Sensitive Information Management Procedures Before an IPO

The SFC’s enforcement report for 2024 recorded a 45% year-on-year increase in disciplinary actions against sponsors and listed companies for inadequate internal controls, with a particular focus on the handling of material non-public information (MNPI) during the pre-IPO period. For companies targeting a Main Board or GEM listing on HKEX, the gap between commercial necessity and regulatory compliance has never carried higher personal liability risk. Under the Securities and Futures Ordinance (SFO, Cap. 571), Section 307G imposes a strict liability regime for insider dealing, meaning a director who inadvertently shares quarterly revenue figures with a potential cornerstone investor before the prospectus is registered can face criminal prosecution regardless of intent. Concurrently, the HKEX’s Listing Decision LD127-2023 clarified that the Exchange will treat a failure to maintain a proper “wall-crossing” process as a disclosure failure under Listing Rules Chapter 8. This article provides a procedural framework for establishing sensitive information management procedures (SIMPs) from the initial board committee (BC) resolution through to the submission of the A1 application, citing specific rule provisions and market practice benchmarks.

The Legal Basis for Pre-IPO Information Controls

The Statutory Framework Under the SFO and the Listing Rules

The primary statutory instrument governing MNPI in Hong Kong is Part XIVA of the SFO, which defines “inside information” under Section 307A as specific information that is not generally known, and which would be likely to materially affect the price of the listed securities if it became generally known. For a pre-IPO company, this definition applies from the moment the board resolves to pursue a listing — typically the first board committee (BC) resolution — because that resolution itself constitutes price-sensitive information.

HKEX Listing Rule 8.04 requires that an issuer and its business must be “suitable for listing,” which the Exchange interprets through the suitability guidance in Listing Decision LD127-2023 to include the existence of an effective internal control system for handling confidential information. The decision explicitly states that a sponsor must confirm, in the sponsor’s declaration submitted with the A1 application, that the applicant has implemented procedures to prevent the leakage of inside information during the listing process. Failure to do so can result in the application being returned or the sponsor being referred to the SFC for disciplinary action.

The Director’s Personal Liability Exposure

Section 307G of the SFO creates a strict liability offence for insider dealing. The SFC’s 2024 enforcement data shows that 12 out of 28 insider dealing cases involved directors of companies in the 12-month period immediately preceding their IPO. The defence of “reasonable measures” under Section 307I is available only if the director can demonstrate that the information was not communicated, or that the director had in place and complied with “adequate procedures” for preventing such communication. This shifts the evidentiary burden onto the director and the company to document every step of information control.

Building the Information Management Architecture Pre-BC

The Information Classification Matrix

Before the first board committee (BC) meeting to approve the listing timeline, the company secretary or legal counsel should establish a written information classification matrix. This matrix categorises all material business data into three tiers:

• Tier 1 – Board and Sponsor Eyes Only: Financial projections, legal settlement terms, valuation ranges, cornerstone investor negotiations, and the draft prospectus. Access is limited to the CEO, CFO, company secretary, and the sponsor’s managing director.
• Tier 2 – Senior Management and Working Group: Operational KPIs, customer concentration data, supplier contracts exceeding HKD 10 million, and regulatory filing status. Access requires a signed confidentiality undertaking.
• Tier 3 – General Employee Awareness: Publicly available information and non-price-sensitive operational data.

The matrix must be approved by the BC and minuted in the first BC resolution. The SFC’s “Code of Conduct for Persons Licensed by or Registered with the SFC” (the Code of Conduct), paragraph 12.1, requires that licensed persons (including sponsors) ensure that their clients have “adequate policies and procedures for the handling of inside information.” The classification matrix serves as the documentary evidence of this requirement.

