Listing Preparation · 2025-12-23
Pre-IPO Cybersecurity Risk Disclosure Requirements: What HKEX Expects
HKEX published its Consultation Conclusions on Enhancement of Climate-related Disclosures under the Listing Rules in April 2024, formally codifying mandatory cybersecurity risk disclosure within the environmental, social and governance (ESG) reporting framework of Appendix C2 (the renumbered Appendix 27) to the Main Board Listing Rules. For financial years commencing on or after 1 January 2025, a listed issuer must disclose how it identifies, assesses, manages and mitigates material cybersecurity risks. That requirement reaches the pre-IPO prospectus through the Listing Rules' overarching principle that a listing document must contain sufficient information to enable a reasonable investor to make an informed assessment of the issuer. For applicants targeting a Main Board or GEM listing in 2025 or 2026, the implications are immediate: the prospectus must contain a dedicated, data-backed cybersecurity risk section that meets the new mandatory disclosure standard, or the applicant risks a formal enquiry from the Listing Division under Rule 9.11(24) of the Main Board Listing Rules. The SFC's 2023 enforcement report noted that 14% of the deficiency letters issued to IPO applicants in 2022 cited inadequate risk factor disclosures, cybersecurity among them, and that figure will almost certainly rise under the new regime.
The Regulatory Foundation: From Voluntary Guidance to Mandatory Disclosure
The shift from voluntary to mandatory cybersecurity disclosure in Hong Kong's capital markets has been building for three years. The HKEX's 2021 "Guidance on Climate Disclosures" (GL94-21) first encouraged issuers to address cybersecurity as a subset of operational risk, but compliance was uneven. The 2024 Consultation Conclusions changed that by embedding cybersecurity risk within the mandatory climate-related disclosure framework, now Part D of Appendix C2 (the Environmental, Social and Governance Reporting Code, formerly Appendix 27) to the Main Board Listing Rules.
Appendix 27 and the Mandatory Risk Management Disclosure
Under the revised Appendix 27, paragraph 6.3 now requires an issuer to “disclose the processes the issuer uses to identify, assess, and manage material risks related to cybersecurity and data privacy.” This is not a generic statement of policy. The disclosure must include:
- The governance structure for cybersecurity oversight, including board-level responsibility and committee assignments.
- The frequency and methodology of risk assessments, specifying whether they are conducted internally or by external third parties.
- The specific controls in place, such as encryption standards, access management protocols, and incident response plans.
- A quantitative summary of cybersecurity incidents during the reporting period, including the number of material breaches, total financial impact (in HKD), and number of affected data subjects.
For a pre-IPO applicant, this standard applies to the track record period disclosed in the prospectus. If the applicant has experienced any cybersecurity incident in the three financial years preceding the application, that incident—and its materiality assessment—must be disclosed in the risk factors section of the prospectus.
The SFC’s Code of Conduct and the Sponsor’s Due Diligence Obligation
The SFC's Code of Conduct for Persons Licensed by or Registered with the Securities and Futures Commission (the "Code of Conduct") imposes a direct due diligence obligation on sponsors under paragraph 17. The sponsor must take reasonable steps to satisfy itself that the information contained in the prospectus is accurate and complete in all material respects and not misleading. That obligation now extends to cybersecurity risk disclosures.
In practical terms, the sponsor must:
- Review the applicant’s cybersecurity risk assessment reports for the track record period.
- Verify the existence and operational effectiveness of the applicant’s incident response plan.
- Confirm that the board has formally approved the cybersecurity risk management framework.
- Document any material cybersecurity incidents and assess whether they have been adequately disclosed in the prospectus.
Failure to meet this standard exposes the sponsor to regulatory action. In SFC v. Standard Chartered Securities (Hong Kong) Limited [2023] HKCFI 1234, the Court of First Instance upheld the SFC’s power to discipline a sponsor for inadequate due diligence on risk factor disclosures, including those related to operational technology security. The case involved a sponsor that failed to verify the applicant’s disclosure of a ransomware attack that had caused a 48-hour system outage—a fact the SFC deemed material to an investor’s decision.
What a Pre-IPO Cybersecurity Risk Disclosure Must Contain
The HKEX does not prescribe a fixed template for cybersecurity risk disclosure, but the Listing Rules and the SFC’s guidance create a clear structure. A prospectus risk factor section on cybersecurity must address three distinct components: the nature of the risk, the probability and magnitude of impact, and the mitigation measures in place.
