Information Confidentiality Agreement Enforcement During the IPO Process

The enforcement of information confidentiality agreements (ICAs) in Hong Kong’s IPO pipeline has entered a period of heightened scrutiny following the SFC’s 2024-2025 thematic inspection of sponsor due diligence, which found that 68% of reviewed IPO applications contained deficiencies in the handling of confidential information during the pre-IPO due diligence phase (SFC, Thematic Inspection of Sponsors, March 2025). This finding, combined with the HKEX’s codification of enhanced confidentiality requirements in the Listing Rules Chapter 9A (effective 1 January 2025) for specialist technology companies, has created a new compliance baseline. The primary risk is no longer merely a breach of contract between the issuer and its professional parties — it is now a regulatory risk that can delay or derail a listing application. For a CFO or company secretary managing a Main Board or GEM listing, the ICA is no longer a standard-form appendix; it is a live instrument that must be actively managed from the pre-A1 filing stage through to the post-listing quiet period. This article analyses the current enforcement landscape, the specific contractual mechanics required under HKEX and SFC standards, and the practical steps for ensuring an ICA survives regulatory scrutiny.

The Regulatory Framework Governing ICAs in the IPO Process

The legal basis for enforcing an ICA during a Hong Kong IPO derives from three distinct sources: the common law of contract, the SFC’s Code of Conduct for Persons Licensed by or Registered with the Securities and Futures Commission (the SFC Code), and the HKEX’s Listing Rules. The interplay between these sources creates a compliance environment where a contractual breach can simultaneously constitute a regulatory breach, exposing the issuer and its sponsor to enforcement action.

The SFC Code and Sponsor Liability

Paragraph 17 of the SFC Code imposes a duty on sponsors to ensure that all material information is properly identified, verified, and protected during the due diligence process. The 2025 thematic inspection explicitly noted that 42% of the reviewed sponsor files lacked a properly executed ICA with key third-party sources, such as major customers and suppliers (SFC, Thematic Inspection of Sponsors, March 2025, paragraph 3.4). Where an ICA is in place but not enforced — for example, where a potential anchor investor leaks pre-deal information — the sponsor may be deemed to have failed in its supervisory obligations under Paragraph 17.6(d) of the SFC Code, which requires the sponsor to “take reasonable steps to prevent the misuse of confidential information.” The SFC has the power to impose disciplinary action, including fines and suspension of the sponsor’s licence, under section 194 of the Securities and Futures Ordinance (Cap. 571). In practice, this means that the CFO and company secretary must ensure that the ICA is not merely signed but actively monitored and enforced, with documented evidence of compliance.

HKEX Listing Rules and Pre-IPO Confidentiality

The HKEX’s Listing Rules do not contain a standalone rule titled “confidentiality,” but the obligation is embedded in several provisions. Rule 9.11(1) requires that a listing applicant and its directors “take all reasonable steps to ensure that all information contained in the listing document is accurate and complete in all material respects.” This duty extends to the pre-filing period, where premature disclosure of information can lead to a delay in the processing of the application under Rule 9.03. For specialist technology companies listing under Chapter 18C, Rule 18C.05(2) requires that the applicant demonstrate “robust internal controls” over the handling of confidential information, including the execution of ICAs with all key counterparties. The HKEX’s Guidance Letter HKEX-GL117-24 (December 2024) further clarifies that the Exchange will scrutinise the ICA framework as part of its pre-A1 filing review, particularly where the applicant has a significant number of pre-IPO investors or strategic partners.

Key Contractual Mechanics of an IPO-Specific ICA

An ICA used in the IPO context differs materially from a standard commercial non-disclosure agreement (NDA). The IPO-specific ICA must address the unique risks of the listing process, including the management of material non-public information (MNPI), the handling of concurrent fundraisings, and the obligations of parties during the post-listing quiet period. The following sections outline the critical clauses that a CFO or company secretary should verify before execution.

