HTG MOLECULAR DIAGNOSTICS, INC

Our business requires collecting, processing, manipulating, analyzing, disclosing and storing large amounts of proprietary, confidential and sensitive data, including personal information about our employees and others, information we collect from samples we process, intellectual property, trade secrets, and proprietary business information owned or controlled by ourselves or other third parties. In addition, we rely on enterprise software systems and third-party service providers and sub-processors to operate and manage our business. The confidentiality, availability, integrity and protection of our data is critical to our business and relevant stakeholders have a high expectation that we will adequately protect confidential and sensitive data, including personal data. We also maintain personally identifiable information. Our business therefore depends on the continuous, effective, reliable and secure operation of our data, computer hardware, software, networks, internet servers and related infrastructure including those of our collaborators, service providers and contractors. To the extent that our hardware and software malfunction or access to our data is interrupted or otherwise compromised, our business could suffer. If we, our service providers, partners or other relevant third parties have experienced or in the future experience any security incident(s) that result in any data loss, deletion or destruction, unauthorized access to, loss of, unauthorized acquisition or disclosure of, or inadvertent exposure of sensitive information, or compromise related to the security, confidentiality, integrity or availability of our (or their) information technology, software, services, communications or data, it may result in a material adverse impact, including without limitation, regulatory investigations or enforcement actions, litigation, indemnity obligations, negative publicity and financial loss. Further, failures or significant downtime of our information technology or telecommunication systems or those used by our third-party service providers could cause significant interruptions in our operations, including preventing us from conducting tests or research and development activities and preventing us from managing the administrative aspects of our business.

The regulatory environment governing information, security and privacy laws is increasingly demanding and continues to evolve. Maintaining compliance with applicable security and privacy regulations may increase our operating costs. Although we have implemented physical, technical and administrative safeguards designed to protect our data, information technology systems and communications software, we are still vulnerable to natural or man-made hazards, such as natural disasters, fire, storm, flood, power loss, wind damage, terrorism, war, telecommunications failures, physical or software break-ins, inadvertent acts, malicious intrusion, malware, data leakage, viruses and similar events. Moreover, we are vulnerable to cyberattacks, malicious internet-based activity and online and offline fraud, which are prevalent and continue to increase. In addition to traditional computer “hackers,” threat actors, software bugs, malicious code (such as viruses and worms), employee theft or misuse, denial-of-service attacks (such as credential stuffing), and ransomware attacks, sophisticated nation-state and nation-state supported actors now engage in attacks (including advanced persistent threat intrusions). We may also be the subject of phishing attacks, viruses, malware installation, server malfunction, software or hardware failures, loss of data and other computer assets, adware or other similar issues. These events may result in damage to or the impairment of key business processes, or the loss or corruption of confidential information, including intellectual property, proprietary business information and personal data. Such disruptions and breaches of security could have a material adverse effect on our business, financial condition and results of operations. We could be required to expend significant resources, fundamentally change our business activities and practices or modify our services, software, operations or information technology in an effort to protect against security breaches and to mitigate, detect and remediate actual and potential vulnerabilities and security incidents. There can be no assurances that our security measures or those of our service providers, partners, and other third parties will be effective in protecting against all security breaches and the material adverse impacts that may arise from such breaches.

We are subject to or affected by numerous federal, state and foreign laws and regulations, as well as regulatory guidance, governing the collection, use, disclosure, retention, processing and security of personal data, such as information that we collect about employees and patients in the United States and abroad. The global data protection landscape is rapidly evolving, and implementation standards and enforcement practices are likely to remain uncertain for the foreseeable future. This evolution may create uncertainty in our business, affect our or our collaborators’, service providers’ and contractors’ ability to operate in certain jurisdictions or to collect, store, transfer use and share personal data, necessitate the acceptance of more onerous obligations in our contracts, result in liability or impose additional costs on us. The cost of compliance with these laws, regulations and standards is high and is likely to increase in the future. We are also subject to the terms of our external and internal privacy and security policies, representations, certifications, standards, publications, frameworks, and contractual obligations related to our collection, processing, use and disclosure of personal data and/or other confidential information. Although we endeavor to comply with our published policies and other obligations, and take steps to ensure that our external and internal privacy and security policies and representations are not inaccurate, incomplete, deceptive, unfair, or misrepresentative of our actual practices, we may at times fail to do so or may be perceived to have failed to do so. Compliance with these and any other applicable privacy and data security laws, regulations and obligations is a rigorous and time-intensive process, and we may be required to put in place additional mechanisms, potentially at significant expense, to ensure compliance with the new data protection rules. Any failure or perceived failure by us or our collaborators, service providers and contractors to comply with federal, state or foreign laws or regulation, our internal policies and procedures, representations or our contracts governing processing, of personal data could result in negative publicity, disruptions or interruptions in our operations, fines, penalties (including changes to our data practices), lawsuits, liability, an inability to process personal data, diversion of management time and effort and proceedings against us by governmental entities or others, all of which could adversely affect our business, financial condition, results of operations and growth prospects. Furthermore, the laws are not consistent, and compliance in the event of a widespread data breach is costly. In many jurisdictions, enforcement actions and consequences for noncompliance are rising.

Other significant measures contained in the ACA include, for example, coordination and promotion of research on comparative clinical effectiveness of different technologies and procedures, initiatives to revise Medicare payment methodologies, such as bundling of payments across the continuum of care by providers and physicians, and initiatives to promote quality indicators in payment methodologies. The ACA also includes significant new fraud and abuse measures, including required disclosures of financial arrangements with physician customers, lower thresholds for violations and increasing potential penalties for such violations. However, the future of the ACA is uncertain. There have been executive, judicial and Congressional challenges to certain aspects of the ACA. For example, then-President Trump signed several Executive Orders and other directives designed to delay the implementation of certain provisions of the ACA or otherwise circumvent some of the requirements for health insurance mandated by the ACA. Congress considered legislation to repeal or repeal and replace all or part of the ACA. While Congress has not passed comprehensive repeal legislation, it has enacted laws that modify certain provisions of the ACA. For example, the Tax Act includes a provision that repealed, effective January 1, 2019, the tax-based shared responsibility payment imposed by the ACA on certain individuals who fail to maintain qualifying health coverage for all or part of a year that is commonly referred to as the “individual mandate”. In addition, the 2020 federal spending package permanently eliminated, effective January 1, 2020, the ACA-mandated medical device tax and “Cadillac” tax on high-cost employer-sponsored health coverage and, effective January 1, 2021, also eliminated the health insurer tax. On December 14, 2018, a Texas U.S. District Court Judge ruled that the ACA is unconstitutional in its entirety because the “individual mandate” was repealed by Congress as part of the Tax Act. Additionally, on December 18, 2019, the U.S. Court of Appeals for the 5th Circuit upheld the District Court ruling that the individual mandate was unconstitutional and remanded the case back to the District Court to determine whether the remaining provisions of the ACA are invalid as well. The U.S. Supreme Court is currently reviewing this case, although it is unclear when the Supreme Court will make a decision or how it will rule. On February 10, 2021, the Biden administration withdrew the federal government’s support for overturning the ACA. Although the U.S. Supreme Court has not yet ruled on the constitutionality of the ACA, on January 28, 2021, President Biden issued an executive order to initiate a special enrollment period for purposes of obtaining health insurance coverage through the ACA