The global data protection landscape is rapidly evolving, and we may be or become subject to or affected by numerous federal, state and foreign laws and regulations, as well as regulatory guidance, governing the collection, use, disclosure, transfer, security and processing of personal information, such as information that we collect about participants and healthcare providers in connection with clinical trials. Implementation standards and enforcement practices are likely to remain uncertain for the foreseeable future, which may create uncertainty in our business, affect our or our service providers' ability to operate in certain jurisdictions or to collect, store, transfer, use and share personal data, result in liability or impose additional compliance or other costs on us. Any failure or perceived failure by us to comply with federal, state or foreign laws or self-regulatory standards could result in negative publicity, diversion of management time and effort and proceedings against us by governmental entities or others.
As our operations and business grow, we may become subject to or affected by new or additional data protection laws and regulations and face increased scrutiny or attention from regulatory authorities. In the United States, most healthcare providers, including certain research institutions from which we may obtain patient health information, are subject to privacy and security regulations promulgated under the Health Insurance Portability and Accountability Act of 1996, as amended by the Health Information Technology for Economic and Clinical Health Act, which we collectively refer to as HIPAA. We are not currently acting as a covered entity or business associate under HIPAA and therefore are not directly regulated under HIPAA. However, any person may be prosecuted under HIPAA's criminal provisions either directly or under aiding-and-abetting or conspiracy principles. Consequently, depending on the facts and circumstances, we could face substantial criminal penalties if we knowingly receive individually identifiable health information from a HIPAA-covered healthcare provider or research institution that has disclosed individually identifiable health information in a manner that is not authorized or permitted under HIPAA. In addition, in the future, we may maintain sensitive personal information, including health-related information, that we receive throughout the clinical trial process, in the course of our research collaborations and/or directly from individuals (or their healthcare providers) who may enroll in patient assistance programs if we choose to implement these types of programs. As a result, we may be subject to data privacy and security laws protecting such information, including state laws requiring notification of affected individuals and state regulators in the event of a breach of personal information, which is a broader class of information than the health information protected by HIPAA.
Other federal and state laws establish additional requirements for protecting the privacy and security of personal information, including health information. In addition, certain states have proposed or enacted legislation. For instance, Washington state recently passed the "My Health My Data" Act, which will regulate "consumer health data," which is defined as "personal information that is linked or reasonably linked to a consumer and that identifies a consumer's past, present, or future physical or mental health." The "My Health My Data" Act provides exemptions for personal data used or shared in research, including data subject to 45 C.F.R. Parts 46, 50 and 56. Nevada also recently enacted a consumer health data privacy bill, and additional states may adopt health-specific privacy laws that could impact our business activities depending on how they are interpreted.
The Federal Trade Commission, or the FTC, and many state attorneys general are interpreting existing federal and state consumer protection laws to impose evolving standards for the collection, use, dissemination and security of health-related and other personal information. Privacy laws require us to publish statements that describe how we handle personal information and the choices individuals may have about the way we handle their personal information. Violating individuals' privacy rights, publishing false or misleading information about security practices, or failing to take appropriate steps to keep individuals' personal information secure may constitute unfair or deceptive acts or practices in violation of Section 5 of the FTC Act. Additionally, the FTC recently published an advance notice of proposed rulemaking on "commercial surveillance" and data security, and is seeking comment on whether it should implement new trade regulation rules or other regulatory alternatives concerning the ways in which companies (1) collect, aggregate, protect, use, analyze, and retain consumer data, as well as (2) transfer, share, sell, or otherwise monetize that data in ways that are unfair or deceptive. Federal regulators, state attorneys general and plaintiffs' attorneys have been and will likely continue to be active in this space, and if we do not comply with existing or new laws and regulations related to patient health information, we could be subject to criminal or civil sanctions. Further, the California Consumer Privacy Act of 2018, or the CCPA, went into effect in January 2020, which creates individual data privacy rights for consumers and operational requirements for companies, including placing increased privacy and security obligations on entities handling certain personal information of consumers or households. These requirements could increase our compliance costs and potential liability.
The CCPA gives California residents expanded rights to access and delete their personal information, opt out of certain personal information sharing and receive detailed information about how their personal information is used. The CCPA provides for civil penalties for violations, as well as a private right of action for data breaches that is expected to increase data breach litigation. While there is currently an exception for protected health information maintained by a business associate or covered entity as well as an exception for clinical trial data, as currently written, the CCPA may impact certain of our business activities. Further, the California Privacy Rights Act, or CPRA, was passed in California in 2020 and modifies the CCPA. The CCPA (as modified by the CPRA) imposes additional data protection obligations on covered businesses, including additional consumer rights processes, limitations on data uses, new audit requirements for higher risk data, and opt outs for certain uses of sensitive data. It also creates a new California data protection agency authorized to issue substantive regulations and could result in increased privacy and information security enforcement. The majority of the provisions went into effect on January 1, 2023, and additional compliance investment and potential business process changes may be required. Similar laws have been adopted in other states or proposed in other states and at the federal level, and if passed, such laws may have potentially conflicting requirements that would make compliance challenging. While these new laws may include exemptions for health-related data such as clinical trial data, they add layers of complexity to compliance in the U.S. market, and could increase our compliance costs and adversely affect our business.
