Missfresh (MFLTY) Risk Analysis

A significant challenge to the neighborhood retail industry is the secure storage of confidential information and its secure transmission over public networks. In addition, with the rapid development of our AI, big data and cloud technologies and services, we have accumulated a large volume of data through the use of our previous mobile application by our previous users, which covers consumer's browsing and consumption behavior information, product manufacturing and sales information, warehousing and distribution information, customer service information, among others. We also formed strategic partnerships with some leading mobile internet companies to leverage their powerful big data resources, massive user bases and AI-driven technologies. We adopted security policies and measures, including encryption technology, to protect our proprietary data and user information. However, advances in technology, the expertise of hackers, improper use or sharing of data, new discoveries in the field of cryptography or other events or developments could result in a compromise or breach of the technology that we use to protect confidential information. We may not be able to prevent third parties, especially hackers or other individuals or entities engaging in similar activities, from illegally obtaining such confidential or private information we hold. Such individuals or entities obtaining our users' confidential or private information may further engage in various other illegal activities using such information. In addition, we have limited control or influence over the security policies or measures adopted by business partners including strategic partners or third-party providers of online payment services through which some of our consumers and previous users of our mobile application may choose to make payment for purchases. Any negative publicity on our privacy protection mechanisms and policies, and any claims asserted against us or fines imposed upon us as a result of actual or perceived failures, could have a material and adverse effect on our public image, reputation, financial condition and results of operations. If we give third parties greater access to our technology platform in the future as part of providing more technology services to third parties and others, it may become more challenging for us to ensure the security of our systems. Any compromise of our information security or the information security measures of our previous contracted third-party couriers or third-party online payment service providers or other business partners could have a material and adverse effect on our reputation, business, prospects, financial condition and results of operations. Practices regarding the collection, use, storage, transmission and security of personal information by companies operating over the internet and mobile platforms are under increased public scrutiny. As the regulations regarding data privacy and cybersecurity are quickly evolving in China and globally, we may become subject to new laws and regulations applying to the solicitation, collection, processing or use of personal or consumer information that could affect how we store, process and share data with our user, suppliers and third-party service subscribers. For example, in December 2012, the Standing Committee of the National People's Congress promulgated the Decision on Strengthening Network Information Protection, or the Network Information Protection Decision, to enhance the legal protection of information security and privacy on the internet. The Network Information Protection Decision also requires internet operators to take measures to ensure confidentiality of information of users. In July 2013, the Ministry of Industry and Information Technology, or the MIIT, promulgated the Provisions on Protection of Personal Information of Telecommunication and Internet Users to regulate the collection and use of users' personal information in the provision of telecommunication service and internet information service in China. In August 2015, the Standing Committee of the National People's Congress promulgated the Ninth Amendment to the Criminal Law, which became effective in November 2015 and amended the standards of crime of infringing citizens' personal information and reinforced the criminal culpability of unlawful collection, transaction, and provision of personal information. It further provides that any internet content provider that fails to fulfill the obligations related to internet information security administration as required by applicable laws and refuses to rectify upon orders will be subject to criminal liability. In November 2016, the Standing Committee of the National People's Congress promulgated the Cyber Security Law, which requires, among others, that network operators take security measures to protect the network from unauthorized interference, damage and unauthorized access and prevent data from being divulged, stolen or tampered with. Network operators are also required to collect and use personal information in compliance with the principles of legitimacy, properness and necessity, and strictly within the scope of authorization by the subject of personal information unless otherwise prescribed by laws or regulations. Significant capital, managerial and human resources are required to comply with legal requirements, enhance information security and to address any issues caused by security failures. The Civil Code promulgated in 2020 also provides specific provisions regarding the protection of personal information. On June 10, 2021, the Standing Committee of the National People's Congress promulgated the Data Security Law, which took effect in September 2021. The Data Security Law, among others, provides for data security and privacy obligations on entities and individuals carrying out data processing activities, introduces a data classification and hierarchical protection system based on the importance of data in economic and social development, as well as the degree of harm it will cause to nation security, public interests, or legitimate rights and interests of individuals or organizations when such data is tampered with, destroyed, leaked, or illegally acquired or used, provides for a national security review procedure for those data activities