Certara (CERT) Risk Factors

Market acceptance of our products depends upon the continuous, effective and reliable operation of our software and other biosimulation tools and models. New or enhanced products or services, whether developed internally or acquired through acquisitions, can require long development and testing periods, which may result in delays in scheduled introduction. Our software solutions and biosimulation tools and models are inherently complex and may contain defects or errors. The risk of errors is particularly significant when a new product is first introduced or when new versions or enhancements of existing software solutions are released, such as the integration of AI technology with our existing software products. Although we extensively test and conduct quality control on each new or enhanced biosimulation product before it is released to the market, there can be no assurance that significant errors will not be found in existing or future releases. As a result, in the months following the introduction of certain releases, we may need to devote significant resources to correct these errors. There can be no assurance, however, that all of these errors can be corrected. Many of our customers also require that new versions of our software be internally validated before implementing it, which can result in implementation delays or the decision to skip smaller updates altogether. Any errors, defects, disruptions or other performance problems with our products could hurt our reputation and may damage our customers' businesses. Any delays in the release schedule for new or enhanced products or services may delay market acceptance of these products or services and may result in delays in new customer orders for these new or enhanced products or services or the loss of customer orders, which may have a material adverse effect on our business, financial condition and results of operations. To the extent that defects or errors cause our software or other biosimulation tools to malfunction and our customers' use of our products is interrupted, or the data derived from the use of our products is incorrect or incomplete, our customers may delay or withhold payment to us, cancel their agreements with us or elect not to renew, make service credit claims, warranty claims or other claims against us, and we could lose future sales. The occurrence of any of these events could result in diminishing demand for our software, a reduction of our revenues, an increase in collection cycles for accounts receivable, and require us to increase our warranty provisions or incur the expense of litigation or substantial liability.

The evolution of technology systems introduces ever more complex security risks that are difficult to predict and defend against. An increasing number of companies, including those with significant online operations, have recently disclosed breaches of their security, some of which involved sophisticated tactics and techniques allegedly attributable to criminal enterprises or nation-state actors. While we believe that we have taken appropriate measures to prevent unintended access to the data we hold (including implementing security and privacy controls, training our workforce and implementing new technology) and we continue to improve and enhance our systems in this regard, our efforts may not always be successful. In addition, cybersecurity threats are constantly evolving, are becoming more frequent and more sophisticated and are being made by groups of individuals with a wide range of expertise and motives, which increases the difficulty of detecting and successfully defending against them. Accordingly, we do not know whether our current practices will be deemed sufficient under applicable laws or whether new regulatory requirements might make our current practices insufficient. Our solutions involve the collection, analysis and retention of our customers' proprietary information related to their drug development efforts, including clinical data. Unauthorized access to this information or data, whether deliberate or unintentional, could result in the loss of information, litigation, indemnity obligations, damage to our reputation and other liability. Our reliance on remote access to our information systems exposes us to potential cybersecurity breaches and the risk of loss or exposure of such information and data. Additionally, we rely on third parties and their security procedures for the secure storage, processing, maintenance, and transmission of information that is critical to our operations and such third- parties may also suffer cybersecurity incidents. Depending on their nature and scope, this could potentially result in the misappropriation, destruction, corruption or unavailability of critical data and confidential or proprietary information (our own or that of third parties, including information about our customers and employees) and the disruption of business operations. If there is a cybersecurity incident and we know or reasonably suspect that certain personal information has been subject to unauthorized or unlawful access or use, we may need to inform the affected individuals and may be subject to significant fines and penalties. Further, under certain regulatory schemes, such as the CCPA, individual California residents may bring private claims for our failure to deploy reasonable and appropriate cybersecurity controls and we also may be liable for statutory and multiple damages in California and other states. Further, if our technical and operational safeguards fail, our existing and prospective customers may lose confidence in our ability to maintain the confidentiality of their intellectual property and other proprietary data, we may be subject to breach of contract claims by our customers and we may suffer reputational and other harm as a result. Our insurance may not be adequate to cover losses associated with such events, and in any case, such insurance may not cover all of the types of costs, expenses and losses we could incur to respond to and remediate a security breach. Defending against investigations, claims or litigation based on any security breach or incident, regardless of their merit, will be costly and may cause reputation harm. The successful assertion of one or more large claims against us that exceed available insurance coverage, denial of coverage as to any specific claim, or any change or cessation in our insurance policies and coverages, including premium increases or the imposition of large deductible requirements, could have a material adverse effect on our reputation, business, financial condition and results of operations.

