time to time distribute rights to our shareholders, including rights to acquire our securities. However, we cannot make rights available to shareholders in the United States unless we register the rights and the securities to which the rights relate under the Securities Act or an exemption from the registration requirements is available. Also, under the deposit agreement, the depositary bank will not make rights available to Depositary Share holders unless either both the rights and any related securities are registered under the Securities Act, or the distribution of them to Depositary Share holders is exempted from registration under the Securities Act. We are under no obligation to file a registration statement with respect to any such rights or securities or to endeavor to cause such a registration statement to be declared effective. Moreover, we may not be able to establish an exemption from registration under the Securities Act. If the Depositary does not distribute the rights, it may, under the deposit agreement, either sell them, if possible, or allow them to lapse. Accordingly, Depositary Share holders may be unable to participate in our rights offerings and may experience dilution in their holdings. We are also permitted under English law to disapply preemptive rights (subject to the approval of our shareholders by special resolution or the inclusion in our articles of association of a power to disapply such rights) and thereby exclude certain shareholders, such as overseas shareholders, from participating in a rights offering (usually to avoid a breach of local securities laws).

Obtaining and maintaining regulatory approval of our other product candidates in one jurisdiction does not guarantee that we will be able to obtain or maintain regulatory approval in any other jurisdiction, while a failure or delay in obtaining regulatory approval in one jurisdiction may have a negative effect on the regulatory approval process in others. For example, even if the FDA grants marketing approval of a product candidate, similar foreign regulatory authorities must also approve the manufacturing, marketing and promotion of the product candidate in those countries. Approval and licensure procedures vary among jurisdictions and can involve requirements and administrative review periods different from, and greater than, those in the United States, including additional nonclinical studies or clinical trials as clinical trials conducted in one jurisdiction may not be accepted by regulatory authorities in other jurisdictions. In many jurisdictions outside the United States, a product candidate must be approved for reimbursement before it can be approved for sale in that jurisdiction. In some cases, the price that we intend to charge for our products is also subject to approval. We may also submit marketing applications in other countries. Regulatory authorities in jurisdictions outside of the United States have requirements for approval of product candidates with which we must comply prior to marketing in those jurisdictions. Obtaining similar foreign regulatory approvals and compliance with similar foreign regulatory requirements could result in significant delays, difficulties and costs for us and could delay or prevent the introduction of our products in certain countries. We do not currently have any product candidates approved for sale in any jurisdiction, including international markets, and we do not have experience in obtaining regulatory approval in international markets. If we fail to comply with the regulatory requirements in international markets and/or receive applicable marketing approvals, our target market will be reduced and our ability to realize the full market potential of our product candidates will be harmed.

The market price of our Depositary Shares may be volatile, and in the past, some companies that have experienced volatility in the market price of their stock have been subject to securities class action litigation.  Any lawsuit to which we are a party, with or without merit, may result in an unfavorable judgment. We also may decide to settle lawsuits on unfavorable terms. Any such negative outcome could result in payments of substantial damages or fines, damage to our reputation or adverse changes to our business practices. Defending against litigation is costly and time consuming, and could divert our management's attention and our resources. Furthermore, during the course of litigation, there could be negative public announcements of the results of hearings, motions or other interim proceedings or developments, which could have a negative effect on the market price of our Depositary Shares.

Under current English law, the decisions of the English courts and the published practice of His Majesty's Revenue and Customs suggest that we are likely to be regarded as being a United Kingdom resident and should remain so if, as we intend that, (i) all major meetings of our Board of Directors and most routine meetings are held in the United Kingdom with a majority of directors present in the United Kingdom for those meetings; (ii) at those meetings there are full discussions of, and decisions are made regarding, the key strategic issues affecting us and our subsidiaries; (iii) those meetings are properly minuted; (iv) at least some of our directors, together with supporting staff, are based in the United Kingdom; and (v) we have permanent staffed office premises in the United Kingdom sufficient to discharge our functions. Even if we are considered by His Majesty's Revenue and Customs as resident in the United Kingdom for United Kingdom tax purposes, as expected, we would nevertheless not be treated as resident in the United Kingdom if (a) we were concurrently resident in another jurisdiction (applying the tax residence rules of that jurisdiction) that has a double tax treaty with the United Kingdom and (b) there is a tiebreaker provision in that tax treaty which allocates exclusive residence to that other jurisdiction. Because this analysis is highly factual and may depend on future changes in our management and organizational structure, there can be no assurance regarding the final determination of our tax residence. Should we be treated as resident for tax purposes in another jurisdiction other than the United Kingdom, we would be subject to taxation in such jurisdiction in accordance with such jurisdiction's laws, which could result in additional costs and expenses.

