China exempts Hong Kong listings from cybersecurity review as regulators finalise rigid rules for ‘foreign’ IPOs

  • Internet platforms operators with more than 1 million users in China must go through a cybersecurity review before they apply to “foreign” regulators to list, the CAC said
  • The rules make no mention of Hong Kong, a region that is not considered a “foreign” authority under China’s “one country two systems” governance arrangement

China’s regulators will exempt Hong Kong from the rigid cybersecurity review process for all initial public offerings (IPOs) in foreign markets by companies with the personal data of at least 1 million customers, according to analysts’ reading of the finalised regulations published on Tuesday.

Internet platforms operators with more than 1 million users in China must go through a cybersecurity review before they apply to “foreign” regulators to raise funds through IPOs, the Cyberspace Administration of China (CAC) said.

The regulation did not mention Hong Kong, a special administrative region (SAR) that is not considered a “foreign” authority under China’s “one country, two systems” governance arrangement. That means IPOs by Chinese technology companies will be exempted from the review, according to an article on the Chinese blog Xiaobei Talks Security, a cybersecurity policy-themed blog started by a group of cybersecurity lawyers and scholars.

“The policy is clear now; the document only proposed requirements for IPOs in foreign markets without mentioning Hong Kong, which means cybersecurity reviews are not required for companies going public in Hong Kong,” according to the article.

The new review regulation was approved by China’s State Council and is backed by 13 government ministries, including the CAC, the National Development and Reform Commission (NDRC), the Ministry of Industry and Information Technology (MIIT), the Ministry of Public Security and the Ministry of State Security, as well as the China Securities Regulatory Commission (CSRC).

Still, a separate draft by the CAC in November 2021 cited national security reasons for a cybersecurity check on “data-processing entities seeking a listing in Hong Kong that will influence or may influence national security.” The draft is still being studied and may be amended in the final version in light of the cybersecurity review.

The first cybersecurity review was launched last July following probes into Didi Global’s US$4.4 billion New York IPO, which defied injunctions by Chinese authorities. It roiled markets in Hong Kong and New York, forcing the CSRC, which was not involved in the probe into Didi, to assure investors that China still supports fundraising by its companies in overseas markets.

Nevertheless, the uncertainties and ambiguities surrounding the additional requirement have contributed to a wave of businesses opting for IPOs in Hong Kong instead of the US, a traditionally more attractive capital market for Chinese companies.

Three scenarios apply for overseas listings, under the cybersecurity review regulations. The first scenario involves companies that don’t require any cybersecurity review. The second applies to companies whose IPOs are deemed not detrimental to national security and are therefore cleared for foreign IPOs. The final scenario forbids companies from listing in foreign markets if their IPOs are deemed to affect national security, CAC said.

The security review office is positioned with the CAC, although the specific procedural work such as the acceptance of applications and the handling of documents fall under the China Cybersecurity Review Technology and Certification Centre, a unit affiliated with the antitrust watchdog agency the State Administration for Market Regulation (SAMR).

Author: Xinmei Shen, SCMP

You might also like