What changed in PALVELLA THERAPEUTICS, INC.'s 10-K — 2023 vs 2024
Paragraph-level year-over-year comparison of PALVELLA THERAPEUTICS, INC.'s 2023 and 2024 10-K annual filings, covering the Business, Risk Factors, Legal Proceedings, Cybersecurity, MD&A and Market Risk sections. Every new, removed and edited paragraph is highlighted side-by-side so you can see exactly what management changed in the 2024 report.
+14 added · −532 removed · Source: 10-K (2025-03-31) vs 10-K (2024-03-29)
Top changes in PALVELLA THERAPEUTICS, INC.'s 2024 10-K
14 paragraphs added · 532 removed · 3 edited across 1 sections
- Item 1C. Cybersecurity: +14 / −532 · 3 edited
Item 1C. Cybersecurity
Cybersecurity — threats and controls disclosure
3 edited · +11 added · −529 removed · 0 unchanged
2023 filing
2024 filing
Biggest change: We may also ask vendors associated with increased cybersecurity risk to complete a periodic questionnaire regarding their security practices for ongoing vendor management purposes. We describe whether and how risks from identified cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition, under the heading “Significant disruptions of information technology systems or security breaches could adversely affect our business” in Item 1A, Risk Factors, which disclosures are incorporated by reference herein.
Biggest change: We have not identified any cybersecurity incidents or threats that have materially affected us or are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition. However, like other companies in our industry, we and our third-party vendors have from time to time experienced threats that could affect our information or systems.
LEGAL PROCEEDINGS As of the date of this Annual Report on Form 10-K, we are not currently involved in any material legal proceedings. However, from time to time, we could be subject to various legal proceedings and claims that arise in the ordinary course of our business activities.
We believe that suitable additional or alternative space would be available as required in the future on commercially reasonable terms. Item 3. Legal Proceedings. From time to time, we may become involved in legal proceedings or be subject to claims arising in the ordinary course of our business. We are not currently subject to any material legal proceedings.
Our board of directors executes its oversight responsibility for risk management both directly and through delegating oversight of certain of these risks to its committees, and our board of directors has authorized our audit committee to oversee risks from cybersecurity threats.
The Audit Committee of our Board of Directors is primarily responsible for overseeing the Company's compliance and risk management obligations, including the management of risks from cybersecurity threats. Pursuant to its charter, the Audit Committee is responsible for monitoring the effectiveness of the Company’s information system and cybersecurity controls.
Removed
Item 1C. Cybersecurity We recognize the critical importance of maintaining the trust and confidence of our patients, employees, and business partners toward our business and are committed to protecting the confidentiality, integrity and availability of our business operations and systems.
Added
Item 1C. Cybersecurity. Cybersecurity Risk Management and Strategy In recognition of the evolving cybersecurity threat landscape, we acknowledge the increasing sophistication and frequency of cybersecurity incidents. While we cannot completely protect against the possibility of a cybersecurity incident occurring, we take measures designed to mitigate risks from cybersecurity threats, including those implemented by our third-party managed services provider.
Removed
Our audit committee of the board of directors is actively involved in oversight of our risk management activities, and cybersecurity represents an important element of our overall approach to risk management. We have taken into account recognized frameworks established by the National Institute of Standards and Technology, or NIST, when developing cybersecurity policies, standards, processes and practices among other considerations.
Added
As part of our cybersecurity procedures, we leverage a number of security controls, including network and device monitoring and system backup procedures. We work to mitigate risks from cybersecurity threats stemming from third-party vendors by providing them with access only to systems that they need to provide services to us.
Removed
In general, we seek to address cybersecurity risks through a comprehensive, cross-functional approach that is focused on preserving the confidentiality, security and availability of the information that we collect and store by identifying, preventing and mitigating cybersecurity threats and effectively responding to cybersecurity incidents when they occur.
Added
For more information, please see “Item 1A, Risk Factors.” Cybersecurity Governance Senior management, including the Chief Executive Officer and Chief Financial Officer, are responsible for implementation of the Company’s risk management controls, including controls in connection with risks from cybersecurity threats.