The Physical and Digital Segregation Protocol

Physical segregation of documents is often overlooked in an era of cloud-based collaboration. For pre-IPO work, the sponsor and legal counsel typically require a dedicated virtual data room (VDR) with granular access controls. The VDR should be configured to prevent downloading, printing, or forwarding of Tier 1 documents. The company’s internal file-sharing systems — whether Microsoft Teams, Google Workspace, or Slack — must be segregated by a separate “IPO Working Group” channel to which only Tier 2-cleared personnel have access.

A practical benchmark: the HKEX’s “Guidance for Listing Applicants on the Use of Virtual Data Rooms” (2023 update) recommends that the VDR audit trail be maintained for at least seven years after the listing. This audit trail must show who accessed which document, at what time, and from which IP address. For companies with a PRC parent or subsidiary, the PRC Cybersecurity Law (Article 37) and the Data Security Law (Article 21) impose additional requirements for cross-border data transfer of “important data,” which may include financial projections and customer lists. The VDR should be hosted on a server that complies with both Hong Kong’s Personal Data (Privacy) Ordinance (Cap. 486) and PRC regulations, typically through a Hong Kong-based cloud provider with a PRC mirror.

Wall-Crossing and Selective Disclosure Protocols

The Pre-Marketing Wall-Crossing Procedure

Wall-crossing is the process of selectively disclosing inside information to potential cornerstone investors, analysts, or underwriters before the prospectus is publicly available. Under the SFC’s “Guidelines on the Disclosure of Inside Information” (June 2012, updated 2022), a wall-crossing must be conducted only when the information is necessary for the recipient to perform their role in the listing process, and only after the recipient has signed a non-disclosure agreement (NDA) that explicitly acknowledges the recipient’s obligation to keep the information confidential and not to trade in the securities of the company or any related entity.

The standard market practice, as documented in the HKEX’s “Guide for New Listing Applicants” (2024 edition), requires the following steps to be minuted:

1. The sponsor identifies the need to wall-cross a specific counterparty (e.g., a potential cornerstone investor).
2. The company secretary prepares a wall-crossing memo that identifies the information to be disclosed, the recipient, and the business rationale.
3. The memo is approved by the CEO and CFO.
4. The NDA is executed before any information is communicated.
5. The wall-crossing is recorded in a central register maintained by the company secretary, including the date, time, and duration of the disclosure.

A common compliance failure, cited in SFC enforcement actions against two sponsors in 2023, is the failure to include a “clean-up” clause in the NDA that requires the recipient to destroy or return the information if the wall-crossing is not completed (i.e., if the investor declines to proceed). Without this clause, the recipient retains the inside information, creating ongoing insider dealing risk.

The “Quiet Period” and Selective Disclosure Restrictions

Listing Rule 9.09(1) imposes a “quiet period” from the date of the A1 application submission until the date on which the listing document is registered. During this period, the issuer and its directors are prohibited from making any public announcement that is not contained in or consistent with the listing document. This rule is often interpreted narrowly — it applies to any communication that could be construed as promoting the securities or providing material information that is not in the prospectus.

The SFC’s “Guidelines on the Disclosure of Inside Information” (paragraph 3.4) further clarifies that selective disclosure to analysts or journalists during the quiet period is a breach of the issuer’s continuing obligation to disclose inside information as soon as reasonably practicable under Part XIVA of the SFO. For pre-IPO companies, this means that any communication with the media, analysts, or even industry conferences must be reviewed by the sponsor and legal counsel to ensure it does not contain any information that is not already publicly available or that could be considered price-sensitive.

The Role of the Company Secretary as Gatekeeper

The Central Register and the Audit Trail

The company secretary is the statutory officer responsible for maintaining the central register of inside information under the company’s SIMP. Under the Companies Ordinance (Cap. 622), Section 474, the company secretary must ensure that the minutes of board meetings and committee meetings are properly recorded and kept for at least seven years. For pre-IPO work, the central register should include:

• The information classification matrix (approved by BC).
• The wall-crossing register (including all NDAs).
• The VDR audit trail (exported quarterly).
• The record of all training sessions on MNPI handling for directors and senior management.
• The minutes of any BC or audit committee meeting that discusses information control procedures.

