Corcept Therapeutics (CORT) Risk Analysis

We are subject to oversight by the FDA and other regulatory authorities in the United States and elsewhere with respect to our research, testing, manufacturing, quality control, labeling, packaging, distribution, adverse event reporting, storage, advertising, promotion, recordkeeping and sales and marketing activities. These requirements include submissions of safety information, annual updates on manufacturing activities and continued compliance with FDA regulations, including cGMPs, good laboratory practices and good clinical practices ("GCPs"), all of which are subject to change without notice and at the regulators' sole discretion. Foreign regulatory authorities have comparable requirements and enforcement mechanisms, which are also subject to change. The FDA and other regulators enforce these regulations through inspections of us and the laboratories, manufacturers and clinical sites we use. Discovery of previously unknown problems with a product or product candidate, such as adverse events of unanticipated severity or frequency or deficiencies in manufacturing processes or management, as well as failure to comply with current or future FDA or other U.S. or foreign regulatory requirements, may subject us to substantial civil and criminal penalties, injunctions, holds on clinical trials, product seizure, refusal to permit the import or export of products, restrictions on product marketing, withdrawal of the product from the market, product recalls, total or partial suspension of production, refusal to approve pending new drug applications ("NDAs") or supplemental NDAs, and suspension or revocation of product approvals.

We are subject to statutes and regulations governing the promotion and sale of medicine. Although physicians are permitted to prescribe drugs for any indication they choose, manufacturers may only promote products for their FDA-approved use. All other uses are referred to as "off-label"; manufacturers are prohibited from engaging in any "off-label" promotion. In the United States, we market our Products to treat hyperglycemia secondary to hypercortisolism in adult patients with endogenous hypercortisolism who have type 2 diabetes mellitus or glucose intolerance and for whom surgery has failed or is not an option. Among other activities, we provide promotional materials and training programs to physicians covering the use of our Products for this indication. The FDA may change its policies or enact new regulations at any time that may restrict our ability to promote our Products, which could adversely impact our business. If the FDA or a law enforcement agency were to determine that we engaged in off-label promotion, we could be required to change our practices and be subject to regulatory enforcement actions, including issuance of a public "warning letter," untitled letter, injunction, seizure, civil fine or criminal penalties. Federal or state enforcement authorities may act if they believe that the alleged improper promotion led to the submission and payment of claims for an unapproved use, which could result in significant fines or penalties under other statutory authorities, such as laws prohibiting false claims for reimbursement. Even if it is determined that we are not in violation of these laws, we may receive negative publicity, incur significant expenses and be forced to devote management time to defending our position. In addition to laws prohibiting off-label promotion, we are also subject to federal and state healthcare fraud and abuse laws and regulations designed to prevent fraud, kickbacks, self-dealing and other abusive practices. The United States healthcare laws and regulations that may affect our ability to operate include, but are not limited to: - the federal Anti-Kickback Statute, which prohibits, among other things, knowingly and willfully soliciting, receiving, offering or paying remuneration, directly or indirectly, in exchange for or to induce either the referral of an individual for, or the purchase, order or recommendation of, any good or service for which payment may be made under federal health care programs such as Medicare and Medicaid. And, although we structure our applicable business arrangements in accordance with the safe harbors, it is difficult to determine exactly how the law will be applied in specific circumstances. Accordingly, it is possible that certain practices of ours may be challenged under the federal Anti-Kickback Statute. From a liability perspective, a person or entity does not need to have actual knowledge of the statute or specific intent to violate it in order to have committed a violation;- federal false claims laws, including, without limitation, the False Claims Act, which prohibit any person from knowingly presenting, or causing to be presented, a false claim for payment to the federal government, or knowingly making, or causing to be made, a false statement to get a false claim paid. The federal False Claims Act is unique in that it allows private individuals (whistleblowers) to bring actions on behalf of the federal government via qui tam actions. Importantly, under the False Claims Act the government may assert that a claim including items or services resulting from a violation of the federal Anti-Kickback Statute constitutes a false or fraudulent claim for purposes of the False Claims Act;- the federal Civil Monetary Penalties law, which prohibits, among other things, offering or transferring remuneration to a federal healthcare beneficiary