We maintain a large quantity of sensitive information, including confidential business and personal information in connection with the conduct of our clinical trials and related to our employees, and we are subject to laws and regulations governing the privacy and security of such information. In the United States, there are numerous federal and state privacy and data security laws and regulations governing the collection, use, disclosure and protection of personal information, including federal and state health information privacy laws, federal and state security breach notification laws, and federal and state consumer protection laws. The legislative and regulatory landscape for privacy and data protection continues to evolve, and there has been an increasing focus on privacy and data protection issues, including with respect to regulatory enforcement and private litigation, which may affect our business and is expected to increase our compliance costs and exposure to liability. In the United States, numerous federal and state laws and regulations could apply to our operations or the operations of our partners, including state data breach notification laws, state health information privacy laws, and federal and state consumer protection laws and regulations, that govern the collection, use, disclosure, and protection of health-related and other personal information. In addition, we may obtain health information from third parties (including research institutions from which we obtain clinical trial data) that are subject to privacy and security requirements under HIPAA, as amended by HITECH and regulations promulgated thereunder. Depending on the facts and circumstances, we could be subject to significant penalties if we obtain, use, or disclose, or are subject to an actual or alleged data breach regarding, individually identifiable health information in a manner that is not authorized or permitted by HIPAA. In addition, various U.S. states have enacted privacy and security laws and regulations, and such laws and regulations vary from state to state, constantly evolve, and remain subject to significant change. In some cases, such laws and regulations can impose more restrictive requirements than HIPAA and other U.S. federal laws, thus complicating compliance efforts. By way of example, California has enacted the California Consumer Privacy Act, or CCPA, which went into effect in January of 2020. The CCPA established a new privacy framework for covered businesses by creating an expanded definition of personal information, establishing new data privacy rights for California residents, requiring covered business to provide new disclosures to California residents, and creating a new and potentially severe statutory damages framework for violations of the CCPA and for businesses that fail to implement reasonable security procedures and practices to prevent data breaches. Additionally in 2020, California voters passed the California Privacy Rights Act, or CPRA, which went into full effect on January 1, 2023. The CPRA significantly amends the CCPA, potentially resulting in further uncertainty, additional costs and expenses in an effort to comply and additional potential for harm and liability for failure to comply. Among other things, the CPRA established a new regulatory authority, the California Privacy Protection Agency, which is tasked with enacting new regulations under the CPRA and will have expanded enforcement authority. In addition to California, more U.S. states are enacting similar legislation, increasing compliance complexity, and increasing risks of failures to comply. In 2023, comprehensive privacy laws in Virginia, Colorado, Connecticut, and Utah all took effect, and laws in Montana, Oregon, and Texas will take effect in 2024. In addition, laws in other U.S. states are set to take effect beyond 2024, and additional U.S. states have proposals under consideration, all of which are likely to increase our regulatory compliance costs and risks, exposure to regulatory enforcement action and other liabilities. While these state privacy laws, like the CCPA, also exempt some data processed in the context of clinical trials (and most also exempt employee and business personal data), these developments further complicate compliance efforts, and increase legal risk and compliance costs for us and the third parties upon whom we rely. The scope and enforcement of these laws is uncertain and subject to rapid change. For example, increasing concerns about health information privacy have recently prompted the federal government to take a newly expansive view of the scope of existing privacy laws and regulations. Congress and some states are considering (and in some cases have passed) new laws and regulations that further and more broadly protect the privacy and security of personal health information. The interplay of federal and state laws may be subject to varying interpretations by courts and government agencies, creating complex compliance issues for us and our clients and potentially exposing us to additional expense, adverse publicity and liability. Further, as regulatory focus on privacy issues continues to increase and laws and regulations concerning the protection of personal information expand and become more complex, these potential risks to our business could intensify. In the European Union, the General Data Protection Regulation (EU) 2016/679, or GDPR, lays down the legal framework for data protection and privacy. The GDPR applies directly in all European Union member states (until December 31, 2020, this included the United Kingdom) and applies to companies with an establishment in the European Economic Area, or EEA, and to certain other companies not in the EEA that process personal data in relation to offering or providing goods or services to individuals located in the EEA, or monitor the behavior of individuals located in the EEA. In the United Kingdom, the GDPR has been implemented into United Kingdom domestic law, pursuant to the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 (as amended), which makes some minor technical amendments to ensure the GDPR is operable in the United Kingdom, or the UK GDPR. The UK GDPR is also supplemented by the Data Protection Act 2018. United Kingdom and European Union data protection law is therefore aligned. The GDPR and UK GDPR implement stringent operational requirements for both controllers and processors of personal data, including, for example, expanded disclosures about how personal information is to be used, limitations on retention of information, increased requirements pertaining to health data and pseudonymized (i.e., key-coded) data, increased cyber security requirements, new rights for individuals to be "forgotten" and rights to data portability, as well as enhanced current rights (e.g., access requests), mandatory data breach notification requirements and higher standards for controllers to demonstrate that they have obtained a valid legal basis for certain data processing activities. In particular, medical or health data, genetic data and biometric data are all classified as "special category" data under the GDPR and the UK GDPR, and afforded greater protection and require additional compliance obligations. Further, the GDPR provides that European Union member states may make their own further laws and regulations in relation to the processing of genetic, biometric or health data, which could result in differences between member states, limit our ability to use and share personal data or could cause our costs to increase, and harm our business and financial condition. The GDPR the UK GDPR also regulate the transfer of personal data subject to the GDPR or UK GDPR to so-called third countries that have not been found by the European Commission to provide an adequate level of data protection. The GDPR and UK GDPR only permit exports of personal data outside of the EU and UK, respectively, to "non-adequate" countries where there is a suitable data transfer mechanism in place to safeguard personal data. As from 2020, legal developments in Europe have created complexity and uncertainty regarding such transfers. For instance, on July 16, 2020, the Court of Justice of the European Union, or CJEU, invalidated, by means of the so-called Schrems II judgment, the E.U.-U.S. Privacy Shield Framework, or the Privacy Shield, under which personal data could be transferred from the EEA to U.S. entities who had self-certified under the Privacy Shield scheme. However, on July 10, 2023, the European Commission adopted an adequacy decision for a new mechanism for transferring data from the European Union to the United States – the E.U.-U.S. Data Privacy Framework, which provides E.U. individuals with several new rights, including the right to obtain access to their data, or obtain correction or deletion of incorrect or unlawfully handled data, and allows U.S. companies to self-certify to the U.S. Department of Commerce their compliance with a set of agreed privacy principles in order to freely receive E.U. personal data. The adequacy decision followed the signing of an executive order in the U.S. introducing new binding safeguards to address the points raised in the Schrems II judgment. Notably, the new obligations were geared to ensure that data can be accessed by U.S. intelligence agencies only to the extent necessary and proportionate and to establish an independent and impartial redress mechanism to handle complaints from Europeans concerning the collection of their data for national security purposes. The UK-US Data Bridge (the UK extension to the Data Privacy Framework) came into force shortly after the E.U. – U.S. Data Privacy Framework, and provides UK individuals with similar rights. Organizations that have not certified under the under the E.U. – U.S. Data Privacy Framework (or the UK-US Data Bridge) may utilize another data transfer mechanism, such as the EU Commission approved Standard Contractual Clauses, or the UK equivalent, respectively. The European Commission and the UK government will continually review developments in the United States along with their adequacy decisions. Consequently, there is some risk of any data transfers from the EU and UK being halted. In addition, in June of 2021, the European Commission issued a decision, which will sunset on June 27, 2025 without further action, that the United Kingdom ensures an adequate level of protection for personal data transferred under the E.U. GDPR from the E.U. to the United Kingdom. Adequacy decisions can be adapted or even withdrawn in the event of developments affecting the level of protection in the applicable jurisdiction. Failure to comply with European Union laws, including failure under the GDPR and UK GDPR, Data Protection Act 2018, ePrivacy Directive and other laws relating to the security of personal data may result in fines up to €20 million (or £17.5 million under the UK GDPR) or up to 4% of the total worldwide annual turnover of the preceding financial year, if greater, and other administrative penalties including criminal liability, which may be onerous and adversely affect our business, financial condition, results of operations and prospects. The GDPR and UK GDPR also confer a private right of action on data subjects and consumer associations to lodge complaints with supervisory authorities, seek judicial remedies, and obtain compensation for damages resulting from violations of the GDPR and UK GDPR, respectively. Failure to comply with the GDPR, UK GDPR, and related laws may lead to increased risk of private actions from data subjects and consumer not-for-profit organizations, including a new form of class action that is available under the GDPR and UK GDPR. Further, if we have to rely on third parties to carry out services for us, including processing personal data on our behalf, we are required under GDPR and UK GDPR to enter into contractual arrangements to flow down or help ensure that these third parties only process such data according to our instructions and have sufficient security measures in place. Any security breach or non-compliance with our contractual terms or breach of applicable law by such third parties could result in enforcement actions, litigation, fines and penalties or adverse publicity and could cause customers to lose trust in us, which would have an adverse impact on our reputation and business. Future customers or other service providers may respond to these evolving laws and regulations by asking us to make certain privacy or data-related contractual commitments that we are unable or unwilling to make. This could lead to the loss of future customers or other business relationships.