Removed
Cybersecurity Risk Management and Strategy; Effect of Risk We face risks related to cybersecurity such as unauthorized access, cybersecurity attacks and other security incidents, including as perpetrated by hackers and unintentional damage or disruption to hardware and software systems, loss of data, and misappropriation of confidential information.
Added
On a quarterly basis, the Audit Committee discusses with senior management, and internal audit, if applicable, the Company’s processes for assessing, identifying, and managing material risks from cybersecurity threats and the state of the Company’s cybersecurity processes. The Audit Committee also receives updates on, and monitors, the Company’s prevention, detection, mitigation and remediation of cybersecurity incidents. Item 2.
Removed
To identify and assess material risks from cybersecurity threats, we maintain a comprehensive cybersecurity program to ensure our systems are effective and prepared for information security risks, including regular oversight of our programs for security monitoring for internal and external threats to ensure the confidentiality and integrity of our information assets.
Added
Properties. Our principal executive office is located in Wayne, Pennsylvania, where we lease 3,379 square feet of space that we use for our administrative, research and development and other activities. We believe that our existing facilities are adequate for our near-term needs but expect to need additional space as we grow.
Removed
We consider risks from cybersecurity threats alongside other company risks as part of our overall risk assessment process. We employ a range of tools and services, including phishing training, regular network and endpoint monitoring, audits, vulnerability assessments, to inform our risk identification and assessment.
Added
Item 4. Mine Safety Disclosures. Not applicable. PART II Item 5. Market for Registrant’s Common Equity, Related Stockholder Matters and Issuer Purchases of Equity Securities.
Removed
As discussed in more detail under “Cybersecurity Governance; Management” below, our audit committee provides oversight of our cybersecurity risk management and strategy processes, which are led by the General Counsel and third-party information technology and security providers who act as our information technology team. We also identify our cybersecurity threat risks by comparing our processes to standards set by NIST.
Added
Market Information Our common stock is currently listed on the Nasdaq Capital Market under the symbol “PVLA.” Prior to the consummation of the Merger, our common stock was listed on the Nasdaq Capital Market under the symbol “PIRS.” As of March 25, 2025, we had 11,018,747 shares of common stock issued and outstanding held of record by 103 registered holders.
Removed
To provide for the availability of critical data and systems, maintain regulatory compliance, manage our material risks from cybersecurity threats, and protect against and respond to cybersecurity incidents, we undertake the following activities:
• monitor emerging data protection laws and implement changes to our processes that are designed to comply with such laws;
• through our policies, practices and contracts (as applicable), require employees, as well as third parties that provide services on our behalf, to treat confidential information and data with care and enter into confidentiality agreements, and enter into data processing agreements with third parties that are processing personal data we control;
• employ technical safeguards that are designed to protect our information systems from cybersecurity threats, including physical security measures to prevent access to data processing systems, firewalls, intrusion prevention and detection systems, email security controls, anti-malware functionality and access controls, endpoint detection and response systems, all of which are evaluated and improved through internal and external vulnerability assessments and cybersecurity threat intelligence;
• provide mandatory training and notifications for our employees and contractors regarding cybersecurity threats as a means to equip them with effective tools to understand, identify and address cybersecurity threats, and to communicate our evolving information security policies, standards, processes and practices;
• conduct mandatory annual phishing training and regular phishing email simulations for all employees and contractors with access to our email systems to enhance awareness and responsiveness to possible threats;
• utilize pseudonymized data for patients and use other encryption methods to ensure security of personal data;
• leverage procedures informed by appropriate incident handling frameworks to help us identify, protect, detect, respond and recover when there is an actual or potential cybersecurity incident; and
• carry information security risk insurance that provides protection against the potential losses arising from a cybersecurity incident.
Added
Dividends We have never declared or paid cash dividends on our capital stock. We intend to retain all available funds and any future earnings for use in the operation of our business and do not anticipate paying any cash dividends on our capital stock in the foreseeable future.
