LENSAR (LNSR) Risk Analysis

The methods used in, and the facilities used for, the manufacture of our products must comply with the FDA's QSR, which is a complex regulatory scheme that covers the procedures and documentation of the design, testing, production, process controls, quality assurance, labeling, packaging, handling, storage, distribution, installation, servicing and shipping of medical devices. Furthermore, we are required to verify that our suppliers maintain facilities, procedures and operations that comply with our quality standards and applicable regulatory requirements. The FDA enforces the QSR through periodic announced or unannounced inspections of medical device manufacturing facilities, which may include the facilities of subcontractors. Our products are also subject to similar state regulations and various laws and regulations of foreign countries governing manufacturing. Our third-party manufacturers may not take the necessary steps to comply with applicable regulations, which could cause delays in the delivery of our products. In addition, failure to comply with applicable FDA (or other regulatory authorities) requirements or later discovery of previously unknown problems with our products or manufacturing processes could result in, among other things: warning letters or untitled letters; fines, injunctions or civil penalties; suspension or withdrawal of approvals or certifications; seizures or recalls of our products; total or partial suspension of production or distribution; administrative or judicially imposed sanctions; the FDA's (or foreign regulatory authorities' or notified bodies') refusal to grant pending or future clearances, certifications or approvals for our products; clinical holds; refusal to permit the import or export of our products; and criminal prosecution of us or our employees. Any of these actions could significantly and negatively affect supply of our products. If any of these events occurs, our reputation could be harmed, we could be exposed to product liability claims and we could lose customers and experience reduced sales and increased costs.

Securities class action lawsuits and derivative lawsuits are often brought against public companies that have entered into acquisition or merger agreements. Defending against and settling or otherwise resolving these types of claims can result in substantial costs, including costs associated with indemnification of directors and officers, and divert management time and resources. An adverse judgment in any such litigation relating to the Merger could result in monetary damages, which could have a negative impact on our financial condition. If a plaintiff is successful in obtaining an injunction prohibiting completion of the Merger, that injunction could delay or prevent the Merger from being completed, which could negatively impact our business, financial condition, results of operations or our stock price.

