Although we maintain product liability insurance coverage in the amount of up to $10.0 million in the aggregate, including commercial product liability and clinical trial liability, this insurance may not fully cover potential liabilities that we may incur. The cost of any product liability litigation or other proceeding, even if resolved in our favor, could be substantial. In addition, insurance coverage is becoming increasingly expensive. If we are unable to maintain sufficient insurance coverage at an acceptable cost or to otherwise protect against potential product liability claims, it could prevent or inhibit the development and commercial production and sale of neffy or our current or future intranasal epinephrine technology product candidates, which could harm our business, financial condition, results of operations and prospects.
If our information technology systems or data, or those of third parties with whom we work, are or were compromised, we could experience adverse consequences resulting from such compromise, including but not limited to regulatory investigations or actions; litigation; fines and penalties; disruptions of our business operations; reputational harm; loss of revenue or profits; and other adverse consequences.*
In the ordinary course of our business, we and the third parties with whom we work collect, receive, store, process, generate, use, transfer, disclose, make accessible, protect, secure, dispose of, transmit, and share (collectively, “process”) personal data and other sensitive information, including proprietary and confidential business data, trade secrets, intellectual property, data we collect about trial participants in connection with clinical trials, sensitive third-party data, business plans, transactions, and financial information (collectively, “sensitive data”). As a result, we and such third parties face a variety of evolving threats, including but not limited to ransomware attacks, which could cause security incidents. Cyber-attacks, malicious internet-based activity, online and offline fraud, and other similar activities threaten the confidentiality, integrity, and availability of our sensitive data and information technology systems, and those of the third parties with whom we work. Such threats are prevalent and continue to rise, are increasingly difficult to detect, and come from a variety of sources, including traditional computer “hackers,” threat actors, “hacktivists,” organized criminal threat actors, personnel (such as through theft or misuse), sophisticated nation states, and nation-state-supported actors.
Some actors now engage and are expected to continue to engage in cyber-attacks, including without limitation nation-state actors for geopolitical reasons and in conjunction with military conflicts and defense activities. During times of war and other major conflicts, we and the third parties with whom we work may be vulnerable to a heightened risk of these attacks, including retaliatory cyber-attacks, which could materially disrupt our systems and operations, supply chain, and ability to conduct our business.
We and the third parties with whom we work are subject to a variety of evolving threats, including but not limited to social-engineering attacks (including through deep fakes, which may be increasingly more difficult to identify as a fake, and phishing attacks), malicious code (such as viruses and worms), malware (including as a result of advanced persistent threat intrusions), denial-of-service attacks, credential stuffing attacks, credential harvesting, personnel misconduct or error, ransomware attacks, supply-chain attacks, software bugs, server malfunctions, software or hardware failures, loss of data or other information technology assets, adware, telecommunications failures, earthquakes, fires, floods, attacks enhanced or facilitated by AI, and other similar threats.
In particular, severe ransomware attacks are becoming increasingly prevalent and can lead to significant interruptions in our operations, loss of sensitive data and income, reputational harm, and diversion of funds. Extortion payments may alleviate the negative impact of a ransomware attack, but we may be unwilling or unable to make such payments due to, for example, applicable laws or regulations prohibiting such payments.
It may be difficult and/or costly to detect, investigate, mitigate, contain, and remediate a security incident. Our efforts to do so may not be successful. Actions taken by us or the third parties with whom we work to detect, investigate, mitigate, contain, and remediate a security incident could result in outages, data losses, and disruptions of our business. Threat actors may also gain access to other networks and systems after a compromise of our networks and systems.
Remote work has become more common and has increased risks to our information technology systems and data, as more of our employees utilize network connections, computers, and devices outside our premises or network, including working at home, while in transit and in public locations. Additionally, future or past business transactions (such as acquisitions or integrations) could expose us to additional cybersecurity risks and vulnerabilities, as our systems could be negatively affected by vulnerabilities present in acquired or integrated entities’ systems and technologies. Furthermore, we may discover security issues that were not found during due diligence of such acquired or integrated entities, and it may be difficult to integrate companies into our information technology environment and security program.
