Zevra Therapeutics (ZVRA) Risk Analysis

The secure processing, storage, maintenance, and transmission of sensitive personal information is vital to our operations and business. We are, and may increasingly become, subject to various laws and regulations, as well as contractual obligations, governing the collection, use, disclosure, retention, and security of personal information in the jurisdictions in which we operate. The regulatory environment related to data privacy and security is increasingly rigorous, with new and constantly changing requirements applicable to our business, and enforcement practices are likely to remain uncertain for the foreseeable future. These laws and regulations may be interpreted and applied differently over time and from jurisdiction to jurisdiction, and it is possible that they will be interpreted and applied in ways that may have a material adverse effect on our business, financial condition, results of operations and prospects. In the United States, various federal and state regulators, including governmental agencies like the Federal Trade Commission, have adopted, or are considering adopting, laws and regulations concerning personal information and data security. Certain state laws may be more stringent or broader in scope, or offer greater individual rights, with respect to personal information than federal, international, or other state laws, and such laws may differ from each other, all of which may complicate compliance efforts. For example, the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, the "CCPA"), requires covered businesses that process the personal information of California residents to, among other things: (i) provide certain disclosures to California residents regarding the business's collection, use, and disclosure of their personal information; (ii) receive and respond to requests from California residents to access, delete, and correct their personal information, or to opt out of certain disclosures of their personal information; and (iii) enter into specific contractual provisions with service providers that process California resident personal information on the business's behalf. Additional compliance investment and potential business process changes may also be required. Similar laws have been passed in other states, and are continuing to be proposed at the state and federal level, reflecting a trend toward more stringent privacy legislation in the United States. These and future laws and regulations may increase our compliance costs and potential liability. The Health Insurance Portability and Accountability Act of 1996, and regulations promulgated thereunder ("HIPAA") imposes privacy, security and breach notification obligations on certain healthcare providers, health plans and healthcare clearinghouses, known as covered entities, as well as their business associates that perform certain services that involve creating, receiving, maintaining or transmitting individually identifiable health information for or on behalf of such covered entities, and their covered subcontractors. Among other requirements, HIPAA requires business associates to develop and maintain policies with respect to the protection of, use and disclosure of protected health information ("PHI"), including the adoption of administrative, physical and technical safeguards to protect such information, certain notification requirements in the event of a breach of unsecured PHI, and requirements to report breaches of unsecured PHI to covered entities within 60 days of discovery of the breach by the business associate or its agents. Depending on the facts and circumstances, we could be subject to significant civil, criminal and administrative fines and penalties and/or additional reporting and oversight obligations if found to be in violation of HIPAA. Foreign data protection laws may also apply to health-related and other personal data that we process, including personal data relating to clinical trial participants. European data protection laws impose strict obligations on the ability to process health-related and other personal data of data subjects in Europe, including standards relating to the privacy and security of personal data. For example, in Europe, the European Union General Data Protection Regulation, or the "EU GDPR", and in the United Kingdom, the United Kingdom General Data Protection Regulation and Data Protection Act 2018, or the "UK GDPR" (together with the EU GDPR, referred to as the "GDPR") imposes strict requirements for processing the personal data of individuals within the European Economic Area, or the EEA, or in the context of our activities within the EEA. Companies that must comply with the GDPR face increased compliance obligations and risk, including more robust regulatory enforcement of data protection requirements and potential fines for noncompliance under both the EU GDPR and UK GDPR of up to €20 million/GBP 17.5 million or 4% of the annual global revenues of the noncompliant company, whichever is greater. In addition to fines, a breach of the GDPR may result in regulatory investigations, reputational damage, orders to cease/ change our data processing activities, enforcement notices, assessment notices (for a compulsory audit) and/ or civil claims (including class actions). Among other requirements, the GDPR regulates transfers of personal data subject to the GDPR to third countries that have not been found to provide adequate protection to such personal data, including the United States, and the efficacy and longevity of current transfer mechanisms between the EEA and the United States remains uncertain. Case law from the Court of Justice of the European Union ("CJEU") states that reliance on the standard contractual clauses – a standard form of contract approved by the European Commission as an adequate personal data transfer mechanism – alone may not necessarily be sufficient in all circumstances and that transfers must be assessed on a case-by-case basis. On July 10, 2023, the European Commission adopted its Adequacy Decision in relation to the new EU-US Data Privacy Framework ("DPF"), rendering the DPF effective as a GDPR transfer mechanism to U.S. entities self-certified under the DPF. In relation to such cross border transfers of personal data, we expect the existing legal complexity and uncertainty regarding international personal data transfers to continue, and international transfers to the United States, China, and to other jurisdictions more generally to continue to be subject to enhanced scrutiny by regulators. As the regulatory guidance and enforcement landscape in relation to data transfers continue to develop, we could suffer additional costs, complaints and/or regulatory investigations or fines; we may have to stop using certain tools and vendors and make other operational changes; we may have to implement alternative data transfer mechanisms under the GDPR and/ or take additional compliance and operational measures; and/or it could otherwise affect the manner in which we operate our business, and could adversely affect our business, operations and financial condition. Failure, or perceived failure, to comply with foreign data protection laws and regulations, privacy policies, contracts and other data protection obligations could result in government investigations and enforcement actions (which could include civil or criminal penalties, fines, or sanctions), private litigation, a diversion of management's attention, adverse publicity and other negative effects on our operating results and business. Although we work to comply with applicable laws, regulations and standards, our contractual obligations and other legal obligations, these requirements are evolving and may be modified, interpreted and applied in an inconsistent manner from one jurisdiction to another, and may conflict with one another or other legal obligations with which we must comply. Any failure or perceived failure by us or our employees, representatives, contractors, consultants, collaborators, or other third parties to comply with such requirements or adequately address privacy and security concerns, even if unfounded, could result in additional cost and liability to us, damage our reputation, and adversely affect our business and results of operations.

