SELLAS Life Sciences Group (SLS) Risk Factors

Our shares of common stock are currently listed on The Nasdaq Capital Market. If we fail to satisfy the continued listing requirements of Nasdaq, such as the corporate governance requirements, minimum bid price requirement or the minimum stockholder's equity requirement, The Nasdaq Stock Market LLC may take steps to delist our common stock. A delisting of our common stock from The Nasdaq Capital Market could materially reduce the liquidity of our common stock and result in a corresponding material reduction in the price of our common stock. In addition, delisting could harm our ability to raise capital through alternative financing sources on terms acceptable to us, or at all, and may result in the potential loss of confidence by investors, suppliers, customers and employees and fewer business development opportunities. On December 6, 2023, we received a letter from Nasdaq notifying us that we no longer met Nasdaq's requirements for continued listing on The Nasdaq Capital Market under Nasdaq Listing Rule 5550(b)(2), or the MVLS Rule, because, for a period of 30 consecutive business days, the market value of our common stock, calculated based upon the most recent total shares outstanding multiplied by the closing bid price per share, had not maintained a minimum of $35.0 million. In accordance with Nasdaq Listing Rule 5810(c)(3)(C), we were provided a period of 180 calendar days, or until June 3, 2024, in which to regain compliance with the MVLS Rule. To regain compliance, the market value of our common stock must meet or exceed $35.0 million for a minimum of 10 consecutive business days during the 180-day compliance period. If we have not regained compliance with the MVLS Rule by June 3, 2024, Nasdaq will provide notice to us that our securities will be subject to delisting, in which case we may appeal the delisting determination to a Nasdaq Hearings Panel. On March 5, 2024, we received a letter from Nasdaq stating that we have regained compliance under the MVLS Rule by maintaining a market value of our common stock of greater than $35 million for 10 consecutive business, and that the matter is now closed. On February 14, 2024, we received a letter from Nasdaq notifying us that we no longer met Nasdaq's requirements for continued listing on The Nasdaq Capital Market under Nasdaq Listing Rule 5550(a)(2), or the Minimum Bid Price Requirement, because, for the preceding 30 consecutive business days, our common stock did not maintain a minimum closing bid price of $1.00 per share. In accordance with Nasdaq Listing Rule 5810(c)(3)(A), we were provided a period of 180 calendar days, or until August 12, 2024, to regain compliance with the Minimum Bid Price Requirement. Compliance can be achieved automatically and without further action if the closing bid price of our common stock is at or above $1.00 for a minimum of 10 consecutive business days at any time during the 180-day compliance period, in which case Nasdaq will notify us of our compliance and the matter will be closed. If, however, we do not achieve compliance with the Minimum Bid Price Requirement by August 12, 2024, we may be eligible for additional time to comply. In order to be eligible for such additional time, we will be required to meet the continued listing requirement for market value of publicly held shares and all other initial listing standards for The Nasdaq Capital Market, with the exception of the Minimum Bid Price Requirement, and must notify Nasdaq in writing of our intention to cure the deficiency during the second compliance period, by effecting a reverse stock split, if necessary. On March 11, 2024, we received a letter from Nasdaq stating that we have regained compliance under the Minimum Bid Price Requirement by maintaining a minimum closing bid price of our common stock of $1.00 per share for 10 consecutive business days, from February 26, 2024 to March 8, 2024, and that the matter is now closed. Our common stock currently remains listed on The Nasdaq Capital Market under the symbol SLS.

Currently, we do not generate any revenues from product sales or otherwise. Even if we are able to successfully achieve regulatory approval for our product candidates, we do not know when we will generate revenues or become profitable, if at all. Our ability to generate revenues from product sales and achieve profitability will depend on our ability to successfully commercialize products, including our current product candidates, and other product candidates that we may develop, in-license or acquire in the future. Our ability to generate revenues and achieve profitability also depends on a number of additional factors, including our ability to: - successfully complete development activities, including the necessary clinical trials;- complete and submit BLAs and NDAs to the FDA and obtain U.S. regulatory approval for indications for which there is a commercial market;- complete and submit applications to foreign regulatory authorities in Europe, Asia and other jurisdictions;- obtain regulatory approval in territories with viable market sizes;- obtain coverage and adequate reimbursement from third parties, including government and private payors;- set commercially viable prices for our products, if any;- establish and maintain supply and manufacturing relationships with reliable third parties and/or build our own manufacturing facility and ensure adequate, legally globally compliant manufacturing of bulk drug substances and drug products to maintain that supply;- develop distribution processes for our product candidates;- develop commercial quantities of our product candidates, once approved, at acceptable cost levels;- obtain additional funding, if required to develop and commercialize our product candidates;- develop a commercial organization capable of sales, marketing and distribution for any products we intend to sell ourselves, in the markets in which we choose to commercialize on our own, and successfully enter into arrangements with third parties to sell, market, and distribute our products in markets where we choose not to commercialize on our own;- achieve market acceptance of our products;- attract, hire and retain qualified personnel; and - protect our rights in our intellectual property portfolio. Our revenues for any product candidate for which regulatory approval is obtained will be dependent, in part, upon the size of the markets in the territories for which it gains regulatory approval, the accepted price for the product, the ability to get reimbursement at any price, and whether we own the commercial rights for that territory. If the number of our addressable disease patients is not as significant as our estimates, the indication approved by regulatory authorities is narrower than we expect, or the reasonably accepted population for treatment is narrowed by competition, physician choice or treatment guidelines, we may not generate significant revenues from sales of such products, even if approved. In addition, we anticipate incurring significant costs associated with commercializing any approved product candidate. As a result, even if we generate revenues, we may not become profitable and may need to obtain additional funding to continue operations. If we fail to become profitable or are unable to sustain profitability on a continuing basis, then we may be unable to continue our operations at planned levels and may be forced to reduce our operations.