which may affect national security and imposes export restrictions on certain data and information. Furthermore, the General Office of the Central Committee of the Communist Party of China and the General Office of the State Council jointly promulgated the Opinions on Strictly Scrutinizing Illegal Securities Activities in Accordance with the Law, which were available to the public on July 6, 2021 and further emphasized to strengthen the cross-board regulatory collaboration, to improve relevant laws and regulations on data security, cross-border data transmission, and confidential information management, and provided that efforts will be made to revise the regulations on strengthening the confidentiality and file management relating to the offering and listing of securities overseas, to implement the responsibility on information security of overseas listed companies, and to strengthen the standardized management of cross-border information provision mechanisms and procedures. However, these opinions were newly issued, and there were no further explanations with respect to such opinions, and there are still uncertainties regarding the interpretation and implementation of these opinions. On July 30, 2021, the state council promulgated the Regulations on Protection of Critical Information Infrastructure, which became effective on September 1, 2021. Pursuant to the Regulations on Protection of Critical Information Infrastructure, critical information infrastructure shall mean any important network facilities or information systems of the important industry or field such as public communication and information service, energy, transportation, water conservation, finance, public services, e-government affairs and national defense science, which may endanger national security, people's livelihood and public interest in case of damage, function loss or data leakage. As of the date of this annual report, no detailed rules or implementation has been issued by any authority and we have not been informed as a critical information infrastructure operator by any government authorities. Furthermore, the exact scope of "critical information infrastructure operators" under the current regulatory regime remains unclear, and the PRC government authorities may have wide discretion in the interpretation and enforcement of these laws. Therefore, it is uncertain whether we would be deemed as a critical information infrastructure operator under PRC law. If we are deemed as a critical information infrastructure operator under the PRC cybersecurity laws and regulations, we must fulfill certain obligations as required under the PRC cybersecurity laws and regulations, including, among others, storing personal information and important data collected and produced within the PRC territory during our operations in China, which we have fulfilled in our business, and we may be subject to review when purchasing internet products and services. On November 14, 2021, the CAC released the Regulations on the Network Data Security (Draft for Comments), or the Draft Regulations, for public comments. The Draft Regulations provide that data processors refer to individuals or organizations that autonomously determine the purpose and the manner of processing data. In accordance with the Draft Regulations, data processors shall apply for a cybersecurity review for the following activities: (i) merger, reorganization or division of Internet platform operators that have acquired a large number of data resources related to national security, economic development or public interests to the extent that affects or may affect national security; (ii) listing abroad of data processors which process over one million users' personal information; (iii) the listing of data processors in Hong Kong which affects or may affect national security; or (iv) other data processing activities that affect or may affect national security. However, there have been no clarifications from the authorities as of the date of this annual report as to the standards for determining such activities that "affects or may affect national security." See "Item 4. Information on the Company-B. Business Overview-Regulation-Regulation Related to Internet Security and Privacy Protection." The anticipated adoption or effective date of the Draft Regulations may be subject to change with substantial uncertainty. The Draft Regulations remains unclear on whether the relevant requirements will be applicable to companies that have been listed in the United States, such as us. We cannot predict the impact of the Draft Regulations, if any, at this stage, and we will closely monitor and assess any development in the rule-making process. If the enacted versions of the Draft Regulations mandate clearance of cybersecurity review and other specific actions to be completed by China-based companies listed on a U.S. stock exchange, such as us, we face uncertainties as to whether such clearance can be timely obtained, or at all. As of the date of this annual report, we have not been involved in any formal investigations on cybersecurity review made by the CAC on such basis. However, if we are not able to comply with the cybersecurity and network data security requirements in a timely manner, or at all, we may be subject to government enforcement actions and investigations, fines, penalties, suspension of our non-compliant operations, among other sanctions, which could materially and adversely affect our business and results of operations. In addition to the cybersecurity review, the Draft Regulations requires that data processors processing "important data" or listed overseas shall conduct an annual data security assessment by itself or commission a data security service provider to do so, and submit the assessment report of the preceding year to the municipal cybersecurity department by the end of January each year. If a final version of the Draft Regulations is adopted, we may be subject to review when conducting data processing activities and annual data security assessment and may face challenges in addressing its requirements and make necessary changes to our internal policies and practices in data processing. On August 20, 2021, the Standing Committee of the National People's Congress of China promulgated the Personal Information Protection Law, which integrates the