Protara Therapeutics (TARA) Risk Analysis

Part of our strategy is to in-license and acquire product candidates and we may engage in other strategic transactions. Additional potential transactions that we may consider include a variety of different business arrangements, including spin-offs, strategic partnerships, joint ventures, restructurings, divestitures, business combinations and investments. Any such transaction may require us to incur non-recurring or other charges, may increase our near- and long-term expenditures and may pose significant integration challenges or disrupt our management or business, which could adversely affect our operations and financial results. Accordingly, there can be no assurance that we will undertake or successfully complete any transactions of the nature described above, and any transaction that we complete could harm our business, financial condition, operating results and prospects.

We face an inherent risk of product liability or similar causes of action as a result of the clinical testing of our product candidates and will face an even greater risk if we commercialize any products. This risk exists even if a product is approved for commercial sale by the FDA and manufactured in facilities licensed and regulated by the FDA or an applicable foreign regulatory authority and notwithstanding that we comply with applicable laws on promotional activity. Our products and product candidates are designed to affect important bodily functions and processes. Any side effects, manufacturing defects, misuse or abuse associated with our product candidates could result in injury to a patient or potentially even death. We cannot offer any assurance that we will not face product liability suits in the future, nor can we assure you that our insurance coverage will be sufficient to cover our liability under any such cases. In addition, a liability claim may be brought against us even if our product candidates merely appear to have caused an injury. Product liability claims may be brought against us by consumers, healthcare providers, pharmaceutical companies or others selling or otherwise coming into contact with our product candidates, among others, and under some circumstances even government agencies. If we cannot successfully defend ourselves against product liability or similar claims, we will incur substantial liabilities, reputational harm and possibly injunctions and punitive actions. In addition, regardless of merit or eventual outcome, product liability claims may result in: - withdrawal or delay of recruitment or decreased enrollment rates of clinical trial participants;- termination or increased government regulation of clinical trial sites or entire clinical trial programs;- the inability to commercialize our product candidates;- decreased demand for our product candidates;- impairment of our business reputation;- product recall or withdrawal from the market or labeling, marketing or promotional restrictions;- substantial costs of any related litigation or similar disputes;- distraction of management's attention and other resources from our primary business;- significant delay in product launch;- substantial monetary awards to patients or other claimants against us that may not be covered by insurance;- withdrawal of reimbursement or formulary inclusion; or - loss of revenue. We have obtained product liability insurance coverage for our clinical trials. Large judgments have been awarded in class action or individual lawsuits against other pharmaceutical companies based on drugs that had unanticipated side effects. Our insurance coverage may not be sufficient to cover all of our product liability-related expenses or losses and may not cover us for any expenses or losses we may suffer. Moreover, insurance coverage is becoming increasingly expensive, restrictive and narrow, and, in the future, we may not be able to maintain adequate insurance coverage at a reasonable cost, in sufficient amounts or upon adequate terms to protect us against losses due to product liability or other similar legal actions. We will need to increase our product liability coverage if any of our product candidates receive regulatory approval, which will be costly, and we may be unable to obtain this increased product liability insurance on commercially reasonable terms or at all and for all geographies in which we wish to launch. A successful product liability claim or series of claims brought against us, if judgments exceed our insurance coverage, could decrease our cash and harm our business, financial condition, operating results and future prospects.

In the ordinary course of business, we collect, receive, store, process, use, generate, transfer, disclose, make accessible, protect, secure, dispose of, transmit, and share, or collectively, Process (or Processing of), personal data and other sensitive and confidential information, including information we collect about patients in connection with clinical trials, sensitive third-party data or, as necessary to operate our business, for legal and marketing purposes, and for other business-related purposes. Accordingly, we are, or may become, subject to numerous federal, state, local and international data privacy and security laws, regulations, guidance and industry standards as well as external and internal privacy and security policies, contracts and other obligations that apply to the Processing of personal data by us and on our behalf, collectively, Data Protection Requirements. The number and scope of Data Protection Requirements are changing, subject to differing applications and interpretations, and may be inconsistent between jurisdictions or in conflict with each other. If we fail, or are perceived to have failed, to address or comply with Data Protection Requirements, we could face significant consequences. These consequences may include, but are not limited to, government enforcement actions against us that could include investigations, fines, penalties, audits and inspections, additional reporting requirements and/or oversight, temporary or permanent bans on all or some Processing of personal data, orders to destroy or not use personal data. Further, individuals or other relevant stakeholders could bring a variety of claims against us for our actual or perceived failure to comply with the Data Protection Requirements. Any of these events could have a material adverse effect on