HilleVax, Inc (HLVX) Risk Analysis

On April 18, 2022, we entered into a Loan and Security Agreement (Loan Agreement) with Hercules Capital, Inc., as administrative and collateral agent, and the lenders party thereto, providing for term loans of up to $75.0 million in the aggregate (collectively, Term Loans). We borrowed $5.0 million on April 18, 2022, $10.0 million on December 15, 2022, and an additional $10.0 million on June 16, 2023. We have the right to borrow an additional $50.0 million in the aggregate subject to the achievement of certain specified financing and clinical development milestones (as described in the section titled "Management's discussion and analysis of financial condition and results of operations-Liquidity and capital resources-Term Loan Facility") and no event of default having occurred and be continuing. All obligations under the Term Loans are secured by a first priority lien on substantially all of our assets, including intellectual property and certain other assets. As a result, if we default on any of our obligations under the Loan Agreement, the lenders could foreclose on their security interest and liquidate some or all of the collateral, which would harm our business, financial condition and results of operations and could require us to reduce or cease operations. In order to service this indebtedness and any additional indebtedness we may incur in the future, we need to generate cash from our operating activities. Our ability to generate cash is subject, in part, to our ability to successfully execute our business strategy, as well as general economic, financial, competitive, regulatory and other factors beyond our control. Our business may not be able to generate sufficient cash flow from operations, and future borrowings or other financings may not be available to us in an amount sufficient to enable us to service our indebtedness and fund our other liquidity needs. To the extent we are required to use cash from operations or the proceeds of any future financing to service our indebtedness instead of funding working capital, capital expenditures or other general corporate purposes, we will be less able to plan for, or react to, changes in our business, industry and in the economy generally. This could place us at a competitive disadvantage compared to our competitors that have less indebtedness. The Loan Agreement contains certain customary affirmative and negative covenants and events of default. The affirmative covenants include, among others, covenants requiring us to maintain our legal existence and governmental approvals, deliver certain financial reports, maintain insurance coverage and satisfy certain requirements regarding our operating accounts. The negative covenants include, among others, limitations on our ability to incur additional indebtedness and liens, merge with other companies or consummate certain changes of control, acquire other companies or businesses, make certain investments, pay dividends, transfer or dispose of assets, amend certain material agreements, including the Takeda License, or enter into various specified transactions. While we believe we are currently in compliance with the covenants contained in the Loan Agreement, we may breach these covenants in the future. Our ability to comply with these covenants may be affected by events and factors beyond our control. In the event that we breach one or more covenants, the lenders may choose to declare an event of default and require that we immediately repay all amounts outstanding under the Loan Agreement, terminate any commitment to extend further credit and foreclose on the collateral. The occurrence of any of these events could have a material adverse effect on our business, financial condition and results of operations.

We and our service providers maintain and will maintain a large quantity of sensitive information, including confidential business and patient health information, in connection with our preclinical studies and clinical trials, and are subject to laws and regulations governing the privacy and security of such information. The global data protection landscape is rapidly evolving, and we and our service providers may be affected by or subject to new, amended or existing laws and regulations in the future, including as our operations continue to expand or if we operate in foreign jurisdictions. These laws and regulations may be subject to differing interpretations, which adds to the complexity of processing personal information. Guidance on implementation and compliance practices are often updated or otherwise revised. This may create uncertainty in our business, affect our ability to operate in certain jurisdictions or to collect, store, transfer, use, share and otherwise process personal information, necessitate the acceptance of more onerous obligations in our contracts, result in liability or impose additional costs on us. The cost of compliance with these laws, regulations and standards is high and is likely to increase in the future. Any failure or perceived failure by us to comply with federal, state or foreign laws or regulation, our internal policies and procedures or our contracts governing our processing of personal information could result in negative publicity, government investigations and enforcement actions, claims by third parties and damage to our reputation, any of which could have a material adverse effect on our operations, financial performance and business. As our operations and business grow, we may become subject to or affected by new or additional data protection laws and regulations and face increased scrutiny or attention from regulatory authorities. In the United States, numerous federal and state laws and regulations, including health information privacy laws, data breach notification laws and consumer protection laws (e.g., Section 5 of the Federal Trade Commission Act), that govern the collection, use, storage, transfer, disclosure, protection and other processing of health-related and other personal information could apply to our operations or the operations of our collaborators and third-party providers. In addition, we may obtain health information from third parties (including research institutions from which we obtain