Invitae (NVTAQ) Risk Analysis

In the ordinary course of our business, we collect and store sensitive data, including protected health information, or PHI, personally identifiable information, genetic information, credit card information, intellectual property and proprietary business information owned or controlled by ourselves or our customers, payers and other parties. We manage and maintain our applications and data utilizing a combination of on-site systems, managed data center systems and cloud-based systems. We also communicate PHI and other sensitive patient data through our various customer tools and platforms. In addition to storing and transmitting sensitive data that is subject to multiple legal protections, these applications and data encompass a wide variety of business-critical information including research and development information, commercial information, and business and financial information. We face a number of risks relative to protecting this critical information, including loss of access risk, inappropriate disclosure, inappropriate modification, and the risk of our being unable to adequately monitor and modify our controls over our critical information. Any technical problems that may arise in connection with our data and systems, including those that are hosted by third-party providers, could result in interruptions to our business and operations or exposure to security vulnerabilities. These types of problems may be caused by a variety of factors, including infrastructure changes, intentional or accidental human actions or omissions, software errors, malware, viruses, security attacks, ransomware fraud, spikes in customer usage and denial of service issues. There continues to be a significant level of ransomware and cyber security attacks related to the ongoing conflict between Russia and Ukraine, which could result in substantial harm to internal systems necessary for running our critical operations and revenue generating services. The secure processing, storage, maintenance and transmission of this critical information are vital to our operations and business strategy, and we devote significant resources to protecting such information. Although we take what we believe to be reasonable and appropriate measures, including a formal, dedicated enterprise security program, to protect sensitive information from various compromises (including unauthorized access, disclosure, or modification or lack of availability), our information technology and infrastructure may be vulnerable to attacks by hackers or viruses or breached due to employee error, malfeasance or other disruptions. For example, we have been subject to phishing incidents in the past, and we may experience additional incidents in the future. Any such breach or interruption could compromise our networks, and the information stored therein could be accessed by unauthorized parties, altered, publicly disclosed, lost or stolen. Unauthorized access, loss or dissemination could also disrupt our operations including our ability to conduct our analyses, provide test results, bill payers or patients, process claims and appeals, provide customer assistance, conduct research and development activities, collect, process and prepare company financial information, provide information about our tests and other patient and physician education and outreach efforts through our website, and manage the administrative aspects of our business. In addition to data security risks, we face privacy risks. Should we actually violate, or be perceived to have violated, any privacy commitments we make to patients or consumers, we could be subject to a complaint from an affected individual or interested privacy regulator, such as the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR), the FTC, a state Attorney General, an EU Member State Data Protection Authority, or a data protection authority in another international jurisdiction. This risk is heightened given the sensitivity of the data we collect. Any security compromise that causes an apparent privacy violation could also result in legal claims or proceedings and liability and penalties under federal, state, foreign, or multinational laws that regulate the privacy, security, or breach of personal information, such as but not limited to HIPAA, HITECH, the FTC Act, state UDAP data security and data breach notification laws, the GDPR and the UK Data Protection Act of 2018. There has been unprecedented activity in the development of data protection regulation around the world. As a result, the interpretation and application of consumer, health-related and data protection laws in the United States, Europe and elsewhere are often uncertain, contradictory and in flux. The GDPR took effect in May 2018. The GDPR applies to any entity established in the EU as well as extraterritorially to any entity outside the EU that offers goods or services to, or monitors the behavior of, individuals who are located in the EU. Among other requirements, the GDPR imposes strict rules on controllers and processors of personal data, including enhanced protections for "special categories" of personal data, which includes sensitive information such as health and genetic information of data subjects. Maximum penalties for violations of the GDPR are capped at 20.0 million euros or 4% of an organization's annual global revenue, whichever is greater. Additionally, the implementation of GDPR has led other jurisdictions to either amend or propose legislation to amend their existing data privacy and cybersecurity laws to resemble the requirements of GDPR. For example, in June 2018, California adopted the California Consumer Privacy Act of 2018, or the CCPA. The CCPA, is a comprehensive consumer privacy law that took effect in January 2020 and was further amended as of January 1, 2023. The CCPA regulates how certain for-profit businesses that meet one or more CCPA applicability thresholds collect, use, and disclose the personal information of natural persons who reside in California. The CCPA does not apply to personal information that is PHI under HIPAA. The CCPA also does not apply to a HIPAA-regulated entity to the extent that the entity maintains patient information in the same manner as PHI. In addition, de-identified data as defined under HIPAA is also exempt from the CCPA. Accordingly, we do not have CCPA compliance obligations with respect to most genetic testing and patient information we collect and process. However, we are required to comply with the CCPA insofar as we collect other categories of California consumers' personal information. Several other states in the United States have either recently enacted or are currently considering similar consumer data privacy laws, which could impact our operations if enacted. Some observers have noted that the CCPA could mark the beginning of a trend toward more stringent privacy legislation in the United States, which could increase our potential liability and adversely affect our business, results of operations, and financial condition. It is possible the GDPR, CCPA and other emerging United States and international data protection laws may be interpreted and applied in a manner that is inconsistent with our practices. If so, this could result in government-imposed fines or orders requiring that we change our practices, which could adversely affect our business. In addition, these privacy laws and regulations may differ from country to country and state to state, and our obligations under these laws and regulations vary based on the nature of our activities in the particular jurisdiction, such as whether we collect samples from individuals in the local jurisdiction, perform testing in the local jurisdiction, or process personal information regarding employees or other individuals in the local jurisdiction. Complying with these various laws and regulations could cause us to incur substantial costs or require us to change our business practices and compliance procedures in a manner adverse to our business. We can provide no assurance that we are or will remain in compliance with diverse privacy and data security requirements in all of the jurisdictions in which we do business. Failure to comply with privacy and data security requirements could result in a variety of consequences, including civil or criminal penalties, litigation, or damage to our reputation, any of which could have a material adverse effect on our business.