that a person knows or should know is likely to influence the beneficiary's decision to order or receive items or services reimbursable by the government from a particular provider or supplier;- HIPAA, which created federal criminal laws that prohibit executing a scheme to defraud any health care benefit program or making false statements relating to health care matters; similar to the federal Anti-Kickback Statute, a person or entity does not need to have actual knowledge of the statute or specific intent to violate it in order to have committed a violation;- federal "sunshine" laws, including the federal Physician Payment Sunshine Act (or sometimes referred to as the Open PaymentsTM Program), that require transparency regarding financial arrangements with health care providers, such as the reporting and disclosure requirements imposed by the Patient Protection and Affordable Care Act ("ACA") on drug manufacturers regarding any "transfer of value" made or distributed to physicians, certain non-physician practitioners, teaching hospitals, and ownership or investment interests held by physicians and their immediate family members;- federal consumer protection and unfair competition laws, which broadly regulate marketplace activities and activities that potentially harm consumers;- state law equivalents of each of the above federal laws, such as anti-kickback and false claims laws which may apply to items or services reimbursed by any third-party payer, including commercial insurers; state laws that require pharmaceutical companies to comply with the pharmaceutical industry's voluntary compliance guidelines and the relevant compliance guidance promulgated by the federal government or otherwise restrict payments that may be made to healthcare providers; and - state laws that require drug manufacturers to report information related to payments and other transfers of value to physicians and other healthcare providers or marketing expenditures and pricing information. Because of the breadth of these laws and the narrowness of the statutory exceptions and safe harbors available under them, it is possible that some of our business activities, including our relationships with physicians and other healthcare providers (some of whom recommend, purchase and/or prescribe our Products) and the manner in which we promote our Products, could be subject to challenge and scrutiny. We are also exposed to the risk that our employees, independent contractors, principal investigators, consultants, vendors, distributors and contract research organizations ("CROs") may engage in fraudulent or other illegal activity. Although we have policies and procedures prohibiting such activity, it is not always possible to identify and deter misconduct and the precautions we take may not be effective in controlling unknown risks or in protecting us from governmental investigations or other actions or lawsuits stemming from a failure to comply with applicable laws and regulations. In November 2021, we received a records subpoena from the United States Attorney's Office for the District of New Jersey (the "NJ USAO") seeking documents relating to the sale and promotion of Korlym, our relationships with and payments to health care professionals who can prescribe or recommend Korlym and prior authorizations and reimbursement for Korlym. The NJ USAO has informed us that it is investigating whether any criminal or civil violations by us occurred in connection with the matters referenced in the subpoena. It has also informed us that it does not currently consider us a defendant but rather an entity whose conduct is within the scope of the government's investigation. We are cooperating with the investigation. Please see "Part I, Item 3, Legal Proceedings" for additional details. If we are found in violation of any of the laws described above or any other government regulations, we may be subject to civil and criminal penalties, damages, fines, exclusion from governmental health care programs, a corporate integrity agreement or other agreement to resolve allegations of non-compliance, individual imprisonment, and the curtailment or restructuring of our operations, any of which could adversely affect our financial results and ability to operate.

We cannot sell a product without the approval of the FDA, EMA or comparable regulatory authority. Obtaining such approval is difficult, uncertain, lengthy and expensive. Failure can occur at any stage. In order to receive FDA approval for a new drug, we must demonstrate to the FDA's satisfaction that the new drug is safe and effective for its intended use and that our manufacturing processes comply with cGMPs. Recent disruptions at the FDA and other government agencies caused by changing presidential administrations or funding shortages could hinder their ability to hire, retain or deploy key leadership and other personnel, prevent new or modified product candidates from being developed, reviewed, approved or commercialized in a timely manner or at all, which could negatively impact our business. In addition, policies, regulations, and the type and amount of clinical data that the regulatory authority views as necessary for approval may change during the course of a product candidate's clinical development and may vary among jurisdictions. Even if we believe the preclinical or clinical data for our product candidates are promising, such data may not be sufficient to support approval by the FDA or comparable foreign regulatory authorities. Our inability or the inability