clinical trial data) that are subject to privacy and security requirements under HIPAA. Depending on the facts and circumstances, we could be subject to significant penalties if we violate HIPAA. In addition, certain state laws govern the privacy and security of health-related and other personal information in certain circumstances. These laws are evolving rapidly and may differ from each other in significant ways and may not have the same effect, thus complicating compliance efforts. By way of example, the California Consumer Privacy Act (CCPA), which went into effect on January 1, 2020, gives California residents individual privacy rights to access and delete their personal information, opt out of certain personal information sharing, and receive detailed information about how their personal information is used. The CCPA provides for civil penalties for violations, as well as a private right of action for data breaches that is expected to increase data breach litigation. The CCPA may increase our compliance costs and potential liability and many similar laws have been proposed at the federal level and in other states. Further, the California Privacy Rights Act (CPRA) passed in California and imposes additional data protection obligations on covered businesses, including additional consumer rights processes, limitations on data uses, new audit requirements for higher risk data, and opt outs for certain uses of sensitive data. It also created a new California data protection agency authorized to issue substantive regulations and could result in increased privacy and information security enforcement. The majority of the provisions of the CPRA went into effect on January 1, 2023, and additional compliance investment and potential business process changes may be required. Similar laws have passed in other states, and continue to be proposed at the state and federal level, reflecting a trend toward more stringent privacy legislation in the United States. In the event that we are subject to or affected by HIPAA, the CCPA, the CPRA or other domestic privacy and data protection laws, any liability from failure to comply with the requirements of these laws could adversely affect our financial condition. There also are a wide variety of privacy laws in other countries that may impact our operations, now or in the future. For example, in Europe, the General Data Protection Regulation (GDPR) imposes stringent requirements regarding the collection, use, disclosure, storage, transfer or other processing of personal data of individuals within the European Economic Area (EEA) or in the context of our activities taking place within the EEA. Companies that must comply with the GDPR face increased compliance obligations and risk, including more robust regulatory enforcement of data protection requirements and potential fines for noncompliance of up to €20 million or 4% of the annual global revenue of the noncompliant company, whichever is greater. In addition to fines, a breach of the GDPR may result in regulatory investigations, reputational damage, orders to cease/ change our data processing activities, enforcement notices, assessment notices (for a compulsory audit) and/ or civil claims (including class actions). Among other requirements, the GDPR regulates the transfer of personal data from the EEA to the United States and other jurisdictions that the European Commission does not recognize as having "adequate" data protection laws. Recent legal developments in Europe have created complexity and uncertainty regarding transfers of personal data from the EEA to the United States, and the efficacy and longevity of current transfer mechanisms between the EEA, and the United States remains uncertain. Case law from the Court of Justice of the European Union ("CJEU") states that reliance on the standard contractual clauses - a standard form of contract approved by the European Commission as an adequate personal data transfer mechanism - alone may not necessarily be sufficient in all circumstances and that transfers must be assessed on a case-by-case basis. On October 7, 2022, President Biden signed an Executive Order on 'Enhancing Safeguards for United States Signals Intelligence Activities' which introduced new redress mechanisms and binding safeguards to address the concerns raised by the CJEU in relation to data transfers from the EEA to the United States and which formed the basis of the new EU-US Data Privacy Framework ("DPF"), as released on December 13, 2022. The European Commission adopted its Adequacy Decision in relation to the DPF on July 10, 2023, rendering the DPF effective as a GDPR transfer mechanism to U.S. entities self-certified under the DPF. The DPF also introduced a new redress mechanism for EU citizens which addresses a key concern in the previous CJEU judgments and may mean transfers under standard contractual clauses are less likely to be challenged in future. We currently rely on the EU standard contractual clauses and the UK Addendum to the EU standard contractual clauses as relevant to transfer personal data outside the EEA and the UK, including to the United States, with respect to both intragroup and third party transfers. We expect the existing legal complexity and uncertainty regarding international personal data transfers to continue. In particular, we expect the DPF Adequacy Decision to be challenged and international transfers to the United States and to other jurisdictions more generally to continue to be subject to enhanced scrutiny by regulators. As supervisory authorities issue further guidance on personal data export mechanisms, including circumstances where the standard contractual clauses cannot be used, and/or start taking enforcement action, we could suffer additional costs, complaints and/or regulatory investigations or fines, and/or if we are otherwise unable to transfer personal data between and among countries and regions in which we operate, it could affect the manner in which we provide our services, the geographical location or segregation of our relevant systems and operations, and could adversely affect our financial results. Further, following the withdrawal of the United Kingdom from the European Union and the EEA and the end of the transition period, from