EX-99.4 5 d202129dex994.htm EX-99.4 EX-99.4

Exhibit 99.4

RISK FACTORS

The following risk factors should be read in conjunction with, and amend and supplement, those included in the Annual Report on Form 20-F filed by Legend Biotech Corporation (“we”, “our”, “us” or the “Company”) on April 2, 2021 (the “Form 20-F”). Investing in the Company’s American Depositary Shares representing its ordinary shares (“ADSs”) and its ordinary shares involves a high degree of risk. You should carefully consider the risks described below, and all other information contained in or incorporated by reference in the Form 20-F, before making an investment decision regarding the Company’s securities.

Risks Related to Our Business

We are or may become subject to a variety of privacy and data security laws, policies and contractual obligations, and our failure or failure of our third-party vendors, collaborators, contractors or consultants to comply with existing or future laws and regulations related to privacy or data security could lead to government enforcement actions, which could include civil or criminal fines or penalties, private litigation, other liabilities, and/or adverse publicity. Compliance or the failure to comply with such laws could increase the costs, could limit their use or adoption, and could otherwise negatively affect our operating results and business.

We maintain and process, and our third-party vendors, collaborators, contractors and consultants maintain and process on our behalf, sensitive information, including confidential business and personal information, including but not limited to health information in connection with our preclinical and clinical studies and our employees, and are subject to laws and regulations governing the privacy and security of such information. Failure by us, our third- party vendors, collaborators, contractors and consultants to comply with any of these laws and regulations could result in enforcement action against us, including fines, imprisonment of company officials and public censure, claims for damages by affected individuals, damage to our reputation and loss of goodwill, any of which could have a material adverse effect on our business, financial condition, results of operations or prospects.

Regulatory authorities in China have implemented and are considering a number of legislative and regulatory proposals concerning data protection. On March 17, 2018, the General Office of the PRC State Council promulgated the Measures for the Management of Scientific Data (the Scientific Data Measures) which provide a broad definition of scientific data and relevant rules for the management of scientific data. According to the Scientific Data Measures, any scientific data involving state secret, state security, social public interests, commercial secret or personal privacy may not be open and shared; where openness is indeed needed, the purpose, user’s qualification, conditions of confidentiality and other factors shall be reviewed, and the informing scope shall be strictly controlled. Further, any researcher conducting research funded, at least in part, by the PRC government is required to submit relevant scientific data for management by the entity to which such researcher is affiliated before such data may be published in any foreign academic journal. China’s Cyber Security Law, which became effective in June 2017, created China’s national-level data protection for “network operators,” which may include all organizations in China that provide services over the internet or another information network. Numerous regulations, guidelines and other measures are expected to be adopted under the umbrella of the Cyber Security Law. Furthermore, the Opinions on Strictly Cracking Down on Illegal Securities Activities, which was issued by the General Office of the State Council and another authority on July 6, 2021, requires the speed-up of the revision of the provisions on strengthening the confidentiality and archives management related to overseas issuance and listing of securities, and improvement to the laws and regulations related to data security, cross-border data flow, and management of confidential information. China’s Data Security Laws, which was promulgated by the Standing Committee of PRC National People’s Congress, or the SCNPC, on June 10, 2021 and became effective on September 1, 2021, outlines the main system framework of data security protection. The Personal Information Protection Law promulgated by the SCNPC on August 20, 2021 and became effective on November 1, 2021, which outlines the main system framework of personal information protection and processing. Drafts of some of these measures have now been published, including the draft rules on the Measures for the Security Assessment of Personal Information and Important Data to be Transmitted Abroad published by the Cyberspace Administration of China, or the CAC, in 2017, which may, upon enactment, require security review before transferring human health-related data out of China. In addition, the draft amendment to the Measures for Cyber Security Review, or the Draft Measures, was published by the CAC on July 10, 2021 and was issued for soliciting public comment until July 25, 2021. Comparing with the current Measures for Cyber Security Review, the changes under the Draft Measures include without limitation the following aspects: (i) “data processing operators” are incorporated into the regulatory scope; (ii) the China Securities Regulatory Commission, or the CSRC, is included as one of the authorities for jointly establishing the state cyber security review working mechanism; (iii) an application for cyber security review must be made by an issuer who is a “critical information infrastructure operator” or a “data processing operator” as defined therein (each an “operator” as defined under the Draft Measures) before such issuer’s securities become listed in a foreign country if such issuer possesses personal information of more than 1 million users, (iv) the operators’ purchase of network products and services that affect or may affect national security will be subject to the

