Ovid Therapeutics (OVID) Risk Analysis

We are increasingly dependent on information technology systems and infrastructure, including mobile technologies, to operate our business. In the ordinary course of our business, we collect, store, process and transmit large amounts of sensitive data, and, as a result, we and the third parties with whom we work face a variety of continuously evolving threats that have caused and could cause future security incidents. In addition, many of those third parties in turn subcontract or outsource some of their responsibilities to other third parties. While all information technology operations are inherently vulnerable to inadvertent or intentional security breaches, incidents, attacks and exposures, the accessibility and distributed nature of our information technology systems, and the sensitive data stored on those systems, make such systems vulnerable to unintentional or malicious, internal and external attacks on our technology environment. We have also outsourced elements of our operations (including elements of our information technology infrastructure) to third parties, and as a result, certain third parties with whom we work have access to our computer networks and/or our sensitive data. In addition, many of those third parties in turn subcontract or outsource some of their responsibilities to other third parties. Our ability to monitor the third parties' information security practices is limited, and these third parties may not have adequate information security measures in place. When the third parties with whom we work experience a security incident or other interruption, which has occurred in the past, we could experience adverse consequences. For example, in the third quarter of 2024, we were notified of a business email compromise impacting a development collaborator, which resulted in our payment being misdirected to a fraudulent account. The funds were fully recovered in January 2025. In the absence of recovery of funds or other remuneration, we may be entitled to damages if our third-party service providers fail to satisfy their privacy or security-related obligations to us, any award may be insufficient to cover our damages, or we may be unable to recover such award. In addition, supply-chain attacks have increased in frequency and severity, and we cannot guarantee that third parties' infrastructure in our supply chain or our third-party partners' supply chains have not been compromised. Increasing global tensions, including tensions between China and Taiwan and the ongoing wars involving Ukraine and Israel, among others, are likely to increase the frequency of cybersecurity attacks. In addition, hybrid work has increased risks to our information technology systems and data as our employees utilize network connections, computer and devices outside our premises or network, including working at home, while in transit and in public locations. Additionally, future or past business transactions (such as acquisitions or integrations) could expose us to additional cybersecurity risks and vulnerabilities, as our systems could be negatively affected by vulnerabilities present in acquired or integrated entities' systems and technologies. Furthermore, we may discover security issues that were not identified during due diligence of such acquired or integrated entities, and it may be difficult to integrate companies into our information technology environment and security program. We take steps designed to detect, mitigate, and remediate vulnerabilities in our information systems (such as our hardware and/or software, including that of third parties upon which we rely); however, we may not detect and remediate all such vulnerabilities on a timely basis. Further, we may and have experienced delays in deploying remedial measures and patches designed to address identified vulnerabilities. For example, we have had situations in which a vulnerability has been identified, but the remediating patch download and installation was delayed due to the user being offline or the computer not being rebooted in a timely manner to finalize the installation. Non-remediated vulnerabilities could be exploited and result in a security incident. Cyberattacks, malicious internet-based activity, online and offline fraud, and other similar activities are increasing in their frequency, levels of persistence, sophistication and intensity, and are also being conducted by sophisticated and organized groups and individuals with a wide range of motives (including, but not limited to, industrial espionage) and expertise, including organized criminal groups, "hacktivists," nation states and others. Such attacks could include the deployment of harmful malware (including as a result of advanced persistent threat intrusions), ransomware attacks, denial-of-service attacks, credential stuffing and/or harvesting, social engineering (including through deep fakes, which may be increasingly more difficult to identify as fake, and phishing attacks), supply-chain attacks, software bugs, server malfunctions, software or hardware failures, loss of sensitive data or other information technology assets, adware, attacks enhanced or facilitated by artificial intelligence, telecommunications failures, earthquakes, fires, floods and other means to affect service reliability and threaten the confidentiality, integrity and availability of our information systems and sensitive data. In particular, severe ransomware attacks are becoming increasingly prevalent and can lead to significant interruptions in our operations, ability to provide our products or services, loss of sensitive data and income, reputational harm, and diversion of funds. Extortion payments may alleviate the negative impact of a ransomware attack, but we may be unwilling or unable to make such payments due to, for example, applicable laws or regulations prohibiting such payments. Significant disruptions of our, our third-party vendors' and/or