our reputation, business, or financial condition, and could lead to a loss of actual or prospective customers, collaborators or partners; interrupt or stop clinical trials; result in an inability to Process personal data or to operate in certain jurisdictions; limit our ability to develop or commercialize our products; or require us to revise or restructure our operations, or each, a material adverse impact. We are, or may become, subject to U.S. privacy laws. For example, in the U.S., there are a broad variety of data protection laws and regulations that may apply to our activities such as state data breach notification laws, state personal data privacy laws (for example, the CCPA), state health information privacy laws, and federal and state consumer protection laws. A number of U.S. states have enacted data privacy laws. In particular, the CCPA, together with the CPRA, requires covered businesses that process personal data of California residents to disclose their data collection, use and sharing practices. Further, the CCPA provides California residents with new data privacy rights (including the ability to opt out of the sale of personal data), imposes new operational requirements for covered businesses, provides for civil penalties for violations (up to $7,500 per violation), as well as a private right of action for certain data breaches (that is expected to increase data breach class action litigation and result in significant exposure to costly legal judgements and settlements). The CPRA, among other things, gives California residents the ability to limit use of certain sensitive personal data, establishes restrictions on the retention of personal data, expands the types of data breaches subject to the CCPA's private right of action, and establishes a new California Privacy Protection Agency to implement and enforce the new law. Although there are limited exemptions for clinical trial data under the CCPA and the CPRA, the CCPA and the CPRA may increase compliance costs and potential liability with respect to other personal data we maintain about California residents. The federal government is also considering comprehensive privacy legislation. The DSP preventing access to bulk U.S. sensitive personal data by certain countries or persons is new, complex and only recently enforceable, and as such, there is a risk that our interpretation of its applicability, scope, and requirements is incorrect, incomplete, or misapplied. Compliance with the DSP may now, or in the future, require us to invest heavily in data security and compliance measures, such as implementing and complying with the Cybersecurity and Infrastructure Security Agency's guidelines and other burdensome recordkeeping, reporting, and auditing requirements. It may also require us to implement new processes, stop or restrict certain data transfers, alter the geographic scope of our operations, cease doing business with certain third parties or using certain tools or vendors, or change how data flows throughout our business, any of which could materially impact our business operations or hinder our ability to grow our business. Finally, non-compliance with the DSP could result in significant civil or criminal penalties, which could materially adversely affect our business, results of operations, and financial condition. Outside the U.S., an increasing number of laws, regulations, and industry standards apply to data privacy and security. For example, the European Union's General Data Protection Regulation, or EU GDPR, the United Kingdom's GDPR, or UK GDPR, Japan's Act on the Protection of Personal Information, or APPI, China's Personal Information Protection Law, or PIPL, and Brazil's General Data Protection Law (Lei Geral de Proteção de Dados Pessoais, or LGPD) (Law No. 13,709/2018) impose strict requirements for processing personal data. Under the EU GDPR, government regulators may impose temporary or definitive bans on data processing, as well as fines of up to 20 million euros or 4% of annual global revenue, whichever is greater. Further, individuals may initiate litigation related to processing of their personal data. European data protection laws (including the EU GDPR and UK GDRP) are wide-ranging in scope and impose numerous, significant and complex compliance burdens in relation to the Processing of personal data, such as: limiting permitted Processing of personal data to only that which is necessary for specified, explicit and legitimate purposes; requiring the establishment of a legal basis for Processing personal data; broadening the definition of personal data; creating obligations for controllers and processors to appoint data protection officers in certain circumstances; increasing transparency obligations to data subjects; requiring data protection impact assessments in certain circumstances; establishing limitations on the collection and retention of personal data through "data minimization" and "storage limitation" principles; honoring data subject rights; formalizing a heightened standard to obtain data subject consent; establishing obligations to implement certain technical and organizational safeguards to protect the security and confidentiality of personal data; introducing the obligation to provide notice of certain significant personal data breaches to the relevant supervisory authority(ies) and affected individuals; and mandating the appointment of representatives in the UK and/or EU in certain circumstances. In particular, the Processing of "special categor[ies] [of] personal data" (such as personal data related to health and genetic information), which could be relevant to our operations in the context of our clinical trials, imposes heightened compliance burdens under European data protection laws and is a topic of active interest among relevant regulators. Certain jurisdictions have enacted data localization laws and cross-border personal data transfer laws, which could make it more difficult to transfer information across jurisdictions (such as transferring or receiving personal data that originates in the EU or in other foreign jurisdictions). Existing mechanisms that facilitate cross-border personal data transfers may change or be invalidated. For example, absent appropriate safeguards or other circumstances, the EU GDPR generally restricts the transfer of personal data to countries outside of the European Economic Area, or EEA, that the European