The global data protection landscape is rapidly evolving, and we are currently, and may become, subject to or impacted by a wide variety of provincial, state, national, and international laws and regulations applying to the collection, use, retention, protection, disclosure, transfer and other processing of personal data. These data protection and privacy-related laws and regulations are evolving and may result in increased regulatory and public scrutiny and escalating levels of enforcement and sanctions. Implementation standards and enforcement practices are likely to remain uncertain and unpredictable for the foreseeable future, which may create uncertainty in our business, affect our or our service providers' ability to operate in certain jurisdictions or to collect, store, transfer, use and share personal data, result in liability or impose additional compliance or other costs on us. Failure to comply with data protection laws and regulations, where applicable, could result in government enforcement actions, which could include civil or criminal penalties, private litigation and/or adverse publicity, and could negatively affect our operating results and business.
In the US, numerous federal and state laws and regulations, including state data breach notification laws, state health information privacy laws and federal and state consumer protection laws, govern the collection, use, disclosure and protection of health-related and other personal information. For example, the CCPA, which became effective in 2020, broadly defines personal information, gives California residents expanded individual privacy rights and protections and provides for civil penalties for violations and a private right of action for data breaches. Further, the CPRA, which became effective in 2023 and amends the CCPA, creates additional obligations with respect to processing and storing personal information. While there is a limited exception for protected health information that is subject to HIPAA and for data subject to clinical trial regulations, the CCPA may regulate or impact our processing of personal information depending on the context. Unlike other state privacy laws, the CCPA also regulates personal information collected in business-to-business and human resources contexts. Further, there continues to be some uncertainty about how provisions of the CCPA and the new regulations will be interpreted and how the law will be enforced. In addition to California, more US states have enacted and are continuing to enact similar legislation, increasing compliance complexity and increasing the risk of failures to comply. The existence of differing comprehensive privacy laws in different states may make our compliance obligations more complex and costly and may require us to modify our data processing practices and policies and to incur substantial costs and potential liability in an effort to comply with such legislation.
Even when HIPAA does not apply, according to the FTC, failing to take appropriate steps to keep consumers' personal information secure, or failing to provide a level of security commensurate with promises made to individuals about the security of their personal information (such as in a privacy notice), may constitute unfair or deceptive acts or practices in violation of Section 5(a) of the FTC Act. The FTC expects a company's data security measures to be reasonable and appropriate in light of the sensitivity and volume of consumer information it holds, the size and complexity of its business, and the cost of available tools to improve security and reduce vulnerabilities. Individually identifiable health information is considered sensitive data that merits stronger safeguards. The FTC's guidance for appropriately securing consumers' personal information is similar to what is required by the HIPAA Security Rule. The FTC and state Attorneys General have brought enforcement actions and prosecuted some data breach cases as unfair and/or deceptive acts or practices under the FTC Act and comparable state laws.
In addition, other federal and state laws establish additional requirements for protecting the privacy and security of health information that is not protected by HIPAA. For instance, Washington state passed the "My Health My Data" Act, which came into force in 2024 and regulates "consumer health data," which is broadly defined as "personal information that is linked or reasonably linkable to a consumer and that identifies a consumer's past, present, or future physical or mental health." The "My Health My Data" Act provides exemptions for personal data used or shared in connection with certain research activities, including data subject to 45 C.F.R. Parts 46, 50 and 56. Notably, the "My Health My Data" Act contains a private right of action. In addition, Nevada enacted a consumer health data privacy bill, SB 370, which took effect in 2024, and regulates "consumer health data." SB 370 shares many similarities with Washington's "My Health My Data" Act, and Connecticut has amended its comprehensive privacy law to include heightened regulation of "consumer health data." Furthermore, several states, including Illinois, Texas, and Washington, have enacted biometric privacy laws that regulate the collection and use of biometric identifiers, which may be relevant to certain activities or research involving biometric data. Additional states are considering and may adopt health-specific privacy laws that could impact our business activities and our collection and handling of health-related data.
Numerous other countries have, or are developing, laws governing the collection, use and transmission of personal information as well. For example, the European Parliament and the Council of the European Union adopted a comprehensive general data privacy framework called the GDPR, which became fully effective in May 2018 and governs the collection and use of personal data in the European Union, including by companies outside of the European Union. The GDPR also imposes strict rules on the transfer of personal data out of the European Union to the US. The GDPR imposes stringent data protection requirements and provides penalties for noncompliance of up to the greater of €20 million or four percent of worldwide annual turnover. The GDPR and many other laws and regulations relating to privacy and data protection are still being tested in courts, and they are subject to new and differing interpretations by courts and regulatory officials. The GDPR and other changes in laws or regulations associated with the enhanced protection of certain types of personal data, such as healthcare data or other sensitive information, could greatly increase our cost of providing our products and services or even prevent us from offering certain services in jurisdictions in which we may operate. The GDPR may increase our responsibility and liability in relation to personal data that we process where such processing is subject to the GDPR, and we may be required to put in place additional mechanisms to ensure compliance with the GDPR, including as implemented by individual countries. Ensuring our continued compliance with the GDPR is a rigorous and time-intensive process that may increase our cost of doing business or require us to change our business practices, and despite those efforts, there is a risk that we may be subject to fines and penalties, litigation, and reputational harm in connection with our European activities.
