Cidara Therapeutics (CDTX) Risk Factors

In the ordinary course of business, we process sensitive data, and as a result, our data processing activities subject us to numerous data privacy and security obligations, such as various laws, regulations, guidance, industry standards, external and internal privacy and security policies, contractual requirements, and other obligations relating to data privacy and security. In the U.S., federal, state, and local governments have enacted numerous data privacy and security laws, including data breach notification laws, personal data privacy laws, consumer protection laws (e.g., Section 5 of the Federal Trade Commission Act), and other similar laws (e.g., wiretapping laws). For example, HIPAA, as amended by HITECH, and their respective implementing regulations, impose requirements relating to the privacy, security and transmission of individually identifiable health information. In the past few years, at least ten U.S. states have enacted comprehensive privacy laws that impose certain obligations on covered businesses, including providing specific disclosures in privacy notices and affording residents with certain rights concerning their personal data. As applicable, such rights may include the right to access, correct, or delete certain personal data, and to opt-out of certain data processing activities, such as targeted advertising, profiling, and automated decision-making. The exercise of these rights may impact our business and ability to provide our products and services. Certain states also impose stricter requirements for processing certain personal data, including sensitive information, such as conducting data privacy impact assessments. These state laws allow for statutory fines for noncompliance. For example, the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020, or CPRA, collectively CCPA, applies to personal data of consumers, business representatives, and employees who are California residents, and requires businesses to provide specific disclosures in privacy notices and honor requests of such individuals to exercise certain privacy rights. The CCPA provides for fines of up to $7,500 per intentional violation and allows private litigants affected by certain data breaches to recover significant statutory damages. Although the CCPA exempts some data processed in the context of clinical trials, the CCPA increases compliance costs and potential liability with respect to other personal data we maintain about California residents. Similar laws are being considered in several other states, as well as at the federal and local levels, and we expect more states to pass similar laws in the future. While these states, like the CCPA, may also exempt some data processed in the context of clinical trials, these developments may further complicate compliance efforts, and increase legal risk and compliance costs for us and the third parties upon whom we rely. Outside the U.S., an increasing number of laws, regulations, and industry standards may govern data privacy and security. For example, the EU's General Data Protection Regulation, or EU GDPR, the United Kingdom's GDPR, or UK GDPR, and Brazil's General Data Protection Law (Lei Geral de Proteção de Dados Pessoais, or LGPD) (Law No. 13,709/2018) impose strict requirements for processing personal data. For example, under GDPR, companies may face temporary or definitive bans on data processing and other corrective actions; fines of up to 20 million Euros under the EU GDPR, 17.5 million pounds sterling under the UK GDPR or, in each case, 4% of annual global revenue, whichever is greater; or private litigation related to processing of personal data brought by classes of data subjects or consumer protection organizations authorized at law to represent their interests. In Canada, the Personal Information Protection and Electronic Documents Act, or PIPEDA, and various related provincial laws, as well as Canada's Anti-Spam Legislation, or CASL, may apply to our operations. In addition, we may be unable to transfer personal data from Europe and other jurisdictions to the U.S. or other countries due to data localization requirements or limitations on cross-border data flows. Europe and other jurisdictions have enacted laws requiring data to be localized or limiting the transfer of personal data to other countries. In particular, the European Economic Area, or EEA, and the United Kingdom, or UK, have significantly restricted the transfer of personal data to the U.S. and other countries whose privacy laws it generally believes are inadequate. Other jurisdictions may adopt similarly stringent interpretations of their data localization and cross-border data transfer laws. Although there are currently various mechanisms that may be used to transfer personal data from the EEA and UK to the U.S. in compliance with law, such as the EEA and UK's standard contractual clauses, the UK's International Data Transfer Agreement/Addendum, and the EU-U.S. Data Privacy Framework and the UK extension thereto (which allows for transfers to relevant U.S.