We and our collaborators and third-party providers are subject to national, supranational, federal or state laws and regulations, regulatory guidance and industry standards relating to data protection, privacy and information security. With respect to Europe, the collection and processing of personal data that (i) relates to individuals in the EEA or the UK and/or (ii) is carried out in the context of the activities of our establishments in the EEA or the UK is subject to the GDPR, as well as other national data protection legislation in force in the relevant EEA member states and the UK (including the UK Data Protection Act 2018).
The GDPR is wide-ranging in scope and imposes numerous obligations on companies that process personal data, including special requirements for the processing of health and other sensitive data, a requirement to obtain the consent of the individuals to whom the personal data relates in certain circumstances, additional disclosures to individuals about data processing activities, safeguards to protect the security and confidentiality of personal data, mandatory data breach notification in certain circumstances, data protection impact assessments for high-risk processing and certain measures (including contractual requirements) when engaging third-party processors. The GDPR also gives individuals various rights in respect of their personal data, including rights of access, erasure, portability, rectification, restriction and objection. The GDPR defines personal data to include pseudonymized or coded data and requires different informed consent practices and more detailed notices for clinical trial participants and investigators than apply to clinical trials conducted in the United States. We are required to apply GDPR standards to any clinical trials that our EEA- and UK-established businesses carry out anywhere in the world.
The GDPR imposes strict rules on the transfer of personal data to countries outside the EEA and the UK, including, in certain circumstances, the United States, unless a derogation applies or we incorporate a GDPR transfer mechanism (such as the European Commission-approved standard contractual clauses ("SCCs") or, for transfers from the UK, the International Data Transfer Agreement ("IDTA") or the UK Addendum to the SCCs) into our agreements with third parties to govern such transfers, and carry out transfer impact assessments to determine whether the data importer can provide sufficient guarantees for safeguarding the personal data under the GDPR, including an analysis of the laws of the recipient's country. Carrying out such restricted transfers therefore comes with a significant compliance burden, requiring significant effort and expense. Failure to implement valid mechanisms for personal data transfers from Europe may increase our exposure to regulatory action, substantial fines and injunctions against processing personal data from Europe. If we are unable to export personal data, this may also restrict our activities outside Europe and require us to increase our processing capabilities within Europe at significant expense or otherwise segregate our systems and operations. Switzerland has adopted transfer restrictions similar to those under the GDPR. Although the UK is regarded as a third country under the EU GDPR, the European Commission has issued a decision recognizing the UK as providing adequate protection under the EU GDPR and, therefore, transfers of personal data originating in the EEA to the UK remain unrestricted. Personal data transfers from the UK to the EEA remain free-flowing by virtue of a UK government adequacy decision.
The GDPR may increase our responsibility and liability in relation to personal data that we process where such processing is subject to the GDPR. While we have taken steps to comply with the GDPR and the implementing legislation in applicable EEA member states and the UK, including by seeking to establish appropriate lawful bases for the various processing activities we carry out as a controller or joint controller, reviewing our security procedures and those of our vendors and collaborators, and entering into data processing agreements with relevant vendors and collaborators, we cannot be certain that our efforts to achieve and remain in compliance have been, or will continue to be, fully successful. Given the breadth and depth of the applicable obligations, complying with the GDPR and similar data protection laws is rigorous and time-intensive and requires significant resources and a review of our technologies, systems and practices, as well as those of any third-party collaborators, service providers, contractors or consultants that process or transfer personal data.
The UK's data protection regime is independent from but aligned with the EU's data protection regime. However, following Brexit, there is increasing scope for divergence in the application, interpretation and enforcement of data protection law between the two territories. For example, the UK has recently introduced the Data Protection and Digital Information (No. 2) Bill, or the Data Reform Bill, into the UK legislative process with the intention of reforming the UK's data protection regime following Brexit. If passed, the Data Reform Bill could reshape the UK's data protection regime, distancing it from the EU's regime and threatening the UK's adequacy decision from the European Commission. This lack of clarity on future UK laws and regulations and their interaction with those of the EU could add legal risk, uncertainty, complexity and cost to our handling of European personal data and to our privacy and security compliance programs, and any resulting divergence in laws could increase our risk profile and may require us to implement different compliance measures for the UK and the EEA.
In the United States, numerous federal and state laws and regulations, including federal health information privacy laws, state data breach notification laws, state health information privacy laws and federal and state consumer protection laws (e.g., Section 5 of the FTCA), that govern the collection, use, disclosure and protection of health-related and other personal information could apply to our operations or the operations of our collaborators and third-party providers. For example, California recently enacted the CCPA, which became effective on January 1, 2020. The CCPA gives California residents expanded rights to access and delete their personal information, to opt out of certain personal information sharing and to receive detailed information about how their personal information is used. The CCPA provides for civil penalties for violations, as well as a private right of action for data breaches that is expected to increase data breach litigation. U.S. states are constantly amending existing laws, requiring attention to frequently changing regulatory requirements. At this time, we do not collect personal data on residents of California, but should we begin to do so and thereby become subject to the CCPA, the CCPA would impose new and burdensome privacy compliance obligations on our business and raise new risks of potential fines and class actions.