cybersecurity review, and (v) the risk of core data, material data or large volume of personal information being stolen, leaked, damaged, illegally used or cross-border transmitted and the risk of critical information infrastructure, core data, material data or large volume of personal information being influenced, controlled or used out of malevolence by the government of foreign country after relevant operators’ securities being listed on a stock exchange of a foreign country shall be considered as one of the factors for evaluating the national security risks that may be brought by procurement activities, data processing activities and overseas listing. Regulations on the Security Protection of Critical Information Infrastructure, which was promulgated by the State Council of the PRC on July 30, 2021 and became effective on September 1, 2021, or the CII Protection Regulations, stipulates the obligations and liabilities of the regulators, society and critical information infrastructure operators, or the CIIOs, in protecting the security of critical information infrastructure, or the CII. According to the CII Protection Regulations, regulators supervising specific industries shall formulate detailed guidance to recognize the CII in the respective sectors, and CIIOs shall take the responsibility to protect the CII’s security by performing certain prescribed obligations. For example, CIIOs are required to conduct network security test and risk assessment, report the assessment results to relevant regulatory authorities, and timely rectify the issues identified at least once a year. The draft Regulations for the Administration of Cyber Data Security, or the Draft Data Security Regulations, published by the CAC on November 14, 2021 for public comments until December 13, 2021 reiterates that a data processor who processes personal information of more than 1 million individuals shall go through the cyber security review if it intends to be listed in a foreign country, and if a data processor conducts any data processing activities that affect or may affect national security, an application for cyber security review shall also be made by such processor. And the Draft Data Security Regulations require data processors processing important data or being listed outside China shall carry out data security assessment annually by itself or through a third party data security service provider and submit assessment report to local agency of the CAC. The Draft Data Security Regulations provide a broad definition of data processing activities, including collection, storage, usage, processing, transfer, provision, publication, deletion and other activities, and the Draft Data Security Regulations also provide a broad definition of data processor as individuals and entities which autonomously determine the purpose and method during data processing activities. However, the Draft Data Security Regulations provide no further elaboration on what constitutes a situation that “affects or may affect national security” and are subject to further changes before being formally adopted and coming into effect.

As of the date of this prospectus supplement, no detailed rules or implementation of the Draft Measures or the Draft Data Security Regulations have been issued by the CAC, and the PRC governmental authorities may have wide discretion in the interpretation and enforcement of these laws and regulations. It also remains uncertain whether the future regulatory changes would impose additional restrictions on companies like us. We cannot predict the impact of the Draft Measures and/or the Draft Data Security Regulations, if any, at this stage, and we will closely monitor and assess any development in the rulemaking process. If the enacted version of the Draft Measures and/or the Draft Data Security Regulations requires any clearance of cybersecurity review and other specific actions to be completed by companies like us, we face uncertainties as to whether such clearance can be timely obtained, or at all. If we are not able to comply with the cybersecurity and data privacy requirements in a timely manner, or at all, we may be subject to government enforcement actions and investigations, fines, penalties, or suspension of our non-compliant operations, among other sanctions, which could materially and adversely affect our business and results of operations. We have been making constant efforts to comply with the relevant data protection laws and regulations in the PRC and will endeavor to comply with any update in the applicable laws, regulations or guidelines as issued by any relevant regulatory authorities in the PRC. However, we cannot assure you that we are able to comply with any applicable privacy and data security laws, regulations and guidelines in a timely manner, or at all.

In addition, certain industry-specific laws and regulations affect the collection and transfer of personal data in China. For example, the PRC State Council promulgated Regulations on the Administration of Human Genetic Resources (effective in July 2019), which require approval/filing from the Science and Technology Administration Department of the PRC State Council where human genetic resources are involved in any international collaborative project and additional approval, filing and backup for any export or cross-border transfer of the human genetic resources samples or associated data or for providing/offering access of the information on human genetic resources to foreign entities and the institutions established or actually controlled thereby. We cannot assure you that we have complied or will be able to comply with all applicable human genetic resources related regulations. It is possible that these laws may be interpreted and applied in a manner that is inconsistent with our practices, potentially resulting in confiscation of human genetic resources samples and associated data and administrative fines. As there are still uncertainties regarding the further enaction of new laws and regulations as well as the revision, interpretation and implementation of those existing laws and regulations, we cannot assure you that we will be able to comply with such regulations in all respects, and we may be ordered to make rectification and terminate any actions that are deemed illegal by the regulatory authorities and become subject to fines and/or other sanctions. As a result, we may be required to suspend our related businesses or face other penalties which may have material adverse effect on our business, operations and financial condition.

