We are subject to data privacy and protection laws and regulations that apply to the collection, transmission, storage and use of personally-identifying information, which among other things, impose certain requirements relating to the privacy, security and transmission of personal information, including comprehensive regulatory systems in the U.S., EU and UK. The legislative and regulatory landscape for privacy and data protection continues to evolve in jurisdictions worldwide, and there has been an increasing focus on privacy and data protection issues with the potential to affect our business. Failure to comply with any of these laws and regulations could result in enforcement action against us, including fines, claims for damages by affected individuals, damage to our reputation and loss of goodwill, any of which could have a material adverse effect on our business, financial condition, results of operations or prospects.
There are numerous U.S. federal and state laws and regulations related to the privacy and security of personal information. In particular, regulations promulgated pursuant to the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") establish privacy and security standards that limit the use and disclosure of individually identifiable health information, or protected health information, and require the implementation of administrative, physical and technological safeguards to protect the privacy of protected health information and ensure the confidentiality, integrity and availability of electronic protected health information. Determining whether protected health information has been handled in compliance with applicable privacy standards and our contractual obligations can be complex and may be subject to changing interpretation. These obligations may be applicable to some or all of our business activities now or in the future.
If we fail to comply with applicable privacy laws, including applicable HIPAA privacy and security standards, we could face civil and criminal penalties. HHS enforcement activity can result in financial liability and reputational harm, and responses to such enforcement activity can consume significant internal resources. In recent months, the Office for Civil Rights ("OCR") has been especially active in enforcing the HIPAA rules. In addition, state attorneys general are authorized to bring civil actions seeking either injunctions or damages in response to violations that threaten the privacy of state residents. We cannot be sure how these regulations will be interpreted, enforced or applied to our operations. In addition to the risks associated with enforcement activities and potential contractual liabilities, our ongoing efforts to comply with evolving laws and regulations at the federal and state level may be costly and require ongoing modifications to our policies, procedures and systems. Additionally, the OCR is looking to amend the HIPAA Security Rule, which (if and when finalized) could create additional compliance obligations and risk for our business.
In addition to potential enforcement by HHS, we could also be subject to privacy enforcement by the FTC. The FTC has been particularly focused on the unpermitted processing of health and genetic data through its recent enforcement actions and is expanding the types of privacy violations that it interprets to be "unfair" under Section 5 of the FTC Act, as well as the types of activities it views as triggering the Health Breach Notification Rule (which the FTC also has the authority to enforce). The agency is also in the process of developing rules related to commercial surveillance and data security. We will need to account for the FTC's evolving rules and guidance on proper privacy and data security practices in order to mitigate the risk of a potential enforcement action, which may be costly. Finally, the enforcement priorities of both the FTC and HHS (as well as those of other federal regulators) may be impacted by the change in administration and new leadership. These shifts in enforcement priorities may also impact our business.
There are also increased restrictions at the federal level relating to transferring sensitive data outside of the U.S. to certain foreign countries. For example, in 2024, Congress passed H.B. 815, which included the Protecting Americans' Data from Foreign Adversaries Act of 2024. This law creates certain restrictions for entities that disclose sensitive data (potentially including health data) to countries such as China. Failure to comply with these rules can lead to a potential FTC enforcement action. Additionally, the Department of Justice recently finalized a rule implementing Executive Order 14117, which creates similar restrictions related to the transfer of sensitive U.S. data to countries such as China. These data transfer restrictions (and others that may pass in the future) may create operational challenges and legal risks for our business. In 2018, California passed into law the California Consumer Privacy Act (the "CCPA"), which took effect on January 1, 2020 and imposed many requirements on businesses that process the personal information of California residents. Many of the CCPA's requirements are similar to those found in the General Data Protection Regulation (the "GDPR"), including requiring businesses to provide notice to data subjects regarding the information collected about them and how such information is used and shared, and providing data subjects the right to request access to such personal information and, in certain cases, to request the erasure of such personal information. The CCPA also affords California residents the right to opt out of "sales" of their personal information. The CCPA contains significant penalties for companies that violate its requirements.