We are subject to claims that arise in the ordinary course of business, such as claims in connection with commercial disputes, employment claims made by our current or former employees, or claims brought by third-parties for failure to adequately protect their personal data. Third parties may in the future assert intellectual property rights to technologies that are important to our business and demand back royalties or that we license their technology. Litigation may result in substantial costs and may divert management's attention and resources, which may seriously harm our business, overall financial condition and operating results. Insurance may not cover such claims, may not be sufficient for one or more of such claims and may not continue to be available on terms acceptable to us. A claim brought against us that is uninsured or underinsured could result in unanticipated costs, negatively affecting our business, financial condition and results of operations.

As of December 31, 2023, we had federal and state NOLs of approximately $1.6 million and $0.04 million, respectively, which are available to reduce future taxable income and expire between 2035 and 2036 and 2029 and 2040, respectively. We had federal and state R&D tax credit carryforwards of approximately $0.3 million and $0, respectively, to offset future income taxes, which expire between 2027 and 2028. We also had foreign tax credits of approximately $13.8 million, which will start t,o expire in 2027. These carryforwards that may be utilized in a future period may be subject to limitations based upon changes in the ownership of our stock in a future period. Additionally, we carried forward foreign NOLs of approximately $81.6 million which will start to expire in 2024, foreign R&D credits of $0.3 million which expire in 2029, and Canadian investment tax credits of approximately $3.8 million which expire between 2031 and 2041. Our carryforwards are subject to review and possible adjustment by the appropriate taxing authorities. In addition, in general, under Section 382 of the Internal Revenue Code of 1986, as amended (the "Code"), and corresponding provisions of state law, a corporation that undergoes an "ownership change," generally defined as a greater than 50 percentage point change (by value) in its equity ownership by certain stockholders over a three year period, is subject to limitations on its ability to utilize its pre-change NOLs, R&D tax credit carryforwards and disallowed interest expense carryforwards to offset future taxable income. We have performed an analysis for the period January 1, 2023 through December 31, 2023 and determined no ownership change occurred during this period. In addition, we determined that ownership changes occurred in prior periods and therefore our NOLs and R&D tax credit carryforwards reflect the amounts available after considering such limitations. We may experience further ownership changes in the future and/or subsequent changes in our stock ownership (which may be outside our control). As a result, if, and to the extent that, we earn net taxable income, our ability to use our pre-change NOLs, R&D tax credit carryforwards and disallowed interest expense carryforwards to offset such taxable income may be subject to limitations.