Many jurisdictions outside of the US and Europe are also considering and/or enacting comprehensive data protection legislation that could have an impact on market expansion and clinical trials as well.
Additionally, following the United Kingdom's withdrawal from the European Union (i.e., Brexit) and the expiry of the Brexit transition period, which ended on December 31, 2020, the GDPR has been implemented in the United Kingdom (as the UK GDPR). The UK GDPR sits alongside the UK Data Protection Act 2018, which implements certain derogations in the GDPR into UK law. Under the UK GDPR, companies not established in the UK but which process personal data in relation to the offering of goods or services to individuals in the UK, or to the monitoring of their behavior, will be subject to the UK GDPR, the requirements of which are (at this time) largely aligned with those under the EU GDPR and, as such, may lead to similar compliance and operational costs, with potential fines of up to the greater of £17.5 million or 4% of global turnover.
Transfers of personal data to certain countries outside of the EEA and the UK are also highly regulated under the GDPR and UK GDPR. For example, the GDPR only permits exports of personal data outside of the EEA to "non-adequate" countries where there is a suitable data transfer mechanism in place to safeguard personal data (e.g., the European Commission-approved Standard Contractual Clauses or certification under the EU-US Data Privacy Framework). On July 10, 2023, the European Commission adopted an adequacy decision for a new mechanism for transferring data from the EEA to certain US organizations, the EU-US Data Privacy Framework, which provides European Union individuals with several new rights, including the right to obtain access to their data, or to obtain correction or deletion of incorrect or unlawfully handled data. The adequacy decision followed the signing of an executive order introducing new binding safeguards to address transfers of personal data from the European Union to the US. Notably, the new obligations were geared to ensure that data can be accessed by US intelligence agencies only to the extent necessary and proportionate and to establish an independent and impartial redress mechanism to handle complaints from Europeans concerning the collection of their data for national security purposes. The European Commission will continually review developments in the US along with its adequacy decision. Adequacy decisions can be adapted or even withdrawn in the event of developments affecting the level of protection in the applicable jurisdiction. Additionally, the Data Privacy Framework may be subject to legal challenges, and there can be no assurance that it will remain a valid transfer mechanism. Prior transfer frameworks, including the European Union-US Privacy Shield, were invalidated by the Court of Justice of the European Union in its July 2020 decision in Maximilian Schrems vs. Facebook (Case C-311/18) (Schrems II), which also heightened the burden on companies to assess US national security laws and implement supplementary measures when relying on standard contractual clauses. Consequently, there is some risk that data transfers from the EEA could be challenged or halted. Future actions of European Union data protection authorities are difficult to predict. Some customers or other service providers may respond to these evolving laws and regulations by asking us to make certain privacy or data-related contractual commitments that we are unable or unwilling to make. This could lead to the loss of current or prospective customers or other business relationships.
Because the interpretation and application of many privacy and data protection laws (including laws in the US and the GDPR), commercial frameworks, and standards are uncertain, it is possible that these laws, frameworks, and standards may be interpreted and applied in a manner that is inconsistent with our existing data management practices and policies. If so, in addition to the possibility of fines, lawsuits, breach of contract claims, and other claims and penalties, we could be required to fundamentally change our business activities and practices or modify our solutions, which could have an adverse effect on our business. Any inability to adequately address privacy and security concerns, even if unfounded, or comply with applicable privacy and security or data security laws, regulations, and policies, could result in additional cost and liability to us, damage our reputation, inhibit our ability to conduct trials, and adversely affect our business.
Applicable data privacy and data protection laws may conflict with each other, and by complying with the laws or regulations of one jurisdiction, we may find that we are violating the laws or regulations of another jurisdiction. Despite our efforts, we may not have fully complied in the past and may not in the future. That could require us to incur significant expenses, which could significantly affect our business. Failure to comply with data protection laws or to protect personal data or other data we process or maintain may expose us to the risk of enforcement actions taken by data protection authorities or other regulatory agencies, private rights of action in some jurisdictions, potentially significant fines, penalties and other liabilities if we are found to be non-compliant, and damage to our reputation, any of which could materially affect our business, financial condition, results of operations and prospects. Furthermore, the number of government investigations related to data security incidents and privacy violations continues to increase, and government investigations typically require significant resources and generate negative publicity, which could harm our business and reputation.