business partners' information technology systems or other similar data security incidents could adversely affect our business operations and/or result in the loss, misappropriation, and/or unauthorized access, use or disclosure of, or the prevention of access to, sensitive data, which could result in financial, legal, regulatory, business and reputational harm to us. In addition, information technology system disruptions, whether from attacks on our technology environment or from computer viruses, natural disasters, terrorism,war and telecommunication and electrical failures, could result in a material disruption of our development programs and our business operations. For example, the loss of clinical trial data from completed or future clinical trials could result in delays in our regulatory approval efforts and significantly increase our costs to recover or reproduce the data. It may be difficult and/or costly to detect, investigate, mitigate, contain and remediate a security incident. Our efforts to do so may not be successful. For example, we utilize a phishing reporting feature that allows our IT function to analyze and assess whether suspicious emails are phishing attempts. This system is reliant on artificial intelligence and employee awareness and diligence, both of which may be exploited or not always successful. Actions taken by us or the third parties with whom we work to detect, investigate, mitigate, contain and remediate a security incident could result in outages, data losses, and disruptions of our business. Threat actors may also gain access to other networks and systems after a compromise of our networks and systems. We have in the past and will in the future expend significant resources or modify our business activities to try to protect against current and constantly evolving security incidents. Additionally, certain data privacy and security obligations will require us to implement and maintain specific security measures or industry-standard or reasonable security measures to protect our information technology systems and sensitive data. Applicable data privacy and security obligations may require us to notify relevant stakeholders, including affected individuals, customers, regulators, and investors, of security incidents. Such disclosures are costly, and the disclosure or the failure to comply with such requirements could lead to adverse consequences. If we (or a third party with whom we work) experience a security incident or are perceived to have experienced a security incident, including but not limited to a security incident involving personal information regarding our patients or employees, we may experience adverse consequences, such as disruptions to our business, harm to our reputation, government enforcement actions (for example, investigations, fines, penalties, audits, and inspections), additional reporting requirements, and/or oversight, or we may otherwise be subject to liability under laws, regulations and contractual obligations, including those that protect the privacy and security of personal information. This could result in increased costs to us, and result in significant legal and financial exposure and/or reputational harm. In addition, any failure or perceived failure by us or our vendors or business partners to comply with our privacy, confidentiality or data security-related legal or other obligations to third parties, or any further security incidents or other inappropriate access events that result in the unauthorized access, release or transfer of sensitive data, may result in governmental investigations, enforcement actions, regulatory fines, litigation, or public statements against us by advocacy groups or others, and could cause third parties, including clinical sites, regulators or current and potential partners, to lose trust in us or we could be subject to claims by third parties that we have breached our privacy- or confidentiality-related obligations, which could materially and adversely affect our business and prospects. Moreover, data security incidents and other inappropriate access can be difficult to detect, and any delay in identifying them may lead to increased harm of the type described above. While we have implemented security measures intended to protect our information technology systems and infrastructure, there can be no assurance that such measures will be effective. Our contracts may not contain limitations of liability, and even where they do, there can be no assurance that limitations of liability in our contracts are sufficient to protect us from liabilities, damages, or claims related to our data privacy and security obligations. While we are seeking cybersecurity insurance coverage to cover certain aspects of the cyber risks described above, there is no guarantee that we will obtain cybersecurity insurance coverage sufficient to cover the risks described here. Furthermore, any losses suffered by the company may not be adequately covered by insurance or other contractual rights available to us. The successful assertion of one or more large claims against us that exceed or are not covered by our insurance coverage or changes in our insurance policies, including premium increases or the imposition of large deductible or co-insurance requirements, could make us unable to acquire such insurance and may have an adverse effect on our business, financial condition, and results of operations. In addition to experiencing a security incident, third parties may gather, collect or infer sensitive information about us from public sources, data brokers or other means that reveal competitively sensitive details about our organization and could be used to undermine our competitive advantage or market position. Additionally, sensitive company information could be leaked, disclosed or revealed as a result of or in connection with our employees', personnel's, or vendors' use of generative artificial intelligence technologies.