Removed
Our incident response plan coordinates the activities we take to prepare for, detect, respond to and recover from cybersecurity incidents, which include processes to triage, assess severity for, escalate, contain, investigate and remediate the incident, as well as to comply with potentially applicable legal obligations and mitigate damage to our business and reputation.
Added
Notwithstanding the foregoing, any determination to pay cash dividends will be at the discretion of our board of directors and will depend upon a number of factors, including our results of operations, financial condition, future prospects, contractual restrictions, restrictions imposed by applicable law and other factors our board of directors deems relevant.
Removed
As part of the above processes, we engage with third parties, including annually having a qualified third-party review our incident response plan and our cybersecurity measures to help identify areas for continued focus, improvement and compliance.
Added
Recent Sales of Unregistered Securities We did not issue any equity securities during the year ended December 31, 2024 that were not registered under the Securities Act and that have not otherwise been described in a Quarterly Report on Form 10-Q or a Current Report on Form 8-K.
Removed
Our processes also address cybersecurity threat risks associated with our use of third-party service providers, including those who have access to patient and employee data or our systems. In addition, cybersecurity considerations affect the selection and oversight of our third-party service providers.
Added
Issuer Purchases of Equity Securities We did not repurchase any of our equity securities during the fiscal year ended December 31, 2024.
Removed
We perform diligence on third parties that have access to our systems, data or facilities that house such systems or data, and assess cybersecurity threat risks identified through such diligence.
Removed
Additionally, we generally require those third parties that could introduce significant cybersecurity risk to us to agree by contract to manage their cybersecurity risks in specified ways, for example, by engaging with known, reputable vendors, and requiring they have industry standard safeguards and notification procedures.
Removed
In the last three fiscal years, we have not experienced any material cybersecurity incidents and the expenses we have incurred from cybersecurity incidents were immaterial. We also have not been subject to any penalties or settlements.
Removed
Cybersecurity Governance; Management Cybersecurity is an important part of our risk management processes and an area of focus for our board of directors and management. In general, our board of directors oversees risk management activities designed and implemented by our management, and considers specific risks, including, for example, risks associated with our strategic plan, business operations, and capital structure.
Removed
At least quarterly, our audit committee receives an update from management of our cybersecurity threat risk management and strategy processes covering topics such as data security posture, results from third-party assessments, our incident response plan, and material cybersecurity threat risks or incidents and developments, as well as the steps management has taken to respond to such risks.
Removed
In such sessions, our audit committee generally receives materials that include discussions of current and emerging general material cybersecurity threat risks, including our particular cyber risk situation, and describing our ability and strategy to mitigate those risks and may discuss such matters with our Information Technology team or General Counsel.
Removed
Our audit committee also receives prompt and timely information regarding any cybersecurity incident that meets reporting thresholds, as well as ongoing updates regarding any such incident until it has been addressed.
Removed
Members of our audit committee are also encouraged to regularly engage in conversations with management on cybersecurity-related news events and discuss any updates to our cybersecurity risk management and strategy programs.
Removed
Material cybersecurity threat risks are also considered during separate board meeting discussions of important matters like enterprise risk management, operational budgeting, business continuity planning, mergers and acquisitions, and other relevant matters.
Removed
Our cybersecurity risk management and strategy processes, which are discussed in greater detail above, are led by our external Information Technology team, an Information Technology council composed of various management and senior level employees, and the General Counsel.
Removed
Such individuals have collectively over 10 years of prior work experience in various roles involving managing information security, developing cybersecurity strategy, implementing effective information and cybersecurity programs, as well as several relevant degrees.
Removed
These management team members are informed about and monitor the prevention, mitigation, detection, and remediation of cybersecurity incidents through their management of, and participation in, the cybersecurity risk management and strategy processes described above, including the operation of our incident response plan.
Removed
As discussed above, these management team members report to the audit committee of our board of directors about cybersecurity threat risks, among other cybersecurity related matters, at least annually. Item 2.
Removed
PROPERTIES In October 2018, Pieris GmbH entered into a lease initially comprising of approximately 96,400 square feet of mixed laboratory and office space in Hallbergmoos, Germany, which became our location for all German operations in February 2020.