In the normal course of our business, we collect, process, use and disclose information about individuals, including protected health information and other patient data, as well as information relating to health professionals and our employees. The collection, processing, use, disclosure, disposal and protection of such information is highly regulated both in the U. S. and other jurisdictions, including but not limited to, under HIPAA, as amended by HITECH; United States state privacy, security and breach notification and healthcare information laws; the European Union's GDPR, UK GDPR, and other European and UK privacy laws, as well as the expanding number of privacy laws around the world, including China and Canada. These laws are complex and their interpretation is rapidly evolving, making implementation and enforcement, and thus compliance requirements, uncertain and potentially inconsistent. In addition, our collection, use, disclosure, protection and other processing of information is subject to related contractual requirements. Compliance with such laws and related contractual requirements may require changes to our information processing practices, and may thereby increase compliance costs. Failure to comply with such laws and/or related contractual obligations could result in regulatory enforcement or claims against us for breach of contract, or may lead third parties to terminate their contracts with us and/or choose not to work with us in the future. Should this occur, there could be a material adverse effect on our reputation, business, financial condition, and results of operations. These regulations often govern the handling of information about individuals, including personal health information and require the use of standard contracts, privacy and security standards and other administrative simplification provisions. In relation to HIPAA, we do not consider our service offerings to generally cause us to be subject as a covered entity; however, in certain circumstances, we are subject to HIPAA as a business associate and may enter into business associate agreements. Additionally, the FTC and many state attorneys general are interpreting existing federal and state consumer protection laws to impose evolving standards for the online collection, use, dissemination and security of information about individuals, including health-related information. Courts may also adopt the standards for fair information practices promulgated by the FTC, which concern consumer notice, choice, security and access. Consumer protection laws require us to publish statements that describe how we handle information about individuals and choices individuals may have about the way we handle their information. If such information that we publish is considered untrue, we may be subject to government claims of unfair or deceptive trade practices, which could lead to significant liabilities and consequences. Furthermore, according to the FTC, violating consumers' privacy rights or failing to take appropriate steps to keep information about consumers secure may constitute unfair acts or practices in or affecting commerce in violation of Section 5(a) of the FTC Act. In addition, certain states have adopted robust privacy and security laws and regulations. Such laws and regulations will be subject to interpretation by various courts and other governmental authorities, thus creating potentially complex compliance issues for us and our future customers and strategic partners. For example, the CCPA, imposes obligations and restrictions on businesses regarding their collection, use, and sharing of personal information and provides new and enhanced data privacy rights to California residents, such as affording them the right to access and delete their personal information and to opt out of certain sharing of personal information. Protected health information that is subject to HIPAA is excluded from the CCPA, however, information we hold about individuals that is not subject to HIPAA would be subject to the CCPA. It is unclear how HIPAA and the other exceptions may be applied under the CCPA. The CCPA may increase our compliance costs and potential liability. Many similar privacy laws have been proposed at the federal level and in other states. The GDPR and the UK GDPR regulate our processing of personal data, and imposes stringent requirements. Failure to comply with the GDPR or UK GDPR may result in fines up to the greater of €20 million or 4.0% of worldwide gross annual revenue and applies to services providers such as us under each of GDPR and UK GDPR. There is uncertainty regarding transfers of personal data from the EEA to the United States, including regarding the status and enforceability of the EU-US Privacy Shield Framework ("Privacy Shield") under which personal data could be transferred from the EEA to U.S. entities who had self-certified under the Privacy Shield scheme. While the Court of Justice of the European Union (CJEU) upheld the adequacy of the standard contractual clauses (a standard form of contract approved by the European Commission as an adequate personal data transfer mechanism, and potential alternative to the Privacy Shield), it made clear that reliance on them alone may not necessarily be sufficient in all circumstances; and the validity of the standard contractual clauses as a transfer mechanism remains uncertain. We have previously relied on our own Privacy Shield certification and our relevant customers' and third parties' Privacy Shield certification(s) for the purposes of transferring personal data from the EEA to the United States in compliance with the GDPR's data export conditions. We also currently rely on the standard contractual clauses to transfer personal data outside the EEA, including to the United States. If all or some jurisdictions within the European Union or the United Kingdom determine that the standard contractual clauses do not provide sufficient safeguards to transfer personal data to the United States, our ability to effect cross-border transfers of personal data will be severely limited or cause us to need to establish systems to maintain certain data in the EEA or UK, and thereby divert resources from other aspects of our operations, all of which may adversely affect our business or we may face governmental enforcement actions, litigation, fines and penalties or adverse publicity, which could have an adverse effect on our reputation and business. We believe we maintain adequate processes and systems in compliance with the requirements of the GDPR and UK GDPR, but it is possible that we could fail to comply or that we could incur liability due to the acts or omissions of our vendors. In the event we are not able to secure indemnification or the indemnification and any insurance coverage is inadequate to cover our losses, we could suffer significant financial, operational, reputational and other harm and our business, results of operations, financial condition and/or cash flows could be materially adversely affected. Furthermore, as supervisory authorities issue further guidance on personal data export mechanisms, including circumstances where the standard contractual clauses cannot be used, and/or start taking enforcement action, we could suffer additional costs, complaints and/or regulatory investigations or fines, and/or if we are otherwise unable to transfer personal data between and among countries and regions in which we operate, it could affect the manner in which we provide our services, the geographical location or segregation of our relevant systems and operations, and could adversely affect our financial results. Privacy and data security laws are rapidly evolving both in the United States and internationally, and the future interpretation of those laws is somewhat uncertain. Additional legislation or regulation might, among other things, require us to implement new security measures and processes or bring within the legislation or regulation de-identified health or other information about individuals, each of which may require substantial expenditures or limit our ability to offer some of our services.

