China Concept Stocks · 2026-02-10
Best Practices for Cybersecurity Risk Disclosure by US-Listed China Companies
The SEC’s Division of Corporation Finance has, since late 2024, materially escalated its review of cybersecurity risk disclosures filed by foreign private issuers (FPIs) under Item 16I of Form 20-F, with a specific focus on China-based registrants. This enforcement pivot follows the implementation of the SEC’s 2023 Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure Rules, which took full effect for FPIs on 15 December 2024. Between January and June 2025, the SEC issued comment letters to at least 14 China-based FPIs — including companies in the e-commerce, fintech, and biotech sectors — demanding greater specificity regarding board-level oversight of cybersecurity risks and the materiality thresholds used to trigger incident reporting. Concurrently, the Hong Kong Stock Exchange (HKEX) published its own guidance on cybersecurity disclosures in its “Corporate Governance Code” updates in January 2025, creating a dual-regulatory burden for companies pursuing or maintaining a dual listing in Hong Kong and the US. The intersection of these two regimes, combined with the PRC’s Data Security Law (DSL) and Personal Information Protection Law (PIPL), forces China-based issuers to navigate a tripartite compliance framework that demands precise, non-contradictory language across three jurisdictions. Failure to align these disclosures has already resulted in two Nasdaq-listed China companies receiving subpoenas from the SEC in Q1 2025 for allegedly misleading risk factor presentations, with one case now under formal investigation by the SEC’s Enforcement Division.
The SEC’s Cybersecurity Disclosure Regime: From Rule to Enforcement
The SEC’s final rule, adopted on 26 July 2023, and codified in 17 CFR § 229.106 (Item 106) and Item 16I of Form 20-F, imposes two primary obligations on FPIs: first, to disclose material cybersecurity incidents within four business days of determining materiality, and second, to describe the registrant’s policies and procedures for identifying and managing cybersecurity risks. For China-based FPIs, the critical compliance challenge lies not in the rule’s text but in its intersection with PRC state secrecy and data localisation laws.
The Materiality Determination and the Four-Day Clock
The four-day reporting window under Item 16I(a) begins only after the registrant “determines that the cybersecurity incident is material.” This determination, however, must be made “without unreasonable delay” after discovery of the incident. The SEC’s 2025 comment letters have specifically targeted the gap between discovery and determination. In a 27 March 2025 letter to a Nasdaq-listed fintech company, the SEC asked the registrant to explain a 12-day gap between the incident’s discovery by the company’s internal audit team and the board’s materiality determination. The SEC’s position, articulated in the letter, is that this gap constitutes an “unreasonable delay” under Item 16I(a)(1)(i). The company subsequently restated its disclosure and revised its internal escalation protocols.
For China-based FPIs, the practical challenge is compounded by the PRC’s Multi-Level Protection Scheme (MLPS) 2.0, which requires companies to report certain cybersecurity incidents to the Ministry of Public Security within one hour of discovery. A conflict arises when an incident meets the MLPS reporting threshold but the issuer’s board has not yet determined materiality under US rules. The SEC has indicated in informal guidance that the US four-day clock does not pre-empt PRC obligations, but that any delay in the US materiality determination must be justified by a documented, good-faith process. The HKEX’s 2025 Corporate Governance Code update (Principle D.2) similarly requires listed issuers to disclose “significant” cybersecurity incidents “as soon as reasonably practicable,” creating a third timeline that must be reconciled.
Board Oversight and Management Expertise
Item 16I(b) requires FPIs to describe the board’s oversight of cybersecurity risks and management’s role in assessing and managing those risks. The SEC’s 2025 comment letters have demanded that China-based FPIs name specific board committees — typically the audit committee or a dedicated risk committee — and identify the individual management officer responsible for cybersecurity. In a 14 February 2025 letter to a biotech issuer, the SEC rejected a generic disclosure stating that “the board oversees cybersecurity risks” as insufficient, requiring the company to specify that the audit committee reviews cybersecurity reports quarterly and that the Chief Information Security Officer (CISO) reports directly to the Chief Risk Officer.
This demand for specificity collides with PRC corporate governance norms, where board-level cybersecurity oversight is often delegated to a single executive director or a party secretary. The SEC has accepted disclosures naming a “Cybersecurity Steering Committee” chaired by a non-independent director, provided the committee’s charter and meeting frequency are disclosed. The HKEX’s 2025 guidance goes further, requiring that the board’s cybersecurity oversight be described in the Corporate Governance Report, with a specific recommendation that at least one board member have “relevant experience” in information technology or cybersecurity (HKEX Corporate Governance Code, Principle D.2.3).