The global data protection landscape is rapidly evolving, and we are or may become subject to numerous state, federal and foreign laws, requirements and regulations governing the collection, use, disclosure, retention, and security of personal information, such as information that we may collect in connection with clinical trials. Implementation standards and enforcement practices are likely to remain uncertain for the foreseeable future, and we cannot yet determine the impact future laws, regulations, standards, or perception of their requirements may have on our business. This evolution may create uncertainty in our business, affect our ability to operate in certain jurisdictions or to collect, store, transfer use and share personal information, necessitate the acceptance of more onerous obligations in our contracts, result in liability or impose additional costs on us. The cost of compliance with these laws, regulations and standards is high and is likely to increase in the future. Any failure or perceived failure by us to comply with federal, state or foreign laws or regulations, our internal policies and procedures or our contracts governing our processing of personal information could result in negative publicity, government investigations and enforcement actions, claims by third parties and damage to our reputation, any of which could have a material adverse effect on our business, results of operation, and financial condition. Our business processes health-related and other personal information. When conducting clinical studies, we face risks associated with collecting trial participants' information, especially health information, in a manner consistent with applicable laws and regulations. We also face risks inherent in handling large volumes of Confidential Information and in protecting the security of such information. Data breaches could result in a violation of applicable U.S. and international privacy, data protection and other laws, and subject us to individual or consumer class action litigation and governmental investigations and proceedings by federal, state and local regulatory entities in the United States and by international regulatory entities, resulting in exposure to material civil or criminal liability, or both. Further, our general liability insurance and corporate risk program may not cover all potential claims to which we are exposed and may not be adequate to indemnify us for all liability that may be imposed. We may be subject to state, federal and foreign laws relating to data privacy and security in the conduct of our business, including state breach notification laws, the Health Insurance Portability and Accountability Act, as amended by the Health Information Technology for Economic and Clinical Health Act of 2009 (collectively, "HIPAA"), the EU General Data Protection Regulation 2016/679 and applicable national supplementing laws ("EU GDPR"), and the UK General Data Protection Regulation and Data Protection Act 2018 ("UK GDPR") (collectively, "GDPR"), and the California Consumer Privacy Act, as amended by the California Privacy Rights Act(collectively, "CCPA"). In the United States, HIPAA imposes, among other things, certain standards relating to the privacy, security, transmission and breach reporting of individually identifiable health information on covered entities, including healthcare providers and research institutions, from which we obtain clinical trial data, as well as their business associates that perform certain services that involve creating, receiving, maintaining or transmitting such information for or on behalf of such covered entities, and their covered subcontractors. Depending on the facts and circumstances, we could be subject to regulatory investigation and enforcement action, including significant penalties, if we violate HIPAA. Certain states have also adopted comparable privacy and security laws and regulations, which govern the privacy, processing and protection of health-related and other personal information. Such laws and regulations will be subject to interpretation by various courts and other governmental authorities, thus creating potentially complex compliance issues for us and our future customers and strategic partners. For example, the CCPA requires covered businesses that process personal information of California residents to, among other things: provide certain disclosures to California residents regarding the business's collection, use, and disclosure of their personal information; receive and respond to requests from California residents to access, delete, and correct their personal information, or to opt-out of certain disclosures of their personal information; and enter into specific contractual provisions with service providers that process California resident personal information on the business's behalf. Similar laws have been passed in other states, and continue to be proposed at the state and federal level, reflecting a trend toward more stringent privacy legislation in the United States. The enactment of such laws could have potentially conflicting requirements that would make compliance challenging. In the event that we are subject to or affected by HIPAA, the CCPA or other domestic privacy and data protection laws, any liability from failure to comply with the requirements of these laws could adversely affect our financial condition. Furthermore, the Federal Trade Commission, or FTC, and many state Attorneys General continue to enforce federal and state consumer protection laws against companies for online collection, use, dissemination and security practices that appear to be unfair or deceptive. The FTC has authority to initiate enforcement actions against entities that make deceptive statements about privacy and data sharing in privacy policies, fail to limit third-party use of personal health information, fail to implement policies to protect personal health information or engage in other unfair practices that harm customers. For example, according to the FTC, failing to take appropriate steps to keep consumers' personal information secure can constitute unfair acts or practices in or affecting commerce in violation of Section 5(a) of the Federal Trade Commission Act. The FTC expects a company's data security measures to be reasonable and appropriate in light of the sensitivity and volume of consumer information it holds, the size and complexity of its business, and the cost of available tools to improve security and reduce vulnerabilities. Additionally, federal and state consumer protection laws are increasingly being applied by FTC and state Attorneys General to regulate the collection, use, storage, and disclosure of personal or personally identifiable information, through websites or otherwise, and to regulate the presentation of website content. The GDPR comprehensively regulates our use of personal data of individuals from the European Economic Area, or EEA and/or the UK, or in the context of our activities within the EEA and/or the UK, including a principle of accountability and the obligation to demonstrate that appropriate legal bases are in place to justify data processing activities. Additionally, we are subject to laws and regulations regarding cross-border transfers of personal data out of the EEA and the UK. In addition, some of the personal data we process in respect of clinical trial participants is special category or sensitive personal data under the GDPR, and subject to additional compliance obligations and local law derogations. We may be subject to diverging requirements under EU Member State laws and UK law, such as whether consent can be used as the legal basis for processing and the roles, responsibilities, and liabilities as between CROs and sponsors. As these laws develop, we may need to make operational changes to adapt to these diverging rules, which could increase our costs and adversely affect our business, including laws relating to transfer of personal data subject to the GDPR to third countries that have not been found to provide adequate protection to such personal data, including the United States, and the efficacy and longevity of current transfer mechanisms between the EEA and the United States remains uncertain. Case law from the Court of Justice of the European Union, states that reliance on the standard contractual clauses, or SSCs, a standard form of contract approved by the European Commission as an adequate personal data transfer mechanism, alone may not necessarily be sufficient in all circumstances and that transfers must be assessed on a case-by-case basis. The European Commission adopted its Adequacy Decision in relation to the new EU-U.S. Data Privacy Framework, or DPF, on July 10, 2023, rendering the DPF effective as a GDPR transfer mechanism to U.S. entities self-certified under the DPF. We currently rely on the SCCs to transfer personal data outside the EEA and the UK, including to the United States, with respect to both intragroup and third-party transfers. We expect the existing legal complexity and uncertainty regarding international personal data transfers to continue. In particular, we expect the European Commission approval of the current EU-US Data Privacy Framework for data transfers to certified entities in the US to be challenged and international transfers to the United States and to other jurisdictions more generally to continue to be subject to enhanced scrutiny by regulators. As the regulatory guidance and enforcement landscape in relation to data transfers continue to develop, we could suffer additional costs, complaints and/or regulatory investigations or fines; we may have to stop using certain tools and vendors and make other operational changes; we may have to implement alternative data transfer mechanisms under the GDPR and/ or take additional compliance and operational measures; and/or it could otherwise adversely affect the manner in which we provide our services and could adversely affect our business, operations, and financial condition. Failure to comply with the GDPR could result in penalties for noncompliance. Penalties for certain breaches are up to the greater of EUR 20 million/GBP 17.5 million or 4% of our global annual turnover. Since we are subject to the supervision of relevant data protection authorities under multiple legal regimes (including under both the EU GDPR and the UK GDPR), we could be fined under those regimes independently in respect of the same breach. In addition to fines, a breach of the GDPR may result in regulatory investigations, reputational damage, orders to cease/change our data processing activities, enforcement notices, assessment notices (for a compulsory audit) and/ or civil claims (including class actions). As we continue to expand into other foreign countries and jurisdictions, we may be subject to additional laws and regulations that may affect how we conduct business. We expect that there will continue to be new laws, regulations and industry standards concerning privacy, data protection and information security proposed and enacted in various jurisdictions. For example, Washington State enacted the "My Health My Data Act," which broadly defines "consumer health data", creates a private right of action to allow individuals to sue for violations of the law, imposes stringent consent requirements and grants consumers certain rights with respect to their health data, including to request deletion of their information. Consumer health data is defined to include personal information that is linked or reasonably linkable to a consumer and that identifies a consumer's past, present, or future physical or mental health status; consumer health data also includes information that is derived or extrapolated from non-health information, such as algorithms and machine learning. Other states, including Connecticut and Nevada, have also passed consumer health data laws, and given the increased focus on the use of health data by entities that are not subject to HIPAA, additional states are expected to pass consumer health privacy laws. Furthermore, these laws impose substantial requirements that require the expenditure of significant funds and employee time to comply, and additional states and countries are enacting new data privacy and security laws, which will require future expansion of our compliance efforts. We also rely on third parties in relation to the operation of our business, a number of which host or otherwise process personal data on our behalf. In some instances, these third parties have experienced immaterial failures to protect data privacy. There can be no assurances that the privacy and security-related measures and safeguards we have put in place in relation to these third parties will be effective to protect us and/or the relevant personal information from the risks associated with the third-party processing, storage, and transmission of such data. Any violation of data or security laws, or of our relevant measures and safeguards, by our third-party processors could have a material adverse effect on our business, result in applicable fines and penalties, damage our reputation, and/ or result in civil claims. We will need to expend additional resources and make significant investments to comply with data privacy and security laws. Our failure to comply with our posted privacy policies or with any federal, state, or international privacy and security laws, regulations, industry standards or other legal obligations relating to data privacy and information security or any failure to prevent security breaches of such data could result in significant liability under applicable laws, cause disruption to our business, harm our reputation, have a material adverse effect on our business, and may result in claims, complaints, liabilities, proceedings or actions against us by governmental entities or others, or may require us to change our operations. Any such claims, complaints, proceedings or actions could force us to incur significant expenses in defense of such proceedings or actions, distract our management, increase our costs of doing business, and result in the imposition of monetary penalties.

