Nuvalent (NUVL) Risk Factors

Due to our public float as of June 30, 2023, we became a "large accelerated filer" as of December 31, 2023 and no longer qualify as an "emerging growth company", as defined in the JOBS Act. In addition, due to our public float as of June 30, 2023, we will be unable to take advantage of the scaled public disclosure requirements available to "smaller reporting companies", beginning with the filing of our quarterly report on Form 10-Q for the three-month period ending March 31, 2024. As a large accelerated filer, and because we no longer qualify as an emerging growth company and will soon be unable to take advantage of the scaled disclosures available to smaller reporting companies, we are subject to certain additional disclosure requirements applicable to other large accelerated filers and that were not applicable to us in the past, which will increase our legal, accounting and other expenses. These additional requirements include, among other things: - being required to comply with the auditor attestation requirements of Section 404 of the Sarbanes-Oxley Act of 2002, as amended (the Sarbanes-Oxley Act);- being required to comply with any requirement that may be adopted by the Public Company Accounting Oversight Board regarding mandatory audit firm rotation or a supplement to the auditor's report providing additional information about the audit and the financial statements;- additional disclosure obligations regarding executive compensation in our periodic reports and proxy statements; and - the requirements of holding nonbinding advisory stockholder votes on executive compensation and stockholder approval of any golden parachute payments not previously approved. Until our quarterly report on Form 10-Q for the three-month period ending March 31, 2024, we intend to take advantage of exemptions from various reporting requirements that are applicable to other public companies that are not smaller reporting companies, including: - being permitted to provide only two years of audited financial statements, in addition to any required unaudited interim financial statements, with correspondingly reduced "Management's Discussion and Analysis of Financial Condition and Results of Operations" disclosure in our periodic reports; and - reduced disclosure obligations regarding executive compensation in our periodic reports and proxy statements that are similar to those available for emerging growth companies. These scaled disclosures will no longer be applicable or available to us beginning with our quarterly report on Form 10-Q for the three-month period ending March 31, 2024.

We have never declared or paid any cash dividends on our common stock. We currently anticipate that we will retain future earnings for the development, operation and expansion of our business and do not anticipate declaring or paying any cash dividends for the foreseeable future. Any return to stockholders will therefore be limited to any appreciation in the value of their stock.

As of December 31, 2023, we had 92 full-time employees, including 66 employees engaged in research and development activities. In order to successfully implement our development and commercialization plans and strategies, and as we continue to grow as a public company, we expect to need significant additional managerial, operational, sales, marketing, financial and other personnel. Future growth will impose significant added responsibilities on members of management, including: - identifying, recruiting, integrating, maintaining, retaining and motivating our current and additional employees;- managing our internal development efforts effectively, including the preclinical, clinical, FDA, EMA and other comparable foreign regulatory authorities' review process for NVL-520, NVL-655, NVL-330 and our discovery programs, while complying with any contractual obligations to contractors and other third parties;- managing increasing operational and managerial complexity; and - improving our operational, financial and management controls, reporting systems and procedures. Our future financial performance and our ability to successfully develop and, if approved, commercialize NVL-520, NVL-655, NVL-330 and any future product candidates developed from our discovery programs and other product candidates will depend, in part, on our ability to effectively manage any future growth, and our management may also have to divert a disproportionate amount of its attention away from day-to-day activities in order to devote a substantial amount of time to managing these growth activities. We currently rely, and for the foreseeable future will continue to rely, in substantial part on certain independent organizations, advisors and consultants to provide certain services, including key aspects of research, clinical development and manufacturing. There can be no assurance that the services of independent organizations, advisors and consultants will continue to be available to us on a timely basis when needed, or that we can find qualified replacements. In addition, if we are unable to effectively manage our outsourced activities or if the quality or accuracy of the services provided by third-party service providers is compromised for any reason, our preclinical studies and clinical trials may be extended, delayed or terminated, and we may not be able to obtain marketing approval for any of our product candidates or otherwise advance our business. There can be no assurance that we will be able to manage our existing third-party service providers or find other competent outside contractors and consultants on economically reasonable terms, or at all. If we are not able to effectively expand our organization by hiring new employees and/or engaging additional third-party service providers, we may not be able to successfully implement the tasks necessary to further develop and commercialize NVL-520, NVL-655, NVL-330 or any future product candidate from our discovery programs and any of our other product candidates and, accordingly, may not achieve our research, development and commercialization goals.

