laitimes

The scope of network security review is outlined, and the rules for overseas listing are gradually clarified

With the promulgation of the Cybersecurity Review Measures (hereinafter referred to as the Review Measures), what changes will be made to the overseas listing rules?

On the first trading day of 2022, the thirteen departments revised and issued the "Review Measures", clarifying that critical information infrastructure operators purchasing network products and services, and network platform operators carrying out data processing activities, affecting or may affect national security, shall conduct a network security review in accordance with the Measures.

Among them, network platform operators who have more than 1 million users' personal information must apply for network security review to the Network Security Review Office if they go public abroad.

At present, the Provisions of the State Council on the Administration of securities issuance and listing by Domestic Enterprises Abroad (hereinafter referred to as the Administrative Provisions) and the Administrative Measures for the Filing of Securities Issued overseas by Domestic Enterprises (hereinafter referred to as the "Filing Measures") are being publicly solicited for comments, which also make it clear that for enterprises listed overseas within the scope of laws and regulations such as foreign investment security review and network security review, before submitting the filing application, the enterprise shall declare a security review in accordance with the law.

"The thirteen departments jointly revised the Review Measures, undertook the establishment of the national data security review system, formed a linkage with the Cybersecurity Law, the Data Security Law, the Personal Information Protection Law and other relevant laws and regulations, and also linked with the State Council's Administrative Provisions, further clarifying and improving the work content and regulatory scope of network security, data security and listing review." Pang Min, chief economist and chief strategist of Huaxing Securities (Hong Kong), told CBN.

The Review Measures have clear provisions on foreign listings, but there is no clear reference to how to list overseas. So do companies listed in Hong Kong need a cyber security review? In this regard, Pang Min believes that in practice, the network security review is still more likely to apply to enterprises planning to go public in Hong Kong, and at the same time, it is not excluded that the Hong Kong regional regulator and the Listing Division of the Hong Kong Stock Exchange require relevant listed enterprises to provide the results of network security and data security review.

Uncertainty is further eliminated

Since the second half of 2021, the market has been waiting for regulatory clarification on rules related to network security review, data security review, personal information protection, etc.

The promulgation of the "Review Measures" means that the network security review has been further clarified.

In terms of the targets of review, where critical information infrastructure operators procure network products and services, and network platform operators carry out data processing activities that affect or may affect national security, they shall conduct a network security review in accordance with the Measures. Network platform operators with more than 1 million users' personal information must apply for a network security review to the Cyber Security Review Office if they go public abroad.

In terms of the content of the review, the products and services, the security of data processing activities, and the possible national security risks will be reviewed.

In terms of review mechanisms, under the leadership of the Central Cyber Security and Informatization Commission, the Cyberspace Administration of China, together with the National Development and Reform Commission, the Ministry of Industry and Information Technology, the Ministry of Public Security, the Ministry of State Security, the Ministry of Finance, the Ministry of Commerce, the People's Bank of China, the State Administration for Market Regulation, the State Administration of Radio and Television, the Securities Regulatory Commission, the State Secrets Bureau, and the State Cryptography Administration, has established a national network security review work mechanism.

The Cyber Security Review Office is located in the State Internet Information Office, which is responsible for formulating relevant systems and norms for network security review and organizing network security reviews.

In terms of the review cycle, the Cyber Security Review Office shall determine whether a review is required and notify the parties in writing within 10 working days from the receipt of the eligible review declaration materials. If it is confirmed that the review is required, the preliminary review shall be completed within 30 working days. If the situation is complicated, it will be extended by 15 working days.

The Review Measures will come into force on 15 February 2022.

It is worth noting that on December 24, 2021, the China Securities Regulatory Commission (CSRC) promulgated the Administrative Provisions and the Filing Measures, and is currently soliciting comments from the public.

According to the above rules, the direct and indirect overseas listing activities of domestic enterprises will be uniformly managed for filing. For enterprises involved in the security review of foreign investment, network security review, and other laws and regulations within the scope of laws and regulations, before submitting the filing application, the enterprise needs to declare a security review in accordance with law.