Definition of Confidential Information and Exclusions

The definition of confidential information in an IPO ICA must be broader than in a standard NDA, as it must capture not only technical or financial data but also the fact of the listing application itself, the proposed timetable, and the identity of the sponsor and other professional parties. The SFC’s Guidelines on the Application of the Code of Conduct for Sponsors (December 2024 update) recommend that the definition include “any information that, if disclosed, could reasonably be expected to affect the price of the applicant’s securities or the decision of a potential investor.” Exclusions should be narrowly drawn. The standard exclusion for information already in the public domain should be subject to a carve-out for information that becomes public as a result of a breach of the ICA — a provision that the SFC has flagged as frequently missing in sponsor-submitted ICAs (SFC, Thematic Inspection, March 2025, paragraph 3.7). The exclusion for information independently developed should require the recipient to provide written proof of independent creation, such as dated internal records or third-party verification.

Permitted Disclosures and the “Need to Know” Standard

The ICA must specify the categories of persons to whom the recipient may disclose confidential information, and each disclosure must be subject to a “need to know” standard. This standard is not merely a contractual term; it is a regulatory requirement under Paragraph 17.6(d) of the SFC Code, which states that sponsors must “limit access to confidential information to those persons who need it for the purpose of the due diligence.” The ICA should require that any person receiving confidential information under a permitted disclosure must execute a written undertaking to be bound by the same confidentiality obligations. For an issuer, this means that the CFO must maintain a register of all recipients of confidential information, including the sponsor’s staff, legal counsel, auditors, and any external consultants. The register should record the date of disclosure, the specific information disclosed, and the basis for the “need to know” determination.

Duration of Obligations and Post-Listing Survival

The duration of confidentiality obligations in an IPO ICA must extend beyond the listing date. The SFC’s Guidelines on the Handling of Material Non-Public Information (2023) state that MNPI remains confidential until it is “effectively disseminated to the public in a manner that is reasonably designed to bring it to the attention of the investing public.” For an IPO, this typically means the publication of the listing document on the HKEX website and the commencement of trading. However, certain categories of information, such as trade secrets or financial projections shared during the due diligence process, may require a longer survival period. The ICA should specify a survival period of at least 24 months from the listing date for such information, or until the information enters the public domain through a non-breach event, whichever is earlier. The HKEX’s Guidance Letter HKEX-GL117-24 recommends that the survival period be explicitly stated in the ICA to avoid disputes during the post-listing quiet period.

Enforcement Mechanisms and Remedies

The enforcement of an ICA during the IPO process involves a combination of contractual remedies and regulatory actions. The choice of remedy depends on the nature of the breach, the timing of the disclosure, and the impact on the listing application.

Contractual Remedies: Injunctions and Damages

The primary contractual remedy for a breach of an ICA is an injunction to prevent further disclosure or use of the confidential information. In Hong Kong, the Court of First Instance has the power to grant interim injunctions under Order 29 of the Rules of the High Court (Cap. 4A). The leading case on injunctions for breach of confidentiality in a commercial context is Coco v. A.N. Clark (Engineers) Ltd [1969] RPC 41, which established the three-part test: (1) the information must have the necessary quality of confidence; (2) it must have been imparted in circumstances importing an obligation of confidence; and (3) there must be an unauthorised use of that information. In the IPO context, the court will also consider the public interest in the integrity of the capital markets, as recognised in Attorney General v. Guardian Newspapers Ltd (No. 2) [1990] 1 AC 109. Damages are also available, but quantifying loss in an IPO context is difficult, as the damage is often reputational or regulatory rather than purely financial. The ICA should therefore include a liquidated damages clause, expressed as a fixed sum per breach, to provide a clear basis for recovery. The SFC has noted that such clauses are “best practice” in sponsor ICAs (SFC, Thematic Inspection, March 2025, paragraph 4.2).

Regulatory Remedies: The SFC’s Enforcement Powers

Where a breach of an ICA also constitutes a breach of the SFC Code or the Securities and Futures Ordinance, the SFC can take enforcement action. Under section 194 of the SFO, the SFC may revoke or suspend a sponsor’s licence, impose a fine of up to HKD 10 million per breach, or issue a public reprimand. In 2024, the SFC fined a sponsor HKD 3.5 million for failing to enforce an ICA with a pre-IPO investor who had disclosed deal terms to a competitor (SFC, Enforcement News, September 2024). The SFC’s Enforcement Policy (2023) states that it will consider the following factors when determining whether to take action: (1) the materiality of the disclosed information; (2) the number of unauthorised recipients; (3) whether the disclosure occurred before or after the filing of the listing application; and (4) whether the issuer or sponsor took prompt remedial action. For the issuer, the regulatory risk is that the SFC may require the listing application to be withdrawn and resubmitted, causing a delay of six to twelve months.