Healthcare providers, physicians and third-party payors will play a primary role in the recommendation and prescription of any products for which we are able to obtain marketing approval. Any arrangements we have with healthcare providers, third-party payors and customers will subject us to broadly applicable fraud and abuse and other healthcare laws and regulations. The laws and regulations may constrain the business or financial arrangements and relationships through which we conduct clinical research, market, sell and distribute any products for which we obtain marketing approval. These include the following: - Anti-Kickback Statute. The federal Anti-Kickback Statute prohibits, among other things, persons and entities from knowingly and willfully soliciting, offering, receiving or providing remuneration (including any kickback, bribe or rebate), directly or indirectly, in cash or in kind, to induce or reward or in return for, either the referral of an individual for or the purchase, lease or order of a good, facility, item or service for which payment may be made under a federal healthcare program such as Medicare and Medicaid. - False Claims Laws. The federal false claims and civil monetary penalties laws, including the federal civil False Claims Act, impose criminal and civil penalties, including through civil whistleblower or qui tam actions against individuals or entities for, among other things, knowingly presenting or causing to be presented false or fraudulent claims for payment by a federal healthcare program or making a false statement or record material to payment of a false claim or avoiding, decreasing or concealing an obligation to pay money to the federal government, with potential liability including mandatory treble damages and significant per-claim penalties. - HIPAA. HIPAA imposes criminal and civil liability for, among other things, executing a scheme or making materially false statements in connection with the delivery of or payment for health care benefits, items or services. Additionally, HIPAA, as amended by the Health Information Technology for Economic and Clinical Health Act and its implementing regulations, also imposes obligations on covered entities and their business associates that perform certain functions or activities that involve the use or disclosure of protected health information on their behalf, including mandatory contractual terms and technical safeguards, with respect to maintaining the privacy, security and transmission of individually identifiable health information. - Transparency Requirements. The federal Physician Payments Sunshine Act requires certain manufacturers of drugs, devices, biologics and medical supplies for which payment is available under Medicare, Medicaid or the Children's Health Insurance Program, with specific exceptions, to report annually to CMS information related to payments or transfers of value made to physicians, other healthcare providers and teaching hospitals, as well as information regarding ownership and investment interests held by physicians and their immediate family members. - Analogous State and Foreign Laws. Analogous state and foreign fraud and abuse laws and regulations, such as state anti-kickback and false claims laws, can apply to sales or marketing arrangements and claims involving healthcare items or services reimbursed by non-governmental third-party payors and are generally broad and are enforced by many different federal and state agencies as well as through private actions. The provision of benefits or advantages to physicians to induce or encourage the prescription, recommendation, endorsement, purchase, supply, order or use of medicinal products is also prohibited in the EU. Infringement of these laws could result in substantial fines and imprisonment. Payments made to physicians in certain EU Member States must be publicly disclosed. Moreover, agreements with physicians often must be the subject of prior notification and approval by the physician's employer, his or her competent professional organization and/or the regulatory authorities of the individual EU Member States. These requirements are provided in the national laws, industry codes or professional codes of conduct applicable in the EU Member States. Our failure to comply with these requirements could result in reputational risk, public reprimands, administrative penalties, fines or imprisonment. Efforts to ensure that any business arrangements we have with third parties and our business generally will comply with applicable healthcare laws and regulations will involve substantial costs. It is possible that governmental authorities will conclude that our business practices may not comply with current or future statutes, regulations or case law involving applicable fraud and abuse or other healthcare laws and regulations. If our operations are found to be in violation of any of these laws or any other governmental regulations that may apply to us, we may be subject to significant civil, criminal and administrative penalties, damages, fines, individual imprisonment, additional reporting requirements and oversight if we become subject to a corporate integrity agreement or similar agreement to resolve allegations of non-compliance with these laws, exclusion of products from government funded healthcare programs, such as Medicare and Medicaid, disgorgement, contractual damages, reputational harm and the curtailment or restructuring of our operations.

The market price of our Class A common stock may be volatile and, in the past, companies that have experienced volatility in the market price of their stock have been subject to securities class action litigation. We may be the target of this type of litigation in the future. Securities litigation against us could result in substantial costs and divert our management's attention from other business concerns, which could seriously harm our business.