Many of our employees and consultants were previously employed at or engaged by other medical device or other biotechnology companies, including our competitors or potential competitors. Some of these employees, consultants, and contractors may have executed proprietary rights, non-disclosure, and non-competition agreements in connection with such previous employment. Our efforts to ensure that our employees and consultants do not use the intellectual property, proprietary information, know-how, or trade secrets of others in their work for us may not be successful, and we may be subject to claims that we or these individuals have, inadvertently or otherwise, misappropriated the intellectual property or disclosed the alleged trade secrets or other proprietary information of these former employers or competitors. Additionally, we may be subject to claims from third parties challenging our ownership interest in intellectual property we regard as our own, based on claims that our employees or consultants have breached an obligation to assign inventions to another employer, to a former employer, or to another person or entity. Litigation may be necessary to defend against any other claims, and it may be necessary or we may desire to enter into a license to settle any such claim; however, there can be no assurance that we would be able to obtain a license on commercially reasonable terms, if at all. If our defense to those claims fails, in addition to paying monetary damages, a court could prohibit us from using technologies or features that are essential to our products, if such technologies or features are found to incorporate or be derived from the trade secrets or other proprietary information of the former employers. An inability to incorporate technologies or features that are important or essential to our products could have a material adverse effect on our business, financial condition, and results of operations, and may prevent us from selling our products. In addition, we may lose valuable intellectual property rights or personnel. Even if we are successful in defending against these claims, litigation could result in substantial costs and could be a distraction to management. Any litigation or the threat thereof may adversely affect our ability to hire employees or contract with independent sales representatives. A loss of key personnel or their work product could hamper or prevent our ability to commercialize our products, which could have an adverse effect on our business, financial condition, and results of operations.