In the event that we are subject to or affected by HIPAA, the CCPA (as modified by the CPRA), or other privacy and data protection laws, any liability from failure to comply with the requirements of these laws could adversely affect our financial condition.
In addition, the European Union, or EU, General Data Protection Regulation, or EU GDPR, imposes strict requirements for the processing of personal data (i.e., data which identifies an individual or from which an individual is identifiable). The UK has implemented the EU GDPR into its national law by virtue of Section 3 of the European Union (Withdrawal) Act 2018 (known as the UK GDPR, and, together with the EU GDPR, the GDPR), which sits alongside the UK Data Protection Act 2018.
The GDPR imposes a number of compliance obligations on controllers including inter alia: (i) accountability and transparency requirements, which require controllers to demonstrate and record compliance with the GDPR and to provide more detailed information to data subjects regarding processing; (ii) requirements to process personal data lawfully, including specific requirements for obtaining valid consent where consent is the lawful basis for processing; (iii) obligations to consider data protection as any new products or services are developed and designed, including to limit the amount of personal data processed; (iv) obligations to implement appropriate technical and organizational security measures to safeguard personal data and to report certain personal data breaches to the relevant supervisory authority without undue delay (and, in any event, no later than 72 hours, where feasible) and affected individuals where the personal data breach is likely to result in a high risk to their rights and freedoms; (v) obligations to comply with data protection rights of data subjects, including a right of access to and rectification of personal data, a right to obtain restriction of processing or to withdraw consent to processing, or to object to processing of personal data and a right to ask for a copy of personal data to be provided to a third-party in a useable format and a right to erasure of personal data in certain circumstances; and (vi) additional requirements around the processing of special categories of personal data (including health data and genetic data).
In addition, the EU GDPR also prohibits transfers of personal data subject to the EU GDPR to countries outside of the EEA, unless such transfers are made to a country deemed to have adequate data privacy laws by the European Commission or specific safeguards have been implemented in accordance with the EU GDPR or a derogation under the EU GDPR can be relied on. The Court of Justice of the European Union issued a decision in July 2020 invalidating the EU-U.S. Privacy Shield framework as a data transfer mechanism (Schrems II) and imposing further restrictions on the use of EU standard contractual clauses, or EU SCCs, including a requirement for companies to carry out a transfer impact assessment, or TIA. A TIA, among other things, assesses laws governing access to personal data in the recipient country and considers whether supplementary measures that provide privacy protections additional to those provided under the EU SCCs will need to be implemented to ensure an "essentially equivalent" level of data protection to that afforded in the EU. The UK GDPR imposes similar restrictions on transfers of personal data from the UK to jurisdictions that the UK does not consider adequate. This may have implications for our cross-border data flows and may result in compliance costs.
Further, on October 7, 2022, the U.S. President introduced an Executive Order to facilitate a new Trans-Atlantic Data Privacy Framework, or DPF, which will act as a successor to the invalidated Privacy Shield. On July 10, 2023, the European Commission adopted its Final Implementing Decision granting the U.S. adequacy, or Adequacy Decision, for EU-US transfers of personal data for entities self-certified to the DPF. Entities relying on EU SCCs for transfers to the U.S. are also able to rely on the analysis in the Adequacy Decision as support for their TIA regarding the equivalence of U.S. national security safeguards and redress.
It should also be noted that the UK Government has published its own form of EU SCCs, known as the International Data Transfer Agreement and International Data Transfer Addendum to the new EU SCCs. The UK Information Commissioner's Office has also published its own version of the TIA and revised guidance on international transfers, although entities may choose to adopt either the EU or UK style TIA. Further, on September 21, 2023, the UK Secretary of State for Science, Innovation and Technology established a UK-US data bridge (i.e., a UK equivalent of the Adequacy Decision) and adopted UK regulations to implement the UK-US data bridge, or UK Adequacy Regulations. Personal data may now be transferred from the UK under the UK-US data bridge through the UK extension to the DPF to organizations self-certified under the UK extensions to the DPF.
Companies subject to the EU GDPR may be subject to robust regulatory enforcement of data protection requirements and potential fines for noncompliance of up to €20 million (under the EU GDPR) or £17.5 million (under the UK GDPR) or 4% of the annual global turnover of the noncompliant company, whichever is greater. In addition, the EU GDPR confers a private right of action on data subjects and consumer associations to lodge complaints with supervisory authorities, seek judicial remedies and obtain compensation for damages resulting from violations of the EU GDPR.
Although we work to comply with applicable laws, regulations and standards, our contractual obligations and other legal obligations, these requirements are evolving and may be modified, interpreted and applied in an inconsistent manner from one jurisdiction to another, and may conflict with one another or other legal obligations with which we must comply. Any failure or perceived failure by us or our employees, representatives, contractors, consultants, collaborators, or other third parties to comply with such requirements or adequately address privacy and security concerns, even if unfounded, could result in additional cost and liability to us, damage our reputation, and adversely affect our business and results of operations.