Our business processes personal data, including some data related to health. When conducting clinical trials, we face risks associated with collecting trial participants' data, especially health data, in a manner consistent with applicable laws and regulations. We also face risks inherent in handling large volumes of data and in protecting the security of such data. We could be subject to attacks on our systems by outside parties or fraudulent or inappropriate behavior by our service providers or employees. Third parties may also gain access to users' accounts using stolen or inferred credentials, computer malware, viruses, spamming, phishing attacks or other means, and may use such access to obtain users' personal data or prevent use of their accounts. Data breaches could subject us to individual or consumer class action litigation and governmental investigations and proceedings by federal, state and local regulatory entities in the U.S. and by international regulatory entities, resulting in exposure to material civil and/or criminal liability. Further, our general liability insurance and corporate risk program may not cover all potential claims to which we are exposed and may not be adequate to indemnify us for all liability that may be imposed.
Our business requires that we and our third-party service providers collect and store sensitive data, including legally protected health information, personally identifiable information about patients, credit card information, and our proprietary business and financial information. As a covered entity, we must comply with the HIPAA privacy and security regulations, which may increase our operational costs. Furthermore, the privacy and security regulations provide for significant fines and other penalties for wrongful use or disclosure of protected health information, or PHI, including potential civil and criminal fines and penalties. We face a number of risks relative to our protection of, and our service providers' protection of, this critical information, including loss of access, fraudulent modifications, inappropriate disclosure and inappropriate access, as well as risks associated with our ability to identify and audit such events. The secure processing, storage, maintenance and transmission of this critical information is vital to our operations and business strategy, and we devote significant resources to protecting such information. Although we take measures to protect sensitive information from unauthorized access or disclosure, our information technology and infrastructure may be vulnerable to attacks by hackers or viruses or otherwise breached due to employee error, malfeasance or other activities. If such an event were to occur and cause interruptions in our operations, our networks would be compromised and the information we store on those networks could be accessed by unauthorized parties, publicly disclosed, modified without our knowledge, lost or stolen.
Additionally, we share PHI with third-party contractors who are contractually obligated to safeguard and maintain the confidentiality of PHI. Unauthorized persons may be able to gain access to PHI stored in such third-party contractors' computer networks. Any wrongful use or disclosure of PHI by us or our third-party contractors, including disclosure due to data theft or unauthorized access to our or our third-party contractors' computer networks, could subject us to fines or penalties that could adversely affect our business and results of operations. Although the HIPAA statute and regulations do not expressly provide for a private right of damages, we also could incur damages under state laws to private parties for the wrongful use or disclosure of confidential health information or other private personal information by us or our third-party contractors. Unauthorized access, loss, modification or dissemination could disrupt our operations, including our ability to process tests, provide test results, bill payers or patients, process claims, provide customer assistance services, conduct research and development activities, collect, process and prepare company financial information, provide information about our solution and other patient and physician education and outreach efforts through our website, and manage the administrative aspects of our business, and could damage our reputation, any of which could adversely affect our business. In addition, the interpretation and application of consumer, health-related and data protection laws in the U.S. are often uncertain, contradictory and in flux. It is possible that these laws may be interpreted and applied in a manner that is inconsistent with our practices. Complying with these various laws could cause us to incur substantial costs or require us to change our business practices, systems and compliance procedures in a manner adverse to our business.
As our operations and business grow, we may become subject to or affected by new or additional data protection laws and regulations and face increased scrutiny or attention from regulatory authorities, including various domestic and international privacy and security regulations. The legislative and regulatory landscape for privacy and data protection continues to evolve. In the U.S., certain states may adopt privacy and security laws and regulations that may be more stringent than applicable federal law.
A number of U.S. states have proposed new privacy laws. Such proposed legislation, if enacted, may add additional complexity, variation in requirements, restrictions and potential legal risk, require additional investment of resources in compliance programs, impact strategies and the availability of previously useful data and could result in increased compliance costs and/or changes in business practices and policies. The existence of comprehensive privacy laws in different states in the country would make our compliance obligations more complex and costly and may increase the likelihood that we may be subject to enforcement actions or otherwise incur liability for noncompliance.
Our international operations are subject to international laws and regulations, regulatory guidance, and industry standards relating to data protection, privacy, and information security. This includes the EU General Data Protection Regulation, or GDPR, as well as other national data protection legislation in force in relevant EU member states (including the GDPR in such form as incorporated into the law of England and Wales, Scotland and Northern Ireland by virtue of the European Union (Withdrawal) Act 2018 and any regulations thereunder and the UK Data Protection Act 2018, or UK GDPR).