The market for our biosimulation products and related services for the biopharmaceutical industry is competitive and highly fragmented. In biosimulation software, we compete with other scientific software providers, technology companies, in-house development by biopharmaceutical companies, and certain open source solutions. In the technology-driven services market, we compete with specialized companies, in-house teams at biopharmaceutical companies, and academic and government institutions. In some standard biosimulation services, and in regulatory, and market access, we also compete with contract research organizations. Some of our competitors and potential competitors have longer operating histories in certain segments of our industry than we do and could have greater financial, technical, marketing, R&D and other resources. Some of our competitors offer products and services directed at more specific markets than those we target, enabling these competitors to focus a greater proportion of their efforts and resources on those specific markets. Some competing products are developed and made available at lower cost by government organizations and academic institutions, and these entities may be able to devote substantial resources to product development. Some clinical research organizations or technology companies may decide to enter into or expand their offerings in the biosimulation area, whether through acquisition or internal development. We also face competition from open source software initiatives, in which developers provide software and intellectual property free of charge, such as R and PK-Sim software. In addition, some of our customers spend significant internal resources in order to develop their own solutions. Our current or potential competitors may develop products, services or technologies that are comparable, or superior to, or will render obsolete, the products, services and technologies we offer. In addition, our competitors may adapt more quickly than we do to technological advances and customer demands, thereby increasing such competitors' market share relative to ours. Any material decrease in demand for our technologies or services may have a material adverse effect on our business, financial condition and results of operations.

One of our strategic goals is to increase the breadth and utilization of products and services we provide to our existing customers, such as increasing the number of user licenses for our software products, selling licenses for new software products and expanding the number and scope of services we provide to individual customers. As the total annual expenditure from a particular customer increases, we may experience pricing pressure, often from the customer's procurement department, in the form of requests for discounts or rebates, price freezes and less favorable payment terms. This could have an adverse impact on our profitability.

The services we provide to biopharmaceutical companies and other customers are complex and subject to contractual requirements, regulatory standards and ethical considerations. For example, some of our services must adhere to the regulatory requirements of the FDA governing our activities relating to preclinical studies and clinical trials, including GLP and GCP. Additionally, we are subject to compliance with FDA's regulations set forth in part 11 of title 21 of the Code of Federal Regulations, which relates to the creation, modification,maintenance, storage, retrieval, or transmittal of electronic records submitted to the FDA. FDA may also issue or finalize guidance documents that may have implications for our customers and our products, platforms, and services. We may be subject to inspection by regulatory authorities in connection with our customers' marketing applications and other regulatory submissions. If we fail to perform our services in accordance with regulatory requirements, regulatory authorities may take action against us or our customers for failure to comply with applicable regulations governing the development and testing of therapeutic products. Regulatory authorities may also disqualify certain data or analyses from consideration in connection with applications for regulatory approvals, which would result in our customers not being able to rely on our services in connection with their regulatory submissions and may subject our customers to additional or repeat clinical trials and delays in the development and regulatory approval process. Mistakes in providing services to our customers, such as dosing models, could affect medical decisions for patients in clinical trials and create liability for personal injury. Such actions may include sanctions, such as warning or untitled letters, injunctions, or failure of such regulatory authorities to grant marketing approval of products, delay, suspension, or withdrawal of approvals, license revocation, loss of accreditation; product seizures or recalls; operational restrictions; civil or criminal penalties or prosecutions, damages or fines. Customers may also bring claims against us for breach of our contractual obligations or errors in the outcomes of our products or services, may terminate their contracts with us and/or may choose not to award further work to us. Any such action could have a material adverse effect on our reputation, business, financial condition and results of operations.