Commission does not consider to provide an adequate level of data privacy and security, such as the U.S. The European Commission released a set of "Standard Contractual Clauses," or SCCs, that are designed to be a valid mechanism to facilitate personal data transfers out of the EEA to these jurisdictions. Currently, these SCCs are a valid mechanism to transfer personal data outside of the EEA, but there exists a possibility that the validity of SCCs will be challenged in European courts. Additionally, the SCCs impose additional compliance burdens, such as conducting transfer impact assessments to determine whether additional security measures are necessary to protect the at-issue personal data. In addition, Switzerland and the UK similarly restrict personal data transfers outside of those jurisdictions to countries that they do not consider to provide an adequate level of personal data protection, such as the U.S., and certain countries outside Europe (e.g., Brazil) have also passed or are considering laws requiring local data residency or otherwise impeding the transfer of personal data across borders, any of which could increase the cost and complexity of doing business. While we use SCCs for transfers of personal data from the EEA, UK and Switzerland to recipients in non-adequate countries, in the event we are unable to implement a valid compliance mechanism for cross-border data transfers (e.g., SCCs are invalidated), we may face increased exposure to regulatory actions, substantial fines, and injunctions against processing or transferring personal data from Europe or other foreign jurisdictions. Inability to import personal data to the U.S. may significantly and negatively impact our business operations, including by limiting our ability to conduct clinical trial activities in Europe and elsewhere; limiting our ability to collaborate with parties subject to European and other data protection laws or requiring us to increase our personal data processing capabilities in Europe and/or elsewhere at significant expense. These laws exemplify the vulnerability of our business to the evolving regulatory environment related to personal data and may require us to modify our Processing practices at substantial costs and expenses in an effort to comply. Given the breadth and evolving nature of Data Protection Requirements, preparing for and complying with these requirements is rigorous, time-intensive and requires significant resources and a review of our technologies, systems and practices, as well as those of any third-party collaborators, service providers, contractors or consultants that Process personal data on our behalf. We may publish privacy policies and other documentation regarding our Processing of personal data and/or other confidential, proprietary or sensitive information. Although we endeavor to comply with our published policies and other documentation, we may at times fail to do so or may be perceived to have failed to do so. Moreover, despite our efforts, we may not be successful in achieving compliance if our employees, third-party collaborators, service providers, contractors or consultants fail to comply with our policies and documentation. Such failures can subject us to potential regulatory action if they are found to be deceptive, unfair, or misrepresentative of our actual practices. Moreover, subjects about whom we or our partners obtain information, as well as the providers who share this information with us, may contractually limit our ability to use and disclose the information. Claims that we have violated individuals' privacy rights or failed to comply with data protection laws or applicable privacy notices even if we are not found liable, could be expensive and time-consuming to defend and could result in adverse publicity that could harm our business or have other material adverse impacts.

Existing regulatory policies may change, and additional government regulations may be enacted that could prevent, limit or delay regulatory approval of any future product candidates we may develop, or affect pricing and third-party payment for our product candidates, which could negatively affect our business, financial condition and prospects. In the U.S., there have been and continue to be a number of legislative initiatives to contain healthcare costs. For example, in 2010, the ACA was enacted to broaden access to health insurance, reduce or constrain the growth of healthcare spending, enhance remedies against fraud and abuse, add new transparency requirements for health care and health insurance industries, impose new taxes and fees on the health industry and impose additional health policy reforms. Additionally, there has been increasing legislative and enforcement interest in the U.S. with respect to drug pricing practices since the ACA was enacted. For example, in November 2020, the HHS finalized a regulation removing safe harbor protection for price reductions from pharmaceutical manufacturers to plan sponsors under Part D, either directly or through pharmacy benefit managers, unless the price reduction is required by law. The rule also creates a new safe harbor for price reductions reflected at the point-of-sale, as well as a new safe harbor for certain fixed fee arrangements between pharmacy benefit managers and manufacturers. The implementation of the rule was delayed until January 1, 2032 by the IRA. In addition, under the American Rescue Plan Act of 2021, effective January 1, 2024, the statutory cap on Medicaid Drug Rebate Program rebates that manufacturers pay to state Medicaid programs has been eliminated. Elimination of this cap has, in some cases, required pharmaceutical manufacturers to pay more in rebates than they have received on the sale of products. In 2024, CMS issued a final rule that decreased Medicare reimbursement for physician services by 2.8%, effective January 1, 2025. If federal spending is further reduced, anticipated budgetary shortfalls may also impact the ability of relevant agencies, such as the FDA, to continue to function at current levels. Amounts allocated to federal grants and contracts may be reduced or eliminated. These reductions may also impact the ability of relevant agencies to timely review and approve research and development, manufacturing, and marketing activities, which may delay our ability to develop, market and sell any products we may develop. Additionally, several healthcare