We develop and use artificial intelligence, or AI, machine learning, and automated decision-making technologies, including proprietary AI and machine learning algorithms and models, (collectively "AI Technologies"), throughout our business, and are making significant investments in this area. For example, we use AI Technologies in our ALLY System to register and analyze patients' eyes and determine eye surface and cataract density, which helps optimize laser patterns and energy settings in cataract procedures, with the goal of minimizing the overall energy delivered in the eye for quicker visual recovery and better patient outcomes. We expect that increased investment will be required in the future to continuously improve our use of AI Technologies. As with many technological innovations, there are significant risks involved in developing, maintaining, and deploying these technologies and there can be no assurance that the usage of or our investments in such technologies will always enhance our products or services or be beneficial to our business, including our efficiency or profitability. In particular, if the models underlying our AI Technologies are, for example: incorrectly designed or implemented; trained or reliant on incomplete, inadequate, inaccurate, biased, or otherwise poor quality data, or on data to which we do not have sufficient rights or in relation to which we and/or providers of such data have not implemented sufficient legal compliance measures; used without sufficient oversight and governance to ensure their responsible use; and/or adversely impacted by unforeseen defects, technical challenges, cybersecurity threats, or material performance issues, the performance of our products, services, and business, as well as our reputation and the reputations of our customers, could suffer, or we could incur liability resulting from the violation of laws or contracts to which we are a party or civil claims. We are in varying stages of development in relation to our products and internal business processes involving AI Technologies. The continuous development, maintenance and operation of our AI Technologies is expensive and complex and may involve unforeseen difficulties including, without limitation, material performance problems, undetected defects, or errors. We may be unsuccessful in our ongoing development and maintenance of these technologies in the face of novel and evolving technical factors. Further, our ability to continue to develop or use such technologies may be dependent on access to specific third-party software, services, and infrastructure, such as processing hardware, and we cannot control the availability or pricing of such third-party software and infrastructure, especially in a highly competitive environment.

We have benefited substantially from the leadership and performance of our senior management as well as certain key employees. Our success will depend on our ability to retain our current management and key employees, and to attract and retain qualified personnel in the future. Competition for senior management and key employees in our industry is intense, and we cannot guarantee that we will be able to retain our personnel or attract new, qualified personnel, or that we will be able to do so without incurring substantial additional costs. We have experienced increases in compensation levels in connection with our recruitment and retention efforts, which may increase further in the future. The loss of services of certain members of our senior management or key employees could prevent or delay the implementation and completion of our strategic objectives, or divert management's attention to seeking qualified replacements. Each member of senior management as well as our key employees may terminate employment without notice and without cause or good reason. The members of our senior management are not subject to non-competition agreements. Accordingly, the adverse effect resulting from the loss of certain members of senior management could be compounded by our inability to prevent them from competing with us. In addition to competing for market share for our products, we also compete against our competitors for personnel, including qualified sales representatives that are necessary to grow our business. Universities and research institutions also compete with us for scientific personnel that are important to our research and development efforts. We also rely on consultants and advisors in our research, operations, clinical and commercial efforts to implement our business strategies. Our consultants and advisors may be employed by employers other than us and may have commitments under consulting or advisory contracts with other entities that may limit their availability to us. Our strategic plan requires us to continue growing our sales, marketing, clinical and operational infrastructure in order to generate, and meet, the demand for our products. If we fail to retain or attract these key personnel, we could fail to take advantage of the market for our products, adversely affecting our business, financial condition and results of operation.