In addition to the CCPA, a California ballot initiative, the CPRA, was passed in November 2020. Effective as of January 1, 2023, the CPRA imposes additional obligations on companies covered by the legislation and significantly modifies the CCPA, including by expanding consumers' rights with respect to certain sensitive personal information. The CPRA also created a new state agency vested with authority to implement and enforce the CCPA and the CPRA. The effects of the CCPA and the CPRA are potentially significant and may require us to modify our data collection or processing practices and policies and to incur substantial costs and expenses in an effort to comply, and may increase our potential exposure to regulatory enforcement and/or litigation.
Some observers have noted that the CCPA and the CPRA could mark the beginning of a trend toward more stringent privacy legislation in the United States, which could increase our potential liability and adversely affect our business. For example, on January 1, 2023, the CDPA became effective. Further, several additional U.S. state privacy laws go into effect during 2023: the CPA (July 1, 2023), the CTDPA (July 1, 2023) and the UCPA (December 31, 2023). The CDPA, CPA, CTDPA and UCPA are substantially similar in scope and contain many of the same requirements and exceptions as the CCPA, including a general exemption for clinical trial data and for information governed by HIPAA. Any of these laws may be broadened in scope in the future, and similar laws have been proposed at the federal level and in more than half of the states. While the CDPA, CPA, CTDPA and UCPA incorporate many of the concepts of the CCPA and the CPRA, there are also several key differences in the scope, application and enforcement of the laws that will change the operational practices of regulated businesses. The new laws will, among other things, affect how regulated businesses collect and process sensitive personal data, conduct data protection assessments, transfer personal data to affiliates and respond to consumer rights requests.
A number of other states have proposed new privacy laws, some of which are similar to the recently passed laws discussed above. Such proposed legislation, if enacted, may add complexity, variation in requirements, restrictions and legal risk, require additional investment of resources in compliance programs, affect our strategies and the availability of previously useful data, and could result in increased compliance costs and/or changes in business practices and policies. The existence of differing comprehensive privacy laws across the states would make our compliance obligations more complex and costly and may increase the likelihood that we are subject to enforcement actions or otherwise incur liability for noncompliance.
In addition to general privacy and data protection requirements, many jurisdictions around the world have adopted legislation that regulates how businesses operate online and imposes information security requirements, including measures relating to privacy, data security and data breaches. Many of these laws require businesses to notify regulators and/or data subjects of data breaches. These laws are not consistent with one another, and compliance in the event of a widespread data breach is costly and burdensome.
In many jurisdictions, enforcement actions and consequences for non-compliance with data protection, privacy and information security laws and regulations are rising. In the EU and the UK, data protection authorities may impose large penalties for violations of the data protection laws, including fines of up to €20 million (£17.5 million in the UK) or 4% of annual global revenue, whichever is greater. The authorities have shown a willingness to impose significant fines on non-compliant businesses and to issue orders preventing them from processing personal data. Data subjects, as well as consumer associations, also have a private right of action to lodge complaints with supervisory authorities, seek judicial remedies and obtain compensation for damages resulting from violations of applicable data protection laws. In the United States, possible consequences for non-compliance include enforcement actions by federal agencies, state attorneys general and state consumer protection agencies under the statutes, rules and regulations they administer.
In addition, privacy advocates and industry groups have regularly proposed, and may propose in the future, self-regulatory standards that may legally or contractually apply to us. If we fail to follow these privacy and security standards, even if no customer information is compromised, we may incur significant fines or experience a significant increase in costs.
The risk of our being found in violation of these laws is increased by the fact that their interpretation and enforcement are not entirely clear. Efforts to ensure that our business arrangements with third parties comply with applicable healthcare laws and regulations will involve substantial costs. Any action against us for violation of these laws, even if we successfully defend against it, could cause us to incur significant legal expenses and divert our management's attention from the operation of our business. The shifting compliance environment and the need to build and maintain robust and expandable systems to comply with the differing compliance and/or reporting requirements of multiple jurisdictions increase the possibility that a healthcare company may run afoul of one or more of those requirements.
Compliance with data protection laws and regulations could require us to take on more onerous obligations in our contracts, restrict our ability to collect, use and disclose data or, in some cases, affect our ability to operate in certain jurisdictions. It could also require us to change our business practices and put in place additional compliance mechanisms, may interrupt or delay our development, regulatory and commercialization activities, and may increase our cost of doing business. Failure by us or our collaborators and third-party providers to comply with data protection laws and regulations could result in government enforcement actions (which could include civil or criminal penalties and orders preventing us from processing personal data), private litigation and significant fines and penalties against us. Moreover, clinical trial participants about whom we or our potential collaborators obtain information, as well as the providers who share this information with us, may contractually limit our ability to use and disclose the information. Claims that we have violated individuals' privacy rights, failed to comply with data protection laws or breached our contractual obligations, even if we are not found liable, could be expensive and time-consuming to defend, could result in adverse publicity and could have a material adverse effect on our business, financial condition, results of operations and prospects.