Removed
This agreement, or the Lease Agreement, provides for an initial term of 150 months, commencing on the date the lessor first delivers the leased property to Pieris GmbH as agreed under the Lease Agreement, which occurred in February 2020. On December 15, 2023, the Lease Agreement was terminated effective December 31, 2023.
Removed
As consideration for the lessor’s agreement to terminate the Lease Agreement, Pieris GmbH paid a fee of approximately €9.7 million. The Company will continue to occupy a limited portion of the office space through June 2024. Our corporate headquarters continues to be located in Boston, Massachusetts, but we now generally conduct our operational functions remotely. Item 3.
Removed
Regardless of the outcome, legal proceedings can have an adverse impact on us because of defense and settlement costs, diversion of management resources, and other factors. Item 4. MINE SAFETY DISCLOSURES Not applicable. PART II Item 5.
Removed
MARKET FOR REGISTRANT’S COMMON EQUITY, RELATED STOCKHOLDER MATTERS AND ISSUER PURCHASES OF EQUITY SECURITIES Market Information Our common stock is listed on The Nasdaq Stock Market LLC under the symbol “PIRS” and on June 30, 2015 our common stock began trading on The Nasdaq Capital Market.
Removed
Stockholders As of March 26, 2024, there were 31 and 4 stockholders of record of our common stock and preferred stock, respectively. Because many of our shares are held by brokers and other institutions on behalf of stockholders, we are unable to estimate the total number of beneficial holders represented by these record holders.
Removed
Dividends We have never paid dividends but may elect to pay out dividends to stockholders if it is determined that there is sufficient cash and investments to achieve our near and long-term objectives. Unregistered Sales of Securities None. Issuer Purchases of Equity Securities None. Item 6. [RESERVED] Item 7.
Removed
MANAGEMENT’S DISCUSSION AND ANALYSIS OF FINANCIAL CONDITION AND RESULTS OF OPERATIONS You should read the following discussion and analysis of our financial condition and results of operations together with our consolidated financial statements and the related notes and other financial information included in this Annual Report on Form 10-K.
Removed
Some of the information contained in this discussion and analysis or set forth elsewhere in this Annual Report on Form 10-K, including information with respect to our plans and strategy for our business, includes forward-looking statements that involve risks and uncertainties as described under the heading “Forward-Looking Statements” elsewhere in this Annual Report on Form 10-K.
Removed
You should review the disclosure under the heading “Risk Factors” in this Annual Report on Form 10-K for a discussion of important factors that could cause actual results to differ materially from the results described in or implied by the forward-looking statements contained in the following discussion and analysis.
Removed
Overview We are a biotechnology company that historically discovered and developed Anticalin® protein-based drugs to target validated disease pathways in unique and transformative ways. Proprietary to us, Anticalin proteins are a novel class of therapeutics validated in the clinic and through partnerships with leading pharmaceutical companies, including Servier, Pfizer (formerly Seagen), and Boston Pharmaceuticals in immuno-oncology, or IO.
Removed
Our clinical pipeline consists of IO bispecifics in partnership with collaborators, including S095012 (also referred to as PRS-344) targeting PD-L1 and 4-1BB, SGN-BB228 (also referred to as PRS-346) targeting CD228 and 4-1BB, and BOS-342 (also referred to as PRS-342) targeting GPC3 and 4-1BB.
Removed
On March 27, 2024, we announced an update on our review of strategic alternatives, and our decision to implement measures that are expected to extend our cash runway into at least 2027, while maximizing our ability to collect potential milestones from our clinical pipeline of partnered drug candidates, potentially obtain value for cinrebafusp alfa and other proprietary platform capabilities, and explore other strategic opportunities.
Removed
As part of this strategy, we intend to discontinue all of our research and development efforts that we expect will be completed by the middle of 2024, reduce our workforce, which is expected to affect additional employees and the executive leadership and be implemented in the second quarter of 2024, and reduce the size of our Board of Directors, which is also expected to be implemented in the second quarter of 2024.
Removed
We remain eligible to receive potential contingent milestone and royalty payments from its partnered 4-1BB bispecific Mabcalin protein franchise from Pfizer, Boston Pharmaceuticals, and Servier.