of our vendors to comply with applicable FDA and other regulatory requirements can result in delays in or denials of new product approvals, suspending or withdrawing our existing regulatory approvals, mandatory modifications to labeling or promotional materials, requirements to provide corrective information to healthcare professionals, warning letters, untitled letters, fines, consent decrees restricting or suspending manufacturing operations, injunctions, civil penalties, recall or seizure of products, product detention or refusing to permit import or export of our products, total or partial suspension of product sales and criminal prosecution. We may seek to commercialize our Products in international markets, which would require us to receive a marketing authorization and, in many cases, pricing approval, from the appropriate regulatory authorities. Approval procedures vary between countries and can require additional pre-clinical or clinical studies. Obtaining approval may take longer than it does in the United States. Although approval by the FDA does not ensure approval by regulatory authorities in other countries, and approval by one foreign regulatory authority does not ensure approval by others, failure or delay in obtaining regulatory approval in one country may have a negative effect on the regulatory process in others. Any of these or other regulatory actions could materially harm our business and financial condition. We submitted an NDA for relacorilant as a treatment for patients with hypercortisolism. On December 30, 2025, the FDA issued a CRL declining to approve relacorilant for the proposed use and stating that additional evidence of effectiveness was required. We plan to meet with the FDA to arrive at the best path to approval. We have also submitted an NDA for relacorilant as a treatment, in combination with the chemotherapy medication nab-paclitaxel, for patients with platinum-resistant ovarian cancer with a PDUFA date of July 11, 2026. We have also submitted to the EMA an MAA for relacorilant in combination with nab-paclitaxel as a treatment for patients with platinum-resistant ovarian cancer with a likely regulatory decision date in the fourth quarter of 2026. These applications may be delayed and there is no assurance that they will be approved. Even if we eventually complete clinical testing and receive approval or other marketing authorization from the FDA or comparable foreign regulatory authority, the FDA or the comparable foreign regulatory authority may grant approval or other marketing authorization contingent on the performance of costly additional clinical trials, including post-marketing clinical trials. The FDA or the comparable foreign regulatory authority also may approve or authorize for marketing a product candidate for a more limited indication or patient population than we originally propose, and the FDA or comparable foreign regulatory authority may not approve or authorize the labeling that we believe is necessary or desirable for the successful commercialization of a product candidate. Any delay in obtaining, or inability to obtain, applicable regulatory approval or other marketing authorization would delay or prevent commercialization of that product candidate and would materially and adversely impact our business and prospects. In addition, if we receive regulatory approval for a product candidate, we will be subject to ongoing requirements and oversight by the FDA and other regulatory authorities, such as continued safety and other reporting requirements and possibly post-approval marketing restrictions and additional costly clinical trials. If we are not able to maintain regulatory compliance, we may be required to stop development of a product candidate or to stop selling a product that has already been approved. We may also be subject to product recalls or seizures. Future governmental action or changes in regulatory authority policy or personnel may also result in delays or rejection of pending or anticipated product approvals. The FDA's and comparable foreign regulatory authorities' policies may change and additional government regulations may be enacted that could prevent, limit or delay regulatory approval of our product candidates. For example, the U.S. Supreme Court's June 2024 decision in Loper Bright Enterprises v. Raimondo overturned the longstanding Chevron doctrine, under which courts were required to give deference to regulatory agencies' reasonable interpretations of ambiguous federal statutes. The Loper decision could result in additional legal challenges to regulations and guidance issues by federal agencies, including the FDA, on which we rely. Any such legal challenges, if successful, could have a material impact on our business. The Loper decision also may result in increased regulatory uncertainty, inconsistent judicial interpretations, and other impacts to the agency rulemaking process, any of which could adversely impact our business and operations. We cannot predict the likelihood, nature or extent of government regulation that may arise from future legislation or administrative action, either in the United States or abroad. If we are slow or unable to adapt to changes in existing requirements or the adoption of new requirements or policies, or if we are not able to maintain regulatory compliance, we may lose any marketing approval that we may have obtained and we may not achieve or sustain profitability, which could adversely affect business, operating results, prospects or financial condition.