We depend on information technology and telecommunications systems for significant elements of our operations, including our laboratory information management system, our bioinformatics analytical software systems, our database of information relating to genetic variations and their role in disease process and drug metabolism, our patient data platform, our clinical report optimization systems, our customer-facing web-based software, our customer reporting, and our various customer tools and platforms. We have installed, and expect to expand, a number of enterprise software systems that affect a broad range of business processes and functional areas, including for example, systems handling human resources, financial controls and reporting, customer relationship management, regulatory compliance and other infrastructure operations. In addition, we intend to extend the capabilities of both our preventative and detective security controls by augmenting the monitoring and alerting functions, the network design, and the automatic countermeasure operations of our technical systems. These information technology and telecommunications systems support a variety of functions, including laboratory operations, test validation, sample tracking, quality control, customer service support, billing and reimbursement, research and development activities, scientific and medical curation, and general administrative activities, including financial reporting. Information technology and telecommunications systems are vulnerable to damage from a variety of sources, including telecommunications or network failures, malicious human acts and natural disasters. Moreover, despite network security and back-up measures, some of our servers are potentially vulnerable to physical or electronic break-ins, computer viruses and similar disruptive problems. Despite the precautionary measures we have taken to prevent unanticipated problems that could affect our information technology and telecommunications systems, failures or significant downtime of our information technology or telecommunications systems or those used by our third-party service providers could prevent us from conducting tests, preparing and providing reports to clinicians, billing payers, processing reimbursement appeals, handling physician or patient inquiries, conducting research and development activities, and managing the administrative and financial aspects of our business. Any disruption or loss of information technology or telecommunications systems on which critical aspects of our operations depend could have an adverse effect on our business and results of operations. Technical problems have arisen, and may arise in the future, in connection with our data and systems, including those that are hosted by third-party providers, which have in the past and may in the future result in interruptions in our business and operations. These types of problems may be caused by a variety of factors, including infrastructure changes, human or software errors, viruses, security attacks, fraud, spikes in customer usage and denial of service issues. From time to time, large third-party web hosting providers have experienced outages or other problems that have resulted in their systems being offline and inaccessible. Such outages could materially impact our business and operations.