Removed
These include aggregated milestones of approximately $20 million in connection with dosing a first patient in the phase 2 trials for SGN-BB228, S095102, and BOS-342, and aggregated milestones of approximately $55 million in connection with dosing a first patient in the pivotal clinical trials for SGN-BB228, S095102, and BOS-342.
Removed
Our strategy announced in March 2024 follows from our July 2023 announcement where we stated our intention to explore one or more strategic transactions with the assistance of our advisors, Stifel, Nicolaus & Company, and also announced a reduction in our workforce by approximately 70% in light of decision to reduce our operating footprint and expenses by opting out of and terminating programs.
Removed
Discovery and Development Programs We currently have several IO drug candidates, both proprietary and partnered with major biopharmaceutical companies and are at varying stages of development: • Our IO partnered portfolio includes the following drug candidates that are multi-specific Anticalin-based fusion protein drug candidates designed to engage immunomodulatory targets, in partnership with Pfizer (formerly Seagen), Boston Pharmaceutics, and Servier. ◦ In the Pfizer collaboration, SGN-BB228 (also referenced as PRS-346), a CD228 x 4-1BB bispecific antibody-Anticalin compound, was previously handed over to Pfizer, which is responsible for further advancement and funding of the asset.
Removed
In January 2023, the first patient was dosed in a Pfizer-sponsored phase 1 study of SGN-BB228, upon which we achieved a $5.0 million milestone.
Removed
Pfizer, as they were referred to at the time, presented preclinical data for this program at the Society for Immunotherapy of Cancer 37th Annual Meeting in November 2022 and at the American Association for Cancer Research (AACR) Annual Meeting in April 2023, Pfizer presented the study design of the phase 1 study of SGN-BB228 at the American Society of Clinical Oncology (ASCO) Annual Meeting in June 2023.
Removed
The program is one of three programs in the Pfizer alliance, and we believe the previous achievement of a key development milestone for this program validates our approach in IO bispecifics, complementing the encouraging clinical data seen with cinrebafusp alfa.
Removed
We transferred the second and third programs to Pfizer at the end of 2023, and retain a co-promotion option for one program in the Pfizer collaboration in the United States. ◦ BOS-342 (also referenced as PRS-342) is a GPC3 x 4-1BB bispecific Mabcalin compound that we have exclusively licensed to Boston Pharmaceuticals.
Removed
In August 2023, the first patient was dosed in a Boston Pharmaceuticals sponsored phase 1/2 study of BOS-342 in hepatocellular carcinoma (HCC), for which we received a $2.5 million milestone payment and are entitled to receive up to approximately $350 million in potential development, regulatory and sales-based milestone payments, and tiered royalties on potential sales of BOS-342. ◦ S095012 (also referenced as PRS-344) is a bispecific Mabcalin compound comprising a PD-L1-targeting antibody genetically linked to 4-1BB-targeting Anticalin proteins being developed by Servier on a worldwide basis.
Removed
The first-in-human phase 1/2 multicenter open-label dose escalation study is designed to determine the safety and preliminary activity of S095012 in patients with advanced and/or metastatic solid tumors. In July 2023, we notified Servier that we were opting out of co-development and commercialization of S095012 in the U.S.
Removed
Servier retains exclusive, even as to us, worldwide rights to the program including the right to advance development and potential commercialization in the U.S.
Removed
As a result of our election to opt out, we are entitled to increased royalty rates and potential royalties and milestones, if any, for S095012. • In May 2021, we also entered into a multi-program research collaboration and license agreement with Genentech, a member of the Roche Group, to discover, develop and commercialize locally delivered respiratory and ophthalmology therapies.
Removed
In April and May 2023, the ophthalmology and respiratory programs were jointly discontinued, respectively. Cinrebafusp alfa is a bispecific Mabcalin compound comprising a HER2-targeting antibody genetically linked to 4-1BB-targeting Anticalin proteins. Cinrebafusp alfa is designed to drive tumor localized T cell activation through tumor-targeted drug clustering mediated by HER2 expressed on tumor cells.