Reliable shipping is essential to our operations. We rely on providers of transport services for reliable and secure point-to-point transport of our products to our customers and for tracking of these shipments. Should a carrier encounter delivery performance issues such as loss, damage or destruction of any of our products, it could be costly to replace such products in a timely manner and such occurrences may damage our reputation and lead to decreased demand for our products and increased cost and expense to our business. In addition, any significant increase in shipping rates could adversely affect our operating margins and results of operations. Similarly, strikes, severe weather, natural disasters or other service interruptions affecting delivery services we use would adversely affect our ability to deliver our products (or any other products we commercialize in the future) on a timely basis.

Payment for a standard cataract procedure is typically covered by Medicare, private insurance or other third-party payors. However, a cataract patient seeking a greater and more versatile visual outcome may desire an advanced cataract procedure involving a laser system such as ours. The patient is typically responsible for the additional costs associated with the use of these premium technologies in the physician's practice, hospital outpatient surgical facilities, in-office surgical suites and ambulatory surgery centers. Due to this additional cost, patients may not elect to have such a procedure and our business may not grow as anticipated. Our future success depends in part upon patients achieving better visual outcomes from procedures using our Systems, or procedures involving similar laser systems that meets their expectations. If patients are not adequately satisfied with the results of such procedures, they or their surgeons may be less willing to recommend these procedures to other patients. Additionally, weak or uncertain economic conditions may cause individuals to be less willing to pay for advanced cataract procedures. Our Systems' procedures are not covered by or reimbursable through government or other third-party payors. A decline in economic conditions in the United States or in international markets could result in a decline in demand for the procedures in which our Systems are used and could have a material adverse effect on our business, financial condition and results of operations.

In connection with the Merger, certain purported stockholders of the Company have sent demand letters (the "Demands") alleging deficiencies and/or omissions regarding the disclosures made in the preliminary proxy statement filed by the Company with the SEC on May 7, 2025 or the definitive proxy statement filed by the Company with the SEC on May 19, 2025. The purported stockholders may not view the Company's cooperative actions in response to the Demands, such as the Company's additional disclosure filed with the SEC on June 25, 2025, as sufficient. In addition, we have received a demand from a purported stockholder seeking to inspect certain corporate books and records, in order to investigate, among other things, purported breaches of fiduciary duty by members of the Company's board of directors in connection with the Merger. These actions could have the effect of increasing the Company's costs, diverting our management's attention and resources, delaying or adversely affecting the Merger or resulting in the payment of damages, which could result in a material adverse effect on our business, financial condition and results of operations.

Customers may lease our Systems or finance the system through the product utilization, and we believe there has been an increase in demand for these types of customer leasing in recent years, especially in the United States. We may experience loss from a customer's failure to make payments according to the contractual lease terms or some other material decrease in the practice revenues and surgical procedure volume. Our exposure to the credit risks relating to our lease financing arrangements may increase if our customers are adversely affected by changes in healthcare laws, economic pressures or uncertainty, or other customer-specific factors. In addition, our credit risk may be highly concentrated, as we rely exclusively on a network of independent distributors to generate sales outside of the United States. Further, ongoing consolidation among distributors, retailers and healthcare provider organizations could increase the concentration of credit risk. The factors affecting our customers' ability to make timely payments according to the contractual lease terms are out of our control, and as a result, exposes us to additional risks that may materially and adversely affect our business and results of operations. The occurrence of any such factors affecting our customers may cause delays in payments or, in some cases, defaults on payment obligations, which could result in material losses. The programs we have designed to monitor and mitigate the associated risk may not be successful. There can be no assurance that such programs will be effective in reducing credit risks relating to these lease financing arrangements. If the level of credit losses we experience in the future exceed our expectations, such losses could have a material adverse effect on our business, financial condition and results of operations or adversely affect our ability to sell such assets as part of our monetization strategy.