Inari Medical (NARI) Risk Factors

We and our partners may be subject to federal, state, and foreign laws and regulations that govern data privacy and security. The legislative and regulatory landscape for privacy and data protection continues to evolve, and there has been an increasing focus on privacy and data protection issues, which may affect our business and may increase our compliance costs and exposure to liability. In the United States, numerous federal and state laws and regulations govern the collection, use, disclosure, and protection of personal information, including state data breach notification laws, federal and state health information privacy laws, and federal and state consumer protection laws. For example, HIPAA, as amended by the Health Information Technology for Economic and Clinical Health Act of 2009, and regulations implemented thereunder, or collectively HIPAA, imposes privacy, security and breach notification obligations on certain healthcare providers, health plans, and healthcare clearinghouses, known as covered entities, as well as their business associates that perform certain services that involve creating, receiving, maintaining or transmitting individually identifiable health information for or on behalf of such covered entities, and their covered subcontractors. HIPAA requires covered entities and business associates to develop and maintain policies with respect to the protection of, use and disclosure of PHI, including the adoption of administrative, physical and technical safeguards to protect such information, and certain notification requirements in the event of a breach of unsecured PHI. Most healthcare providers, including research institutions from which we obtain patient health information, are subject to privacy and security regulations promulgated under HIPAA. While we do not believe that we are currently acting as a covered entity or business associate under HIPAA and thus are not directly regulated under HIPAA, any person may be prosecuted under HIPAA's criminal provisions either directly or under aiding-and-abetting or conspiracy principles. Consequently, depending on the facts and circumstances, we could face substantial criminal penalties if we knowingly receive individually identifiable health information from a HIPAA-covered healthcare provider or research institution that has not satisfied HIPAA's requirements for disclosure of individually identifiable health information. Certain states have also adopted comparable privacy and security laws and regulations, which govern the privacy, processing and protection of health-related and other personal information. Such laws will be subject to varying interpretations by courts and government agencies, creating complex compliance issues. For example, the California Consumer Privacy Act of 2018, or the CCPA, went into effect on January 1, 2020, and creates individual privacy rights for California consumers and increases the privacy and security obligations of entities handling certain personal information. The CCPA provides for civil penalties for violations, as well as a private right of action for data breaches that is expected to increase data breach litigation. Further, the California Privacy Rights Act, or the CPRA, recently passed in California. The CPRA significantly amends the CCPA and will impose additional data protection obligations on covered businesses, including additional consumer rights processes, limitations on data uses, new audit requirements for higher risk data, and opt outs for certain uses of sensitive data. It also created a new California data protection agency that has issued substantive regulations that could result in increased privacy and information security obligations and enforcement. The majority of the provisions went into effect on January 1, 2023, and additional compliance investment and potential business process changes may be required. Similar laws have passed in Virginia, Connecticut, Utah and Colorado, and have been enacted or proposed in other states and at the federal level, reflecting a trend toward more stringent privacy legislation in the United States, particularly for health data that is considered sensitive and potentially subject to consent requirements and opt-out rights. In the event that we are subject to or affected by HIPAA, the CCPA, the CPRA or other domestic privacy and data protection laws, any liability from failure to comply with the requirements of these laws could adversely affect our financial condition. We are also or may become subject to rapidly evolving data protection laws, rules and regulations in foreign jurisdictions. For example, the European Union General Data Protection Regulation, or the GDPR, governs certain collection and other processing activities involving personal data about individuals in the European Economic Area, or the EEA. Among other things, the GDPR imposes requirements regarding the security of personal data, the rights of data subjects to access and delete personal data, requires having lawful bases on which personal data can be processed, includes requirements relating to the consent of individuals to whom the personal data relates, and requires detailed notices for clinical trial participants and investigators. The GDPR imposes substantial fines for breaches and violations (up to the greater of €20 million or 4% of our annual global revenue), and also confers a private right of action on data subjects and consumer associations to lodge complaints with supervisory authorities, seek judicial remedies and obtain compensation for damages resulting from violations of the GDPR. In addition, the GDPR also regulates transfers of personal data subject to the GDPR to third countries that have not been found to provide adequate protection to such personal data, including the United States. Companies transferring the personal data of EU/EEA residents must comply with one of the recognized transfer mechanisms. In July 2020, the Court of Justice of the EU, or the CJEU, limited how organizations could lawfully transfer personal data from the EU/EEA to the United States by invalidating the Privacy Shield for purposes of international transfers and imposing further restrictions on the use of standard contractual clauses, or SCCs. The new EU-US Data Privacy Framework took effect on July 23, 2023 to replace the Privacy Shield to cover data transfer to the United States. On October 12, 2023, the UK approved the Data Bridge, which allows UK organizations to transfer personal data to US organizations that have self-certified to the EU-US Data Privacy Framework. The European Commission also issued revised SCCs on June 4, 2021 to account for the decision of the CJEU and recommendations made by the European Data Protection Board. The revised SCCs must be used for relevant new data transfers from September 27, 2021; existing SCC arrangements must be migrated to the revised clauses by December 27, 2022. The new SCCs apply only to the transfer of personal data outside of the EEA and not the UK. The UK's Information Commissioner's Office has published new data transfer standard contracts for transfers from the UK under the UK GDPR including the Standard Contractual Clauses with a UK Addendum) or the UK's International Data Transfer Agreement (the "IDTA"). This new documentation will be mandatory for relevant data transfers from September 21, 2022; existing SCC arrangements must be migrated to the new documentation by March 21, 2024. There is still some uncertainty around the extent to which the revised clauses can be used for all types of data transfers, particularly for data transfers to non-EEA entities subject to the GDPR. As supervisory authorities issue further guidance on personal data export mechanisms, including circumstances where the SCCs cannot be used, and/or start taking enforcement action, we could suffer additional costs, complaints and/or regulatory investigations or fines, and/or if we are otherwise unable to transfer personal data between and among countries and regions in which we operate, it could affect the manner in which we provide our services, the geographical location or segregation of our relevant systems and operations, and could adversely affect our financial results. Further, from January 1, 2021, companies have been subject to the GDPR and also the UK GDPR, which, together with the amended UK Data Protection Act 2018, retains the GDPR in UK national law. The UK GDPR mirrors the fines under the GDPR, e.g. fines up to the greater of €20 million (£17.5 million) or 4% of global turnover. The European Commission has adopted an adequacy decision in favor of the UK, enabling data transfers from EU member states to the UK without additional safeguards. However, the UK adequacy decision will automatically expire in June 2025 unless the European Commission re-assesses and renews/extends that decision. In September 2021, the UK government launched a consultation on its proposals for wide-ranging reform of UK data protection laws following Brexit and the response to this consultation was published in June 2022. There is a risk that any material changes which are made to the UK data protection regime could result in the European Commission reviewing the UK adequacy decision, and the UK losing its adequacy decision if the European Commission deems the UK to no longer provide adequate protection for personal data. The relationship between the UK and the EU in relation to certain aspects of data protection law remains unclear, and it is unclear how UK data protection laws and regulations will develop in the medium to longer term, and how data transfers to and from the UK will be regulated in the long term. These changes may lead to additional costs and increase our overall risk exposure. Compliance with applicable data privacy and security laws, rules and regulations could require us to take on more onerous obligations in our contracts, require us to engage in costly compliance exercises, restrict our ability to collect, use and disclose data, or in some cases, impact our or our partners' ability to operate in certain jurisdictions. Each of these constantly evolving laws can be subject to varying interpretations. If we fail to comply with any such laws, rules or regulations, we may face government investigations and/or enforcement actions, fines, civil or criminal penalties, private litigation or adverse publicity that could adversely affect our business, financial condition and results of operations.