The ability of the FDA, EMA or comparable foreign regulatory authorities to review and approve new products can be affected by a variety of factors, including government budget and funding levels, ability to hire and retain key personnel and accept the payment of user fees, and statutory, regulatory, and policy changes. Average review times at the FDA and other regulators have fluctuated in recent years as a result. In addition, government funding of the SEC and other government agencies on which our operations may rely, including those that fund research and development activities, is subject to the political process, which is inherently fluid and unpredictable. Disruptions at the FDA, EMA and other agencies may also slow the time necessary for new drugs to be reviewed and/or approved by necessary government agencies, which would adversely affect our business. For example, in recent years, including in 2018 and 2019, the U.S. government shut down several times and certain regulatory agencies, such as the FDA and the SEC, had to furlough critical employees and stop critical activities. In addition, disruptions may result in events similar to the COVID-19 pandemic. During the COVID-19 pandemic, a number of companies announced receipt of complete response letters due to the FDA's inability to complete required inspections for their applications. In the event of a similar public health emergency in the future, the FDA may not be able to continue its current pace and review timelines could be extended. Regulatory authorities outside the U.S. facing similar circumstances may adopt similar restrictions or other policy measures in response to a similar public health emergency and may also experience delays in their regulatory activities. Accordingly, if a prolonged government shutdown occurs, it could significantly impact the ability of the FDA to timely review and process our regulatory submissions, which could have a material adverse effect on our business. Further, future government shutdowns could impact our ability to access the public markets and obtain necessary capital in order to properly capitalize and continue our operations.