The GDPR and UK GDPR are wide-ranging in scope and impose numerous additional requirements on companies that process personal data, including imposing special requirements in respect of the processing of health and other sensitive data, requiring that consent of individuals to whom the personal data relates is obtained in certain circumstances, requiring additional disclosures to individuals regarding data processing activities, requiring that safeguards are implemented to protect the security and confidentiality of personal data, creating mandatory data breach notification requirements in certain circumstances, requiring data protection impact assessments for high risk processing and requiring that certain measures (including contractual requirements) are put in place when engaging third-party processors. The GDPR and the UK GDPR also provide individuals with various rights in respect of their personal data, including rights of access, erasure, portability, rectification, restriction and objection.
The GDPR and UK GDPR impose strict rules on the transfer of personal data to countries outside the European Economic Area, including the U.S. The UK and Switzerland have adopted similar restrictions. Although the UK is regarded as a third country under the EU's GDPR, the EC has now issued a decision recognizing the UK as providing adequate protection under the EU GDPR and, therefore, transfers of personal data originating in the EU to the UK remain unrestricted. Like the EU GDPR, the UK GDPR restricts personal data transfers outside the UK to countries not regarded by the UK as providing adequate protection. The UK government has confirmed that personal data transfers from the UK to the EEA remain free flowing.
To enable the transfer of personal data outside of the EEA or the UK, adequate safeguards must be implemented in compliance with European and UK data protection laws. On June 4, 2021, the EC issued new forms of standard contractual clauses for data transfers from controllers or processors in the EU/EEA (or otherwise subject to the GDPR) to controllers or processors established outside the EU/EEA (and not subject to the GDPR). The new standard contractual clauses replace the standard contractual clauses that were adopted previously under the EU Data Protection Directive. The UK is not subject to the EC's new standard contractual clauses but has published a draft version of a UK-specific transfer mechanism, which, once finalized, will enable transfers from the UK. We will be required to implement these new safeguards when conducting restricted data transfers under the EU and UK GDPR and doing so will require significant effort and cost.
The GDPR and UK GDPR may increase our responsibility and liability in relation to personal data that we process where such processing is subject to the GDPR and UK GDPR. Although we have made efforts to comply with the GDPR, the UK GDPR and implementing legislation in applicable EU member states and the UK, including by seeking to establish appropriate lawful bases for the various processing activities we carry out as a controller or joint controller, reviewing security procedures and those of our vendors and collaborators, and entering into data processing agreements with relevant vendors and collaborators, we cannot be certain that our efforts to achieve and remain in compliance have been, and/or will continue to be, fully successful. Given the breadth and depth of changes in data protection obligations, preparing for and complying with the GDPR and UK GDPR and similar laws' requirements are rigorous and time intensive and require significant resources and a review of our technologies, systems and practices, as well as those of any third-party collaborators, service providers, contractors or consultants that process or transfer personal data.
Other countries around the world in which we conduct business have also enacted strict privacy and data protection laws. Further, in addition to general privacy and data protection requirements, many jurisdictions around the world have adopted legislation that regulates how businesses operate online and enforces information security, including measures relating to privacy, data security and data breaches. Many of these laws require businesses to notify data breaches to the regulators and/or to data subjects. These laws are not consistent, and compliance in the event of a widespread data breach is costly and burdensome.
In many jurisdictions, enforcement actions and consequences for non-compliance with data protection, privacy and information security laws and regulations are rising. In the EU and the UK, data protection authorities may impose large penalties for violations of the data protection laws, including potential fines of up to €20 million (£17.5 million in the UK) or 4% of annual global revenue, whichever is greater. The authorities have shown a willingness to impose significant fines and issue orders preventing the processing of personal data on non-compliant businesses. Data subjects also have a private right of action, as do consumer associations, to lodge complaints with supervisory authorities, seek judicial remedies, and obtain compensation for damages resulting from violations of applicable data protection laws.
The risk of our being found in violation of these laws is increased by the fact that the interpretation and enforcement of them is not entirely clear. Efforts to ensure that our business arrangements with third parties will comply with applicable healthcare laws and regulations will involve substantial costs. Any action against us for violation of these laws, even if we successfully defend against it, could cause us to incur significant legal expenses and divert our management's attention from the operation of our business. The shifting compliance environment and the need to build and maintain robust and expandable systems to comply with multiple jurisdictions with different compliance and/or reporting requirements increase the possibility that a healthcare company may run afoul of one or more of the requirements.
Compliance with data protection laws and regulations could require us to take on more onerous obligations in our contracts, restrict our ability to collect, use and disclose data, or in some cases, impact our ability to operate in certain jurisdictions. It could also require us to change our business practices and put in place additional compliance mechanisms, may interrupt or delay our development, regulatory and commercialization activities and increase our cost of doing business. Failure by us or our collaborators and third-party providers to comply with data protection laws and regulations could result in government enforcement actions (which could include civil or criminal penalties and orders preventing us from processing personal data), private litigation and result in significant fines and penalties against us. Claims that we have violated individuals' privacy rights, failed to comply with data protection laws or breached our contractual obligations, even if we are not found liable, could be expensive and time-consuming to defend, could result in adverse publicity and could have a material adverse effect on our business, financial condition, results of operations and prospects.