Our success depends largely on the continued services of key members of our executive management team and others in key management positions. For example, the services of our Chief Executive Officer, Chief Financial Officer, and Chief Medical Officer are essential to driving adoption of our solutions, executing on our corporate strategy and ensuring the continued operations and integrity of financial reporting within our company. In addition, the services of our sales professionals are critical to driving the growth in sales of our solutions. Any of our employees may terminate their employment with us at any time. We do not currently maintain key person life insurance policies on any of our employees. If we lose one or more key employees, we may experience difficulties in competing effectively, developing our technologies and implementing our business strategy. In addition, our research and development programs, clinical operations and sales efforts depend on our ability to attract and retain highly skilled engineers and sales professionals. We may not be able to attract or retain qualified engineers and sales professionals in the future due to the competition for qualified personnel. We have from time to time experienced, and we expect to continue to experience, difficulty in hiring and retaining employees with appropriate qualifications. If we hire employees from competitors or other companies, their former employers may attempt to assert that these employees or we have breached legal obligations, resulting in a diversion of our time and resources and, potentially, damages. Further, many of our employees have become or will soon become vested in a substantial amount of our common stock or a number of common stock options. Our employees may be more likely to leave us if the shares they own have significantly appreciated in value relative to the original purchase prices of the shares, or if the exercise prices of the options that they hold are significantly below the market price of our common stock. Our future success also depends on our ability to continue to attract and retain additional executive officers and other key employees. If we fail to attract new personnel or fail to retain and motivate our current personnel, it will negatively affect our business, financial condition and results of operations.