reform initiatives culminated in the enactment of the IRA in 2022, which, among other things, eliminated, beginning in 2025, the coverage gap under Medicare Part D by significantly lowering the enrollee maximum out-of-pocket costs and requiring manufacturers to subsidize, through a newly established manufacturer discount program, 10% of Part D enrollees' prescription costs for brand drugs below the out-of-pocket limit, and 20% once the out-of-pocket limit has been reached. The IRA also extended enhanced subsidies for individuals purchasing health insurance coverage in ACA marketplaces through plan year 2025, but those subsidies expired at the end of 2025. The IRA also allows HHS to directly negotiate the selling price of a statutorily specified number of drugs and biologics each year that CMS reimburses under Medicare Part B and Part D. The negotiated price may not exceed a statutory ceiling price. Only high-expenditure single-source biologics that have been approved for at least 11 years (seven years for single-source drugs) are eligible to be selected by CMS for negotiation, with the negotiated price taking effect two years after the selection year. For 2026, the first year in which negotiated prices become effective, CMS selected 10 high-cost Medicare Part D products in 2023, negotiations began in 2024, and the negotiated maximum fair price for each product has been announced. These negotiations resulted in significant price reductions for the products from their 2023 list prices, ranging from 38 to 79 percent, with an average price reduction of 59.4 percent. In addition, CMS has selected and announced the negotiated maximum fair price for 15 additional Medicare Part D drugs which will become effective in 2027. For 2028, CMS has selected an additional 15 drugs, comprised of drugs covered under Medicare Part D and, for the first time, drugs under Medicare Part B. For 2029 and subsequent years, 20 Part B or Part D drugs will be selected. A drug or biological product that has an ODD for only one rare disease or condition are excluded from the IRA's price negotiation requirements, but will lose that exclusion if it receives designations for more than one rare disease or condition, or if is approved for an indication that is not within that single designated rare disease or condition, unless such additional designation or such disqualifying approvals are withdrawn by the time CMS evaluates the drug for selection for negotiation. The negotiated prices have represented, and will continue to represent, a significant discount from average prices to wholesalers and direct purchasers. The IRA also imposes rebates on Medicare Part B and Part D drugs whose prices have increased at a rate greater than the rate of inflation, and in 2024, CMS finalized regulations for the Medicare Part B and Part D inflation rebates. The IRA permits the Secretary of HHS to implement many of these provisions through guidance, as opposed to regulation, for the initial years. Manufacturers that fail to comply with the IRA may be subject to various penalties, including civil monetary penalties. These provisions may be subject to legal challenges. For example, the provisions related to the negotiation of selling prices of high-expenditure single-source drugs and biologics have been challenged in multiple lawsuits brought by pharmaceutical manufacturers. Although full economic effect of the IRA on our business and the pharmaceutical industry in general is unknown at this time, it will likely have a significant impact on the pharmaceutical industry and the pricing of our products and product candidates. Similarly, the adoption of restrictive price controls in new jurisdictions, more restrictive controls in existing jurisdictions or the failure to obtain or maintain timely or adequate pricing could also reduce our profitability. We expect pricing pressures will continue globally. The current federal administration is pursuing policies to reduce regulations and expenditures across government including at HHS, which include the FDA and CMS, and related agencies. These actions included, for example, directives to reduce agency workforce which include the FDA and CMS, and related agencies. In addition, on May 12, 2025, President Trump issued an Executive Order that, among other things, required HHS, within 30 days, to establish and communicate to drug manufacturers MFN price targets designed to bring drug prices for American patients in line with those in comparably developed nations. If significant progress towards MFN pricing is not achieved, the Executive Order requires HHS to propose a rulemaking to implement MFN pricing. Recently, on December 23, 2025, CMS issued proposed regulations to establish, under CMMI, two mandatory MFN demonstration models under Medicare Parts B and D, respectively. If these rules or other MFN pricing rules are finalized, they are likely to reduce prices of at least some drugs in the U.S., if they are also sold in comparably developed countries. Even if we do not market drugs in such countries, we will be indirectly affected if our drugs competed with drugs whose prices were reduced as a result of MFN pricing initiatives. At the state level, legislatures are increasingly enacting legislation and implementing regulations designed to control pharmaceutical and biological product pricing, including price or patient reimbursement constraints, discounts, restrictions on certain product access and marketing cost disclosure and transparency measures, and, in some cases, designed to encourage importation from other countries and bulk purchasing. In addition, the FDA released a final rule in 2020 providing guidance for states to build and submit importation proposals for drugs from Canada. The FDA authorized the first such plan in Florida in 2024, but the implementation of Florida's plan has been extended. It is unclear how this program will be implemented, including which drugs will be chosen, and whether it will be subject to legal challenges in the U.S. or Canada. Other states have also submitted proposals that are pending review by the FDA. We expect that additional state and federal healthcare reform measures will be adopted in the future, any of which could limit the amounts that federal and state governments will pay for healthcare products and services, which could result in reduced demand for our product candidates if approved or additional pricing pressures.