We are or may become subject to many cybersecurity, privacy and data protection laws in the U.S. and around the world. In the U.S., we are subject to numerous federal and state laws governing the collection, processing, use, transmission, disclosure, and sale (collectively, Processing) of personal data (which may also be referred to as personal information, personally identifiable information, and/or non-public personal information). There are a broad variety of data protection laws that are applicable to our activities, and a wide range of enforcement agencies at both the state and federal levels that can review companies for privacy and data security concerns based on general consumer protection laws. The Federal Trade Commission (FTC) and state Attorneys General all are aggressive in reviewing privacy and data security protections for consumers. New laws also are being considered at both the state and federal levels. For example, the FTC has been particularly focused on the unpermitted processing of health and genetic data through its recent enforcement actions and is expanding the types of privacy violations that it interprets to be "unfair" under Section 5 of the Federal Trade Commission Act, as well as the types of activities it views to trigger the Health Breach Notification Rule (which the FTC also has the authority to enforce). The FTC is also in the process of developing rules related to commercial surveillance and data security that may impact our business. We will need to account for the FTC's evolving rules and guidance for proper privacy and data security practices in order to mitigate our risk for a potential enforcement action, which may be costly. If we are subject to a potential FTC enforcement action, we may be subject to a settlement order that requires us to adhere to very specific privacy and data security practices, which may impact our business. We may also be required to pay fines as part of a settlement (depending on the nature of the alleged violations). If we violate any consent order that we reach with the FTC, we may be subject to additional fines and compliance requirements. New laws also are being considered at the state level. For example, the California Consumer Privacy Act (CCPA) went into effect on January 1, 2020, and established a new privacy framework for covered businesses such as ours. The CCPA imposed many requirements on businesses that process the personal information of California residents. Many of the CCPA's requirements are similar to those found in the GDPR, including requiring businesses to provide notice to data subjects regarding the information collected about them and how such information is used and shared, and providing data subjects the right to request access to such personal information and, in certain cases, request the erasure of such personal information. The CCPA also affords California residents the right to opt-out of "sales" of their personal information. The CCPA contains significant penalties for companies that violate its requirements. Further, in November 2020, California voters passed the California Privacy Rights Act (CPRA), which significantly expanded the CCPA to incorporate additional GDPR-like provisions including requiring that the use, retention, and sharing of personal information of California residents be reasonably necessary and proportionate to the purposes of collection or processing, granting additional protections for sensitive personal information, and requiring greater disclosures related to notice to residents regarding retention of information. The CPRA also created a new enforcement agency – the California Privacy Protection Agency – whose sole responsibility is to enforce the CPRA, which will further increase compliance risk. While certain of our business activities will not be subject to these laws, it remains unclear how various provisions of the CCPA and CPRA will be interpreted and enforced. In addition to California, at least eleven other states have passed comprehensive privacy laws similar to the CCPA and CPRA. These laws are either in effect or will go into effect sometime before the end of 2026. Like the CCPA and CPRA, these laws create obligations related to the processing of personal information, as well as special obligations for the processing of "sensitive" data (which includes health data in some cases). Some of the provisions of these laws may apply to our business activities. There are also states that are strongly considering or have already passed comprehensive privacy laws during the 2024 legislative sessions that will go into effect in 2024 and beyond, including New Hampshire and New Jersey. Other states will be considering these laws in the future, and Congress has also been debating passing a federal privacy law. There are also states that are specifically regulating health information that may affect our business. For example, Washington state passed a health privacy law in 2023 that will regulate the collection and sharing of health information, and the law also has a private right of action, which further increases the relevant compliance risk. Connecticut and Nevada have also passed similar laws regulating consumer health data and additional states (including Vermont) are considering such legislation for 2024. These laws may impact our business activities, including our identification of research subjects, relationships with business partners and ultimately the marketing and distribution of our products. In addition, outside of the U.S., we are subject to foreign rules and regulations. Many countries outside of the U.S. maintain rigorous laws governing the privacy and security of personal information. The collection, use, disclosure, transfer, or other processing of personal data, including personal health data, regarding individuals who are located in the EEA, and the processing of personal data that takes place in the EEA, is subject to the GDPR, which became effective on May 25, 2018. This provision expanded the scope of data protection in the EU to foreign companies who process the personal data of EU residents, imposed a strict data protection compliance regime with stringent penalties for noncompliance and included new rights for data subjects such as the "portability" of personal data. In particular, under the GDPR, fines of up to €20 million, or up to 4% of the annual global revenue of the noncompliant company, whichever is greater, could be imposed for violations of certain of the GDPR's requirements. If we were found to be in breach of the GDPR, the potential penalties we might face could