We expect to expend substantial resources for the foreseeable future to continue the clinical development and manufacturing of GPS, in particular the Phase 3 study of GPS in AML, and SLS009. Our existing cash will not be sufficient to complete such development activities and obtain regulatory approval for our product candidates and, if we receive regulatory approval for our product candidates, commence commercialization activities, and we will need to raise significant additional capital to help us do so. In addition, our operating plan may change as a result of factors currently unknown to us, and we may need additional funds sooner than planned. If we are unable to obtain sufficient funding for our operations, we may be delayed in pursuing our development programs for GPS and SLS009. Our future capital requirements depend on many factors, including: - the scope, progress, results and costs of our ongoing and planned development programs for our product candidates, as well as any additional clinical trials we undertake to obtain data sufficient to seek marketing approval for our product candidates in any indication;- the timing of, and the costs involved in, obtaining regulatory approvals for our product candidates if our clinical trials are successful;- the cost of commercialization activities for our product candidates, if any of these product candidates are approved for sale, including marketing, sales and distribution costs;- the cost of manufacturing our product candidates for clinical trials in preparation for regulatory approval, including the cost and timing of process development, manufacturing scale-up and validation activities;- our ability to establish and maintain strategic licensing or other arrangements and the financial terms of such agreements;- the costs to in-license future product candidates or technologies;- the costs involved in preparing, filing, prosecuting, maintaining, expanding, defending and enforcing patent claims, including litigation costs and the outcome of such litigation;- the costs in defending and resolving future derivative and securities class action litigation;- our operating expenses; and - the emergence of competing technologies or other adverse market developments. Additional funds may not be available when we need them on terms that are acceptable to us, or at all. Moreover, global and domestic events, such as public health crises, geopolitical unrest and domestic political events, have caused and could continue to cause uncertainty and volatility in the capital markets which could impact our ability to raise capital. If adequate funds are not available to us on a timely basis, we may not be able to continue as a going concern or we may be required to delay, limit, reduce or terminate preclinical studies, clinical trials or other development activities for one or more of our product candidates or target indications, or delay, limit, reduce or terminate our establishment of sales and marketing capabilities or other activities that may be necessary to commercialize our product candidates.

As a public company, we are subject to the reporting requirements of the Exchange Act, the Sarbanes-Oxley Act, the Dodd-Frank Act, the listing requirements of Nasdaq and other applicable securities rules and regulations. Compliance with these rules and regulations has increased, and will likely continue to increase, our legal and financial compliance costs, make some activities more difficult, time-consuming or costly, and place significant strain on our personnel, systems and resources. In addition, changing laws, regulations and standards relating to corporate governance and public disclosure are creating uncertainty for public companies, increasing legal and financial compliance costs and making some activities more time consuming. These laws, regulations and standards are subject to varying interpretations, in many cases due to their lack of specificity, and, as a result, their application in practice may evolve over time. This could result in continuing uncertainty regarding compliance matters, higher administrative expenses and a diversion of management's time and attention. Further, if our compliance efforts differ from the activities intended by regulatory or governing bodies due to ambiguities related to practice, regulatory authorities may initiate legal proceedings against us and our business may be harmed. Being a public company that is subject to these rules and regulations also makes it more expensive for us to obtain and retain director and officer liability insurance, and we may in the future be required to accept reduced coverage or incur substantially higher costs to obtain or retain adequate coverage. These factors could also make it more difficult for us to attract and retain qualified members of our board of directors and qualified executive officers.