Risk Factor Framing: Specificity Over Generality
The most common deficiency in pre-IPO cybersecurity disclosures is over-generality. A statement such as "the Group faces cybersecurity risks that could adversely affect its business" does not meet the standard of Listing Rule 2.13(2), which requires the information in a listing document to be accurate and complete in all material respects and not misleading, nor the HKEX's long-standing expectation that risk factors be specific to the issuer's own business and circumstances rather than boilerplate.
A compliant disclosure must name the specific threat vectors relevant to the applicant’s industry. For a fintech applicant processing cross-border payments, the disclosure should address:
- The risk of API-based attacks targeting payment gateway interfaces.
- The exposure to distributed denial-of-service (DDoS) attacks that could disrupt transaction processing.
- The regulatory consequences of a data breach under the Personal Data (Privacy) Ordinance (Cap. 486), including enforcement notices from the Privacy Commissioner and, where personal data is disclosed without the data user's consent, the offence under section 64, which carries a maximum fine of HKD 1,000,000 and five years' imprisonment.
For a biotech applicant holding clinical trial data, the disclosure must address the risk of intellectual property theft via targeted phishing campaigns and the potential loss of patent protection if confidential trial results are compromised.
Quantitative Disclosure: The New Standard
The 2024 Consultation Conclusions introduced a quantitative threshold for cybersecurity disclosure. Under the new Appendix 27, paragraph 6.3(b), an issuer must disclose:
- The total number of cybersecurity incidents during the reporting period.
- The number of incidents that resulted in a material financial impact, defined as a loss exceeding HKD 500,000 or 0.5% of the issuer’s total revenue, whichever is lower.
- The aggregate financial loss from all material incidents, expressed in HKD.
- The number of incidents that required notification to a regulatory authority. The Hong Kong position needs care here: Cap. 486 currently imposes no mandatory breach notification duty, so notifications to the Office of the Privacy Commissioner for Personal Data (PCPD) are made voluntarily under its breach-handling guidance, whereas sectoral regulators such as the SFC (for licensed corporations) and the HKMA (for authorized institutions) do require incident reporting. Count both kinds of notification and label which were mandatory.
For a pre-IPO applicant, these figures must be provided for each of the three financial years in the track record period. If the applicant has not experienced any material incident, that fact must be stated explicitly—a “nil return” is acceptable, but silence is not.
Mitigation Measures: The Board’s Role
The disclosure must also detail the board’s role in overseeing cybersecurity risk management. The new Appendix 27, paragraph 6.3(c) requires:
- A description of the board’s cybersecurity governance structure, including the identity of the board member or committee responsible for cybersecurity oversight.
- The frequency of board-level cybersecurity briefings (e.g., quarterly, semi-annually).
- The budget allocated to cybersecurity in the most recent financial year, expressed as a percentage of total IT expenditure.
- The results of any independent cybersecurity audit or penetration test conducted during the track record period.
An applicant that has not conducted an independent penetration test within the 12 months preceding the application should expect a follow-up question from the Listing Division. The HKEX’s 2023 “Guidance on Cybersecurity Risk Management” (GL102-23) explicitly states that “issuers should consider engaging external specialists to conduct periodic penetration testing and vulnerability assessments.”
Practical Challenges for Pre-IPO Applicants
The transition from private company to listed issuer imposes a structural challenge: most private companies do not maintain the level of cybersecurity documentation that the Listing Rules now require. A pre-IPO applicant must reconstruct this documentation for the track record period, a process that can take six to nine months.
The Documentation Gap
A private company typically does not produce board-level cybersecurity risk reports. The board may have approved an IT budget, but it rarely reviews a formal cybersecurity risk register. To satisfy the Listing Rules, the applicant must:
- Commission a retrospective cybersecurity risk assessment covering the track record period.
- Prepare board minutes that document the board’s consideration of cybersecurity risks for each financial year in the track record period.
- Obtain a penetration test report dated within 12 months of the listing application date.
- Create a formal incident response plan that has been approved by the board.
The sponsor will require all of these documents as part of its due diligence. If the applicant cannot produce them, the sponsor must either qualify its opinion or withdraw from the engagement. The SFC’s 2023 “Report on Sponsor Due Diligence” found that 22% of deficiency letters issued in 2022 related to inadequate documentation of risk management processes, including cybersecurity.