Removed
This program was the first 4-1BB bispecific T cell co-stimulatory agonist to enter clinical development. ◦ In July 2022, we received fast track designation from FDA for cinrebafusp alfa.
Removed
In August 2022, we announced the decision to cease further enrollment in the two-arm, multicenter, open-label phase 2 study of cinrebafusp alfa as part of a strategic pipeline prioritization to focus our resources.
Removed
Cinrebafusp alfa has demonstrated clinical benefit in phase 1 studies, including single agent activity in a monotherapy setting, and in the phase 2 study in HER2-expressing gastric cancer, giving the Company confidence in its broader 4-1BB franchise.
Removed
In April 2023, clinical data showing an unconfirmed 100% objective response rate and promising emerging durability profile were presented at the American Association of Cancer Research annual meeting. This data provided encouraging evidence of clinical activity for this program.
Removed
The Company continues to remain committed to obtaining value for cinrebafusp alfa. Our former drug candidates include: • Elarekibep, a former respiratory program that was partnered with AstraZeneca for the treatment of asthma, was a drug candidate that antagonizes IL-4Rα, thereby inhibiting the downstream action of IL-4 and IL-13, two cytokines known to be key mediators in the inflammatory cascade that drive the pathogenesis of asthma and other inflammatory diseases. ◦ In June 2023, AstraZeneca communicated to us its decision to discontinue and cease dosing in the phase 2 clinical studies of elarekibep.
Removed
This decision was based on lung findings from a non-clinical 13-week GLP toxicology study with dry powder inhaler-formulated elarekibep, which did not support long-term use and progression to later-stage development. The 13-week non-human primate study included three active dose cohorts.
Removed
AstraZeneca concluded that there were no clinical observations across any of the doses but that there were respiratory tract pathology findings. These findings included inflammation-mediated lung tissue damage, which did not appear to be dose related.
Removed
AstraZeneca’s decision was made independent of any data from the phase 2a study. ◦ In July 2023, AstraZeneca notified us of its intention to terminate the AstraZeneca Collaboration Agreement and the AstraZeneca Platform License, which terminations became effective October 15, 2023.
Removed
AstraZeneca’s decision to terminate these agreements was based on the non-clinical safety findings in a 13-week toxicology study of elarekibep in non-human primates previously disclosed by us.
Removed
Based upon our review, we have determined to discontinue the program for scientific reasons. • PRS-220 is an orally inhaled Anticalin protein targeting connective tissue growth factor, or CTGF, that was being developed as a local treatment for idiopathic pulmonary fibrosis, or IPF, and other forms of fibrotic lung diseases.
Removed
CTGF, a matricellular protein, has been demonstrated to be a driver of fibrotic tissue remodeling and the protein has been found over-expressed in lung tissue from patients suffering from IPF. ◦ In 2021, we received a €14.2 million grant from the Bavarian Ministry of Economic Affairs, Regional Development and Energy supporting research and development of the PRS-220 program.
Removed
We conducted a phase 1 study of PRS-220 in healthy volunteers in Australia, which we completed in August 2023. The study was a randomized, two-part, blinded, placebo-controlled study, designed to assess the safety, tolerability, pharmacokinetics, and immunogenicity of single and multiple ascending doses of PRS-220 when administered by oral inhalation to healthy subjects.
Removed
The clinical study report was finalized at the end of December 2023. Data from the single and multiple ascending doses of PRS-220, when administered by oral inhalation to healthy subjects, demonstrated that PRS-220 was safe and generally well tolerated by subjects in this study at all administered doses.
Removed
With the completion of the phase 1 clinical studies, we have decided to discontinue further development of the program for strategic and scientific reasons. Since inception, we have devoted nearly all of our efforts and resources to our research and development activities and have incurred significant net losses.
Removed
For the years ended December 31, 2023 and 2022, we reported net losses of $24.5 million and $33.3 million, respectively. As of December 31, 2023, we had an accumulated deficit of $315.0 million. We expect to continue incurring substantial losses as we devote time and resources into exploring strategic transactions.
… 463 more changes not shown on this page.