Even if we are successful in achieving regulatory approval to commercialize a biologic product candidate ahead of our competitors, our product candidates may face competition from biosimilar and generic products. Most biological products are licensed for marketing by FDA via a BLA, under authorities in the Public Health Service Act, or PHSA. Assuming that we receive positive data from the REGAL trial, we will file a BLA in order to obtain marketing authorization for GPS. In 2010, the BPCIA, enacted as Title VII of the ACA, established an abbreviated pathway under the PHSA for licensure of biosimilar biologics (i.e., biosimilars, sometimes referred to as follow-on biologics). A biosimilar is a biological product that is demonstrated to be "highly similar" (i.e., biosimilar), but not identical, to an FDA-licensed biological product (i.e., the reference product). The BPCIA also establishes periods of exclusivity for a brand-name biologic (the reference product), one with a duration of four years and the other with a duration of 12 years. These periods of regulatory exclusivity initiate upon licensure of the new biological product if certain requirements are met. During the four-year exclusivity period, an abbreviated BLA for a biosimilar referencing the protected brand-name biologic may not be submitted to FDA. During the 12-year exclusivity period, approval of an abbreviated BLA for a biosimilar referencing the protected brand-name biologic may not be made effective, which means FDA may not approve the biosimilar application until 12 years after the date on which the reference product was first licensed. In addition, the BPCIA provides for a process for disclosure and negotiation between the biosimilar applicant and reference product sponsor, sometimes referred to as the "patent dance." Although not mandatory on the party of the biosimilar applicant, the dance involves several rounds of informational exchanges concerning potential disputes over the biosimilar applicant's infringement of the reference product sponsor's patents. Also, biosimilar licensure under the BPCIA is not contingent upon resolution of patent disputes. Therefore, the FDA may approve a biosimilar despite unresolved patent issues between the reference product sponsor and the biosimilar applicant. We believe that GPS will qualify for four years of data exclusivity and 12 years of market exclusivity under the BPCIA. The law is complex and continues to be interpreted and implemented by the FDA. As a result, its ultimate impact, implementation, and meaning are subject to uncertainty. While it is uncertain when such processes intended to implement BPCIA may be fully adopted by the FDA, any such processes could have a material adverse effect on the future commercial prospects for our product candidates. There is also a risk that the U.S. Congress could amend the BPCIA to shorten the 12-year market exclusivity period or that the FDA will not consider our product candidates to be reference biological products pursuant to its interpretation of the exclusivity provisions of the BPCIA for competing products, potentially creating the opportunity for biosimilar competition sooner than anticipated after the expiration of our patent protection. Moreover, the extent to which a biosimilar, once approved, will be substituted for any reference product in a way that is similar to traditional generic substitution for non-biological products is not yet clear, and will depend on a number of marketplace and regulatory factors that are still developing. Under the BPCIA as well as state pharmacy laws, only interchangeable biosimilar products are considered substitutable for the reference biological product without the intervention of the health care provider who prescribed the original biological product. However, as with all prescribing decisions made in the context of a patient-provider relationship and a patient's specific medical needs, health care providers are not restricted from prescribing biosimilar products in an off-label manner. Even if, as we expect, GPS is considered to be reference products eligible for 12 years of exclusivity under the BPCIA, a competitor could decide to forego the abbreviated approval pathway available for biosimilar products and to submit a full BLA for product licensure after completing its own preclinical studies and clinical trials. In such a situation, any exclusivity to which we may be eligible under the BPCIA would not prevent the competitor from marketing its biological product as soon as it is approved. In Europe, the European Commission has granted marketing authorizations for several biosimilar products pursuant to a set of general and product class-specific guidelines for biosimilar approvals issued over the past few years. In addition, companies may be developing biosimilar products in other countries that could compete with our products, if approved. The regulatory, or non-patent, exclusivity available to drugs or biologics in some countries is less than that provided by the United States. For instance, Canada currently provides for an eight-year period of exclusivity for new biological products, and Mexico provides for a five-year period of exclusivity. Furthermore, in some countries outside of the United States, peptide vaccines, such as GPS, are regulated as chemical drugs rather than as biologics and may or may not be eligible for non-patent exclusivity. If competitors are able to obtain marketing approval for biosimilars referencing our therapeutic candidates, if approved, our future products may become subject to competition from such biosimilars, whether or not they are designated as interchangeable, with the attendant competitive pressure and potential adverse consequences. Such competitive products may be able to immediately compete with us in each indication for which our therapeutic candidates may have received approval.