have a material adverse impact on our business, financial condition,results of operations, and cash flows. Compliance with the GDPR requires time and expense and may require us to make changes to our business operations. While the GDPR applies uniformly across the EU, each EU Member State is permitted to issue nation-specific data protection legislation, which has created inconsistencies on a country-by-country basis. Brexit has created further uncertainty and could result in the application of new data privacy and protection laws and standards to our operations in the U.K., our handling of personal data of users located in the U.K., and transfers of personal data between the EU and the U.K. Following the withdrawal of the U.K. from the EU, the U.K. Data Protection Act 2018 applies to the processing of personal data that takes place in the U.K. and includes parallel obligations to those set forth by GDPR. While the Data Protection Act of 2018 in the U.K. that "implements" and complements the GDPR has achieved Royal Assent on May 23, 2018, and is now effective in the U.K., it is still unclear whether and for how long transfer of data from the EEA to the U.K. will remain lawful under GDPR. The U.K. government has already determined that it considers all EU and EEA Member States to be adequate for the purposes of data protection, ensuring that data flows from the U.K. to the EU/EEA remain unaffected. In addition, a recent decision from the European Commission appears to deem the U.K. as being "essentially adequate" for purposes of data transfer from the EU to the U.K., although this decision may be re-evaluated in the future. There are ongoing concerns about the ability of companies to transfer personal data from the EU to other countries. On July 16, 2020, the European Court of Justice invalidated the EU-U.S. Privacy Shield Framework, a mechanism under which personal data could be transferred from the EEA to U.S. entities that had self-certified under the Privacy Shield Framework. The Court also called into question the Standard Contractual Clauses (SCCs), noting adequate safeguards must be met for SCCs to be valid. European regulatory guidance regarding these issues continues to evolve, and EU regulators across the EU Member States have taken different positions regarding continued data transfers to the U.S. In the future, SCCs and other data transfer mechanisms will face additional challenges. In October 2022, President Biden signed an executive order to implement the EU-U.S. Data Privacy Framework, which would serve as a replacement to the EU-U.S. Privacy Shield. The EU initiated the process to adopt an adequacy decision for the EU-U.S. Data Privacy Framework in December 2022 and the European Commission adopted the adequacy decision on July 10, 2023. The adequacy decision will permit U.S. companies who self-certify to the EU-U.S. Data Privacy Framework to rely on it as a valid data transfer mechanism for data transfers from the EU to the U.S. However, some privacy advocacy groups have already suggested that they will be challenging the EU-U.S. Data Privacy Framework. If these challenges are successful, they may not only impact the EU-U.S. Data Privacy Framework, but also further limit the viability of the standard contractual clauses and other data transfer mechanisms. The uncertainty around this issue has the potential to impact our business at the international level. Furthermore, while the Data Protection Act of 2018 in the U.K. that "implements" and complements the GDPR has achieved Royal Assent on May 23, 2018, and is now effective in the U.K., it is still unclear whether transfer of data from the EEA to the U.K. will remain lawful under the GDPR. The Agreement provides for a transitional period during which the U.K. will be treated like an EU member state in relation to processing and transfers of personal data for four months from January 1, 2021. This may be extended by two further months. After such period, the U.K. will be a "third country" under the GDPR unless the European Commission adopts an adequacy decision in respect of transfers of personal data to the U.K. The U.K. has already determined that it considers all of the EU and EEA member states to be adequate for the purposes of data protection, ensuring that data flows from the U.K. to the EU/EEA remain unaffected. Beyond GDPR, there are privacy and data security laws in a growing number of countries around the world. While many loosely follow GDPR as a model, other laws contain different or conflicting provisions. These laws will impact our ability to conduct our business activities, including both our clinical trials and any eventual sale and distribution of commercial products. Such laws may have potentially conflicting requirements or burdensome obligations that would make compliance challenging or expensive. Such changes may also require us to modify our products and features, and may limit our ability to make use of the data that we collect, may require additional investment of resources in compliance programs, impact strategies and the availability of previously useful data and could result in increased compliance costs and/or changes in business practices and policies. Compliance with U.S. and international data protection laws and regulations could require us to take on more onerous obligations in our contracts, restrict our ability to Process data (including personal data), or in some cases, impact our ability to operate in certain jurisdictions. Any actual or alleged failure to comply with U.S. or international laws and regulations relating to privacy, data protection, and data security could result in governmental investigations, proceedings and enforcement actions (which could include civil or criminal penalties), private litigation or adverse publicity, harm to our reputation, and could negatively affect our operating results and business. Moreover, clinical trial subjects about whom we or our potential collaborators obtain information, as well as the providers who share this information with us, may contractually limit our ability to Process the information or impose other obligations or restrictions in connection with our Processing of information, and we may otherwise face contractual restrictions applicable to our Processing of information. Claims that we have violated individuals' privacy rights, failed to comply with data protection laws, or breached our contractual obligations, even if we are not found liable, could be expensive and time-consuming to defend and could result in adverse publicity that could harm our business.