The ability of the FDA to review proposed clinical trials or approve new products can be affected by a variety of factors, including government budget and funding levels, statutory, regulatory, and policy changes, the FDA's ability to hire and retain key personnel and accept payment of user fees, and other events that may otherwise affect the FDA's ability to perform routine functions. In addition, government funding of other government agencies that fund research and development activities is subject to the political process, including executive and congressional priorities, the impacts of which are inherently fluid and unpredictable. Disruptions at the FDA and other agencies may slow the time necessary for new product candidates to be reviewed and/or approved, which would adversely affect our business. For example, over the last several years, the U.S. government has shut down several times and certain regulatory agencies, such as the FDA, have had to furlough critical FDA employees and stop critical activities. In addition, the current administration has proposed substantial reductions in force at various government agencies including the FDA, and has implemented layoffs at the FDA, which could significantly reduce the FDA's capacity to perform its functions in a manner consistent with its past practices and could delay reviews and negatively impact our business.

In the ordinary course of business, we and the third parties with whom we work collect, receive, store, process, generate, use, transfer, disclose, make accessible, protect, secure, dispose of, transmit, and share (collectively, process)personal data and other sensitive information, including proprietary and confidential business data, trade secrets, intellectual property, sensitive third-party data, business plans, transactions, clinical trial data and financial information (collectively, sensitive data). Our data processing activities subject us to laws and regulations covering data privacy and the protection of personal information and other sensitive data. The legislative and regulatory landscape for privacy and data protection continues to evolve, and there has been an increasing focus on privacy and data protection issues which may affect our business. In the United States, there are state security breach notification laws, state health information privacy laws and federal and state consumer protections laws which impose requirements for the collection, use, disclosure and transmission of personal information. Each of these laws is subject to varying interpretations by courts and government agencies. If we fail to comply with applicable laws and regulations we could be subject to penalties or sanctions, including criminal penalties if we knowingly obtain individually identifiable health information from a covered entity in a manner that is not authorized or permitted by HIPAA or for aiding and abetting the violation of HIPAA. Numerous U.S. states have enacted comprehensive privacy laws that impose certain obligations on covered businesses, including providing specific disclosures in privacy notices and affording residents with certain rights concerning their personal data. As applicable, such rights may include the right to access, correct, or delete certain personal data, and to opt-out of certain data processing activities, such as targeted advertising, profiling, and automated decision-making. The exercise of these rights may impact our business and ability to provide our products and services if we become subject to these laws. For example, California enacted the California Consumer Privacy Act ("CCPA") which applies to personal information of consumers, business representatives, and employees, and requires businesses to provide specific disclosures in privacy notices and honor requests of California residents to exercise certain privacy rights The CCPA provides for civil penalties for violations, as well as a private right of action for certain data breaches. Although there are limited exemptions for clinical trial data under the CCPA (and the other similar state privacy laws), the CCPA and other similar laws may impact (possibly significantly) our business activities depending on how it is interpreted, should we become subject to the CCPA and other state comprehensive privacy laws in the future. Numerous other countries have, or are developing, laws governing the collection, use and transmission of personal information as well. For example, the European Union's General Data Protection Regulation ("EU GDPR"), the United Kingdom's GDPR ("UK GDPR"), impose strict requirements for processing personal data. The EU GDPR provides for fines of up to 20 million Euros or 4% of annual global revenue, whichever is greater. In the ordinary course of business, we transfer personal data from Europe and other jurisdictions to the United States or other countries. Europe and other jurisdictions have enacted laws requiring data to be localized or limiting the transfer of personal data to other countries. In particular, the European Economic Area (EEA) and the United Kingdom (UK) have significantly restricted the transfer of personal data to the United States and other countries whose privacy laws it believes are inadequate. Other jurisdictions have and may continue to adopt similarly stringent interpretations of their data localization and cross-border data transfer laws. Although there are currently various mechanisms that may be used to transfer personal data from the EEA and UK to the United States in compliance with law, such as the EEA and UK's standard contractual clauses, these mechanisms are subject to legal challenges, and there is no assurance that we can satisfy or rely on these measures to lawfully transfer personal data to the United States. If there is no lawful manner for us to transfer personal data from the EEA, the UK or other jurisdictions to the United States, or if the requirements for a legally-compliant transfer are too onerous, we could face significant adverse consequences, including the interruption or degradation of our operations, the need to relocate part of or all of our business or data processing activities to other jurisdictions at significant expense, increased exposure to regulatory actions, substantial fines and penalties, the inability to transfer data and work with partners, vendors and other third parties, and