 

In May 2018, a new privacy regime, the General Data Protection Regulation, or the GDPR, took effect in the European Economic Area, or the EEA, into which we may expand our business. The GDPR governs the collection, use, disclosure, transfer or other processing of personal data of European persons. Among other things, the GDPR imposes requirements regarding the security of personal data and notification of data processing obligations to the competent national data processing authorities, changes the lawful bases on which personal data can be processed, expands the definition of personal data and requires changes to informed consent practices, as well as more detailed notices for clinical trial subjects and investigators. In addition, the GDPR increases the scrutiny of transfers of personal data from clinical trial sites located in the EEA to the United States and other jurisdictions that the European Commission does not recognize as having “adequate” data protection laws, and imposes substantial fines for breaches and violations (up to the greater of €20 million or 4% of our consolidated annual worldwide gross revenue). The GDPR also confers a private right of action on data subjects and consumer associations to lodge complaints with supervisory authorities, seek judicial remedies and obtain compensation for damages resulting from violations of the GDPR. Further, while the United Kingdom enacted the Data Protection Act 2018 in May 2018 that supplements the GDPR and has publicly announced that it will continue to regulate the protection of personal data in the same way post-Brexit, Brexit has created uncertainty with regard to the future of regulation of data protection in the United Kingdom. Some countries also are considering or have passed legislation requiring local storage and processing of data, or similar requirements, which could increase the cost and complexity of delivering our products and services.

In the United States, there are numerous federal and state privacy and data security laws and regulations governing the collection, use, disclosure and protection of personal information, including federal and state health information privacy laws, federal and state security breach notification laws, and federal and state consumer protection laws. Each of these constantly evolving laws can be subject to varying interpretations. For example, regulations promulgated pursuant to the Health Insurance Portability and Accountability Act of 1996, or HIPAA, establish privacy and security standards that limit the use and disclosure of individually identifiable health information, or protected health information, and require the implementation of administrative, physical and technological safeguards to protect the privacy of protected health information and ensure the confidentiality, integrity and availability of electronic protected health information. Determining whether protected health information has been handled in compliance with applicable privacy standards and our contractual obligations can be complex and may be subject to changing interpretation. The U.S. Department of Health and Human Services, or HHS, has the discretion to impose penalties without attempting to first resolve violations. HHS enforcement activity can result in financial liability and reputational harm, and responses to such enforcement activity can consume significant internal resources.

In addition, states are constantly adopting new laws or amending existing laws, requiring attention to frequently changing regulatory requirements. For example, California enacted the California Consumer Privacy Act, or the CCPA, on June 28, 2018, which took effect on January 1, 2020 and has been dubbed the first “GDPR- like” law in the United States. The CCPA gives California residents expanded rights to access and delete their personal information, opt out of certain personal information sharing and receive detailed information about how their personal information is used by requiring covered companies to provide new disclosures to California consumers (as that term is broadly defined and can include any of our current or future employees who may be California residents) and provide such residents new ways to opt-out of certain sales of personal information. The CCPA provides for civil penalties for violations, as well as a private right of action for data breaches that is expected to increase data breach litigation. As we expand our operations and trials (both preclinical or clinical), the CCPA may increase our compliance costs and potential liability. Some observers have noted that the CCPA could mark the beginning of a trend toward more stringent privacy legislation in the United States. Other states are beginning to pass similar laws.

Many statutory requirements, both in the United States and abroad, include obligations for companies to notify individuals of security breaches involving certain personal information, which could result from breaches experienced by us or our third-party service providers. For example, laws in all 50 U.S. states and the District of Columbia require businesses to provide notice to consumers whose personal information has been disclosed as a result of a data breach. These laws are not consistent, and compliance in the event of a widespread data breach is difficult and may be costly. Moreover, states have been frequently amending existing laws, requiring attention to changing regulatory requirements. We also may be contractually required to notify customers or other counterparties of a security breach. Any contractual protections we may have from our third-party service providers, contractors or consultants may not be sufficient to adequately protect us from any such liabilities and losses, and we may be unable to enforce any such contractual protections.

We expect that there will continue to be new proposed laws and regulations concerning data privacy and security, and we cannot yet determine the impact such future laws, regulations and standards may have on our business. New laws, amendments to or re-interpretations of existing laws, regulations, standards and other obligations may require us to incur additional costs and restrict our business operations. Because the interpretation and application of health-related and data protection laws, regulations, standards and other obligations are still uncertain, and often contradictory and in flux, it is possible that the scope and requirements of these laws may be interpreted and applied in a manner that is inconsistent with our practices and our efforts to comply with the evolving data protection rules may be unsuccessful. If so, this could result in government- imposed fines or orders requiring that we change our practices, which could adversely affect our business. In addition, these privacy regulations may differ from country to country, and may vary based on whether testing is performed in the United States or in the local country and our operations or business practices may not comply with these regulations in each country.