We are exposed to the risk of employee fraud or other misconduct by our employees, principal investigators, consultants and commercial partners. Misconduct by such parties could include intentional failures to comply with applicable regulations, provide accurate information to regulatory authorities, comply with manufacturing standards, comply with healthcare fraud and abuse laws and regulations, report financial information or data accurately, or disclose unauthorized activities to us. In particular, sales, marketing and business arrangements in the healthcare industry are subject to extensive laws and regulations intended to prevent fraud, kickbacks, self-dealing and other abusive practices. These laws and regulations may restrict or prohibit a wide range of pricing, discounting, marketing and promotion, sales commission, customer incentive programs and other business arrangements. Such misconduct could also involve the improper use of information obtained in the course of clinical trials, which could result in regulatory sanctions and serious harm to our reputation. We have adopted a Code of Business Conduct and Ethics, but it is not always possible to identify and deter employee misconduct, and the precautions we have taken to detect and prevent this activity may not be effective in controlling unknown or unmanaged risks or losses or in protecting us from governmental investigations or other actions or lawsuits stemming from a failure to be in compliance with such laws or regulations. If any such actions are instituted against us and we are not successful in defending ourselves or asserting our rights, those actions could have a significant impact on our business and results of operations, including the imposition of significant fines or other sanctions.