The operation of our business depends on our information systems and in some cases the information systems of our service providers. We rely on our information systems to, among other things, effectively manage sales and marketing data, accounting and financial functions, inventory management, product development tasks, clinical data, customer service and technical support functions. Our information systems are vulnerable to a variety of cybersecurity incidents and cybersecurity threats, as well as other forms of attack, including attack, damage or interruption from earthquakes, fires, floods and other natural disasters, terrorist attacks, power losses, computer system or data network failures, security breaches, data corruption, and cyberattacks. Cyberattacks can include, but are not limited to, computer viruses, computer denial-of-service attacks, phishing attacks, ransomware attacks, worms, and other malicious software programs or other attacks, covert introduction of malware to computers and networks, social engineering or impersonation of authorized users, and efforts to discover and exploit any design flaws, bugs, security vulnerabilities, or security weaknesses, as well as intentional or unintentional acts by employees or other insiders with access privileges, intentional acts of vandalism by third parties and sabotage. A variety of our software systems are cloud-based data management applications, hosted by third-party service providers whose security and information systems are subject to similar risks. Attacks upon information systems are increasing in their frequency, levels of persistence, sophistication and intensity, and are being conducted by sophisticated and organized groups and individuals with a wide range of motives and expertise. We may also face increased cybersecurity risks due to our reliance on internet technology and the number of our employees who are working remotely, which may create additional opportunities for cybercriminals to exploit vulnerabilities. Furthermore, because the techniques used to obtain unauthorized access to, or to sabotage, information systems change frequently and often are not recognized until launched against a target, we may be unable to anticipate these techniques or implement adequate preventative measures. We may also experience security breaches that may remain undetected for an extended period. Even if identified, we may be unable to adequately investigate or remediate cybersecurity incidents or threats due to attackers increasingly using tools and techniques that are designed to circumvent controls, to avoid detection, and to remove or obfuscate forensic evidence. We and certain of our service providers are from time to time subject to cyberattacks and cybersecurity incidents and threats. While we do not believe that we have experienced any significant system failure, accident or material cybersecurity incident to date, if such an event were to occur and cause interruptions in our operations, it could result in decreased sales, result in liability claims or regulatory penalties, or lead to increased overhead costs, product shortages, loss or misuse of proprietary or confidential information, intellectual property, or sensitive or personal information, any of which could have a material adverse effect on our reputation, business, financial condition, and operating results. We maintain cybersecurity liability insurance; however, this insurance may not be sufficient to cover the financial, legal, business or reputational losses that may result from an interruption or breach of our information systems.

The medical device industry is highly competitive, subject to rapid change and significantly affected by the introduction of new technologies and other activities of industry participants. For our VTE solutions, we compete with manufacturers of thrombolytic drugs, such as Roche, and with medical device companies that manufacture thrombectomy devices and systems used to treat vascular blockages. These systems include water jets, ultrasonic acoustic field generators, aspirators, catheters and others. Our primary medical device competitors are divisions of Penumbra, Boston Scientific, Abbott, Medtronic, AngioDynamics, Becton Dickinson, and Phillips, and multiple smaller companies that have single products or a limited range of products. There is growing interest in the treatment of VTE disease with catheter-based solutions, and there are a significant number of approved thrombectomy devices available or entering the market in the near term. As this interest continues to grow, we anticipate that this competition will intensify. Competing technologies or therapies could demonstrate better safety, effectiveness, clinical results, lower costs or greater physician and market acceptance than our solutions. With respect to the LimFlow system, currently there are no commercially approved, comparable devices on the market. However, we currently compete with physicians' treatment decisions, such as amputation, and limited understanding of the availability of TADV as an FDA-approved treatment option. In addition, we compete, or may compete in the future, against other companies which have longer, more established operating histories and significantly greater financial, technical, marketing, sales, distribution and other resources, which may prevent us from achieving significant market penetration or improved operating results. These companies may enjoy several competitive advantages, including: established treatment patterns pursuant to which drugs are generally first-line or concurrent therapies for the treatment of VTE; established relationships with hospitals and physicians who prescribe their drugs or are familiar with existing interventional procedures for the treatment of VTE; established relationships with key stakeholders, including interventional cardiologists, interventional radiologists and vascular surgeons, referring physicians, pulmonologists, radiologists, general practitioners and administrators; greater financial and human capital resources; significantly greater name recognition; additional lines of products, and the ability to offer rebates or bundle offerings to offer greater discounts or incentives to gain a competitive advantage; and established sales, marketing and worldwide distribution networks. As one of the major hurdles to adoption of our solutions is overcoming established treatment patterns, because of the size of the market opportunity for the treatment of DVT and PE, we believe current and potential future competitors will dedicate significant resources to aggressively promote their products or develop new products or treatments. New treatment options may be developed that could compete more effectively with our solutions due to the prevalence of VTE and other complex diseases and the research and technological progress that exist within the market. With respect to our other solutions, including in Emerging Therapies, we are just entering the market and believe there are currently limited competitors offering purpose-built solutions.

