identify other areas for further attention or improvement. Inferior internal controls could also cause investors to lose confidence in our reported financial information, which could have a negative effect on the trading price of our shares.
For as long as we are an “emerging growth company” under the JOBS Act, our independent registered public accounting firm will not be required to attest to the effectiveness of our internal controls over financial reporting pursuant to Section 404. We could be an “emerging growth company” for up to five years. An independent assessment of the effectiveness of our internal controls could detect problems that our management’s assessment might not. Undetected material weaknesses in our internal controls could lead to financial statement restatements and require us to incur the expense of remediation.
Our employees, independent contractors, principal investigators, CROs, consultants, vendors and partnership partners may engage in misconduct or other improper activities, including non-compliance with regulatory standards and requirements.
We are exposed to the risk that our employees, independent contractors, principal investigators, CROs, consultants, vendors and partnership partners may engage in fraudulent conduct or other illegal activities. Misconduct by these parties could include intentional, reckless and negligent conduct or unauthorized activities that violate, among other things: (i) the legal requirements or other requirements of the EMA, the FDA and comparable authorities, including those laws that require the reporting of true, complete and accurate information to such authorities; (ii) manufacturing standards; (iii) data privacy, security, fraud and abuse and other healthcare laws and regulations; or (iv) laws that require the reporting of true, complete and accurate financial information and data.
There is no certainty that all of our employees, agents, contractors, or partners, or those of our affiliates, will comply with all applicable laws and regulations, particularly given the high level of complexity of these laws. It is not always possible to identify and deter misconduct by employees and other third parties, and the precautions we take to detect and prevent this activity may not be effective in controlling unknown or unmanaged risks or losses or in protecting us from governmental investigations or other actions or lawsuits stemming from a failure to comply with such laws or regulations. Additionally, we are subject to the risk that a person could allege such fraud or other misconduct, even if none occurred. If any such actions are instituted against us, and we are not successful in defending ourselves or asserting our rights, those actions could result in significant administrative, civil and criminal fines and sanctions against us, our officers, or our employees, the closing down of our facilities, requirements to obtain export licenses, cessation of business activities in sanctioned countries, exclusion from participation in federal healthcare programs including Medicare and Medicaid, implementation of compliance programs, integrity oversight and reporting obligations, and prohibitions on the conduct of our business. Any such violations could include prohibitions on our ability to offer our partners’ products in one or more countries and could materially damage our reputation, our brand, our international expansion efforts, our ability to attract and retain employees, and our business, prospects, operating results and financial condition.
Actual or perceived failures to comply with applicable data protection, privacy and security laws, regulations, standards and other requirements could adversely affect our business, results of operations, and financial condition.
We receive and store increasing volumes of sensitive information, such as employee, personal and pseudonymized patient data as well as human biological materials. We are subject to a variety of local, state, national and international laws, directives and regulations that apply to the collection, use, storage, retention, protection, disclosure, transfer and other processing of personal data, collectively referred to as “data processing”, in the different jurisdictions in which we operate, including comprehensive regulatory systems in the United States and Europe. Legal requirements relating to data processing continue to evolve and may result in ever-increasing public scrutiny and escalating levels of enforcement, sanctions and increased costs of compliance.
As our operations and business grow, we may become subject to or affected by new or additional data protection laws and regulations and face increased scrutiny or attention from regulatory authorities. In the United