Compliance with these and any other applicable privacy and data security laws and regulations is a rigorous and time-intensive process, and we may be required to put in place additional mechanisms ensuring compliance with the new data protection rules. If we or our third-party vendors, collaborators, contractors and consultants fail to comply with any such laws or regulations, we may face regulatory investigations, significant fines and penalties, reputational damage or be required to change our business practices, all of which could adversely affect our business, financial condition and results of operations.

Risks Related to Doing Business in China

The approval of the China Securities Regulatory Commission or other governmental authority may be required.

On August 8, 2006, six PRC regulatory agencies, including the China Securities Regulatory Commission, or the CSRC, promulgated the Provisions on the Merger or Acquisition of Domestic Enterprises by Foreign Investors, or the M&A Rules, which became effective on September 8, 2006 and was amended on June 22, 2009. The M&A Rules, among other things, requires offshore SPVs formed for the purpose of an overseas listing and controlled by PRC companies or individuals, to obtain the CSRC approval prior to listing their securities on an overseas stock exchange. The application of this regulation remains unclear. Our PRC legal counsel has advised us that, based on their understanding of the current PRC laws, the CSRC approval was not required under the M&A Rules in the context of our initial public offering because the ownership structure of our PRC subsidiaries was established by direct investment instead of through acquisition of equity interests or assets of any PRC domestic company by foreign entities as defined under the M&A Rules.

However, we have been advised by our PRC legal counsel that there are uncertainties regarding the interpretation and application of the PRC laws and regulations, and there can be no assurance that the PRC government will ultimately take a view that is not contrary to the above opinion of our PRC legal counsel. Furthermore, the recently issued Opinions on Strictly Cracking Down on Illegal Securities Activities emphasized the need to strengthen the supervision on overseas listings by China-based companies and provided that the special provisions of the State Council on overseas issuance and listing of shares by those companies limited by shares will be revised. There are still uncertainties regarding the interpretation and implementation of these Opinions, and further explanations or detailed rules and regulations with respect to these Opinions may be issued in the future which could impose additional requirements on us.

In addition, the draft amendment to the Measures for Cyber Security Review published by the CAC on July 10, 2021 provides that an application for cyber security review must be made by an issuer who is a “critical information infrastructure operator” or a “data processing operator” as defined therein before such issuer’s securities become listed in a foreign country if such issuer possesses personal information of more than 1 million users, and that the relevant governmental authorities in the PRC may initiate cyber security review if such governmental authorities determine an operator’s cyber products or services, data processing or listing in a foreign country affect or may affect national security. The draft Regulations for the Administration of Cyber Data Security, published by the CAC on November 14, 2021 for public comments, reiterates that a data processor who processes personal information of more than 1 million individuals shall go through the cyber security review if it intends to be listed in a foreign country, and if an issuer conducts any data processing activities that affect or may affect national security, an application for cyber security review shall also be made by such processor.

We may be adversely affected by an ongoing investigation involving our majority shareholder and our former chief executive officer and Chairman. Although we and Genscript have conducted targeted internal reviews relating to the investigation, Genscript has not conducted a comprehensive internal review of all transactions it handled on behalf of us prior to our initial public offering, and there can be no assurance that the investigation will not involve us or that the Authority or other governmental authority will not pursue criminal or civil remedies against us or our directors, officers or employees in the future, including sanctions, monetary penalties and regulatory actions, which could adversely affect us.

Our majority shareholder, Genscript, and Dr. Fangliang Zhang, our former chairman and chief executive officer, and the former chairman and chief executive officer of Genscript, are currently under investigation by the Customs Anti-Smuggling Department of Zhenjiang, or the Authority, in the PRC. The Authority’s inspection included places of business in Nanjing and Zhenjiang, China, of Genscript, and certain of its subsidiaries, including our location in Nanjing. The inspections are in connection with what we believe to be an investigation relating to suspected violations of import and export regulations under the laws of the PRC, which has, to date, focused on Genscript’s import and export activity preceding our initial public offering in June 2020, at which time we were a subsidiary of Genscript and Dr. Zhang was chairman and chief executive officer of Genscript. Following a period of residential