Manufacturing drugs, especially in large quantities, is complex and may require the use of innovative technologies. Each lot of an approved drug product must undergo thorough testing for identity, strength, quality, purity and potency. Manufacturing drugs requires facilities specifically designed for and validated for this purpose, as well as sophisticated quality assurance and quality control procedures. Slight deviations anywhere in the manufacturing process, including filling, labelling, packaging, storage and shipping and quality control and testing, may result in lot failures, product recalls or spoilage. When changes are made to the manufacturing process, we may be required to provide preclinical and clinical data showing the comparable identity, strength, quality, purity or potency of the products before and after such changes. If microbial, viral or other contaminations are discovered at the facilities of our manufacturers, such facilities may need to be closed for an extended period of time to investigate and remedy the contamination, which could delay clinical trials and adversely harm our business. Contaminations can also lead to allegations of harm, including infections or allergic reactions, or closure of product facilities due to possible contamination. If our third-party manufacturers are unable to produce sufficient quantities for clinical trials or for commercialization as a result of these challenges, or otherwise, our development and commercialization efforts would be impaired, which would have an adverse effect on our business, financial condition, results of operations and growth prospects.

We are exposed to the risk that our employees, independent contractors, consultants, commercial collaborators, principal investigators, CROs, suppliers and vendors may engage or may have engaged in misconduct or other improper activities. Misconduct by these parties could include failures to comply with FDA, EMA or comparable foreign regulatory authority regulations, provide accurate information to the FDA, EMA or comparable foreign regulatory authorities, comply with federal and state health care fraud and abuse laws and regulations, accurately report financial information or data or disclose unauthorized activities to us. In particular, research, sales, marketing and business arrangements in the health care industry are subject to extensive laws and regulations intended to prevent fraud, misconduct, kickbacks, self-dealing and other abusive practices. These laws and regulations may restrict or prohibit a wide range of pricing, discounting, marketing and promotion, sales commission, customer incentive programs and other business arrangements. Misconduct by these parties could also involve the improper use of information obtained in the course of clinical trials, which could result in regulatory sanctions and serious harm to our reputation. We have adopted a code of conduct and engage contractors that agree to undertake certain measures with respect to their employees, but it is not always possible to identify and deter misconduct by these parties, and the precautions we take to detect and prevent this activity may not be effective in controlling unknown or unmanaged risks or losses or in protecting us from governmental investigations or other actions or lawsuits stemming from a failure to comply with these laws or regulations. If any such actions are instituted against us, and we are not successful in defending ourselves or asserting our rights, those actions could have a significant impact on our business, including the imposition of significant penalties, including civil, criminal and administrative penalties, damages, fines, disgorgement, imprisonment, exclusion from participation in government funded healthcare programs, such as Medicare and Medicaid, integrity oversight and reporting obligations, contractual damages, reputational harm, diminished profits and future earnings and the curtailment or restructuring of our operations.

Our research and development activities involve the controlled use of potentially hazardous substances, including chemical materials, by our third-party manufacturers. Our manufacturers are subject to federal, state and local laws and regulations in the U.S. and local laws in other foreign jurisdictions governing the use, manufacture, storage, handling and disposal of medical and hazardous materials. Although we believe that our manufacturers' procedures for using, handling, storing and disposing of these materials comply with legally prescribed standards, we cannot completely eliminate the risk of contamination or injury resulting from medical or hazardous materials. As a result of any such contamination or injury, we may incur liability or local, city, state, federal or foreign authorities may curtail the use of these materials and interrupt our business operations. In the event of an accident, we could be held liable for damages or penalized with fines, and the liability could exceed our resources. We do not have any insurance for liabilities arising from medical or hazardous materials. Compliance with applicable environmental laws and regulations is expensive, and current or future environmental regulations may impair our research, development and production efforts, which could harm our business, prospects, financial condition or results of operations.

Even if our product candidates receive regulatory approval, they may not gain adequate market acceptance among physicians, patients, third-party payors and others in the medical community. The degree of market acceptance of any of our approved product candidates will depend on a number of factors, including: - the efficacy and safety profile as demonstrated in clinical trials compared to alternative treatments;- the timing of market introduction of the product candidate as well as competitive products;- the clinical indications for which a product candidate is approved;- restrictions on the use of product candidates in the labelling approved by regulatory authorities, such as boxed warnings or contraindications in labelling, or a REMS, if any, which may not be required of alternative treatments and competitor products;- the potential and perceived advantages of our product candidates over alternative treatments;- the cost of treatment in relation to alternative treatments;- the availability of coverage and adequate reimbursement by third-party payors, including government authorities;- willingness of physicians to use our product candidates, if approved, in lieu of (or in conjunction with) other approved therapies;- the availability of an approved product candidate for use as a combination therapy;- relative convenience and ease of administration;- the willingness of the target patient population to try new therapies and undergo required diagnostic screening to determine treatment eligibility and of physicians to prescribe these therapies and diagnostic tests;- the effectiveness of sales and marketing efforts;- unfavorable publicity relating to our product candidates; and - the approval of other new therapies for the same indications. If any of our product candidates are approved but do not achieve an adequate level of acceptance by physicians, hospitals, healthcare payors and patients, we may not generate or derive sufficient revenue from that product candidate and our financial results could be negatively impacted.

Our corporate headquarters are located in Cambridge, Massachusetts. We have not undertaken a systematic analysis of the potential consequences to our business and financial results from a major flood, fire, earthquake, power loss, telecommunications failure, terrorist activity, pandemics or other disasters and do not have a recovery plan for such disasters. In addition, we do not carry sufficient insurance to compensate us for actual losses from interruption of our business that may occur, and any losses or damages incurred by us could harm our business. The occurrence of any of these business disruptions could seriously harm our operations and financial condition and increase our costs and expenses.