Our business model assumes that we will be able to generate significant test volume, and we may not succeed in continuing to drive adoption of our tests to achieve sufficient volumes. Inasmuch as detailed genetic data from broad-based testing panels such as our tests have only recently become available at relatively affordable prices, the continued pace and degree of clinical acceptance of the utility of such testing is uncertain. Specifically, it is uncertain how much genetic data will be accepted as necessary or useful, as well as how detailed that data should be, particularly since medical practitioners may have become accustomed to genetic testing that is specific to one or a few genes. Given the substantial amount of additional information available from a broad-based testing panel such as ours, there may be distrust as to the reliability of such information when compared with more limited and focused genetic tests. To generate further demand for our tests, we will need to continue to make clinicians aware of the benefits of our tests, including the price, the breadth of our testing options, and the benefits of having additional genetic data available from which to make treatment decisions. A lack of or delay in clinical acceptance of broad-based panels such as our tests would negatively impact sales and market acceptance of our tests and limit our revenue growth and potential profitability. Genetic testing can be expensive and many potential customers may be sensitive to pricing. In addition, potential customers may not adopt our tests if adequate reimbursement is not available, or if we are not able to maintain low prices relative to our competitors. Also, we may not be successful in increasing demand for our tests through our direct channel, in which we facilitate the ordering of our genetic tests by consumers through an online network of physicians. If we are not able to generate demand for our tests at sufficient volume, or if it takes significantly more time to generate this demand than we anticipate, our business, prospects, financial condition and results of operations could be materially harmed. We have devoted a portion of our resources to research and development activities related to our Personalized Cancer Monitoring, or PCM, service for cancer monitoring. The demand for this service is unproven, and we may not be successful in achieving market awareness and demand for these services through our sales and marketing operations.

Adverse macroeconomic developments, including inflation, slowing growth, rising interest rates, or recession, may adversely affect our business and financial condition. These developments have caused, and could in the future cause, disruptions and volatility in global financial markets and increased rates of default and bankruptcy, and negatively affect business and consumer spending. Adverse economic conditions have and may continue to increase the costs of operating our business, including vendor, supplier and workforce expenses, and may limit our access to capital or may significantly increase our cost of capital. Management continues to evaluate the impact of macroeconomic events, including inflation, on our business and our future plans and intends to take appropriate measures to help alleviate their impact, but there can be no assurance that these efforts will be successful. A weak or declining economy also could strain our suppliers, possibly resulting in supply disruption, or cause our customers to delay making payments for our services. A severe or prolonged economic downturn, such as the global financial crisis, could also reduce our ability to raise additional capital when needed on acceptable terms, if at all. Presently, we have customers who have been adversely affected by Russia's invasion of Ukraine, and we have experienced some disruption in our engineering productivity as we have sought to assist contractors in both Ukraine and Russia who have been dislocated or who have chosen to flee Russia. Likewise, the capital and credit markets have been and may continue to be adversely affected by the invasion, the possibility of a wider European or global conflict, and global sanctions imposed in response to the invasion. We cannot predict the future trajectory of these risks, including how the macroeconomic environment will evolve or how it will continue to impact us. Specifically, difficult macroeconomic conditions, such as cost inflation, decreases in per capita income and level of disposable income, increased and prolonged unemployment or a decline in consumer confidence as a result of COVID-19 or otherwise, as well as limited or significantly reduced points of access of our tests, could have a material adverse effect on the demand for our tests. Under difficult economic conditions, consumers may seek to reduce discretionary spending by forgoing our tests. Decreased demand for our tests, particularly in the United States, has negatively affected and could continue to negatively affect our overall financial performance.

Doing business internationally involves a number of risks, including: - multiple, conflicting and changing laws and regulations such as privacy regulations, tax laws, export and import restrictions, employment laws, regulatory requirements, and other governmental approvals, permits and licenses;- failure by us or our distributors to obtain regulatory approvals for the use of our tests in various countries;- complexities and difficulties in obtaining protection and enforcing our intellectual property;- difficulties in staffing and managing foreign operations;- complexities associated with managing multiple payer reimbursement regimes, government payers or patient self-pay systems;- logistics and regulations associated with shipping samples, including infrastructure conditions, customs and transportation delays;- limits on our ability to penetrate international markets if we do not to conduct our tests locally;- natural disasters and outbreaks of disease, including the ongoing COVID-19 pandemic;- political and economic instability, including wars such as the current conflict in Ukraine, terrorism and political unrest, boycotts, curtailment of trade, government sanctions and other business restrictions;- inflationary pressures, such as those the global market is currently experiencing, which have and may increase costs for materials, supplies, and services; and - regulatory and compliance risks that relate to maintaining accurate information and control over activities that may fall within the purview of the U.S. Foreign Corrupt Practices Act, or FCPA, its books and records provisions, or its anti-bribery provisions. Any of these factors could significantly harm our international operations and, consequently, our revenue and results of operations. In addition, applicable export or import laws and regulations such as prohibitions on the export of samples imposed by countries outside of the United States, or international privacy or data restrictions that are different or more stringent than those of the United States, may require that we build additional laboratories or engage in joint ventures or other business partnerships in order to offer our tests internationally in the future. Any such restrictions would impair our ability to offer our tests in such countries and could have an adverse effect on our business, financial condition and results of operations.