Health care providers, physicians and third-party payors will play a primary role in the recommendation and prescription of any product candidates for which we obtain regulatory approval. Our current and future arrangements with health care providers, health care entities, third-party payors and customers may expose us to broadly applicable fraud and abuse and other health care laws and regulations that may constrain the business or financial arrangements and relationships through which we research, develop and will market, sell and distribute our products. As a biopharmaceutical company, even though we do not and will not control referrals of health care services or bill directly to Medicare, Medicaid or other third-party payors, federal and state health care laws and regulations pertaining to fraud and abuse and patients' rights are applicable to our business. Restrictions under applicable federal and state health care laws and regulations that may affect our ability to operate include the following: - the federal health care Anti-Kickback Statute which prohibits, among other things, individuals and entities from knowingly and willfully soliciting, offering, receiving or providing remuneration, directly or indirectly, overtly or covertly, in cash or in kind, to induce or reward, or in return for, either the referral of an individual for, or the purchase, order or recommendation of, any good or service, for which payment may be made, in whole or in part, under a federal health care program such as Medicare or Medicaid;- federal civil and criminal false claims laws, including the FCA that can be enforced through civil whistleblower or qui tam actions, and civil monetary penalty laws, prohibit individuals or entities from knowingly presenting, or causing to be presented, to the federal government, including the Medicare and Medicaid programs, claims for payment or approval that are false or fraudulent or making a false statement to avoid, decrease or conceal an obligation to pay money to the federal government;- HIPAA, which imposes criminal and civil liability for executing a scheme to defraud any health care benefit program and also created federal criminal laws that prohibit knowingly and willfully falsifying, concealing or covering up a material fact or making any materially false statements in connection with the delivery of or payment for health care benefits, items or services, and further, as amended by HITECH, imposes obligations, including mandatory contractual terms, with respect to safeguarding the privacy, security and transmission of individually identifiable health information on entities subject to the law, such as certain health care providers, health plans, and health care clearinghouses, known as covered entities, and their respective business associates that perform services for them that involve the creation, use, maintenance or disclosure of, individually identifiable health information;- the federal physician sunshine requirements under the ACA which requires certain manufacturers of drugs, devices, biologics and medical supplies, with certain exceptions, to report annually to HHS information related to payments and other transfers of value to physicians, certain advanced non-physician health care practitioners, and teaching hospitals, and ownership and investment interests held by physicians and other health care providers and their immediate family members and applicable group purchasing organizations;- analogous state and foreign laws and regulations, such as state anti-kickback and false claims laws, which may apply to sales or marketing arrangements and claims involving health care items or services reimbursed by non-governmental third-party payors, including private insurers; some state laws which require pharmaceutical companies to comply with the pharmaceutical industry's voluntary compliance guidelines and the relevant compliance guidance promulgated by the federal government and may require drug manufacturers to report information related to payments and other transfers of value to physicians and other health care providers, marketing expenditures or pricing information; and certain state and local laws which require the registration of pharmaceutical sales representatives; and - state and foreign laws govern the privacy and security of health information in specified circumstances, including the GDPR, many of which differ from each other in significant ways and often are not preempted by HIPAA, thus complicating compliance efforts. Efforts to ensure that our business arrangements with third parties will comply with applicable health care laws and regulations will involve substantial costs. It is possible that governmental authorities will conclude that our business practices may not comply with current or future statutes, regulations or case law involving applicable fraud and abuse or other health care laws and regulations. If our operations are found to be in violation of any of these laws or any other governmental regulations that may apply to us, we may be subject to significant civil, criminal and administrative penalties, damages, fines, imprisonment, disgorgement, exclusion from government funded health care programs, such as Medicare and Medicaid, integrity oversight and reporting obligations, and the curtailment or restructuring of our operations. If any physicians or other health care providers or entities with whom we expect to do business are found to not be in compliance with applicable laws, they may be subject to criminal, civil or administrative sanctions, including exclusions from government funded health care programs. Many health care laws and regulations are rapidly changing and legislative bodies and regulatory agencies are regularly considering amendments and supplements to existing laws and regulations, and as a result interpretations of rules and confirmation of our compliance with such rules can be ambiguous.

As of December 31, 2023, we had federal and state net operating loss carryforwards of approximately $57.1 million and $3.6 million, respectively. Our NOLs generated in tax years ending on or prior to December 31, 2017 are only permitted to be carried forward for 20 years under applicable U.S. tax laws, and will begin to expire, if not utilized, beginning in 2027. These NOL carryforwards could expire unused and be unavailable to offset future income tax liabilities. Under the Tax Act, federal NOLs incurred in tax years ending after December 31, 2017 may be carried forward indefinitely, but the deductibility of such federal NOLs is limited. In addition, under Section 382 of the Internal Revenue Code of 1986, as amended, and certain corresponding provisions of state law, if a corporation undergoes an "ownership change," which is generally defined as a greater than 50% change, by value, in the ownership of its equity over a three-year period, the corporation's ability to use its pre-change NOL carryforwards and other pre-change tax attributes to offset its post-change income may be limited. The Merger constituted an ownership change and as such, our ability to use our NOL carryforwards is materially limited, which may harm our future operating results by effectively increasing our future tax obligations.