New laws and regulations, as well as changes to existing laws and regulations, including statutes and regulations concerning taxes and the development, approval, marketing and pricing of medications, the provisions of the ACA requiring the reporting of aggregate spending related to health care professionals, the provisions of the Sarbanes-Oxley Act of 2002, the Dodd Frank Act of 2010 and rules adopted by the SEC and by The Nasdaq Stock Market LLC have and will likely continue to increase our cost of doing business and divert management's attention from revenue-generating activities. We and our partners are subject to federal, state and foreign laws and regulations concerning data privacy and security, including HIPAA and the EU General Data Protection Regulation ("GDPR"). These and other regulatory frameworks are evolving rapidly as new rules are enacted and existing ones updated and made more stringent. In the United States, numerous federal and state laws and regulations, including state data breach notification laws, state health information privacy, laws, and federal and state consumer protection laws and regulations (e.g., Section 5 of the Federal Trade Commission Act), that govern the collection, use, disclosure, and protection of health-related and other personal information could apply to our operations or the operations of our partners. In addition, we may obtain health information from third parties (including research institutions from which we obtain clinical trial data) that are subject to privacy and security requirements under HIPAA. Depending on the facts and circumstances, we could be subject to criminal penalties if we knowingly obtain, use, or disclose individually identifiable health information maintained by a HIPAA-covered entity in a manner that is not authorized or permitted by HIPAA. Requirements for compliance under HIPAA are also subject to change, as the U.S. Department of Health and Human Services Office of Civil Rights issued a proposed rule that would amend certain security compliance requirements for covered entities and business associates. Even when HIPAA does not apply, according to the Federal Trade Commission (the "FTC"), violating consumers' privacy or failing to take appropriate steps to keep consumers' personal information secure may constitute unfair acts or practices in or affecting commerce in violation of Section 5(a) of the Federal Trade Commission Act. The FTC expects a company's data security measures to be reasonable and appropriate in light of the sensitivity and volume of consumer information it holds, the size and complexity of its business, and the cost of available tools to improve security and reduce vulnerabilities. Individually identifiable health information is considered sensitive data that merits stronger safeguards. In 2024, the FTC also finalized its rulemaking on additional data privacy rules and requirements, which may add additional complexity to compliance obligations going forward. The DOJ issued a rule in 2025 entitled, "Access to U.S. Sensitive Personal Data and Government-Related Data by Countries of Concern or Covered Persons," and known less formally as the "Bulk Transfer Rule." The Bulk Transfer Rule is codified at 28 CFR part 202 and prohibits and restricts bulk transfers of sensitive personal data (including genetic and health data) to countries of concern, such as China, Russia, and Iran to prevent access by foreign adversaries. It restricts our ability to engage in certain cross-border transactions involving genomic or biological samples and related data, which may increase compliance costs, lead to increased regulatory scrutiny or liability, and may require additional contractual negotiations, which may adversely impact our business, financial condition, and operating results. In addition, certain state laws govern the privacy and security of health-related and other personal information in certain circumstances, some of which may be more stringent, broader in scope or offer greater individual rights with respect to protected health information than HIPAA and many of which may differ from each other in significant ways and may not have the same effect, thus complicating compliance efforts. Failure to comply with these laws, where applicable, can result in the imposition of significant civil and/or criminal penalties and private litigation. For example, the California Confidentiality of Medical Information Act imposes restrictive requirements regulating the use and disclosure of health information and other personally identifiable information. Further, the California Consumer Privacy Act (the "CCPA"), revised and amended by the California Privacy Rights Act (the "CPRA" and collectively, the "CCPA"), created individual privacy rights for California consumers and increased the privacy and security obligations of entities handling certain personal information as well as limitation on data uses, audit requirements for higher risk data, and opt outs for certain uses of sensitive data. The CCPA provides for civil penalties for violations, as well as a private right of action for data breaches that is expected to increase data breach litigation. The CCPA is enforced by the California Privacy Protection Agency, which is authorized to issue substantive regulations resulting in increased privacy and information security enforcement. The CCPA may increase our compliance costs and potential liability. Several other states have implemented similar comprehensive privacy laws that took effect in the past year or will take effect in the near future, and states have implemented or are considering laws that specifically focus on the processing of personal data related to individuals' health, including Washington's My Health My Data Act and California's Confidentiality of Medical Information Act. As a result, additional compliance investment and potential business process changes may be required. In the event that we are subject to or affected by HIPAA, the CCPA or other domestic privacy and data protection laws, any liability from failure to comply with the requirements of these laws could adversely affect our financial condition. Additional legislation proposed at the federal level and in other states, along with increased regulatory action, reflect a trend toward more stringent privacy legislation in the United States. Outside the United States, many jurisdictions have or are in the process of enacting extensive data privacy regulations. In Europe, the GDPR took effect in 2018, and is imposing stringent data protection requirements for controllers and processors of personal data of individuals within the EEA, particularly with respect to clinical trials. The GDPR provides that EEA member states may make further laws and regulations limiting the processing of health data, which could limit our ability to use and share personal data or could cause our costs to increase and harm our business and financial condition. In addition, the GDPR increases the scrutiny that clinical trial sites located in the EEA should apply to transfers of personal data from such sites to countries that are considered to lack an adequate level