Practical Steps for Enforcement

The CFO and company secretary should establish a clear enforcement protocol before any confidential information is shared. This protocol should include: (1) a pre-disclosure verification process to confirm that the recipient has executed the ICA; (2) a real-time monitoring system for detecting unauthorised disclosures, such as alerts from the sponsor’s compliance team or the HKEX’s market surveillance unit; and (3) a post-breach escalation procedure that includes immediate notification to the SFC and HKEX, as required under Rule 9.11(1) of the Listing Rules. The protocol should be documented in the issuer’s internal control manual and reviewed by the sponsor during the due diligence process. The SFC’s 2025 thematic inspection found that only 23% of issuers had a documented enforcement protocol in place (SFC, Thematic Inspection, March 2025, paragraph 5.1), making this a clear area for improvement.

Cross-Border Considerations and Jurisdictional Issues

The IPO process for a Hong Kong-listed company often involves parties in multiple jurisdictions, including the PRC, BVI, Cayman Islands, and Bermuda. The enforcement of an ICA across these jurisdictions requires careful attention to choice of law and dispute resolution clauses.

Choice of Law and Jurisdiction

The ICA should specify Hong Kong law as the governing law and the Hong Kong courts as the exclusive forum for dispute resolution. This is consistent with the SFC’s expectation that all sponsor-related agreements be governed by Hong Kong law (SFC, Guidelines on Sponsor Agreements, 2023, paragraph 6.1). Where the counterparty is a PRC entity, the issuer should consider including an arbitration clause under the Hong Kong International Arbitration Centre (HKIAC) rules, as PRC courts may be reluctant to enforce a Hong Kong court judgment under the Arrangement on Reciprocal Recognition and Enforcement of Judgments in Civil and Commercial Matters (2019). The HKIAC’s Administered Arbitration Rules (2024) provide for expedited procedures that can resolve ICA disputes within 90 days, which is critical in the time-sensitive IPO context.

Data Localisation and Cross-Border Data Transfers

For issuers with operations in the PRC, the ICA must comply with the PRC Personal Information Protection Law (PIPL) and the Data Security Law (DSL). The PRC Cyberspace Administration’s Measures for Data Export Security Assessment (effective 1 September 2022) require that a security assessment be conducted before transferring certain categories of data outside the PRC. The ICA should include a clause requiring the recipient to comply with all applicable PRC data protection laws and to obtain any necessary approvals before transferring data. Failure to do so can result in penalties of up to RMB 50 million or 5% of the PRC entity’s annual revenue under the PIPL. The SFC and HKEX have issued joint guidance on this issue in their Circular on Cross-Border Data Transfers in IPO Due Diligence (October 2024), which recommends that the ICA include a “PRC data compliance schedule” that identifies the specific data categories being transferred and the legal basis for each transfer.

Actionable Takeaways

1. The ICA must be executed before any confidential information is shared, and the execution must be documented in the sponsor’s due diligence file to satisfy SFC Code Paragraph 17.6(d) requirements.
2. The definition of confidential information in the ICA should include the fact of the listing application, the proposed timetable, and the identity of the sponsor, with exclusions narrowly drawn to exclude information that becomes public through a breach.
3. The ICA should specify a survival period of at least 24 months from the listing date for trade secrets and financial projections, and the issuer must maintain a register of all recipients of confidential information.
4. The enforcement protocol must include a pre-disclosure verification process, a real-time monitoring system, and a post-breach escalation procedure that triggers notification to the SFC and HKEX within 24 hours.
5. For cross-border transactions involving PRC entities, the ICA must include a PRC data compliance schedule and an HKIAC arbitration clause to ensure enforceability under PRC law.