We outsource substantially all of the infrastructure relating to our hosted software solutions to third-party hosting services. Customers of our hosted software solutions need to be able to access our software platform at any time, without interruption or degradation of performance, and we provide them with service-level commitments with respect to uptime. Our hosted software solutions depend on protecting the virtual cloud infrastructure hosted by third-party hosting services by maintaining its configuration, architecture, features and interconnection specifications, as well as the information stored in these virtual data centers, which is transmitted by third-party internet service providers. Any limitation on the capacity of our third-party hosting services could impede our ability to onboard new customers or expand the usage of our existing customers, which could adversely affect our business, financial condition and results of operations. In addition, any incident affecting our third-party hosting services' infrastructure that may be caused by cyber-attacks, natural disasters, fire, flood, severe storm, earthquake, power loss, telecommunications failures, terrorist or other attacks or other similar events beyond our control could negatively affect our cloud-based solutions. Work- from-home and other flexible work arrangements have impacted our third-party vendors by increasing operational challenges and risks, including vulnerabilities to cybersecurity and information technology infrastructure threats. A prolonged service disruption affecting our cloud-based solutions for any of the foregoing reasons would negatively impact our ability to serve our customers and could damage our reputation with current and potential customers, expose us to liability, cause us to lose customers or otherwise harm our business. We may also incur significant costs for using alternative equipment or taking other actions in preparation for, or in reaction to, events that damage the third-party hosting services we use. In the event that our service agreements with our third-party hosting services are terminated, or there is a lapse of service, elimination of services or features that we utilize, interruption of internet service provider connectivity or damage to such facilities, we could experience interruptions in access to our platform as well as significant delays and additional expense in arranging or creating new facilities and services and/or re-architecting our hosted software solutions for deployment on a different cloud infrastructure service provider, which could adversely affect our business, financial condition and results of operations.

We maintain insurance coverage for protection against many risks of liability, including directors and officers liability, professional errors and omissions, breach of fiduciary duty, and cybersecurity risks. The extent of our insurance coverage is under continuous review and is modified as we deem it necessary. Despite this insurance, it is possible that claims or liabilities against us may not have been fully insured, or our insurance carriers may contest coverage, which could have a material adverse impact on our financial position or results of operations. In addition, we may not be able to obtain any insurance coverage, or adequate insurance coverage on attractive terms, or at all, when our existing insurance coverage expires and the cost of obtaining such insurance coverage may materially increase.

We derive limited revenue from contracts with U. S. government, including the FDA and the Center for Disease Control and Prevention within the Department of Health and Human Services. We have also accepted limited grant funds from governmental entities, whereby we are reimbursed for certain expenses incurred, subject to our compliance with the specific requirements of the applicable grant, including rigorous documentation requirements. We may enter into further contracts with the U.S. or foreign governments in the future, or accept additional grant funds. These subject us to statutes and regulations applicable to companies doing business with the government. These types of contracts customarily contain provisions that give the government substantial rights and remedies, many of which are not typically found in commercial contracts and which are unfavorable to contractors, including provisions that allow the government to unilaterally terminate or modify our federal government contracts, in whole or in part, at the government's convenience or in the government's best interest, including if funds become unavailable to the applicable government agency. Under general principles of government contracting law, if the government terminates a contract for convenience, the terminated company may generally recover only its incurred or committed costs and settlement expenses and profit on work completed prior to the termination. If the government terminates a contract for default, the defaulting company may be liable for any extra costs incurred by the government in procuring undelivered items from another source. Further, the laws and regulations governing the procurement of goods and services by the U.S. government provide procedures by which other bidders and interested parties may challenge the award of a government contract at the U.S. Government Accountability Office ("GAO") or in federal court. If we are awarded a government contract, such challenges or protests could be filed even if there are not any valid legal grounds on which to base the protest. If any such protests are filed, the government agency may decide to suspend our performance under the contract while such protests are being considered by the GAO or the applicable federal court, thus potentially delaying delivery of payment. In addition, government contracts and grants normally contain additional requirements that may increase our costs of doing business, reduce our profits, and expose us to liability for failure to comply with these terms and conditions. These requirements include, for example: - compliance with complex regulations for procurement, formation, administration, and performance of government contracts under the Federal Acquisition Regulations, agency-specific regulations supplemental to the Federal Acquisition Regulations, and regulations specific to the administration of grants by the U.S. government;- specialized disclosure and accounting requirements unique to government contracts and grants;- mandatory financial and compliance audits that may result in potential liability for price or cost adjustments, recoupment of government funds after such funds have been spent, civil and criminal penalties, or administrative sanctions such as suspension or debarment from doing business with the U.S. government;- public disclosures of certain contract, grant, and company information; and - mandatory socioeconomic compliance requirements, including labor requirements, non-discrimination and affirmative action programs and environmental compliance requirements. Government contracts and grants are also generally subject to greater scrutiny by the government, which can unilaterally initiate reviews, audits and investigations regarding our compliance with government contract and grant requirements. In addition, if we fail to comply with government contract laws, regulations and contract or grant requirements, our contracts and grants may be subject to termination or suspension, and we may be subject to financial and/or other liability under our contracts or under the Federal Civil False Claims Act. The False Claims Act's "whistleblower" provisions allow private individuals, including present and former employees, to sue on behalf of the U.S. government. The False Claims Act statute provides for treble damages and other penalties and, if our operations are found to be in violation of the False Claims Act, we could face other adverse action, including suspension or prohibition from doing business with the United States government. Any penalties, damages, fines, suspension, or damages could adversely affect our ability to operate our business and our financial results.