The SFC’s “Thematic Inspection of Sponsor Work on IPO Applications” (2022 report) found that 35% of the IPO applications inspected had deficiencies in the sponsor’s documentation of the issuer’s information control procedures. The most common deficiency was the absence of a central register that could be produced on demand during the SFC’s inspection of the sponsor’s working papers.

Training and Certification Requirements

The HKEX’s “Listing Committee Decision LD127-2023” requires that the sponsor confirm that the directors and senior management of the applicant have received training on the handling of inside information. This training must be documented, with each participant signing a certification that they understand their obligations under Part XIVA of the SFO and the company’s SIMP.

A practical approach adopted by most Hong Kong law firms advising on IPOs is to conduct a two-hour training session within 30 days of the first BC resolution, covering:

• The definition of inside information under SFO Section 307A.
• The prohibition on insider dealing under Section 307G.
• The company’s specific information classification matrix.
• The wall-crossing procedure.
• The consequences of breach, including personal criminal liability (maximum fine of HKD 10 million and imprisonment for 10 years under Section 307F).

The training materials and the signed certifications should be retained in the central register and made available to the sponsor for inclusion in the sponsor’s declaration.

The A1 Application and the Sponsor’s Declaration

The Sponsor’s Confirmation on Internal Controls

When the sponsor submits the A1 application to HKEX, the sponsor must include a declaration in the prescribed form (Form A1) confirming that the applicant has in place “adequate procedures” for the handling of inside information. This declaration is not a pro forma statement — the SFC’s “Code of Conduct for Persons Licensed by or Registered with the SFC” (paragraph 17.6) requires the sponsor to have conducted sufficient due diligence to form a reasonable belief that the procedures are effective.

The due diligence typically includes:

• Review of the central register.
• Interviews with the company secretary, CFO, and CEO.
• Review of the VDR audit trail.
• Testing of the wall-crossing procedure by conducting a mock wall-crossing.

If the sponsor identifies deficiencies, the sponsor must either require the issuer to remediate before filing the A1 application or, if the deficiencies are material, decline to submit the application. The SFC’s enforcement record shows that in 2023, one sponsor was fined HKD 8 million for failing to identify that the issuer had not implemented any information control procedures before the A1 submission.

The Post-A1 Period and the Prospectus Registration

After the A1 application is filed, the information control obligations do not diminish. The quiet period under Listing Rule 9.09(1) remains in effect until the prospectus is registered. During this period, the company secretary must continue to maintain the wall-crossing register for any additional disclosures made during the HKEX’s vetting process (e.g., responding to the Exchange’s comments on the draft prospectus).

The prospectus itself, once registered, becomes a public document. However, any information that is contained in the prospectus but that was previously inside information must be disclosed through the HKEX’s electronic disclosure system (EPS) as soon as reasonably practicable after the prospectus is registered, to ensure that the market has equal access to the information. Failure to do so can result in a breach of the continuing disclosure obligations under Part XIVA of the SFO, which apply from the moment the listing becomes effective.

Actionable Takeaways

1. Establish the information classification matrix at the first BC resolution and minute its approval — this single document serves as the foundation for the sponsor’s declaration and the SFC’s inspection of internal controls.
2. Conduct the mandatory MNPI training for all directors and senior management within 30 days of the first BC meeting, with signed certifications retained in the central register for at least seven years.
3. Implement a wall-crossing procedure that includes a written memo, an NDA with a clean-up clause, and a central register — the SFC’s 2023 enforcement actions demonstrate that a missing clean-up clause is a recurring compliance failure.
4. Maintain a VDR with full audit trail capability and a seven-year retention policy, ensuring compliance with both Hong Kong’s PDPO and PRC’s cross-border data transfer requirements.
5. Require the sponsor to conduct a mock wall-crossing test before the A1 application submission — this test provides documentary evidence that the procedures are operational, not merely theoretical.