-based organizations who self-certify compliance and participate in the Framework), these mechanisms are subject to legal challenges, and there is no assurance that we can satisfy or rely on these measures to lawfully transfer personal data to the U.S. If there is no lawful manner for us to transfer personal data from the EEA, the UK, or other jurisdictions to the U.S., or if the requirements for a legally-compliant transfer are too onerous, we could face significant adverse consequences, including the interruption or degradation of our operations, the need to relocate part of or all of our business or data processing activities to other jurisdictions (such as Europe) at significant expense, increased exposure to regulatory actions, substantial fines and penalties, the inability to transfer data and work with partners, vendors and other third parties, and injunctions against our processing or transferring of personal data necessary to operate our business. Additionally, companies that transfer personal data out of the EEA and UK to other jurisdictions, particularly to the U.S., are subject to increased scrutiny from regulators, individual litigants, and activities groups. Some European regulators have ordered certain companies to suspend or permanently cease certain transfers of personal data out of Europe for allegedly violating the GDPR's cross-border data transfer limitations. Regulators in the United States are also increasingly scrutinizing certain personal data transfers and have and may in the future impose certain personal data transfer and localization requirements. In addition to data privacy and security laws, we may be contractually subject to industry standards adopted by industry groups and may become subject to such obligations in the future. We are also bound by other contractual obligations related to data privacy and security, and our efforts to comply with such obligations may not be successful. Our employees and personnel may use generative AI technologies to perform their work, and the disclosure and use of personal information in generative AI technologies is subject to various privacy laws and other privacy obligations. Governments have passed and are likely to pass additional laws regulating generative AI. Any use of this technology could result in additional compliance costs, regulatory investigations and actions, and consumer lawsuits. If we are unable to use generative AI, it could make our business less efficient and result in competitive disadvantages. We use AI and machine learning, or ML, to assist us in making certain decisions, which is regulated by certain privacy laws. Due to inaccuracies or flaws in the inputs, outputs, or logic of the AI/ML, the model could be biased and could lead us to make decisions that could bias certain individuals (or classes of individuals), and adversely impact their rights, employment, and ability to obtain certain pricing, products, services, or benefits. We publish privacy policies, marketing materials, and other statements, such as compliance with certain certifications or self-regulatory principles, regarding data privacy and security. If these policies, materials or statements are found to be deficient, lacking in transparency, deceptive, unfair, or misrepresentative of our practices, we may be subject to investigation, enforcement actions by regulators, or other adverse consequences. Obligations related to data privacy and security (and consumers' data privacy expectations) are quickly changing, becoming increasingly stringent, and creating uncertainty. Additionally, these obligations may be subject to differing applications and interpretations, which may be inconsistent or conflict among jurisdictions. Preparing for and complying with these obligations requires us to devote significant resources and may necessitate changes to our services, information technologies, systems, and practices and to those of any third parties that process personal data on our behalf. We may at times fail (or be perceived to have failed) in our efforts to comply with our data privacy and security obligations. Moreover, despite our efforts, our personnel or third parties on whom we rely may fail to comply with such obligations, which could negatively impact our business operations. If we or the third parties on which we rely fail, or are perceived to have failed, to address or comply with applicable data privacy and security obligations, we could face significant consequences, including but not limited to: government enforcement actions (e.g., investigations, fines, penalties, audits, inspections, and similar); litigation (including class-action claims) and mass arbitration demands; additional reporting requirements and/or oversight; bans on processing personal data; and orders to destroy or not use personal data. In particular, plaintiffs have become increasingly more active in bringing privacy-related claims against companies, including class claims and mass arbitration demands. Some of these claims allow for the recovery of statutory damages on a per violation basis, and, if viable, carry the potential for monumental statutory damages, depending on the volume of data and the number of violations. Any of these events could have a material adverse effect on our reputation, business, or financial condition, including but not limited to: loss of customers; interruptions or stoppages in our business operations (including, as relevant, clinical trials); inability to process personal data or to operate in certain jurisdictions (including in relation to clinical trials); limited ability to develop or commercialize our products; expenditure of time and resources to defend any claim or inquiry; adverse publicity; or substantial changes to our business model or operations.