We derive a significant portion of our total revenue from our operations in international markets. During the years ended December 31, 2023 and 2022, 27% and 26%, respectively, of our revenues were transacted in foreign currencies, the majority of which included the British Pound Sterling, the Euro and Japanese Yen. Our global business may be affected by local economic conditions, including inflation, recession and currency exchange rate fluctuations. Changes in the value of the U.S. dollar relative to other currencies could result in material foreign currency exchange rate fluctuations and, as a result, our revenue and net earnings could be materially adversely affected. In addition, political and economic changes, including international conflicts and terrorist acts, throughout the world may interfere with our or our customers' activities in particular locations and result in a material adverse effect on our business, financial condition and operating results. Although we do not believe the current conflicts between Russia and Ukraine in Europe and Israel and Hamas in the Middle East pose any immediate material impact to our business, if the conflict intensifies or expands beyond Ukraine or Gaza, it could have an adverse impact on our business, particularly our operations in Poland and our ability to use consultants in that region of the world. We could also experience a delay or cancellation of work orders to the extent they rely on clinical trials being conducted in Ukraine. Potential trade restrictions, exchange controls, adverse tax consequences and legal restrictions may affect our revenue from customers located outside the United States and the repatriation of funds into the United States. Also, we could be subject to unexpected changes in regulatory requirements, the difficulties of compliance with a wide variety of foreign laws and regulations, potentially negative consequences from changes in or interpretations of U.S. and foreign tax laws, import and export licensing requirements and longer accounts receivable cycles in certain foreign countries. Foreign currency exchange rate hedges, transactions, re-measurements, or translations could also materially impact our financial results. These risks, individually or in the aggregate, could have an adverse effect on our operating and financial results.

We may be subject to risks related to natural disasters, epidemic diseases, pandemics, and public health crises, which could adversely impact supply chain interruptions, disruptions or delays to pipeline development and clinical trials and interruptions or delays in regulatory approvals. These and other adverse impacts on our customers and economic conditions may cause our customers to delay or cancel projects or significantly scale back their operations or R&D spending and limit the use of third parties, which could have a material adverse effect on our business. Public health crises, such as the COVID 19 pandemic, could also impact the health of our employees and cause extensive absences from work, which may delay the completion of internal projects and lower our consultant utilization rates. Even if we follow what we believe to be best practices, we may not be able to prevent the transmission of disease between employees. Any incidents of actual or perceived transmission may expose us to liability claims and adversely impact employee productivity and morale. Our business could be negatively impacted by other natural disasters, such as new disease epidemics, significant weather events, the outbreak of war or acts of terrorism, such as the war between Russia and Ukraine, or other "acts of God," each of which may be exacerbated by the effects of global climate change. We are a global company with offices in many countries. Disruptions in the infrastructure, either on a local or global scale, caused by these types of events could adversely affect our ability to serve our customers. Although we have disaster recovery plans, carry business interruption insurance policies and typically have provisions in our contracts that protect us in certain force majeure type events, our coverage might not be adequate to compensate us for all losses that may occur.