January 1, 2021, we have had to comply with the GDPR and separately the GDPR as implemented in the United Kingdom, which, together with the amended UK Data Protection Act 2018 (collectively, the "UK GDPR"), retains the GDPR in UK national law. The UK GDPR mirrors the fines under the GDPR and has the ability to fine up to the greater of €20 million/£17 million or 4% of global turnover. On October 12, 2023, the UK Extension to the DPF came into effect (as approved by the UK Government), as a UK GDPR data transfer mechanism to U.S. entities self-certified under the UK Extension to the DPF. As we continue to expand into other foreign countries and jurisdictions, we may be subject to additional laws and regulations that may affect how we conduct business. In many jurisdictions, enforcement actions and consequences for noncompliance are rising. In the United States, these include enforcement actions in response to rules and regulations promulgated under the authority of federal agencies and state attorneys general and legislatures and consumer protection agencies. In addition, privacy advocates and industry groups have regularly proposed, and may propose in the future, self-regulatory standards that may legally or contractually apply to us. If we fail to follow these security standards, even if no personal information is compromised, we may incur significant fines or experience a significant increase in costs. Compliance with U.S. and international data protection laws and regulations could require us to take on more onerous obligations in our contracts, restrict our ability to collect, store, use, transfer, disclose and otherwise process data, update our data privacy and security policies and procedures, or in some cases, impact our ability to operate in certain jurisdictions. Failure by us or our collaborators and our service providers to comply with U.S. and international data protection laws and regulations could result in government enforcement actions (which could include civil or criminal penalties), private litigation and/or adverse publicity and could negatively affect our operating results and business. Moreover, clinical trial subjects about whom we or our potential collaborators obtain information, as well as the providers who share this information with us, may contractually limit our ability to use and disclose such information. Claims that we have violated individuals' privacy rights, failed to comply with data protection laws, or breached our contractual obligations, even if we are not found liable, could be expensive and time consuming to defend, could result in adverse publicity and adversely affect our business, financial condition, results of operations and prospects. Should any of these events occur, they could have a material adverse effect on our business, financial condition, results of operations, and prospects.

We do not carry insurance for all categories of risk that our business may encounter. Some of the policies we currently maintain include property, general liability, workers' compensation, clinical trials, and directors' and officers', employment practices and fiduciary liability insurance. We do not know, however, if we will be able to maintain insurance with adequate levels of coverage. Any significant uninsured liability may require us to pay substantial amounts, which would adversely affect our financial position and results of operations.

The global credit and financial markets have recently experienced extreme volatility and disruptions, including severely diminished liquidity and credit availability, declines in consumer confidence, declines in economic growth, inflationary pressure and interest rate changes, increases in unemployment rates and uncertainty about economic stability. The financial markets and the global economy may also be adversely affected by the current or anticipated impact of military conflict, including the conflicts between Russia and Ukraine and Israel and Hamas, terrorism or other geopolitical events. Sanctions imposed by the United States and other countries in response to such conflicts, including the one in Ukraine, may also adversely impact the financial markets and the global economy, and any economic countermeasures by the affected countries or others could exacerbate market and economic instability. More recently, the closures of Silicon Valley Bank and Signature Bank and their placement into receivership with the Federal Deposit Insurance Corporation (FDIC) created bank-specific and broader financial institution liquidity risk and concerns. Although the Department of the Treasury, the Federal Reserve, and the FDIC jointly released a statement that depositors at SVB and Signature Bank would have access to their funds, even those in excess of the standard FDIC insurance limits, under a systemic risk exception, future adverse developments with respect to specific financial institutions or the broader financial services industry may lead to market-wide liquidity shortages, impair the ability of companies to access near-term working capital needs, and create additional market and economic uncertainty. There can be no assurance that future credit and financial market instability and a deterioration in confidence in economic conditions will not occur. Our general business strategy may be adversely affected by any such economic downturn, liquidity shortages, volatile business environment or continued unpredictable and unstable market conditions. If the equity and credit markets deteriorate, or if adverse developments are experienced by financial institutions, it may cause short-term liquidity risk and also make any necessary debt or equity financing more difficult, more costly and more dilutive. Failure to secure any necessary financing in a timely manner and on favorable terms could have a material adverse effect on our growth strategy, financial performance and stock price and could require us to delay or abandon clinical development plans. In addition, there is a risk that one or more of our current service providers, financial institutions, manufacturers and other partners may be adversely affected by the foregoing risks, which could directly affect our ability to attain our operating goals on schedule and on budget.