We face an inherent risk of product liability exposure related to the testing of our product candidates in human clinical trials and we face an even greater risk for our products that receive marketing approval. If we cannot successfully defend ourselves against claims that our product candidates and products caused injuries, we could incur substantial liabilities. Regardless of merit or eventual outcome, liability claims may result in: - decreased demand for any product candidates that we may develop;- injury to our reputation and significant negative media attention;- withdrawal of clinical trial participants;- significant costs and distraction of management to defend any related litigation;- the initiation of investigations by regulatory bodies;- substantial monetary awards to trial participants or patients;- loss of revenue;- product recalls, withdrawals or labeling, marketing or promotional restrictions; and - the inability to commercialize any products we may develop. Although we have product liability insurance for our clinical trials, such insurance may not be adequate to cover all liabilities that we may incur. We anticipate that we will need to increase our insurance coverage as we continue or expand our clinical trials and if we successfully commercialize any products. Insurance coverage is increasingly expensive. We may not be able to maintain insurance coverage at a reasonable cost or in an amount adequate to satisfy any liability that may arise.

The tax regimes to which we are subject or under which we operate are unsettled and may be subject to significant change. The issuance of additional guidance related to existing or future tax laws, or changes to tax laws or regulations proposed or implemented by the current or a future U.S. presidential administration, Congress, or taxing authorities in other jurisdictions, including jurisdictions outside of the U.S., could materially affect our tax obligations and effective tax rate. To the extent that such changes have a negative impact on us, including as a result of related uncertainty, these changes may adversely impact our business, financial condition, results of operations, and cash flows. The amount of taxes we pay in different jurisdictions depends on the application of the tax laws of various jurisdictions, including the U.S., to our international business activities, tax rates, new or revised tax laws, or interpretations of tax laws and policies, and our ability to operate our business in a manner consistent with our corporate structure and intercompany arrangements. The taxing authorities of the jurisdictions in which we operate may challenge our methodologies for pricing intercompany transactions pursuant to our intercompany arrangements or disagree with our determinations as to the income and expenses attributable to specific jurisdictions. If such a challenge or disagreement were to occur, and our position was not sustained, we could be required to pay additional taxes, interest, and penalties, which could result in one-time tax charges, higher effective tax rates, reduced cash flows, and lower overall profitability of our operations. Our financial statements could fail to reflect adequate reserves to cover such a contingency. Similarly, a taxing authority could assert that we are subject to tax in a jurisdiction where we believe we have not established a taxable connection, often referred to as a "permanent establishment" under international tax treaties, and such an assertion, if successful, could increase our expected tax liability in one or more jurisdictions. Effective January 1, 2022, the Tax Act eliminated the option to deduct R&D expenses for tax purposes in the year incurred and requires taxpayers to capitalize and subsequently amortize such expenses over five years for research activities conducted in the U.S. and over 15 years for research activities conducted outside the U.S. Although there have been legislative proposals to repeal or defer the capitalization requirement to later years, there can be no assurance that the provision will be repealed or otherwise modified. Future guidance from the Internal Revenue Service and other tax authorities with respect to such legislation may affect us, and certain aspects of such legislation could be repealed or modified in future legislation.