surveillance and arrest by PRC law enforcement, Dr. Zhang was released on bail by the Authority on February 9, 2021. Two Genscript employees had also been placed under arrest. Five of our employees have been questioned by the PRC authorities about their prior roles at Genscript. One of these five employees, who was previously a Genscript employee, was briefly detained and this employee is currently released on bail. In May 2021, Dr. Zhang and the four employees of Genscript, along with two PRC subsidiaries of Genscript, were notified by the Authority that the investigation was complete, and that their respective matter had been handed over to the Zhenjiang Municipal People’s Procuratorate, or the Procuratorate, for examination and possible prosecution. In July 2021, the Procuratorate returned the case to the Authority for supplementary investigation. As of the date of this prospectus supplement, the supplementary investigation is completed and the Authority has handed the case back to the Procuratorate. Whether or when the Procuratorate will pursue pressing any charges against GenScript, Dr. Zhang or Genscript employees remains undecided. To the best of our knowledge, no charges have been filed to date against Dr. Zhang, Genscript or us and the Authority has not notified us that we are a target of the Authority’s investigation.

The Audit Committee of our Board of Directors engaged external counsel to conduct an internal review of our import and export transactions. The review identified no apparent issues with respect to transactions conducted since our initial public offering in June 2020. However, transactions prior to July 2020 were handled by Genscript on our behalf, which limits our ability to review such transactions. While Genscript, with the assistance of its external counsel, conducted a targeted review based on feedback from its communications with the Authority, it has not conducted a comprehensive internal review of all transactions it handled on behalf of us prior to our initial public offering. Accordingly, our ability to ascertain the risk of our exposure to the Authority’s investigation is limited and there is a risk that we may become a subject of the Authority’s investigation, and thereafter subject to proceedings, penalties and restrictions on our activities, which could adversely affect us.

While no charges have been filed against us or any of our officers or directors, and we understand that we are not a target of the Authority’s investigation at this time, we believe that the investigation has had an adverse impact on the price of our ADSs and ordinary shares, and could continue to have such an adverse impact, particularly if charges are brought against Genscript or Dr. Zhang, if PRC authorities seek to impose restrictions on Genscript’s or our activities, or if the Authority decides to investigate us, our officers, employees or directors in the context of its investigation of Genscript and Dr. Zhang or otherwise, or if any of our or Genscript’s executive officers are subjected to residential surveillance, detention, arrest, charges or imprisonment. As of October 31, 2021, (i) Dr. Zhang directly owns 14.5% of the issued and outstanding ordinary shares of Genscript, plus 1.4% of ordinary shares of Genscript through his trust, (ii) Genscript, in turn, beneficially owns 58.4% of our ordinary shares, and (iii) two out of six of the members of our board of directors are employees of Genscript.

Furthermore, despite the fact that Dr. Zhang is no longer one of our executive officers or directors, Dr. Zhang may still be able to influence us and/or Genscript, and such influence, or the perception that Dr. Zhang exerts such influence over us and/or Genscript, may lead to further investigations by the Authority or other governmental authorities, and have an adverse impact on the price of our ADSs and ordinary shares. In each situation, our management’s attention may be diverted, management of our operations could be adversely affected, significant expenses could be incurred, our reputation and ability to raise capital in the future may be harmed, and there could be a material adverse effect on our business, financial condition, results of operations, and prospects, especially if there is an adverse outcome.

Additionally, any investigation could damage our reputation or cause our existing collaboration partner, Janssen, and other third parties to terminate existing agreements and potential partners to seek other partners, any of which could impact our results of operations. Separately, Genscript has conveyed that in the course of the Authority’s inspection of Genscript, the Authority has also identified nine imports, which Genscript handled on behalf of the Company prior to the IPO, in respect of which there may be minor non-compliance issues concerning import declarations, which are distinct from the matters that have been the focus of the Authority’s investigation. Genscript has informed us that it believes that Genscript is the target of the Authority’s inquiries with respect to these import declaration matters, and the Authority has not contacted us with respect to such import declaration matters.

Our business may be significantly affected by the newly enacted Foreign Investment Law and the “negative list.”

On March 15, 2019, the PRC’s National People’s Congress promulgated the Foreign Investment Law, which took effect on January 1, 2020 and replaced three existing laws regulating foreign investment in China, namely, the PRC Equity Joint Venture Law, the PRC Cooperative Joint Venture Law and the Wholly Foreign owned Enterprise Law, together with their implementation rules and ancillary regulations. The Foreign Investment Law grants foreign invested entities the same treatment as PRC domestic entities, except for those foreign invested entities that operate in industries deemed to be either “restricted” or “prohibited” in the “negative list” published by the State Council. We are a Cayman Islands company and our PRC subsidiaries, Nanjing Legend Biotech Co., Ltd., or Legend Nanjing, and Hainan Chuanji Biotech Co., Ltd., or Legend Hainan, are currently considered to be foreign invested entities. Legend Hainan was established in October, 2021. As of the date of this prospectus supplement, Legend Hainan is not engaged in substantive business operations in the PRC.