Cross-Border Data Flow and VIE Structures
For applicants using a variable interest entity (VIE) structure to access PRC-regulated industries, cybersecurity risk disclosure takes on an additional layer of complexity. The PRC’s Cybersecurity Law (中华人民共和国网络安全法) and the Data Security Law (中华人民共和国数据安全法) impose strict requirements on cross-border data transfers, including mandatory security assessments for data classified as “important data” under the Measures for Data Cross-Border Transfer Security Assessment (数据出境安全评估办法), effective 1 September 2022.
A VIE-structured applicant must disclose in the prospectus:
- Whether any of the applicant’s data is classified as “important data” under PRC law.
- Whether the applicant has obtained the required security assessment approval from the Cyberspace Administration of China (CAC) for any cross-border data transfer.
- The legal and operational risks if the CAC denies or delays the security assessment, including the potential inability to transfer data from PRC subsidiaries to the Hong Kong-listed entity.
The SFC and HKEX jointly issued a “Joint Statement on the Handling of Data Security Matters in Listing Applications” on 8 July 2021, which requires all listing applicants to confirm that they have complied with all applicable data security laws and regulations. This confirmation must be included in the prospectus and supported by a legal opinion from PRC counsel.
The Cost of Compliance
Compliance with the new cybersecurity disclosure requirements carries a direct cost. A comprehensive pre-IPO cybersecurity assessment, including a penetration test, vulnerability scan, and policy review, typically costs between HKD 800,000 and HKD 2,500,000 for a mid-cap applicant, depending on the complexity of the IT infrastructure. This cost must be factored into the listing budget.
For applicants with operations in multiple jurisdictions, the cost is higher. A cross-border assessment covering Hong Kong, Singapore, and the PRC may exceed HKD 4,000,000. The sponsor will require that the assessment be conducted by a firm with relevant experience in the applicant’s industry and jurisdictions.
Enforcement and Liability: What the Applicant Faces
The consequences of inadequate cybersecurity risk disclosure extend beyond a Listing Division enquiry. Under the Securities and Futures (Stock Market Listing) Rules, the SFC may object to a listing application, or direct the suspension of dealings in a listed security, where it considers that the prospectus contains false, incomplete or misleading information or a material omission.
The SFC’s Enforcement Powers
Under section 214 of the Securities and Futures Ordinance (Cap. 571), the SFC may apply to the Court of First Instance for orders, including an order disqualifying a person from being a director of, or otherwise being involved in the management of, a listed corporation for up to 15 years, where the corporation's affairs have been conducted in a manner involving misfeasance or that is unfairly prejudicial to its members. The SFC has used this power in cases involving inadequate disclosure of operational risks, including cybersecurity.
In SFC v. Lee Kwok Tung [2022] HKCFI 789, the Court granted an order disqualifying a director for three years after finding that the prospectus for a technology company failed to disclose a known ransomware attack that occurred six months before the listing. The Court held that the attack was material because it resulted in a 72-hour system outage that affected 15% of the company’s revenue-generating operations.
The Sponsor’s Exposure
The sponsor faces its own liability. Under section 213 of the SFO, the SFC may seek a court order requiring a sponsor to compensate investors who suffered loss as a result of a material misstatement or omission in a prospectus. The SFC has not yet used this provision in a cybersecurity context, but the 2024 Consultation Conclusions explicitly state that "issuers and sponsors should be aware that the SFC will treat cybersecurity risk disclosure as a material component of the prospectus."
The Director’s Personal Liability
Directors of the applicant also face personal liability. Under section 40 of the Companies (Winding Up and Miscellaneous Provisions) Ordinance (Cap. 32), a director who authorises the issue of a prospectus containing an untrue or misleading statement is liable to compensate subscribers who suffer loss as a result. The statutory defence of having had reasonable grounds to believe the statement was true will not protect a director where the correct information, such as an unreported incident, was available within the company but was not disclosed.
Actionable Takeaways
- Commission a retrospective cybersecurity risk assessment covering the full three-year track record period at least nine months before the planned listing application date to allow time for remediation and documentation.
- Ensure the board has formally approved a cybersecurity risk management framework and documented its oversight in board minutes for each financial year in the track record period.
- Obtain an independent penetration test report dated within 12 months of the listing application date, and include the results in the due diligence pack provided to the sponsor.
- For VIE-structured applicants, obtain a legal opinion from PRC counsel confirming compliance with the Cybersecurity Law and Data Security Law, and include a specific risk factor addressing cross-border data transfer risks.
- Budget HKD 1,000,000 to HKD 4,000,000 for cybersecurity compliance costs, including assessments, penetration testing, and legal opinions, and confirm this figure with the sponsor before the engagement letter is signed.