Before obtaining marketing approval from regulatory authorities for the sale of our product candidates, we must complete preclinical development and then conduct extensive clinical trials to demonstrate the safety and efficacy of our product candidates in humans. Clinical testing is expensive, difficult to design and implement, can take many years to complete and is uncertain as to outcome. A delay in starting or completing our clinical trials would materially impact our timelines and our ability to complete development of our product candidates in a timely manner or at all. A failure of one or more clinical trials could occur at any stage of testing. The outcome of preclinical testing and early clinical trials may not be predictive of the success of later clinical trials, and interim results of a particular clinical trial do not necessarily predict final results of that trial. Moreover, preclinical and clinical data are often susceptible to multiple interpretations and analyses. Many companies that have believed their product candidates performed satisfactorily in preclinical studies and clinical trials have nonetheless failed to obtain marketing approval of their products. For example, the historically observed high rate of correlation for clinical efficacy for anti-infectives based on preclinical data may not apply for our current or future product candidates, and any of the potential benefits that we anticipate for human clinical use may not be realized. We do not know whether clinical trials of CD388 will be completed on schedule. We may experience numerous unforeseen events that could delay or prevent our ability to commence or complete our clinical trials, which could then delay or prevent our ability to receive marketing approval or commercialize CD388, including: - regulators or institutional review boards may not authorize us or our investigators to commence a clinical trial on our expected timeline, or at all, or conduct a clinical trial at a prospective trial site or in a given country;- regulators may disagree with our interpretation of preclinical data, which may impact our ability to commence our trials on our expected timeline or at all;- regulators may require that trials or studies be conducted, or sized or otherwise designed in ways, that were unforeseen in order to begin planned studies or to obtain marketing authorization;- we may have delays in reaching or fail to reach agreement on acceptable clinical trial contracts or clinical trial protocols with prospective trial sites;- clinical trials of our product candidates may produce negative or inconclusive results, and we may decide, or regulators may require us, to conduct additional clinical trials, modify planned clinical trial designs or abandon product development programs;- the number of patients required for clinical trials of our product candidates may be larger than we anticipate;- enrollment in these clinical trials may be slower than we anticipate, clinical sites may drop out of our clinical trials or participants may drop out of these clinical trials at a higher rate than we anticipate;- our third-party contractors may fail to comply with regulatory requirements or meet their contractual obligations to us in a timely manner, or at all;- regulators, institutional review boards or the data safety monitoring board assembled by us to oversee our clinical trials may require that we or our investigators suspend or terminate clinical research for various reasons, including noncompliance with regulatory requirements or a finding that the participants are being exposed to unacceptable health risks due to serious and unexpected side effects;- the cost of clinical trials of our product candidates may be greater than we anticipate;- the FDA or comparable foreign regulatory authorities could require that we perform more studies than, or evaluate clinical endpoints other than, those that we currently expect;- the supply of our product candidates or other materials necessary to conduct clinical trials of our product candidates may be delayed or insufficient, or the quality of such materials may be inadequate; and - we may be required to delay or terminate studies due to financial constraints. If we are required to conduct additional clinical trials, or other tests of our product candidates beyond those that we currently contemplate, if we are unable to complete clinical trials of our product candidates or other tests successfully or in a timely manner, if the results of these trials or tests are not positive or are only modestly positive or if there are safety concerns, we may: - be delayed in obtaining marketing approval for our product candidates;- not obtain marketing approval at all;- obtain approval for indications or patient populations that are not as broad as intended or desired;- obtain approval with labeling that includes significant use or distribution restrictions or safety warnings, including boxed warnings;- be subject to additional post-marketing testing requirements;- be subject to significant restrictions on reimbursement from public and/or private payors; or - have the product removed from the market after obtaining marketing approval. Product development costs will also increase if we experience delays in testing or in receiving marketing approvals. We do not know whether any clinical trials will begin as planned, will need to be restructured or will be completed on schedule, or at all. Significant clinical trial delays also could shorten any periods during which we may have the exclusive right to commercialize our product candidates, could allow our competitors to bring products to market before we do, could increase competition from generics of the same class, and could impair our ability to successfully commercialize our product candidates, any of which may harm our business and results of operations.