New privacy and data security laws have been proposed in more than half of the states in the United States and in the U.S. Congress, reflecting a trend toward more stringent privacy legislation in the U.S., which trend may accelerate with increasing concerns about individual privacy. The existence of comprehensive privacy laws in different states in the U.S. may make our compliance obligations more complex and costly, may require us to modify our data processing practices and policies, and may require us to incur substantial costs and potential liability in an effort to comply. In California, the CCPA, which became effective in 2020, broadly defines personal information, gives California residents expanded individual privacy rights and protections, provides for civil penalties for violations, and gives California residents a private right of action for data breaches in certain cases. Further, the California Privacy Rights Act, or the CPRA, which became effective in 2023 and amends the CCPA, imposes additional obligations on covered businesses, including additional consumer rights processes, limitations on data uses, new audit requirements for higher risk data, and opt outs for certain uses of sensitive data. It also created a new California Privacy Protection Agency authorized to issue substantive regulations and is expected to result in increased privacy and information security enforcement. The CPRA also extends the provisions of both the CCPA and the CPRA to the personal information of California-based employees. While there is an exception for certain health information, including protected health information that is subject to HIPAA, and clinical trial data, the CCPA may impact our business activities if we become a "Business" regulated by the CCPA. Further, there continues to be some uncertainly about how certain provisions of the CCPA will be interpreted and how some areas of the law will be enforced. We will continue to monitor developments related to the CCPA and anticipate additional costs and expenses associated with compliance. In addition to the CCPA, broad consumer privacy laws recently went into effect in Virginia on January 1, 2023, in Colorado and Connecticut on July 1, 2023, and in Utah on December 31, 2023. New privacy laws will also become effective in Florida, Montana, Oregon, and Texas in 2024, in Delaware, Iowa, New Hampshire, New Jersey, and Tennessee in 2025, and in Indiana in 2026. In addition, numerous other states are considering new comprehensive privacy laws. Other U.S. states, such as New York and Massachusetts have enacted stringent data security laws and numerous other states have proposed similar laws. Additionally, various states, such as California and Massachusetts, have implemented similar privacy laws and regulations, such as the California Confidentiality of Medical Information Act, that impose restrictive requirements regulating the use and disclosure of health information and other personally identifiable information. These laws and regulations are not necessarily preempted by HIPAA, particularly if a state affords greater protection to individuals than HIPAA. Where state laws are more protective, we have to comply with the stricter provisions. In addition to fines and penalties imposed upon violators, some of these state laws also afford private rights of action to individuals who believe their personal information has been misused. California's patient privacy laws, for example, provide for penalties of up to $250,000 and permit injured parties to sue for damages. Similarly, as discussed above, the CCPA allows consumers a private right of action when certain personal information is subject to unauthorized access and exfiltration, theft or disclosure due to a business' failure to implement and maintain reasonable security procedures. Furthermore, over the past few years, the number of privacy-related enforcement actions in the U.S., and in many cases the fines, have steadily increased. Failure to comply with these current and future laws, policies, industry standards, or legal obligations. or any data breach involving personal information, may result in government enforcement actions, litigation, fines, and penalties, private litigation, or adverse publicity, and could cause our customers, business partners, and investors to lose trust in us which could have a material adverse impact on our business, results of our operations, and our financial condition. We continue to face uncertainty as to the exact interpretation of the new requirements on our clinical trials and we may be unsuccessful in implementing all measures required by data protection authorities or courts in interpretation of the new law. The interplay of federal and state laws may be subject to varying interpretations by courts and government agencies, creating complex compliance issues for us and data we receive, use and share, potentially exposing us to additional expense, adverse publicity and liability. Further, as regulatory focus on privacy issues continues to increase and laws and regulations concerning the protection of personal information expand and become more complex, these potential risks to our business could intensify. Changes in laws or regulations associated with the enhanced protection of certain types of sensitive data, for the treatment of genetic data, along with increased customer demands for enhanced data security infrastructure, could greatly increase our cost of providing our products, decrease demand for our products, reduce our revenues and/or subject us to additional liabilities. In many activities, including the conduct of clinical trials and our regulatory and commercial operations in the EEA and the United Kingdom, or UK, we are subject to international laws and regulations governing data privacy and the protection of health-related and other personal information. The regulatory framework for collecting, using, safeguarding, sharing, transferring and other processing of information worldwide is rapidly evolving and is likely to remain uncertain for the foreseeable future. The withdrawal of the UK from the EU and the subsequent separation of the data protection regimes of these territories means we are required to comply with separate data protection laws in the EU and the UK, which may lead to additional compliance costs and could increase our overall risk. Similar laws and regulations govern our processing of personal data, including the collection, access, use, analysis, modification, storage, transfer, security breach notification, destruction and disposal of personal data. For example, the collection, use, disclosure, transfer, or other processing of personal data regarding individuals in the EU, including personal health data, is subject to the GDPR, which took effect across all Member States of the EEA on May 25, 2018, and as still in effect in the UK as the UK GDPR. On June 28, 2021, the EU Commission adopted decisions on the UK's adequacy under the EU GDPR, and the UK continues to operate under this adequacy decision. The GDPR applies to any company established in the EU as well as to those outside the EU that process personal data in connection with the offering of goods or services to individuals in the EU or the monitoring of their behavior. We currently conduct clinical trials and engage in regulatory and commercial operations in the EEA and the UK. As a result, we are subject to privacy laws, including the GDPR and UK GDPR. The GDPR imposes a broad range of data protection obligations on controllers and/or processors, as applicable, that must be complied with when processing personal data subject to the GDPR, including, for example, providing expanded disclosures about how their personal data will be used; higher standards for organizations to demonstrate that they have obtained valid consent or have another legal basis in place to justify their data processing activities; the obligation to appoint data protection officers in certain circumstances; new rights for individuals to be "forgotten" and rights to data portability, as well as enhanced current rights (e.g., access requests); the principal of accountability and demonstrating compliance through policies, procedures, training and audit; limitations on retention of information; mandatory data breach notification requirements; ; safeguards to protect the security and confidentiality of personal data; restrictions on transfers of personal data outside of the EU to third countries deemed to lack adequate privacy protections (such as the U.S.), and onerous new obligations and liabilities on services providers or data processors. .In particular, medical or health data, genetic data and biometric data are all classified as "special category" data under the GDPR and afford greater protection