scattered rules with respect to personal information rights and privacy protection and took effect on November 1, 2021. The Personal Information Protection Law provides rules for processing sensitive personal information. Sensitive personal information refers to personal information that, once leaked or illegally used, could easily lead to the infringement of human dignity or harm to the personal or property safety of an individual, including biometric recognition, religious belief, specific identity, medical and health, financial account, personal whereabouts and other information of an individual, as well as any personal information of a minor under the age of 14. Only where there is a specific purpose and sufficient necessity, and under circumstances where strict protection measures are taken, may personal information processors process sensitive personal information. A personal information processor shall inform the individual of the necessity of processing such sensitive personal information and the impact thereof on the individual's rights and interests. Our mobile apps and websites only collected basic user personal information that is necessary to provide the corresponding services. We did not collect any sensitive personal information or other excessive personal information that is not related to the corresponding services. We updated our privacy policies from time to time to meet the applicable regulatory requirements of the CAC and other authorities and adopt technical measures to protect data and ensure cybersecurity in a systematic way. Nonetheless, the Personal Information Protection Law raises the protection requirements for processing personal information, and many specific requirements of the Personal Information Protection Law remain to be clarified by the CAC, other regulatory authorities, and courts in practice. As uncertainties remain regarding the interpretation and regulatory authorities, we may be required to make further adjustments to our business practices to comply with the personal information protection laws and regulations. See "Item 4. Information on the Company-B. Business Overview-Regulation-Regulation Related to Internet Security and Privacy Protection." On December 28, 2021, the CAC, the NDRC, the MIIT, and several other administrations jointly promulgated the Cybersecurity Review Measures, or the Review Measures, which became effective on February 15, 2022. The Review Measures has replaced its previous version promulgated on April 13, 2020. According to the Review Measures, (i) when the purchase of network products and services by a critical information infrastructures operator or the data processing activities conducted by a network platform operator affect or may affect national security, a cybersecurity review shall be conducted pursuant to the Review Measures. The aforesaid operators shall file for a cybersecurity review with Cybersecurity Review Office under the CAC if their behavior affects or may affect national security; (ii) an application for cybersecurity review shall be made by an issuer who is a network platform operator holding personal information of more than one million users before such issuer applies to list securities on a foreign stock exchange; and (iii) the relevant PRC governmental authorities may initiate cybersecurity review if such governmental authorities determine that the issuer's network products or services, or data processing activities affect or may affect national security. On the bases that (i) the Review Measures was promulgated recently, (ii) the exact scope of "network platform operator" under the Review Measures remains unclear, and (iii) there are substantial uncertainties on the interpretation and application of the Review Measures, there can be no assurance that we would be required to apply for such cybersecurity review for our offshore offerings. Although the Review Measures and other relevant regulations do not explicitly require the completion of cybersecurity review for follow-on offering or other equivalent offering activities, there is chance that the CAC or other competent PRC governmental authorities may initiate such cybersecurity review. We recently entered into a Standby Equity Purchase Agreement with YA II PN, LTD., to sell up to US$300 million of our Class B ordinary shares, in our sole discretion and at our request based on our funding requirement at any time during the 36 months following the date of the Standby Equity Purchase Agreement, following the effectiveness of a registration statement with the SEC registering the Class B ordinary shares issuable pursuant to the Standby Equity Purchase Agreement and other customary closing conditions. Such issuance of shares in accordance with the Standby Equity Purchase Agreement may be subject to cybersecurity review in accordance with the Review Measures. Any failure in completion of a cybersecurity review may result in administrative penalties, including fines, a shut-down of our business, revocation of requisite licenses, as well as reputational damage or legal proceedings or actions against us, which may have material adverse effects on our business, financial condition and results of operations. As of the date of this annual report, we have not been involved in any formal investigations on cybersecurity review made by the CAC on such basis. The Cyber Security Law, the Cybersecurity Review Measures, the Data Security Law and the Civil Code are relatively new and subject to interpretation by the regulators. Although we only gain access to user information that is necessary for, and relevant to, the services provided, the data we obtain and use may include information that is deemed as "personal information", "network data" or "important data" under the Cyber Security Law, the Civil Code and related data privacy and protection laws and regulations. As such, we have adopted a series of measures to ensure that we comply with relevant laws and regulations in the collection, use, disclosure, sharing, storage, and security of user information and other data. The Data Security Law also stipulates that the relevant authorities will formulate the catalogues for important data and strengthen the protection of important data, and state core data, i.e., data having a bearing on national security, the lifelines of national economy, people's