Periodic maintenance fees, renewal fees, annuity fees and various other governmental fees on patents and/or applications will be due to be paid to the USPTO and various foreign or jurisdictional governmental patent agencies in several stages over the lifetime of the patents and/or applications. We have systems in place to remind us to pay these fees, and we employ an outside firm to pay these fees due to foreign patent agencies. The USPTO and various foreign governmental patent agencies require compliance with a number of procedural, documentary, fee payment and other similar provisions during the patent application process. We employ reputable law firms and other professionals to help us comply, and in many cases, an inadvertent lapse can be cured by payment of a late fee or by other means in accordance with the applicable rules. However, there are situations in which noncompliance can result in abandonment or lapse of the patent or patent application, resulting in partial or complete loss of patent rights in the relevant jurisdiction. Noncompliance events that could result in abandonment or lapse of a patent or patent application include, but are not limited to, failure to respond to official actions within prescribed time limits, non-payment of fees and failure to properly legalize and submit formal documents. Such noncompliance events are outside of our direct control for (1) non-U.S. patents and patent applications owned by us and, (2) if applicable in the future, patents and patent applications licensed to us by another entity. In such an event, our competitors might be able to enter the market, which would have a material adverse effect on our business.

We have received confidential and proprietary information from third parties. In addition, we employ individuals who were previously employed at other biotechnology or pharmaceutical companies, including our competitors or potential competitors, and academic or research institutions. We may be subject to claims that we or our employees, consultants or independent contractors have inadvertently or otherwise used or disclosed confidential information of these third parties or our employees' former employers. Litigation may be necessary to defend against these claims. Even if we are successful in defending against these claims, litigation could result in substantial cost and be a distraction to our management and employees.

We currently rely and expect to continue to rely on third parties, such as CROs, contract manufacturers of clinical supplies, clinical data management organizations, medical institutions and clinical investigators, to conduct our clinical trials and to conduct some aspects of our research and preclinical testing. Many of these third parties may terminate their engagements with us at any time. If these third parties do not successfully carry out their contractual duties, meet expected deadlines or conduct our studies in accordance with regulatory requirements or our stated protocols, we will not be able to obtain, or may be delayed in obtaining, marketing approvals for our product candidates and will not be able to, or may be delayed in our efforts to, successfully commercialize our product candidates. Furthermore, these third parties may also have relationships with other entities, some of which may be our competitors. If we need to enter into alternative arrangements, it would delay our product development activities. Our reliance on these third parties for R&D activities will reduce our control over these activities but will not relieve us of our responsibilities. For example, we will remain responsible for ensuring that each of our clinical trials is conducted in accordance with the general investigational plan and protocols for the trial. Moreover, the FDA and other international regulatory authorities require us to comply with standards, commonly referred to as Good Clinical Practices, for conducting, recording and reporting the results of clinical trials to assure that data and reported results are credible and accurate and that the rights, integrity and confidentiality of trial participants are protected. We also are required to register ongoing clinical trials and post the results of completed clinical trials on a government-sponsored database, available at www.clinicaltrials.gov, within certain timeframes. Failure to do so can result in fines, adverse publicity and civil and criminal sanctions.

Any of our product candidates that receive marketing approval may nonetheless fail to gain sufficient market acceptance by hospitals and hospital pharmacies, physicians, patients, third-party payors and others in the medical community for us to achieve commercial success. If our product candidates do not achieve an adequate level of acceptance, we may not generate sufficient product revenue to become profitable. The degree of market acceptance of our product candidates, if approved for commercial sale, will depend on a number of factors, including: - the efficacy and potential advantages compared to alternative therapies;- the size of the markets in the countries in which approvals are obtained;- terms, limitations or warnings contained in any labeling approved by the FDA or other regulatory authority;- our ability to offer any approved products for sale at competitive prices;- convenience and ease of administration compared to alternative treatments;- the willingness of the target patient population to try new therapies or dosing regimens;- the willingness of physicians to prescribe these therapies;- the strength of marketing and distribution support;- the success of competing products and the marketing efforts of our competitors;- sufficient third-party payor coverage and adequate reimbursement; and - the prevalence and severity of any side effects.