Our industry is characterized by rapidly advancing technologies, intense competition and a strong emphasis on proprietary products. We will face competition and potential competition from a number of sources, including pharmaceutical and biotechnology companies, specialty pharmaceutical companies, generic drug companies, drug delivery companies and academic and research institutions. Our competitors may develop or market drugs that are more effective, more convenient, more widely used and less costly or have a better safety profile than our products or product candidates, and these competitors may also have significantly more resources than us and be more successful than us in manufacturing and marketing their products. See Part I. Item 1. "Business-Competitors" of this Annual Report on Form 10-K for additional information regarding our competitors.

We are focused on diseases with a small patient population. A key component of the successful commercialization of an approved product for these indications includes identification of patients and a targeted prescriber base for such product. Due to small patient populations for our products and product candidates, we believe that we would need to have significant market penetration to achieve meaningful revenues and identifying patients and targeting the prescriber base are key to achieving significant market penetration. Typically, drugs for conditions with small prevalence have higher prices in order to generate a return on investment, and as a result, the per-patient prices at which we sell our products are relatively high in order for us to generate an appropriate return for the investment in these product development programs and achieve meaningful gross margins. There can be no assurance that we will be successful in achieving a sufficient degree of market penetration and/or obtaining or maintaining high per-patient prices for products for diseases with small patient populations. Further, even if we obtain significant market share for our products, because the potential target populations are very small, we may not be able to maintain profitability despite obtaining such significant market share. Additionally, patients who discontinue therapy or do not fill prescriptions are not easily replaced by new patients, given the limited patient population.