The latest version of the “negative list,” namely, the Special Management Measures (Negative List) for the Access of Foreign Investment (2020), which was promulgated by the Ministry of Commerce (“MOFCOM”) and the National Development and Reform Commission (“NDRC”) and became effective on July 23, 2020, provides that foreign investment is prohibited in the development and application of human stem cell or gene diagnostic and therapeutic technologies. As of the date of this prospectus supplement, there has been no official interpretation of the scope of “human stem cell or gene diagnostic and therapeutic technologies” specified in the Negative List and the application of this regulation remains unclear. The Encouraged Industry Catalogue for Foreign Investment (2020), or the 2020 Encouraged Industry Catalogue, which was promulgated by the MOFCOM and the NDRC and became effective on January 27, 2021, provides that foreign investment is encouraged in the development and production of cell therapy drugs except in areas where foreign investment is prohibited. Besides, the Technical Guidelines for Clinical Trials of Immune cell Therapy Products (Trial), or Technical Guidelines for Clinical Trials, which was published by the Center for Drug Evaluation of National Medical Products Administration, or the CDE, on February 10, 2021, provides that CAR-T, as a kind of immune cell therapy products, has the nature of gene therapy products. The Technical Guidelines for Clinical Trials was issued for sponsors’ references, and is not compulsory or to identify the regulatory nature or classification of immune cell therapy products, and is subject to modifications and improvements from time to time. On December 3, 2021, the CDE published the Technical Guidelines for Non-clinical Research and Evaluation of Gene Therapy Products (Trial) (“Technical Guidelines for Gene Therapy Products”) and Technical Guidelines for Non-clinical Research of Gene Modified Cell Therapy Products (Trial) (“Technical Guidelines for Gene Modified Cell Therapy Products”), which became effective as of the date of promulgation. The Technical Guidelines for Gene Therapy Products provides that it is applicable to gene therapy products other than genetically modified cells therapy products, and genetically modified cells therapy products, such as CAR-T cell therapy products, shall refer to the Technical Guidelines for Gene Modified Cell Therapy Products, which was formulated according to the Technical Guidelines for the Research and Evaluation of Cell Therapy Products (Trial).

Legend Nanjing is engaged in the research and development of CAR-T cell therapies. We believe the CAR-T cell therapies, as they are currently being researched and developed by Legend Nanjing, do not involve the use of human stem cells or genetic diagnosis and treatment, and as such should not fall into the category of “human stem cell or gene diagnostic and therapeutic technologies” under the negative list. Moreover, relevant governmental authorities also confirmed the research and development of CAR-T cell therapies currently engaged in by Legend Nanjing complies with the requirements of foreign investment industrial policies. We have been advised by our PRC legal counsel, JunHe LLP, that Legend Nanjing has complied with PRC laws and regulations in all material respects for, and obtained all material governmental approvals and permits from PRC regulatory agencies for, the research and development of CAR-T cell therapies. However, we have been advised by our PRC legal counsel that there are uncertainties regarding the interpretation and application of the PRC laws and regulations, and there can be no assurance that the PRC government will ultimately take a view that is not contrary to our view and the opinion of our PRC legal counsel above. If our CAR-T cell therapies or other technologies that are being researched and developed by Legend Nanjing are deemed by relevant PRC regulatory agencies as falling into the category of “human stem cell or gene diagnostic and therapeutic technologies” under the negative list, Legend Nanjing would be prohibited from engaging in the research or development of such CAR-T cell therapies or other technologies. In that event, we may have to stop investing in Legend Nanjing or consider restructuring Legend Nanjing as a PRC domestic entity and our variable interest entity. Legend Nanjing may also have to forfeit its income derived from the research and development of such technologies. Any of these occurrences may harm our business, prospects, financial condition and results of operations significantly.

Failure to comply with PRC regulations regarding the registration or filing requirements for employee stock ownership plans or share option plans may subject the plan participants or us to fines and other legal or administrative sanctions.