In November 2020, California voters passed a ballot initiative for the California Privacy Rights Act (the "CPRA"), which went into effect on January 1, 2023 and significantly expanded the CCPA to incorporate additional GDPR-like provisions including requiring that the use, retention, and sharing of personal information of California residents be reasonably necessary and proportionate to the purposes of collection or processing, granting additional protections for sensitive personal information, and requiring greater disclosures related to notice to residents regarding retention of information. The CPRA also created a new enforcement agency – the California Privacy Protection Agency – whose sole responsibility is to enforce the CPRA, which will further increase compliance risk. The provisions in the CPRA may apply to some of our business activities.
In addition to California, at least eighteen other states have passed comprehensive privacy laws similar to the CCPA and CPRA. These laws are either in effect or will go into effect sometime before the end of 2026. Like the CCPA and CPRA, these laws create obligations related to the processing of personal information, as well as special obligations for the processing of "sensitive" data, which includes health data in some cases. Some of the provisions of these laws may apply to our business activities. There are also states that are strongly considering, or have already passed, comprehensive privacy laws during the 2024 legislative sessions that will go into effect in 2025 and beyond. Other states will be considering similar laws in the future, and Congress has also been debating passing a federal privacy law. There are also states that are specifically regulating health information in ways that may affect our business. For example, the state of Washington passed the My Health My Data Act in 2023, which specifically regulates health information that is not otherwise regulated by the HIPAA rules; the law also has a private right of action, which further increases the relevant compliance risk. Connecticut and Nevada have also passed similar laws regulating consumer health data, and more states are considering such legislation in 2024. These laws may impact our business activities, including our identification of research subjects, relationships with business partners and ultimately the marketing and distribution of our products.
Plaintiffs' lawyers are also increasingly using privacy-related statutes at both the state and federal level to bring lawsuits against companies for their data-related practices. In particular, there have been a significant number of cases filed against companies for their use of pixels and other web trackers. These cases often allege violations of the California Invasion of Privacy Act and other state laws regulating wiretapping, as well as the federal Video Privacy Protection Act. The rise in these types of lawsuits creates potential risk for our business.
Similar to the laws in the U.S., there are significant privacy and data security laws that apply in Europe and other countries. The collection, use, disclosure, transfer, or other processing of personal data, including personal health data, regarding individuals who are located in the EEA, and the processing of personal data that takes place in the EEA, is regulated by the GDPR, which went into effect in May 2018 and which imposes obligations on companies that operate in our industry with respect to the processing of personal data and the cross-border transfer of such data. The GDPR imposes onerous accountability obligations requiring data controllers and processors to maintain a record of their data processing and policies. If our or our partners' or service providers' privacy or data security measures fail to comply with the GDPR requirements, we may be subject to litigation, regulatory investigations, enforcement notices requiring us to change the way we use personal data and/or fines of up to 20 million Euros or up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher, as well as compensation claims by affected individuals, negative publicity, reputational harm and a potential loss of business and goodwill.
The GDPR places restrictions on the cross-border transfer of personal data from the EU to countries that have not been found by the EC to offer adequate data protection legislation, such as the U.S. There are ongoing concerns about the ability of companies to transfer personal data from the EU to other countries. In July 2020, the Court of Justice of the European Union (the "CJEU") invalidated the EU-U.S. Privacy Shield, one of the mechanisms used to legitimize the transfer of personal data from the EEA to the U.S. The CJEU decision also drew into question the long-term viability of an alternative means of data transfer, the standard contractual clauses, for transfers of personal data from the EEA to the U.S. While we were not self-certified under the Privacy Shield, this CJEU decision may lead to increased scrutiny on data transfers from the EEA to the U.S. generally and increase our costs of compliance with data privacy legislation as well as our costs of negotiating appropriate privacy and security agreements with our vendors and business partners.