injunctions against our processing or transferring of personal data necessary to operate our business. Additionally, companies that transfer personal data out of the EEA and UK to other jurisdictions, particularly to the United States, are subject to increased scrutiny from regulators, individual litigants, and activist groups. Some European regulators have ordered certain companies to suspend or permanently cease certain transfers out of Europe for allegedly violating the GDPR's cross-border data transfer limitations. Additionally, the U.S. Department of Justice issued a rule entitled the Preventing Access to U.S. Sensitive Personal Data and Government-Related Data by Countries of Concern or Covered Persons, which places additional restriction on certain data transactions involving countries of concern (e.g., China, Russia, Iran) and covered individuals (i.e., individuals and entities located in or controlled by individuals or entities located in those jurisdictions) that may impact certain business activities such as vendor engagements, employment of certain individuals, and investor agreements. Violations of the rule could lead to significant civil and criminal fines and penalties. The rule applies regardless of whether data is anonymized, key-coded, pseudonymized, de-identified or encrypted, which presents particular challenges for companies like ours and may impact our ability to transfer data in connection with certain transactions or agreements. Our employees and personnel use generative artificial intelligence ("AI") technologies to perform their work, and the disclosure and use of personal data in generative AI technologies is subject to various privacy laws and other privacy obligations. Governments have passed and are likely to pass additional laws regulating generative AI. Our use of this technology could result in additional compliance costs, regulatory investigations and actions, and lawsuits. If we are unable to use generative AI, it could make our business less efficient and result in competitive disadvantages. In addition to data privacy and security laws, we are bound by certain contractual obligations related to data privacy and security, and our efforts to comply with such obligations may not be successful. We also publish privacy policies, marketing materials, and other statements regarding data privacy and security. Regulators are increasingly scrutinizing these statements, and if these policies, materials, or statements are found to be deficient, lacking in transparency, deceptive, unfair, misleading or misrepresentative of our practices, we may be subject to investigation, enforcement actions by regulators, or other adverse consequences. We may at times fail (or be perceived to have failed) in our efforts to comply with our data privacy and security obligations. Moreover, despite our efforts, our personnel or third parties with whom we work may fail to comply with such obligations, which could negatively impact our business operations. If we or the third parties with whom we work fail, or are perceived to have failed, to address or comply with applicable data privacy and security obligations, we could face significant consequences, including but not limited to: government enforcement actions (e.g., investigations, fines, penalties, audits, inspections and similar); litigation (including class-action claims) and mass arbitration demands; additional reporting requirements and/or oversight; bans on processing personal data (including clinical trial data); and orders to destroy or not use personal data.

The development and commercialization of new drugs is highly competitive. We face competition with respect to our current drug candidates and will face competition with respect to any other drug candidates that we may seek to develop or commercialize in the future, from major pharmaceutical companies, specialty pharmaceutical companies and biotechnology companies worldwide. There are a number of large pharmaceutical and biotechnology companies that currently market and sell drugs or are pursuing the development of drug candidates for the treatment of the indications that we are pursuing. Potential competitors also include academic institutions, government agencies and other public and private research organizations that conduct research, seek patent protection and establish collaborative arrangements for research, development, manufacturing and commercialization. More established companies may have a competitive advantage over us due to their greater size, resources and institutional experience. In particular, these companies have greater experience and expertise in securing collaboration or partnering relationships, reimbursement, government contracts, relationships with key opinion leaders, conducting testing and clinical trials, obtaining and maintaining regulatory approvals and distribution relationships to market products, and marketing approved drugs. These companies also have significantly greater research and marketing capabilities than we do. If we are not able to compete effectively against existing and potential competitors, our business and financial condition may be harmed. As a result of these factors, our competitors may obtain regulatory approval of their drugs before we are able to, which may limit our ability to develop or commercialize our drug candidates. Our competitors may also develop therapies that are safer, more effective, more widely accepted and cheaper than ours, and may also be more successful than us in manufacturing and marketing their drugs. These appreciable advantages could render our drug candidates obsolete or non-competitive before we can recover the expenses of such drug candidates' development and commercialization. Mergers and acquisitions in the pharmaceutical and biotechnology industries may result in even more resources being concentrated among a smaller number of our competitors. Smaller and other early-stage companies may also prove to be significant competitors, particularly through collaborative arrangements with large and established companies. These third parties compete with us in recruiting and retaining qualified scientific, management and commercial personnel, establishing clinical trial sites and subject registration for clinical trials, as well as in acquiring technologies complementary to, or necessary for, our programs.