Our performance, including our research and development programs and laboratory operations, largely depend on our continuing ability to identify, hire, develop, motivate and retain highly skilled personnel for all areas of our organization, including software developers, geneticists, biostatisticians, certified laboratory scientists and other scientific and technical personnel to process and interpret our genetic tests. In addition, we may need to continue to expand our sales force with qualified and experienced personnel. In July 2022, we initiated a strategic realignment of our operations and began implementing cost reduction programs that will ultimately reduce our workforce by approximately 1,000 employees. This reduction in workforce has and will continue to result in the loss of institutional knowledge and expertise and the reallocation of and combination of certain roles and responsibilities across the organization, all of which could adversely affect our operations. Further, the realignment has and may continue to yield unintended consequences, such as attrition beyond our intended workforce reduction and reduced employee morale. Competition in our industry for qualified employees is intense, and we may not be able to attract or retain qualified personnel in the future due to the competition for qualified personnel among life science and technology businesses as well as universities and public and private research institutions, particularly in the San Francisco Bay Area. In addition, our compensation arrangements, such as our equity award programs, may not always be successful in attracting new employees and retaining and motivating our existing employees. If the value of our common stock declines significantly, and remains depressed, as it has in the recent past, or if we do not have enough shares authorized to grant equity awards to new and existing employees, we may not be able to recruit and retain qualified employees. If we are not able to attract and retain the necessary personnel to accomplish our business objectives, we may experience constraints that could adversely affect our ability to scale our business and support our research and development efforts and our clinical laboratory. We believe that our corporate culture fosters innovation, creativity and teamwork. However, as our organization grows and evolves, we may find it increasingly difficult to maintain the beneficial aspects of our corporate culture. This could negatively impact our ability to retain and attract employees and our future success.

We rely on a limited number of suppliers, or, in some cases, sole suppliers, including Illumina, Integrated DNA Technologies Incorporated, QIAGEN N.V., Roche Holdings Ltd. and Twist Bioscience Corporation for certain laboratory substances used in the chemical reactions incorporated into our processes, which we refer to as reagents, as well as sequencers and other equipment and materials which we use in our laboratory operations. We do not have short- or long-term agreements with most of our suppliers, and our suppliers could cease supplying these materials and equipment at any time, or fail to provide us with sufficient quantities of materials or materials that meet our specifications. Our laboratory operations could be interrupted if we encounter delays or difficulties in securing these reagents, sequencers or other equipment or materials, and if we cannot obtain an acceptable substitute. Any such interruption could significantly affect our business, financial condition, results of operations and reputation. We rely on Illumina as the sole supplier of next generation sequencers and associated reagents and as the sole provider of maintenance and repair services for these sequencers. Any disruption in Illumina's operations could impact our supply chain and laboratory operations as well as our ability to conduct our tests, and it could take a substantial amount of time to integrate replacement equipment into our laboratory operations. We believe that there are only a few other manufacturers that are currently capable of supplying and servicing the equipment necessary for our laboratory operations, including sequencers and various associated reagents. The use of equipment or materials provided by these replacement suppliers would require us to alter our laboratory operations. Transitioning to a new supplier would be time consuming and expensive, may result in interruptions in our laboratory operations, could affect the performance specifications of our laboratory operations or could require that we revalidate our tests. We cannot assure you that we will be able to secure alternative equipment, reagents and other materials, and bring such equipment, reagents and materials online and revalidate them without experiencing interruptions in our workflow. In the case of an alternative supplier for Illumina, we cannot assure you that replacement sequencers and associated reagents will be available or will meet our quality control and performance requirements for our laboratory operations. If we encounter delays or difficulties in securing, reconfiguring or revalidating the equipment and reagents we require for our tests, our business, financial condition, results of operations and reputation could be adversely affected.