In October 2022, President Biden signed an executive order to implement the EU-U.S. Data Privacy Framework, which serves as a replacement to the EU-U.S. Privacy Shield. The EC adopted the adequacy decision on July 10, 2023. The adequacy decision permits U.S. companies who self-certify to the EU-U.S. Data Privacy Framework to rely on it as a valid data transfer mechanism for data transfers from the EU to the U.S. However, some privacy advocacy groups have already suggested that they will be challenging the EU-U.S. Data Privacy Framework. If these challenges are successful, they may not only impact the EU-U.S. Data Privacy Framework, but also further limit the viability of the standard contractual clauses and other data transfer mechanisms. The uncertainty around this issue has the potential to impact our business. Following the withdrawal of the UK from the EU, the UK Data Protection Act 2018 applies to the processing of personal data that takes place in the UK and includes parallel obligations to those set forth by GDPR. In relation to data transfers, both the UK and the EU have determined, through separate "adequacy" decisions, that data transfers between the two jurisdictions are in compliance with the UK Data Protection Act and the GDPR, respectively. The UK and the U.S. have also agreed to a U.S.-UK "Data Bridge", which functions similarly to the EU-U.S. Data Privacy Framework and provides an additional legal mechanism for companies to transfer data from the UK to the U.S.
Following Brexit, there are open questions about how personal data will be protected in the U.K. and whether personal information can be transferred from the EU to the U.K. Following the withdrawal of the U.K. from the EU, the U.K. Data Protection Act 2018 applies to the processing of personal data that takes place in the U.K. and includes parallel obligations to those set forth by the GDPR. While the Data Protection Act 2018 in the U.K., which "implements" and complements the GDPR, received Royal Assent on May 23, 2018 and is now effective in the U.K., it is unclear whether transfers of data from the EEA to the U.K. will remain lawful under the GDPR. The U.K. government has already determined that it considers all 27 European Union member states and the EEA member states to be adequate for the purposes of data protection, ensuring that data flows from the U.K. to the EU/EEA remain unaffected. In addition, a recent decision from the European Commission appears to deem the U.K. "essentially adequate" for purposes of data transfers from the EU to the U.K., although this decision may be re-evaluated in the future. The U.K. and the United States have also agreed on a framework for personal data to be transferred between the U.K. and the United States, called the U.K.-U.S. Data Bridge. The U.K.-U.S. Data Bridge may be challenged in the future.
Beyond GDPR, there are privacy and data security laws in a growing number of countries around the world. While many loosely follow GDPR as a model, other laws contain different or conflicting provisions. These laws will impact our ability to conduct our business activities, including both our clinical trials and the sale and distribution of commercial products, through increased compliance costs, costs associated with contracting and potential enforcement actions.
While we continue to address the implications of the recent changes to data privacy regulations, data privacy remains an evolving landscape at both the domestic and international level, with new regulations coming into effect and continued legal challenges, and our efforts to comply with the evolving data protection rules may be unsuccessful. It is possible that these laws may be interpreted and applied in a manner that is inconsistent with our practices. We must devote significant resources to understanding and complying with this changing landscape. Failure to comply with laws regarding data protection would expose us to risk of enforcement actions taken by data protection authorities in the EEA and elsewhere and carries with it the potential for significant penalties if we are found to be non-compliant. Similarly, failure to comply with federal and state laws in the U.S. regarding privacy and security of personal information could expose us to penalties under such laws. Any such failure to comply with data protection and privacy laws could result in government-imposed fines or orders requiring that we change our practices, claims for damages or other liabilities, regulatory investigations and enforcement action, litigation and significant costs for remediation, any of which could adversely affect our business. Even if we are not determined to have violated these laws, government investigations into these issues typically require the expenditure of significant resources and generate negative publicity, which could harm our business, financial condition, results of operations or prospects.