key livelihood and major public interests, shall be subject to stricter management system. See "Regulations." The exact scopes of important data and state core data remain unclear and may be subject to further interpretation. If any data that we are in possession of constitutes important data or state core data, we may be required to adopt stricter measures for protection and management of such data. On July 7, 2022, the CAC released the Measures on Security Assessment of Cross-border Data Transfer, which took effect from September 1, 2022. Such measures requires that any data processor which exports personal information exceeding certain volume threshold under such measures shall apply for security assessment by the CAC before transferring any personal information abroad. The security assessment requirement also applies to any transfer of important data outside of China. As the measures are newly issued and uncertainties remain regarding to what extent we would be subject to such measures, we cannot assure you that we will be able to comply with such regulations in all respects, and we may be ordered to rectify or terminate any actions that are deemed illegal by regulatory authorities. In addition, we may need to comply with increasingly complex and rigorous regulatory standards enacted to protect business and personal data in the U.S., Europe and elsewhere. For example, the European Union adopted the General Data Protection Regulation, or the GDPR, which became effective on May 25, 2018. The GDPR imposes additional obligations on companies regarding the handling of personal data and provides certain individual privacy rights to persons whose data is stored. Compliance with existing, proposed and recently enacted laws (including implementation of the privacy and process enhancements called for under GDPR) and regulations can be costly; any failure to comply with these regulatory standards could subject us to legal and reputational risks. We generally comply with industry standards and are subject to the terms of our own privacy policies. Compliance with any additional laws could be expensive, and may place restrictions on the conduct of our business and the manner in which we interact with our users. Any failure to comply with applicable regulations could also result in regulatory enforcement actions against us, and misuse of or failure to secure personal information could also result in violation of data privacy laws and regulations, proceedings against us by governmental authorities or other authorities, damage to our reputation and credibility and could have a negative impact on revenues and profits. Significant capital and other resources may be required to protect against information security breaches or to alleviate problems caused by such breaches or to comply with our privacy policies or privacy-related legal obligations. The resources required may increase over time as the methods used by hackers and others engaged in online criminal activities are increasingly sophisticated and constantly evolving. Any failure or perceived failure by us to prevent information security breaches or to comply with privacy policies or privacy-related legal obligations, or any compromise of security that results in the unauthorized release or transfer of personally identifiable information or other user data, could cause our users to lose trust in us and could expose us to legal claims.

We do not have effective control over and oversight of suppliers and business partners for our business. Consumers may associate suppliers or business partners with us and hold us accountable for any misconduct by the suppliers or the business partners. We may be subject to lawsuits or reputational harm if, for example, a supplier or business partner conducts any wrongdoings or otherwise violates applicable laws. While we have implemented policies and procedures designed to govern conducts of our suppliers and business partners to comply with the regulatory regime in China and protect our goodwill, there can be no assurance that suppliers or business partners will comply with the policies and procedures. Violations by suppliers or business partners of applicable law or of the policies and procedures could reflect negatively on our products and operations and harm our business reputation. While we have not experienced any significant problems affecting our products, operations or business reputation caused by violations by suppliers or business partners of the policies and procedures, we cannot assure you that we will not face such problems in the future.

We experience seasonality in our business, reflecting seasonality patterns associated with neighborhood retail in particular. Overall, the historical seasonality of our business has been relatively mild. However, our financial condition and results of operations for future periods may continue to fluctuate. As a result, the trading price of our shares may fluctuate from time to time due to seasonality.

We launched our private label products in January 2023 to revolutionize the neighborhood retail business. In the future, we plan to focus on providing digital marketing solutions services and the private label product retail business, leveraging our extensive market know-how on the ecommerce industry and the grocery supply chain. Our expansion of new businesses may result in unseen risks, challenges and uncertainties. We may incur additional capital expenditure to support the development of our private label products. In addition, due to the limited operating history of the newly launched businesses, there is no guarantee that we may increase our revenues generated from such new businesses. Also, our failure to manage costs and expenses and evaluate consumer demands with respect to such new business could materially and adversely affect the prospects of us achieving overall profitability of and recouping our investments in the new businesses. Moreover, the new businesses may require significant managerial, financial, operational and other resources. We may also face higher regulatory, legal and counterparty risks from entering into contracts with third-party e-commerce platforms. If we fail to manage the development of the new businesses successfully, our prospect, business and results of operations may be materially and adversely affected.