of data protection, such as the United States. Legal developments have added complexity and compliance uncertainty regarding certain transfers of information from the EEA to the United States. Following EU court decisions, updated standard contractual clauses ("SCCs") were adopted to account for these judicial decisions, imposing new requirements on data transfers. The revised SCCs must be used for relevant new data transfers from September 27, 2021, and existing SCC arrangements were required to be retired by December 27, 2022. As supervisory authorities issue further guidance on personal data export mechanisms, and/or start taking enforcement action, we could suffer additional costs, complaints and/or regulatory investigations or fines, and/or if we are otherwise unable to transfer personal data between and among countries and regions in which we operate, it could affect the manner in which we provide our services, the geographical location or segregation of our relevant systems and operations, and could adversely affect our financial results. Further, on July 10, 2023, the European Commission adopted its adequacy decision on the E.U.-U.S. Data Privacy Framework ("DPF"). The decision, which took effect on the day of its adoption, concludes that the United States ensures an adequate level of protection for personal data transferred from the EEA to companies certified to the DPF. It is currently unclear how the future of DPF will evolve and what impact it will have on our international activities. The GDPR imposes substantial fines for breaches of data protection requirements, which can be up to four percent of global revenue for the preceding financial year or €20 million, whichever is greater, and it also confers a private right of action on data subjects for breaches of data protection requirements. Compliance with European data protection laws is a rigorous and time intensive process that may increase our cost of doing business, and despite those efforts, there is a risk that we may be subject to fines and penalties, litigation and reputational harm in connection with our European activities. From January 1, 2021, we have had to comply with the GDPR and separately the UK GDPR, which, together with the amended UK Data Protection Act 2018, retains the GDPR in UK national law, each regime having the ability to fine up to the greater of €20 million/£17.5 million or 4 percent of global turnover. It is unclear how UK data protection laws and regulations will develop in the medium to longer term and these changes may lead to additional costs and increase our overall risk exposure. In addition, on June 19, 2025, the UK's Data (Use and Access) Act 2025 (the "DUAA") was granted Royal Assent, implementing various measures concerning data usage in the UK and reforming data protection laws. The provisions within the DUAA will come into force through 2026, and it is currently unclear how the DUAA will be implemented and what impact it will have on our international activities. Preparing for and complying with U.S. and foreign privacy and security laws and regulations is complex and costly as it is rigorous and time intensive and requires significant resources and a review of our technologies, systems and practices, as well as those of any third-party collaborators, service providers, CROs, contractors or consultants that process or transfer personal data collected in the EU. The GDPR and other changes in laws or regulations associated with the enhanced protection of certain types of sensitive data, such as healthcare data or other personal data from our clinical trials, and access to certain data such as the European Health Data Space Regulation, could require us to change our business practices and put in place additional compliance mechanisms, may interrupt or delay our development, regulatory and commercialization activities and increase our cost of doing business, and could lead to government enforcement actions, private litigation and significant fines and penalties against us and could have a material adverse effect on our business, financial condition or results of operations. Similarly, failure to comply with federal and state laws regarding privacy and security of personal data could expose us to fines and penalties under such laws. Even if we are not determined to have violated these laws, government investigations into these issues typically require the expenditure of significant resources and generate negative publicity, which could harm our reputation and our business.

Patients in clinical trials report changes in their health, including new illnesses, injuries and discomforts, to their study doctor. Often, it is not possible to determine whether or not these conditions were caused by the drug candidate being studied or something else. As we test our product candidates in larger, longer and more extensive clinical trials, or as use of them becomes more widespread if we receive regulatory approval, patients may report serious adverse events that did not occur or went undetected in previous trials. Many times, serious side effects are only detected in large-scale, Phase 3 clinical trials or following commercial approval. Adverse events reported in clinical trials can slow or stop patient recruitment, prevent enrolled patients from completing a trial and could give rise to liability claims. Regulatory authorities could respond to reported adverse events by interrupting or halting our clinical trials or limiting the scope of, delaying or denying marketing approval. If we elect, or are required by authorities, to delay, suspend or terminate a clinical trial or commercialization efforts, the commercial prospects of the affected product candidates or products may be harmed and our ability to generate product revenues from them may be delayed or eliminated. If one of our product candidates receives marketing approval, and we or others later identify undesirable side effects or adverse events, potentially significant negative consequences could result, including but not limited to: - we may discontinue marketing of the product candidate, or decide to remove it from the marketplace;- regulatory authorities may suspend, limit or withdraw approvals of such product;- regulatory authorities may require additional warnings on the label, including "boxed" warnings, or issue safety alerts and other safety information about the product;- we may be required to change the way the product is administered or conduct additional studies or clinical trials;- we may need to conduct a recall;- we may be required to create a Risk Evaluation and Mitigation Strategy, which could include a medication guide outlining the risks of such side effects for distribution to patients, a communication plan for healthcare providers and/or other elements to assure safe use;- the product may become less competitive;- we may not be able to achieve or maintain third-party payor coverage or adequate reimbursement;- we may be subject to fines, injunctions or the imposition of criminal penalties; and - we could be sued and held liable for harm caused to patients. Any of these events could seriously harm our business.