We focus our research and drug development on treatments for brain conditions with significant unmet need. This specifically includes medicines to treat symptoms of excess neural excitation such as seizures and psychoses that manifest in specific epilepsies, psychiatric, neurodegenerative and neurodevelopmental conditions. We are developing medicines for both rare and broader conditions. As a result of the disorders that we are targeting for drug development, our eligible patient population and pricing estimates may differ significantly from the actual market addressable by our drug candidates. Our projections of both the number of people who have these disorders, as well as the subset of people with these disorders who have the potential to benefit from treatment with our drug candidates, are based on our beliefs and estimates. These estimates have been derived from a variety of sources, including scientific literature, patient foundations, or market research, and may prove to be incorrect. Further, new studies may change the estimated incidence or prevalence of these disorders. The number of patients may turn out to be lower than expected. Likewise, the potentially addressable patient population for each of our drug candidates may be limited or may not be amenable to treatment with our drug candidates, and new patients may become increasingly difficult to identify or gain access to, which would adversely affect our results of operations and our business.

The global economy, including credit and financial markets, has experienced extreme volatility and disruptions, including, among other things, severely diminished liquidity and credit availability, declines in consumer confidence, declines in economic growth, supply chain shortages, fluctuations in inflation and interest rates, and uncertainty about economic stability. For example, during 2022 and 2023, the Federal Reserve raised interest rates multiple times in response to concerns about inflation. Higher interest rates, coupled with reduced government spending, tariffs, and volatility in financial markets may increase economic uncertainty and affect consumer spending. Similarly, geopolitical tensions including between China and Taiwan and the ongoing wars involving Ukraine and Israel have created volatility in the global capital markets and are expected to have further global economic consequences, including disruptions of the global supply chain and energy markets. Increased inflation may result in increased operating costs (including labor costs) and may affect our operating budgets. In addition, the U.S. Federal Reserve has raised interest rates in response to concerns about inflation. Trade disputes, tariffs, restrictions and other political tensions between the U.S. and other countries may also exacerbate unfavorable macroeconomic conditions, including inflationary pressures, foreign exchange volatility, financial market instability, and economic recessions or downturns, which may also limit our access to capital, or otherwise negatively impact our business and operations. Recently, the U.S. government has enacted, and continues to enact, a series of new tariffs, including a tariff on all imports and additional "reciprocal" tariffs targeting imports from specified countries. Additionally, current or future tariffs will result in increased research and development expenses, including with respect to increased costs associated with APIs, raw materials, laboratory equipment and research materials and components. In addition, such tariffs will increase our supply chain complexity and could also potentially disrupt our existing supply chain. Trade policies, geopolitical disputes and other trade restrictions affecting the import of materials necessary for clinical trials could result in delays to our development timelines. With the current administration in the U.S., additional and higher tariffs and sanctions may be imposed on goods imported from other countries which could increase the cost of goods needed to commercialize our products and continue development of our product candidates. Further, such actions by the U.S. could result in retaliatory action by those countries which could impact our ability to profitably commercialize our products in those jurisdictions. As a result, our business, operations and financial condition could be materially harmed. Any such volatility and disruptions may adversely affect our business or the third parties on whom we rely. If the equity and credit markets deteriorate, including as a result of political unrest or war, it may make any necessary debt or equity financing more difficult to obtain in a timely manner or on favorable terms, more costly or more dilutive. Increased inflation rates can adversely affect us by increasing our costs, including labor and employee benefit costs. The ultimate impact of current or future tariffs and trade restrictions remains uncertain and could materially and adversely affect our business, financial condition, and prospects. While we actively monitor these risks, any prolonged economic downturn, escalation in trade tensions, or deterioration in international perception of U.S.-based companies could materially and adversely affect our business, ability to access the capital markets or other financing sources, results of operations, financial condition and prospects. In addition, tariffs and other trade developments have and may continue to heighten the risks related to the other risk factors described elsewhere in this Quarterly Report on Form 10-Q.