Under the applicable regulations and SAFE rules, PRC citizens who participate in an employee stock ownership plan or a stock option plan in an overseas publicly listed company are required to register with SAFE and complete certain other procedures. In February 2012, SAFE promulgated the Notices on Issues concerning the Foreign Exchange Administration for Domestic Individuals Participating in Stock Incentive Plans of Overseas Publicly Listed Companies, or the Stock Option Rules, which replaced the Application Procedures of Foreign Exchange Administration for Domestic Individuals Participating in Employee Stock Ownership Plan or Stock Option Plans of Overseas Publicly Listed Companies issued by SAFE in March 2007. Pursuant to the Stock Option Rules, if a PRC resident participates in any stock incentive plan of an overseas publicly listed company, a qualified PRC domestic agent must, among other things, file on behalf of such participant an application with SAFE to conduct the SAFE registration with respect to such stock incentive plan and obtain approval for an annual allowance with respect to the purchase of foreign exchange in connection with the exercise or sale of stock options or stock such participant holds. Such participating PRC residents’ foreign exchange income received from the sale of stock and dividends distributed by the overseas publicly listed company must be fully remitted into a PRC collective foreign currency account opened and managed by the PRC agent before distribution to such participants. We and our PRC resident employees who have been granted stock options or other share-based incentives of ours are subject to the Stock Option Rules. However, we do not have control over our PRC resident participants and cannot compel them to comply with SAFE registrations.

Therefore, we cannot assure you that any required registration under SAFE registrations will be completed in a timely manner, or at all. If we or our PRC resident participants fail to comply with these regulations, we and/or our PRC resident participants may be subject to fines and legal sanctions. Besides, failure to complete the SAFE registrations may limit our PRC resident participants’ ability to make payment under our share incentive plan or receive dividends or sales proceeds related thereto, or limit our ability to contribute additional capital into our wholly-foreign owned enterprises in China and limit our wholly-foreign owned enterprises’ ability to distribute dividends to us. We also face regulatory uncertainties that could restrict our ability to adopt additional share incentive plans for our directors and employees under PRC laws.

In addition, the State Taxation Administration issued the Notice on Several Measures for Further Deepening the Reform of “Simplifying Administration and Decentralizing Powers, Combining Decentralization with Appropriate Control, and Optimizing Services” and Cultivating and Stimulating the Vitality of Market Participants, or the Notice, in October 2021, which require any enterprise that implements equity (stock) incentive plan shall submit a Report Form of Equity Incentives and other materials to the competent tax authority within 15 days of the next month after deciding to implement equity incentives or before the end of 2021 for equity incentive plans that have been implemented but not yet completed, including domestic enterprises that provide equity incentives for employees with equity of overseas enterprises. However, as the Notice is newly issued, there are still substantial uncertainties as to its interpretation and implementations in practice. Therefore, we cannot assure you that any required registration or filing under the Notice or other regulations will be completed in a timely manner, or at all. If we or our participants fail to comply with these regulations, we and/or our participants may be subject to fines and other legal sanctions.

The audit report included in Legend Biotech’s Annual Report is prepared by an auditor who is not inspected by the Public Company Accounting Oversight Board, or the PCAOB and, as such, Legend Biotech’s investors are deprived of the benefits of such inspection. The Holding Foreign Companies Accountable Act, or the HFCA Act, and other legislative and regulatory developments related to political tensions between the United States and China may have a material adverse impact on Legend Biotech’s continued listing and trading in the U.S. and the trading prices of Legend Biotech’s ADSs.

As an auditor of U.S. publicly traded companies and a PCAOB-registered accounting firm, the independent registered public accounting firm that issued the audit report included in Legend Biotech’s Annual Report is required by the laws of the United States to undergo regular inspections by the PCAOB to assess its compliance with the laws of the United States and professional standards. Because our auditor is located in the PRC—a jurisdiction where the PCAOB is currently unable to conduct inspections without the approval of the Chinese authorities—our auditor is not currently inspected by the PCAOB.

PCAOB inspections are able to identify deficiencies in the inspected firms’ audit procedures and quality control procedures, which may then be addressed as part of the inspection process to improve future audit quality. The lack of PCAOB inspections in China prevents the PCAOB from regularly evaluating our auditor’s audits and quality control procedures. As a result, investors may be deprived of the benefits of PCAOB inspections of our auditor. The inability of the PCAOB to conduct an inspection of our auditor makes it more difficult to evaluate the effectiveness of our auditor’s audit procedures or quality control procedures as compared to auditors outside of China that are subject to PCAOB inspections. Accordingly, investors may have a lower level of confidence in Legend Biotech’s reported financial information and procedures and the quality of Legend Biotech’s financial statements than if our auditor were subject to PCAOB inspections.

Further, U.S. legislators and regulators have in recent years voiced concerns about risks associated with investing in companies that are based in or have substantial operations in emerging markets, including China. In particular, lawmakers have highlighted the increased risks associated with companies whose independent auditors are unable to be inspected by the PCAOB. As part of this continued focus in the United States on access to audit and other information currently protected by national law, in particular China’s, on December 18, 2020, the U.S. president signed the HFCA Act into law. On December 2, 2021, the SEC adopted final rules implementing the HFCA Act.