The New Rules also clearly stipulate the supervision of the overseas listing of enterprises under the control of agreement (VIE) structures – under the premise of complying with domestic laws and regulations, VIE structure enterprises that meet the compliance requirements can go overseas for listing after filing.

The deadline for solicitation of comments is 23 January 2022, and the industry is expected to implement the Review Measures simultaneously.

Pang Min analyzed that the above rules are connected with each other, further clarifying and improving the work content and regulatory scope of network security, data security and listing review.

"Whether it is for enterprises, financial institutions or even regulators and authorities, there may be a learning curve, and it is likely that there will be a process of familiarity and running-in for all parties in the early stage of implementation of the new regulations." He said that after setting boundaries, clarifying the process, and clarifying the rights and responsibilities, the uncertainty of listing applications, filings, and reviews is expected to drop significantly.

Listing in Hong Kong may not exclude review

With Chinese stocks encountering a "darkest moment" in the United States, Hong Kong, China, has become a more favored option for overseas listings. How the promulgation of the Review Measures affects enterprises listed in Hong Kong has attracted special attention from the market.

In the view of industry insiders, the high probability of listing in Hong Kong is not excluded from the scope of network security review.

From the context of the public statement of the regulator, the emphasis is also on overseas listing supervision, rather than foreign listing.

For example, on December 30, 2021, Yi Huiman, chairman of the CHINA Securities Regulatory Commission, said in an interview that it will "steadily promote the two-way opening of the capital market system, strengthen the interconnection of domestic and foreign markets, accelerate the reform of the overseas listing filing system, strengthen international securities regulatory cooperation, handle the relationship between openness and security, and support enterprises to make better use of the two markets and the development of two resources".

Pang Min told reporters that from the text point of view, article 7 of the revised Review Measures only proposes that "network platform operators who have more than 1 million users' personal information must apply for network security review to the Network Security Review Office if they go to the Cyber Security Review Office for listing abroad", but in practice, the network security review is still more likely to apply to enterprises that intend to go public in Hong Kong.

First, the revised Administrative Provisions clarify that the filing materials submitted by issuers to the CSRC include "safety assessment review opinions issued by relevant departments (if applicable)", and considering that the State Council's order rank is higher than that of departmental regulations, it is possible to conduct a security assessment review of the data involving enterprises intending to list in Hong Kong.

Secondly, the third paragraph of article 13 of the revised Regulations on the Administration of Network Data Security stipulates that "where a data processor goes public in Hong Kong and affects or may affect national security", it shall be subject to a network security review in accordance with the relevant provisions of the state, and there is a clause that "other data processing activities that affect or may affect national security" should also be submitted for review.

Therefore, considering the factors of time, cost, compliance, risk prevention and control, etc., enterprises that intend to go public in Hong Kong are likely to take the initiative to declare for network security review.

Third, article 16 of the revised Review Measures provides that "network products and services and data processing activities that are believed by member units of the network security review work mechanism to affect or may affect national security shall be reviewed by the Network Security Review Office in accordance with the procedures and after reporting to the Central Network Security and Informatization Commission for approval, they shall conduct a review in accordance with the provisions of these Measures." ”

Moreover, the China Securities Regulatory Commission has been added as a member of the network security review work mechanism, and there are no legal and procedural obstacles for the relevant departments to take the initiative to conduct a network security review of enterprises that intend to go public in Hong Kong.

In Pang Min's view, under the requirements of the new overseas listing regulations and the new information security regulations, companies with strong industry leadership, less sensitive data retention, mainly built by non-RMB funds, and whose core teams are more competitive for foreign investors, under the market segments of the mainland consumer, medical and health industries, Internet and information services, still have the need to go overseas, especially to Hong Kong.

"Compared with the A-share market, due to the needs of overseas financing, the investor base, the regulatory situation of the industry, the convenience of listing in red-chip and VIE structures, and the continuous innovation of the Hong Kong stock market, it is expected that the companies to be listed and the US-China stocks that are considering returning will still be the priority listing places at this stage will still be Hong Kong stocks." Pang Min said.

Read on