and require additional compliance obligations. Further, the UK and EU member states have a broad right to impose additional conditions-including restrictions-on these data categories. This is because the GDPR allows EU member states to derogate from the requirements of the GDPR mainly in regard to specific processing situations (including special category data and processing for scientific or statistical purposes). Non-compliance with the GDPR may result in monetary penalties of up to €20 million or 4% of worldwide revenue, whichever is greater. Moreover, data subjects can claim damages resulting from infringement of the GDPR. The GDPR further grants non-profit organizations and consumer organizations the right to bring claims on behalf of data subjects. The GDPR and other changes in laws or regulations associated with the enhanced protection of certain types of personal data, such as healthcare data or other sensitive information, could greatly increase our cost of providing our products and services or even prevent us from offering certain services in jurisdictions that we may operate in. The GDPR may increase our responsibility and liability in relation to personal data that we process where such processing is subject to the GDPR, and we may be required to put in place additional mechanisms to ensure compliance with the GDPR, including as implemented by individual EU Member States. Compliance with the GDPR is a rigorous and time-intensive process that may increase our cost of doing business or require us to change our business practices, and despite those efforts, there is a risk that we may be subject to fines and penalties, litigation, and reputational harm in connection with our EU activities. Further, as referenced above, following the UK's withdrawal from the EU (i.e., Brexit), and the expiry of the Brexit transition period, which ended on December 31, 2020, the EU GDPR has been implemented in the UK (as the UK GDPR). The UK GDPR sits alongside the UK Data Protection Act 2018 which implements certain derogations in the EU GDPR into UK law. Under the UK GDPR, companies not established in the UK but who process personal data in relation to the offering of goods or services to individuals in the UK, or to monitor their behavior will be subject to the UK GDPR – the requirements of which are (at this time) largely aligned with those under the EU GDPR and as such, may lead to similar compliance and operational costs. Non-compliance with the UK GDPR may result in monetary penalties of up to £17.5 million or 4% of worldwide revenue, whichever is higher. In addition, we may be unable to transfer personal data from the EU, UK, and other jurisdictions to U.S or other countries due to limitations on cross-border data flows. In particular, the EEA and the UK have significantly regulated the transfer of personal data to the U.S and other countries whose privacy laws it believes are inadequate. Other jurisdictions may adopt similarly stringent interpretations of their data localization and cross-border data transfer laws. Although there are currently various mechanisms that may be used to transfer personal data from the EEA and the UK to the U.S. in compliance with law, such as the EEA and UK's standard contractual clauses and the newly-adopted Data Privacy Framework, these mechanisms are subject to legal challenges, and there is no assurance that we can satisfy or rely on these measures to lawfully transfer personal data to the U.S.. If there is no lawful manner for us to transfer personal data from the EEA, the UK or other jurisdictions to the U.S., or if the requirements for a legally-compliant transfer are too onerous, we could face significant adverse consequences, including the interruption or degradation of our operations, the need to relocate part of or all of our business or data processing activities to other jurisdictions at significant expense, increased exposure to regulatory actions, substantial fines and penalties, the inability to transfer data and work with partners, vendors and other third parties, and injunctions against our processing or transferring of personal data necessary to operate our business. Additionally, companies that transfer personal data out of the EEA and the UK to other jurisdictions, particularly to the U.S., are subject to increased scrutiny from regulators, individual litigants, and activist groups. If we are investigated by an EEA or UK data protection authority, we may face fines and other penalties, which could have a negative effect on our existing business and on our ability to attract and retain new clients or pharmaceutical partners. We may also experience hesitancy, reluctance, or refusal by EEA, UK, or multi-national clients or pharmaceutical partners to continue to use our products due to the potential risk exposure because of the current (and future) data protection obligations imposed on them by certain data protection authorities in interpretation of current law, including the GDPR and UK GDPR. Such clients or pharmaceutical partners may also view any alternative approaches to compliance as being too costly, too burdensome, too legally uncertain, or otherwise objectionable and therefore decide not to do business with us. Any of the foregoing could materially harm our business, prospects, financial condition, and results of operations. In addition, many jurisdictions outside of the EEA and the UK are also considering and/or enacting comprehensive data protection legislation. For example, as of August 2020, the Brazilian General Data Protection Law imposes stringent requirements similar to GDPR with respect to personal information collected from individuals in Brazil. In China, there have also been recent significant developments concerning privacy and data security. The Data Security Law of the People's Republic of China (Data Security Law), which took effect on September 1, 2021, requires data processing (which includes the collection, storage, use, processing, transmission, provision and publication of data), to be conducted in a legitimate and proper manner. The Data Security Law imposes data security and privacy obligations on entities and individuals carrying out data processing activities and also introduces a data classification and hierarchical protection system based on the importance of data in economic and social development and the degree of harm it may cause to national security, public interests, or legitimate rights and interests of individuals or organizations if such data are tampered with, destroyed, leaked, illegally acquired or illegally used. The appropriate level of protection measures is required to be taken for each respective category of data. Also in China, the Personal Information Protection Law, which took effect on November 1, 2021, introduced stringent protection requirements for processing personal information, which are in many ways akin to the requirements of the GDPR. We may be required to make further significant adjustments to our business practices to comply with the personal information protection laws and regulations in China including the Personal Information Protection Law. We also continue to see jurisdictions imposing data localization laws. These regulations may interfere with our intended business activities, inhibit our ability to expand into those markets or prohibit us from continuing to offer services in those markets without significant additional costs. Because the interpretation and application of many domestic and international privacy and data protection laws, commercial frameworks, and standards are uncertain, it is possible that these laws, frameworks, and standards may be interpreted and applied in a manner that is inconsistent with our existing data management practices and policies. It is also possible that by complying with one law, we may be violating another. In addition to the possibility of fines, lawsuits, breach of contract claims, and other claims and penalties, we could be required to fundamentally change our business activities and practices or modify our solutions, which could have an adverse effect on our business. Failure to comply with current and future privacy and data protection laws and regulations could result in government enforcement actions (including the imposition of significant penalties), criminal and civil liability for us and our officers and directors, private litigation and/or adverse publicity that negatively affects our business. Any inability to adequately respond to privacy and security concerns, even if unfounded, or to comply with applicable privacy and data protection laws, regulations, and policies, could result in additional cost and liability to us, damage our reputation, inhibit our ability to conduct trials, and adversely affect our business.

