Our ability to use our net operating loss carryforwards and other tax attributes may be limited.
As of December 31, 2025, we had approximately $53.4 million of federal net operating losses, or NOLs. Federal NOLs generated in taxable years beginning after December 31, 2017, may be carried forward indefinitely, but the deductibility of such federal NOL carryforwards in a taxable year is limited to 80% of our taxable income in such year. As of December 31, 2025, we had approximately $53.7 million of state NOLs. As of December 31, 2025, we had approximately $2.9 million of federal research and development tax credit carryforwards. Federal tax credit carryforwards expire at various dates beginning in 2044. As of December 31, 2025, we had approximately $1.0 million of state research and development tax credit carryforwards. The state tax credits carryforwards expire at various dates beginning in 2039.
Under Sections 382 and 383 of the Internal Revenue Code of 1986, as amended, or the Code, if a corporation undergoes an “ownership change,” generally defined as a greater than 50 percentage point change (by value) in its equity ownership by “5 percent shareholders” over a three-year period, the corporation’s ability to use its pre-change NOLs and other pre-change tax attributes (such as research and development tax credits) to offset its post-change income or taxes may be limited. A corporation that experiences an ownership change will generally be subject to an annual limitation on the use of its pre-ownership change NOLs equal to the value of the corporation immediately before the ownership change, multiplied by the long-term tax-exempt rate (subject to certain adjustments). We may have experienced ownership changes in the past and may experience ownership changes as a result of subsequent shifts in our stock ownership (some of which are outside our control). There is also a risk that due to regulatory changes, such as suspensions on the use of NOLs by federal or state taxing authorities or other unforeseen reasons, portions of our existing NOLs could expire or otherwise be unavailable to reduce future income tax liabilities. As a result, our ability to use our pre-change NOLs and tax credits to offset future taxable income, if any, or taxes could be subject to limitations. Similar provisions of state tax law may also apply. As a result, even if we attain profitability, we may be unable to use a material portion of our NOLs and tax credits.
Changes in tax law could adversely affect our business and financial condition.
U.S. federal, state, local, and foreign tax laws, regulations and administrative guidance are subject to change as a result of the legislative process and review and interpretation by the U.S. Internal Revenue Service, the U.S. Treasury Department and other taxing authorities. Changes to tax laws (which changes may have retroactive application), including with respect to net operating losses and research and development tax credits, could adversely affect us or holders of our common stock. For example, on July 4, 2025, President Donald Trump signed the One Big Beautiful Bill Act into law. Key tax provisions included the restoration of 100% bonus depreciation for certain qualified property, immediate expensing for domestic research and experimental expenditures and the ability to make elective adjustments for prior years, changes to the Section 163(j) interest limitations and updates to net CFC tested income (formerly GILTI) and FDII rules. In recent years, many other such changes have been made and changes are likely to continue to occur in the future. Future changes in tax laws could have a material adverse effect on our business, financial condition, results of operations, or cash flow. We urge investors to consult with their legal and tax advisers regarding the implications of potential changes in tax laws on an investment in our common stock.
Our information technology systems and infrastructure, or those of our collaborators and service providers, or our data, may be subject to cyberattacks, security breaches, compromises or other incidents, which could impact the confidentiality, integrity, and availability of our operational system and result in additional costs, loss of revenue, significant liabilities, harm to our brand, material disruption of our development programs and operations, or other adverse consequences.
In the ordinary course of our business, we and the third parties upon which we rely, process sensitive data, and, as a result, we and the third parties upon which we rely face a variety of evolving threats that could cause cyber-attacks, security breaches, compromises, or other incidents that impact the confidentiality, integrity, and availability of our operational systems. Although we, and the third parties upon which we rely, take steps to develop and maintain systems and controls designed to protect our sensitive data, systems, and infrastructure, there can be no assurance that our internal technology systems, and infrastructure, or those of third parties upon which we rely, will be sufficient to protect against a cyber-attack, security breach, compromise, or other incident such as an industrial espionage attack, ransomware, or insider threat attack, which may compromise the confidentiality, integrity, and availability of our system infrastructure, or those of third parties upon which we rely, or lead to the loss, destruction, alteration, or dissemination of, or damage to, our sensitive data. Such threats are prevalent and continue to rise, are increasingly difficult to detect, and come from a variety of sources, including traditional computer “hackers,” threat actors, “hacktivists,” organized criminal threat actors, personnel (such as through theft or misuse), sophisticated nation states, and nation-state-supported actors.
The risk of a cyber-attack, security breach, compromise, or other adverse impact to our and our third-party service provider’s information technology systems and sensitive data has generally increased as the number, intensity, and sophistication of attempted attacks and intrusions from around the world have increased. Such risks come from a variety of evolving threats, including but not limited to, social-engineering attacks (including through deep fakes, which may be increasingly more difficult to identify as fake, and phishing attacks), malicious code (such as viruses and worms), malware (including as a result of advanced persistent threat intrusions), denial-of-service attacks, credential stuffing, credential harvesting, personnel misconduct or error, ransomware attacks, supply-chain