We are, and may continue to be, reliant on other parties for the successful development and commercialization of many of our product candidates. We rely upon CROs and clinical investigators for the conduct of our clinical trials and upon contract laboratories for execution of our preclinical studies, and we control only certain aspects of their activities. Nevertheless, we are responsible for ensuring that each of our studies and trials is conducted in accordance with the applicable protocol and legal, regulatory and scientific standards, and our reliance on the CROs or collaboration partners does not relieve us of our regulatory responsibilities. We also rely on third parties to assist in conducting our preclinical studies in accordance with good laboratory practices, or GLP, and requirements with respect to animal welfare. We and our CROs or collaboration or licensing partners are required to comply with GCP, which are regulations and guidelines enforced by the MHRA, the FDA, the EMA and comparable foreign regulatory authorities for all of our products in clinical development. Regulatory authorities enforce GCP regulations, and other regulations applicable to clinical trials and investigational drug or biological products, through periodic inspections of trial sponsors, CROs, principal investigators and trial sites. If we or any of our CROs or partners fail to comply with applicable GCP regulations or other clinical trial regulations, the data generated in our clinical trials may be deemed unreliable and the EMA, the MHPA, the FDA or comparable foreign regulatory authorities may require us to perform additional clinical trials before approving our marketing applications. We cannot be assured that upon inspection by a given regulatory authority, that such regulatory authority will determine that any of our clinical trials comply with GCP requirements or other applicable regulations. In addition, our clinical trials must be conducted with product produced under cGMP requirements. Failure to comply with these regulations may require us to repeat preclinical and clinical trials, which would delay the regulatory approval process. Our CROs and other contractors or collaborators are not our employees, and except for remedies available to us under such agreements with such CROs, we cannot control whether or not they devote sufficient time and resources to our on-going or future clinical or nonclinical programs, as applicable. If CROs do not successfully carry out their contractual duties or obligations or meet expected deadlines or if the quality or accuracy of the clinical data they obtain is compromised due to the failure to adhere to our clinical protocols, regulatory requirements or for other reasons, then our clinical trials may be extended, delayed or terminated and we may not be able to obtain regulatory approval for or successfully commercialize our product candidates. As a result, our results of operations and the commercial prospects for our product candidates would be harmed, our costs could increase and our ability to generate revenues could be delayed. If any of our relationships with these third parties terminate, we may not be able to enter into arrangements with alternative third parties on commercially reasonable terms, or at all. Entering into arrangements with alternative CROs, clinical trial investigators or other third parties involves additional cost and requires management focus and time, in addition to requiring a transition period when a new CRO, clinical trial investigator or other third party begins work. If third parties do not successfully carry out their contractual duties or obligations or meet expected deadlines, if they need to be replaced or if the quality or accuracy of the clinical data they obtain are compromised due to the failure to adhere to our clinical protocols, regulatory requirements or for other reasons, any clinical trials such third parties are associated with may be extended, delayed or terminated, and we may not be able to obtain marketing approval for or successfully commercialize our product candidates. As a result, we believe that our financial results and the commercial prospects for our product candidates in the subject indication would be harmed, our costs could increase and our ability to generate revenue could be delayed. Because we have relied on third parties, our internal capacity to perform these functions is limited. Outsourcing these functions involves risk that third parties may not perform to our standards, may not produce results in a timely manner or may fail to perform at all. In addition, the use of third-party service providers requires us to disclose our proprietary information to these parties, which could increase the risk that this information will be misappropriated. We currently have a small number of employees, which limits the internal resources we have available to identify and monitor our third-party providers. To the extent we are unable to identify and successfully manage the performance of third-party service providers in the future, our business may be adversely affected. Though we carefully manage our relationships with our CROs, there can be no assurance that we will not encounter similar challenges or delays in the future or that these delays or challenges will not have a material adverse impact on our business, financial condition and prospects.