Sales of pharmaceutical products depend in significant part on the availability of coverage and adequate reimbursement by third-party payors, such as state and federal governmental authorities, including those that administer the Medicare and Medicaid programs, and private managed care organizations and health insurers. Decisions regarding the extent of coverage and amount of reimbursement to be provided for each of our products and product candidates is and will be made on a plan-by-plan basis. One payor's determination to provide coverage for a product does not assure that other payors will also provide coverage, and adequate reimbursement, for the product. Each third-party payor determines whether or not it will provide coverage for a drug, what amount it will pay providers for the drug, and on what tier of its formulary the drug will be placed. These decisions are influenced by the existence of multiple drug products within a therapeutic class and the net cost to the plan, including the amount of the prescription price, if any, rebated by the drug's manufacturer. Typically, generic versions of drugs are placed in a preferred tier. The position of a drug on the formulary generally determines the co-payment that a patient will need to make to obtain the drug and can strongly influence the adoption of a drug by patients and physicians. Patients who are prescribed treatments for their conditions and providers performing the prescribed services generally rely on third-party payors to reimburse all or part of the associated healthcare costs. Patients are unlikely to use our products unless coverage is provided, and reimbursement is adequate to cover a significant portion of the cost of our products. Additionally, a third-party payor's decision to provide coverage for a drug does not imply that an adequate reimbursement rate will be approved. Also, third-party payors are developing increasingly sophisticated methods of controlling healthcare costs. As a result, coverage, reimbursement and placement determinations are complex and are often the subject of extensive negotiations between the payer and the manufacturer of the drug. Increasingly, both purchasers and payors are also conducting comparative clinical and cost effectiveness analyses involving application of metrics, including data on patient outcomes, provided by manufacturers. Within the Medicare program, as self-administered drugs, our product and product candidates would be reimbursed under the expanded prescription drug benefit known as Medicare Part D. This program is a voluntary Medicare benefit administered by private plans that operate under contracts with the federal government. These plans develop formularies that determine which products are covered and what co-pay will apply to covered drugs. The plans have considerable discretion in establishing formularies and tiered co-pay structures, negotiating rebates with manufacturers and placing prior authorization and other restrictions on the utilization of specific products, subject to review by the Centers for Medicare & Medicaid Services ("CMS"), for discriminatory practices. These Part D plans negotiate discounts with drug manufacturers, which are passed on, in whole or in part, to each of the plan's enrollees through reduced premiums. In order for reimbursement to be available for our products under Medicare or Medicaid, we participate in and have rebate obligations under the Medicaid Drug Rebate Program and are enrolled in the 340B drug pricing program, as well as the U.S. Department of Veterans Affairs Federal Supply Schedule pricing program. The programs we participate in, as well as our obligations under these programs, are described under the risk factor "If we fail to comply with our reporting and payment obligations under the Medicaid Drug Rebate Program or other governmental pricing programs in which we participate, we could be subject to additional reimbursement requirements, penalties, sanctions and fines." Third-party payers, including the U.S. government, continue to apply downward pressure on the reimbursement of pharmaceutical products. Also, the trend towards managed health care in the United States and the concurrent growth of organizations such as health maintenance organizations may result in lower reimbursement for pharmaceutical products. We expect that these trends will continue as these payors implement various proposals or regulatory policies, including various provisions of the recent health reform legislation that affect reimbursement of these products. There are currently, and we expect that there will continue to be, a number of federal, state and foreign proposals to implement controls on reimbursement and pricing, directly and indirectly. In international markets, reimbursement and healthcare payment systems vary significantly by country, and many countries have instituted price ceilings on specific products and therapies. For example, in the EU, pricing and reimbursement schemes vary widely from country to country. Some countries may require the completion of additional studies that compare the cost-effectiveness of a particular medicinal product candidate to currently available therapies. This Health Technology Assessment ("HTA") which is currently governed by the national laws of the individual EU member states, is the procedure according to which the assessment of the public health impact, therapeutic impact and the economic and societal impact of use of a given medicinal product in the national healthcare systems of the individual country is conducted. The outcome of HTA regarding specific medicinal products will often influence the pricing and reimbursement status granted to these medicinal products by the competent authorities of individual EU member states. The downward pressure on healthcare costs in general, particularly prescription medicines, has become very intense. Pharmaceutical products may face competition from lower-priced products in foreign countries that have placed price controls on pharmaceutical products and may also compete with imported foreign products. Furthermore, there is no assurance that a product will be considered medically reasonable and necessary for a specific indication, will be considered cost-effective by third-party payors, that an adequate level of reimbursement will be established even if coverage is available or that the third-party payors' reimbursement policies will not adversely affect the ability for manufacturers to sell products profitably. Historically, products launched in the EU do not follow the price structures which prevail in the United States, and generally, prices tend to be significantly lower.

Trade policies, geopolitical disputes and other international conflicts can result in tariffs, sanctions and other measures that restrict international trade, and can materially adversely affect our business, particularly if these measures affect regions where manufacturing and product development activities take place or raw materials are sourced. The extent and duration of any tariffs and the resulting impact on general economic conditions and on our business are uncertain and depend on various factors, such as negotiations between the United States and other countries, the response of such countries, and exemptions or exclusions that may be granted. Countries may also adopt other measures, such as controls on imports or exports of goods, technology or data, that could adversely impact supply chains. As these tensions continue to rise, more targeted approaches on certain products, industries or companies could significantly impact our development and commercialization efforts. Further, such actions by the United States could result in other retaliatory actions by those countries which could impact our ability to profitably commercialize our products in those jurisdictions. As a result, our business, operations, and financial condition could be materially harmed.