We began commercializing our FlowTriever and ClotTriever systems in the United States in 2017 and outside of the United States in 2021. We expect to continue to devote a substantial amount of resources to expand our commercialization efforts, drive increased adoption of our solutions and continue to develop new and improved solutions. To date, substantially all of our revenue has been derived, and we expect for the near term to continue to be significantly derived, from sales of our ClotTriever and FlowTriever systems. We believe these systems have the potential to become the standard of care for the DVT and PE, the two diseases making up venous thromboembolism or VTE. In November 2023, we completed the acquisition of LimFlow S.A., a medical device company focused on limb salvage for patients with no-option chronic limb-threatening ischemia (CLTI). The LimFlow system received FDA approval in September 2023 and launched commercially in the U.S. in October 2023. Our growth and profitability largely depend on our ability to increase physician and patient awareness of our solutions and on the willingness of physicians and hospitals to adopt our solutions. Even if we are able to raise awareness among physicians, they may be slow in changing their medical treatment practices and may be hesitant to select our solutions. Physicians and hospitals may not adopt our solutions unless they are able to determine, based on experience, clinical data, medical society recommendations and other analyses, that our solutions provide a safe and effective treatment alternative for VTE, other venous diseases and CLTI. In addition, our current and new solutions must often be approved for use by hospital value analysis committees, group purchasing organizations and integrated delivery networks, or the staff of hospitals or health systems. Such approvals or requirements could deter or delay the use of our solutions by physicians. We cannot provide assurance that our efforts to obtain such approvals and satisfy any other requirements or generate adoption will be successful or increase the use of our solutions, and if we are not successful, it could have a material adverse effect on our business, financial condition and results of operations. The rate of adoption and sales of our solutions is heavily influenced by clinical data. The primary sources of currently available clinical data regarding our solutions are the FlowTriever Pulmonary Embolectomy Clinical Study, or FLARE study, the ClotTriever Outcomes, or CLOUT, registry study, and the FlowTriever All-Comer Registry for Patient Safety and Hemodynamics, or FLASH, registry study, the ALPS and CLariTI registry studies, and the PROMISE series of studies of the LimFlow system for TADV in no-option CLTI patients. We previously announced the initiation of enrollment in two randomized controlled trials – PEERLESS, evaluating FlowTriever's performance in patients with intermediate risk PE compared to those treated with catheter-directed thrombolysis, and DEFIANCE, evaluating ClotTriever's performance in patients with moderate to severe iliofemoral DVT as compared to conservative medical management alone. In November 2023, we enrolled the first patient in PEERLESS II, a prospective, multicenter randomized controlled trial enrolling up to 1,200 patients at up to 100 centers that will compare the outcomes of patients with intermediate-risk PE treated with FlowTriever plus anticoagulation to those treated with traditional anticoagulation therapy alone. We plan to conduct additional clinical studies and trials to help drive increased awareness and adoption of our solutions with existing and new customers. The outcomes and updates resulting from these studies and trials, including interim results, may not be favorable which could limit the adoption of our solutions. In addition, our competitors and other third parties may also conduct clinical trials of our solutions without our participation. Unfavorable or inconsistent clinical data from existing or future clinical studies conducted by us, our competitors or other third parties, the interpretation of our clinical data or findings of new or more frequent adverse events, could subject us to mandatory or voluntary product recalls, suspension or withdrawal of FDA or other clearance, approval or certification, significant legal liability or harm to our business reputation and could have a material adverse effect on our business, financial condition and results of operations.