Following the result of a referendum in 2016, the United Kingdom left the European Union on January 31, 2020, commonly referred to as Brexit. Pursuant to the formal withdrawal arrangements agreed between the United Kingdom and the European Union, the United Kingdom was subject to a transition period until December 31, 2020, during which European Union rules continued to apply. The Trade and Cooperation Agreement between the United Kingdom and the European Union, which outlines the future trading relationship between the United Kingdom and the European Union, was agreed in December 2020. The impact of the new trade agreement on the general and economic conditions in the United Kingdom remains uncertain. There may be, for example, additional costs in materials and equipment sourced from the European Union and/or delays that could have a material adverse effect on our business, financial condition and results of operations. From a regulatory perspective, the United Kingdom's withdrawal from the European Union could bear significant complexity and risks.  A basic requirement of European Union law relating to the grant of a marketing authorization for a medicinal product in the European Union is that the applicant is established in the European Union. Following the withdrawal of the United Kingdom from the European Union, marketing authorizations previously granted to applicants established in the United Kingdom may no longer be valid.  Moreover, the scope of a marketing authorization for a medicinal product granted by the European Commission pursuant to the centralized procedure might not, in the future, include the United Kingdom. In these circumstances, an authorization granted by competent United Kingdom authorities would be required to place medicinal products on the United Kingdom market. Any of these factors could significantly increase the complexity of our activities in the European Union and in the United Kingdom, could depress our economic activity and restrict our access to capital, which could have a material adverse effect on our business, financial condition and results of operations and reduce the price of our Ordinary Shares and Depositary Shares.

We currently conduct a portion of our operations outside of the United Kingdom. Because we use the British pound sterling as our financial statement reporting currency, changes in currency exchange rates have had and could have a significant effect on our operating results when our operating results are translated from the local currency into the British pound sterling. Exchange rate fluctuations between local currencies and the British pound sterling create risk in several ways, including the following: weakening of the British pound sterling, as seen, for example, following the results of the Brexit referendum, may increase the British pound sterling cost of overseas research and development expenses and the cost of sourced product components outside the United Kingdom; strengthening of the British pound sterling may decrease the value of our revenues denominated in other currencies; the exchange rates on non-sterling transactions and cash deposits can distort our financial results; and commercial pricing and profit margins are affected by currency fluctuations. Future changes in currency exchange rates could have a material adverse effect on our financial results.

There can be no assurance that any of our product candidates currently in development will be successfully developed into any commercially viable product or products and/or be manufactured in commercial quantities at an acceptable cost or be marketed successfully and profitably. If we, or our partners, encounter delays at any stage, and fail successfully to address such delays, it may have a material adverse effect on our business, financial condition and prospects. In addition, our success will depend on the market's acceptance of these products and there can be no guarantee that this acceptance will be forthcoming or that our technologies will succeed as an alternative to competing products. If a market fails to develop or develops more slowly than anticipated, we may be unable to recover the costs we may have incurred in the development of particular products and may never achieve profitable royalty or licensing revenues from that product.