The HFCA Act requires the SEC to identify and maintain a list of U.S. listed companies whose audit reports are prepared by auditors that the PCAOB is unable to inspect or investigate completely because of restrictions imposed by the authorities in the foreign jurisdiction. The HFCA Act also requires SEC-identified public companies to (i) submit documentation establishing that the company is not owned or controlled by a governmental entity in the jurisdiction that restricts PCAOB inspections and (ii) make certain additional disclosures in their SEC filings regarding, among other things, the fact that the PCAOB is unable to inspect its audit firm, the percentage of the company’s shares owned by governmental entities in such foreign jurisdiction, whether governmental entities in such foreign jurisdiction have a controlling financial interest with respect to the company, the name of any Chinese Communist Party members on the company’s board of directors, and whether there are any charters of the Chinese Communist Party included in the company’s organizational documents (including the text of any such charter). For issuers remaining on the SEC-identified companies list for three consecutive years, the securities of such company would be prohibited from trading on a U.S. national securities exchange, such as The Nasdaq Global Select Market, or in U.S. over-the-counter markets. On June 22, 2021, the U.S. Senate passed a bill which, if passed by the U.S. House of Representatives and signed into law, would reduce the number of consecutive non-inspection years required for triggering the prohibitions under the HFCA Act from three years to two. It is uncertain whether this proposed legislation will advance.

The SEC will begin identifying issuers based on annual reports filed in 2022 for the fiscal year ended December 31, 2021. Because Legend Biotech’s Annual Report for fiscal year 2021 will include an audit report issued by our auditor, it is expected that Legend Biotech will be an SEC-identified company in fiscal year 2022, and would be required to comply with the SEC’s submission and disclosure requirements for Legend Biotech’s Annual Report for the fiscal year ending December 31, 2022. Legend Biotech is evaluating potential responses to the HFCA Act, including the possibility of changing its principal auditor to a firm that can be inspected by the PCAOB. Such evaluation is ongoing and until a definitive response is identified and implemented, Legend Biotech’s inclusion as an SEC-identified company could cause investor uncertainty and the market price of its ADSs could be materially adversely affected. If Legend Biotech is unable to meet PCAOB inspection requirements in a timely manner, it could be delisted. If Legend Biotech’s ADSs are unable to be listed on another securities exchange by then, such a delisting would substantially impair your ability to sell or purchase its ADSs when you wish to do so, and the risk and uncertainty associated with a potential delisting would have a negative impact on the price of Legend Biotech’s ADSs. In addition, any actions that Legend Biotech takes in response to the HFCA Act and compliance with the requirements of the HFCA Act for so long as Legend Biotech remains an SEC-identified company, may require Legend Biotech to incur additional legal, accounting and other expenses, which may be significant.

Governmental control of currency conversion may limit our ability to utilize our revenues effectively and affect the value of your investment.

The PRC government imposes controls on the convertibility of the Renminbi into foreign currencies and, in certain cases, the remittance of currency out of China. Under our current corporate structure, our Cayman Islands holding company may rely on dividend payments from our PRC subsidiaries to fund any cash and financing requirements we may have in the future. Under existing PRC foreign exchange regulations, payments of current account items, including profit distributions, interest payments and trade and service-related foreign exchange transactions, can be made in foreign currencies without prior approval of SAFE, by complying with certain procedural requirements. Specifically, under the existing exchange restrictions, without prior approval of SAFE, cash generated from the operations of our PRC subsidiaries in China may be used to pay dividends to our company. However, approval from or registration with appropriate government authorities is required where Renminbi is to be converted into foreign currency and remitted out of China to pay capital expenses such as the repayment of loans denominated in foreign currencies. As a result, we need to obtain SAFE approval to use cash generated from the operations of our PRC subsidiaries to pay off their respective debt in a currency other than Renminbi owed to entities outside China, or to make other capital expenditure payments outside China in a currency other than Renminbi.

In light of the recent flood of capital outflows of China due to the weakening of RMB, the PRC government has imposed more restrictive foreign exchange policies and stepped up scrutiny of major outbound capital movement including overseas direct investment. More restrictions and substantial vetting process are put in place by SAFE to regulate cross-border transactions falling under the capital account. If any of our shareholders regulated by such policies fails to satisfy the applicable overseas direct investment filing or approval requirement timely or at all, it may be subject to penalties from the relevant PRC authorities. The PRC government may at its discretion further restrict access in the future to foreign currencies for current account transactions. If the foreign exchange control system prevents us from obtaining sufficient foreign currencies to satisfy our foreign currency demands, we may not be able to pay dividends in foreign currencies to our shareholders, including holders of the Ordinary Shares.