We operate in an industry with significant price competition, and we can give no assurance that we will be able to achieve satisfactory prices for our current or any new solutions or maintain prices at the levels we have historically achieved. Any decline in the amount that payors reimburse our customers for our solutions could make it difficult for customers to continue using, or to adopt, our solutions and could create additional pricing pressure for us. If we are forced to lower the price we charge for our solutions (including as a result of regulation in domestic or international markets), if we add more components to our systems or bundle solutions, our gross margins will decrease, which will adversely affect our ability to invest in and grow our business. If we are unable to maintain our prices, including during any international expansion, or if our costs increase and we are unable to offset such increase with an increase in our prices, our margins could erode. We will continue to be subject to significant pricing pressure, which could harm negatively affect our business, financial condition and results of operations.

Various macroeconomic factors could adversely affect our business, financial condition and results of operations, including changes in inflation, interest rates and overall economic conditions and uncertainties, including those resulting from political instability (including workforce uncertainty), trade disputes between nations and the current and future conditions in the global financial markets. For example, if inflation or other factors were to significantly increase our business costs, we may be unable to pass through price increases to our customers. Interest rates and the ability to access credit markets could also adversely affect the ability of our customers to purchase our products. Similarly, these macroeconomic factors could affect the ability of our current or potential future manufacturers, sole source or single source suppliers, licensors or licensees to remain in business, or otherwise manufacture or supply components, materials or services relevant to our products. Failure by any of them to remain in business could affect our ability to manufacture products or meet demand for our products. Also, as a result of the current geopolitical tensions and conflict between Russia and Ukraine, and the recent invasion by Russia of Ukraine, the governments of the United States, European Union, Japan and other jurisdictions have recently announced the imposition of sanctions on certain industry sectors and parties in Russia and certain impacted regions, as well as enhanced export controls on certain products and industries. These and any additional sanctions and export controls, as well as any counter responses by the governments of Russia or other jurisdictions, could adversely affect, directly or indirectly, the global supply chain, with negative implications on the availability and prices of raw materials and components, as well as the on global financial markets and financial services industry.

Our long-term strategy is to increase our international presence, including securing regulatory approvals or certifications in targeted countries internationally. Doing business internationally involves a number of risks, including: - Difficulties in staffing and managing our international operations;- Multiple, conflicting and changing laws and regulations such as tax laws, privacy laws, export and import restrictions, employment laws, regulatory requirements and other governmental approvals, permits and licenses;- Reduced or varied protection for intellectual property rights in some countries;- Obtaining regulatory clearance or certification where required for our solutions in various countries;- Requirements to maintain data and the processing of that data on servers located within such countries;- Complexities associated with managing multiple payor reimbursement regimes, government payors or patient self-pay systems;- Limits on our ability to penetrate international markets if we are required to manufacture our solutions locally;- Financial risks, such as longer payment cycles, difficulty collecting accounts receivable, foreign tax laws and complexities of foreign value-added tax systems, the effect of local and regional pricing, market and financial pressures on demand and payment for our products and exposure to foreign currency exchange rate fluctuations;- Restrictions on the site-of-service for use of our solutions and the economics related thereto for physicians, providers and payors;- Natural disasters, political and economic instability, including wars, terrorism, political unrest, outbreak of disease, boycotts, curtailment of trade and other market restrictions; and - Regulatory and compliance risks that relate to maintaining accurate information and control over activities subject to regulation under the United States Foreign Corrupt Practices Act of 1977, or FCPA, U.K. Bribery Act of 2010 and comparable laws and regulations in other countries. Any of these factors could significantly harm our international expansion and operations or could increase our costs and, consequently, have a material adverse effect on our business, financial condition and results of operations.

We are subject to risks associated with pandemics, epidemics and outbreaks of infectious disease. For example, the COVID-19 pandemic adversely impacted nearly all aspects of our business and markets, including our workforce and operations and the operations of our customers, suppliers, and business partners. Other future public health crises could have a similar impact. The extent to which our financial condition is impacted by any such crisis will depend on future developments, which are highly uncertain and are difficult to predict. To the extent a future health crisis adversely affects our business and financial results, it may also have the effect of heightening many of the other risks described in this "Risk Factors" section.