Our future growth may depend, in part, on our ability to develop and commercialize HIL-214 and any other vaccine candidates in foreign markets, particularly Europe. We are not permitted to market or promote any vaccine candidate before we receive regulatory approval from applicable regulatory authorities in foreign markets, and we may never receive such regulatory approvals for HIL-214 or any other vaccine candidates. To obtain separate regulatory approval in many other countries we must comply with numerous and varying regulatory requirements regarding safety and efficacy and governing, among other things, clinical trials, commercial sales, pricing and distribution of HIL-214 and any other vaccine candidates. Approval procedures may be more onerous than those in the United States and may require that we conduct additional preclinical studies or clinical trials. If we obtain regulatory approval of vaccine candidates and ultimately commercialize our products in foreign markets, we would be subject to additional risks and uncertainties, including: - different regulatory requirements for approval of drugs in foreign countries;- reduced protection for intellectual property rights;- the existence of additional third-party patent rights of potential relevance to our business;- pricing pressure from vaccine procurement organizations;- determinations by NITAGs not to include our vaccine products in immunization schedules for our target patient populations;- unexpected changes in tariffs, trade barriers and regulatory requirements;- economic weakness, including inflation, or political instability in particular foreign economies and markets;- compliance with tax, employment, immigration and labor laws for employees living or traveling abroad;- compliance with export control and import laws and regulations;- foreign currency fluctuations, which could result in increased operating expenses and reduced revenue, and other obligations incident to doing business in another country;- foreign reimbursement, pricing and insurance regimes;- workforce uncertainty in countries where labor unrest is common;- differing regulatory requirements with respect to manufacturing of vaccine products;- production shortages resulting from any events affecting raw material supply or manufacturing capabilities abroad;- business interruptions resulting from geopolitical actions, including war and terrorism, or natural disasters including earthquakes, typhoons, floods and fires; and - disruptions resulting from the impact of public health pandemics or epidemics (including, for example, the COVID-19 pandemic).

HIL-214 and any other vaccine candidates may not be commercially successful. Even if HIL-214 or any other vaccine candidates receive regulatory approval, they may not gain market acceptance among healthcare providers, individuals within our target population, healthcare payors, NITAGs or the medical community. The commercial success of any of HIL-214 or any other vaccine candidates will depend significantly on the broad adoption and use of the resulting product by these individuals and organizations for approved indications. The degree of market acceptance of our products will depend on a number of factors, including: - demonstration of clinical efficacy and safety;- the indications for which our vaccine candidates are approved;- any anti-vaccine sentiments within our targeted patient population;- the limitation of our targeted population and other limitations or warnings contained in any FDA-approved labeling;- acceptance of a competing vaccine for the relevant indication by healthcare providers and their patients;- acceptance of, and preference for, a therapeutic that treats the condition our vaccine targets, by healthcare providers and their patients;- the pricing and cost-effectiveness of our products, as well as the cost of treatment with our products in relation to alternative treatments and therapies;- our ability to obtain and maintain sufficient third-party coverage and adequate reimbursement from government healthcare programs, including Medicare and Medicaid, private health insurers and other third-party payors;- receiving recommendations from the ACIP or other foreign NITAGs for use, as well as placement of our vaccine candidates on national immunization programs, which may impact the likelihood of third-party coverage and extent of healthcare provider acceptance;- the willingness of pediatricians and healthcare professionals generally to recommend that patients receive our vaccine;- the willingness of vaccine recipients to pay all, or a portion of, out-of-pocket costs associated with our products in the absence of sufficient third-party coverage and adequate reimbursement;- any restrictions on the use of our products, and the prevalence and severity of any adverse effects;- potential product liability claims;- the timing of market introduction of our products as well as competitive drugs;- the effectiveness of our sales and marketing strategies; and - unfavorable publicity relating to the product. In the United States, the ACIP develops vaccine recommendations, and there are similar NITAG agencies in other jurisdictions around the world that develop vaccine recommendations. To develop its recommendations, the ACIP forms working groups that gather, analyze and prepare scientific information. The ACIP also considers many of the factors above, as well as myriad additional factors such as the value of vaccination for the target population regarding the outcomes, health economic data and implementation issues. The ACIP recommendations are also made within categories, such as in an age group or a specified risk group, and vaccines that receive a preferred ACIP recommendation are generally widely adopted in the United States. Following completion of our Phase 2b and 3 clinical trials of HIL-214 in infants, if achieved, ACIP may decline to recommend our vaccine. In addition, the failure of any other developer of norovirus vaccine candidates to secure such an ACIP recommendation, or any limitations of any ACIP recommendations secured by any other developers, may limit the market opportunity of HIL-214 or any other vaccine candidates. If HIL-214 or any other vaccine candidate is approved but does not achieve an adequate level of acceptance by physicians, hospitals, healthcare payors or patients, we may not generate sufficient revenue from that product and may not become or remain profitable.