If the manufacturing facilities of the CMOs we rely on for clinical supply or the equipment in them is damaged or destroyed, we may not be able, quickly or inexpensively, to replace such manufacturing capacity or replace it at all. In the event of a temporary or protracted loss of a facility or equipment, we might not be able to transfer manufacturing to another CMO. Even if we could transfer manufacturing to another CMO, the shift would likely be expensive and time-consuming, particularly because the new facility would need to comply with the necessary regulatory requirements, and we would need FDA approval before selling any products manufactured at that facility. Such an event could delay our clinical trials or reduce our product sales. Although we currently maintain insurance coverage against damage to our property and to cover business interruption and research and development restoration expenses, our insurance coverage may not reimburse us, or may not be sufficient to reimburse us, for any expenses or losses we may suffer. In addition, our clinical trials insurance coverage has exclusions for global conflict and unrest of the type currently ongoing in Ukraine. We may be unable to meet our requirements for our product candidates if there were a catastrophic event or failure of our current manufacturing facility or processes.

We are exposed to the risk of employee fraud or other misconduct, including intentional failures to comply with FDA regulations or similar regulations of comparable foreign regulatory authorities, provide accurate information to the FDA or comparable foreign regulatory authorities, comply with manufacturing standards we have established, comply with federal and state health care fraud and abuse laws and regulations and similar laws and regulations established and enforced by comparable foreign regulatory authorities, report financial information or data accurately or disclose unauthorized activities to us. Employee misconduct could also involve the improper use of information obtained in the course of clinical trials, which could result in regulatory sanctions and serious harm to our reputation. It is not always possible to identify and deter employee misconduct, and the precautions we take to detect and prevent this activity may not be effective in controlling unknown or unmanaged risks or losses or in protecting us from governmental investigations or other actions or lawsuits stemming from a failure to be in compliance with such laws or regulations. If any such actions are instituted against us, and we are not successful in defending ourselves or asserting our rights, those actions could have a significant impact on our business and results of operations, including the imposition of significant civil, criminal and administrative penalties, damages, fines, imprisonment, exclusion from government funded health care programs, such as Medicare and Medicaid, and integrity oversight and reporting obligations.

We expect to depend on collaborators, partners, licensees, clinical research organizations and other third parties to support our discovery efforts, to formulate product candidates, to manufacture our product candidates, to conduct clinical trials for some or all of our product candidates and to commercialize our product candidates if approved. For example, in December 2020 we entered into an Exclusive License Agreement with 3D Medicines pursuant to which we granted commercialization rights in Greater China to 3D Medicines. In accordance with the 3D Medicines Agreement and Side Letter, we expected that 3D Medicines would begin enrolling patients in mainland China in the REGAL study in the second half of 2023. To date, no patients have been enrolled in mainland China. However, patients were enrolled in the REGAL study in Taiwan, which is part of the Greater China territory, prior to the second half of 2023. Thus, we and 3D Medicines are currently engaged in a dispute regarding, among other things, the trigger and payment of the relevant milestone payments due to us as well as 3D Medicines' failure to use commercially reasonable best efforts to develop GPS in the Greater China territory, and particularly in mainland China. Over the last three to four months of 2023, we attempted to resolve the aforementioned matters in good faith under the dispute resolution provisions of the 3D Medicines Agreement with 3D Medicines but we were unable to reach a resolution. Accordingly, we commenced a binding arbitration proceeding administered by the Hong Kong International Arbitration Centre governed by New York State law as per the 3D Medicines Agreement in December 2023. We are unable at this time to predict with certainty the outcome of the arbitration proceeding, or the timing of the receipt of any milestone payments and other damages it is seeking in the arbitration proceeding, if at all. Additionally, we cannot guarantee that we will be able to successfully negotiate future agreements for or maintain relationships with collaborators, partners, licensees, clinical investigators, vendors and other third parties on favorable terms, if at all. Our ability to successfully negotiate such agreements will depend on, among other things, potential partners' evaluation of the superiority of our technology over competing technologies and the quality of the preclinical and clinical data that we have generated, and the perceived risks specific to developing our product candidates. If we are unable to obtain or maintain these agreements, we may not be able to clinically develop, formulate, manufacture, obtain regulatory approvals for or commercialize our product candidates. We cannot necessarily control the amount or timing of resources that our contract partners, including 3D Medicines, will devote to our research and development programs, product candidates or potential product candidates, and we cannot guarantee that these parties will fulfill their obligations to us under these arrangements in a timely fashion, if at all. We may not be able to readily terminate any such agreements with contract partners even if such contract partners do not fulfill their obligations to us. In addition, we may receive notices from third parties from time to time alleging that our technology or product candidates infringe upon the intellectual property rights of those third parties. Any assertion by third parties that our activities or product candidates infringe upon the intellectual property rights of third parties may adversely affect our ability to secure strategic partners or licensees for our technology or product candidates or our ability to secure or maintain manufacturers for our compounds.

Identifying and qualifying patients to participate in clinical trials of our current and future product candidates is essential to our success. The timing of our clinical trials depends in part on the rate at which we can recruit patients to participate in clinical trials of our product candidates, and we may experience delays in our clinical trials if we encounter difficulties in enrollment. If we experience delays in our clinical trials, the timeline for obtaining regulatory approval of our product candidates will most likely be delayed. Many factors may affect our ability to identify, enroll and maintain qualified patients, including the following: - shortages of personnel at our clinical sites;- eligibility criteria of our ongoing and planned clinical trials with specific characteristics appropriate for inclusion in our clinical trials;- design of the clinical trial;- size and nature of the patient population;- patients' perceptions as to risks and benefits of the product candidate under study and the participation in a clinical trial generally in relation to other available therapies, including any new drugs that may be approved for the indications we are investigating;- the availability and efficacy of competing therapies and clinical trials;- pendency of other trials underway in the same patient population;- willingness of physicians to participate in our planned clinical trials;- severity of the disease under investigation;- proximity of patients to clinical sites;- patients who do not complete the trials for personal reasons; and - issues with contract research organizations, or CROs, and/or with other vendors that handle our clinical trials. The indication being studied in our Phase 3 clinical trial for GPS, i.e., patients with AML who have achieved CR2, is an orphan indication. In addition, only those CR2 patients who meet specific inclusion criteria are eligible to participate in the study. Primary entry restrictions include demonstrating adequate hematologic recovery and not being candidates for bone marrow transplants. The estimated prevalence of newly diagnosed AML patients is approximately 20,000 cases in the United States annually (across all ages) with only a subset of this group having achieved CR2 and only a further subset of the CR2 subset satisfying the enrollment criteria for our AML Phase 3 clinical trial. We may not be able to initiate or continue to support clinical trials of our product candidates for one or more indications, or any future product candidates if we are unable to locate and enroll a sufficient number of eligible participants in these trials as required by the FDA or other regulatory authorities. Even if we are able to enroll a sufficient number of patients in our clinical trials, if the pace of enrollment is slower than we expect, the development costs for our product candidates may increase and the completion of our trials may be delayed or our trials could become too expensive to complete. Congress also recently amended the FDCA to require sponsors of a Phase 3 clinical trial, or other "pivotal study" of a new drug or biologic to support marketing authorization, to design and submit a diversity action plan for such clinical trial. The action plan must describe appropriate diversity goals for enrollment, as well as a rationale for the goals and a description of how the sponsor will meet them. Our Phase 3 REGAL trial of GPS for AML patients who have achieved CR2 was initiated before this requirement became effective, but for any future Phase 3 trials we plan to conduct, including any registrational study for SLS009, we must submit a diversity action plan to the FDA by the time we submit plans for such Phase 3, or pivotal study, protocol to the agency for review as part of an IND, unless we are able to obtain a waiver for some or all of the requirements for a diversity action plan. It is unknown at this time how the diversity action plan may affect the planning and timing of any future Phase 3 trial for our product candidates or what specific information FDA will expect in such plans. However, initiation of such trials may be delayed if the FDA objects to our proposed diversity action plans for any future Phase 3 trial for our product candidates, and we may experience difficulties recruiting a diverse population of patients in attempting to fulfill the requirements of any approved diversity action plan. If we experience delays in the completion of, or termination of, any clinical trials of our current or future product candidates, the commercial prospects of our product candidates could be harmed, and our ability to generate product revenue from any of these product candidates could be delayed or prevented. In addition, any delays in completing our clinical trials would likely increase our overall costs, impair product candidate development and jeopardize our ability to obtain regulatory approval relative to our current plans. Any of these occurrences may harm our business, financial condition, and prospects significantly.