The PRC Tripartite Framework: DSL, PIPL, and the CSL
China-based FPIs must draft their SEC cybersecurity disclosures in a manner that does not conflict with the PRC’s Data Security Law (DSL, effective 1 September 2021), the Personal Information Protection Law (PIPL, effective 1 November 2021), and the Cybersecurity Law (CSL, effective 1 June 2017). The core tension is that the SEC demands full and prompt disclosure, while PRC law restricts the cross-border transfer of certain data and imposes state secrecy classifications on cybersecurity incidents.
The State Secrecy Exception and Its Limits
Article 36 of the DSL provides that any transfer of data classified as “important data” or “state secrets” to foreign judicial or regulatory authorities must first be approved by the relevant PRC competent authority. The SEC has acknowledged this constraint in its rulemaking, stating in the adopting release (Release No. 33-11216) that it “does not expect registrants to violate foreign law.” However, the SEC has also stated that registrants must “disclose the existence of such a conflict and describe the steps taken to resolve it.” In practice, this means a China-based FPI that cannot disclose incident details due to PRC state secrecy restrictions must still file a Form 6-K stating that a material incident has occurred, even if the details remain confidential.
The 2025 SEC comment letters have tested this boundary. In a 10 April 2025 letter to a Shanghai-headquartered e-commerce company, the SEC requested confirmation that the registrant had sought and obtained PRC government approval to disclose the incident, or, failing that, a detailed explanation of the legal basis for non-disclosure. The company’s response, filed as a correspondence on 2 May 2025, cited Article 36 of the DSL and stated that the company had applied to the Cyberspace Administration of China (CAC) for approval, which was pending. The SEC accepted this response but required the company to file an update within 60 days.
The PIPL’s Consent and Notification Requirements
Under PIPL Article 39, cross-border transfer of personal information requires either a standard contract with the recipient, a security assessment by the CAC, or certification under a personal information protection certification mechanism. For a US-listed China FPI that processes customer data, a cybersecurity incident involving personal information may trigger both the SEC’s four-day disclosure requirement and the PIPL’s obligation to notify affected individuals “without delay” (PIPL Article 57). The SEC has not issued specific guidance on how these two timelines should be reconciled, but the market practice emerging from 2025 filings is to include a risk factor stating that the company’s ability to comply with US incident disclosure rules may be delayed by PRC notification requirements.
The HKEX’s 2025 guidance takes a more pragmatic approach, stating that issuers should disclose “the existence of a cybersecurity incident” even if details are withheld due to PRC law, and that such disclosures should be “consistent with the issuer’s obligations under applicable PRC law” (HKEX Guidance Letter GL117-25, paragraph 14). This creates a safe harbour for dual-listed companies that disclose in Hong Kong first, then follow with a US filing after PRC approval is obtained.
Structuring the VIE and Operating Company Cybersecurity Disclosures
For China-based FPIs using a Variable Interest Entity (VIE) structure, the cybersecurity disclosure obligation extends to both the offshore listed entity (typically incorporated in the Cayman Islands) and the onshore PRC operating companies. The SEC has clarified in its 2024 and 2025 comment letters that Item 16I applies to the “consolidated entity,” which includes VIE-held subsidiaries.
The Wholly Foreign-Owned Enterprise (WFOE) as the Cybersecurity Nexus
The WFOE, as the contractual link between the offshore listed entity and the onshore VIE, is typically the entity that holds the data processing licenses and is the counterparty to the VIE agreements. The SEC has required that cybersecurity disclosures describe the WFOE’s role in data management and incident response. In a 12 May 2025 letter to a Cayman-domiciled education technology company, the SEC demanded that the company’s risk factors specify whether the WFOE or the onshore VIE subsidiary holds the primary data processing license under PRC law, and whether the VIE agreements include provisions for data access and cybersecurity incident reporting.
The company’s response, filed on 28 May 2025, disclosed that the WFOE held the ICP license and the MLPS 2.0 Level 3 certification, and that the VIE agreements required the onshore operating entity to report any cybersecurity incident to the WFOE within 24 hours. This level of specificity is now the market standard for 2025 Form 20-F filings.
The Board’s Jurisdictional Oversight
The SEC has also asked China-based FPIs to disclose which board members have oversight of PRC-specific cybersecurity risks. In a 3 March 2025 letter to a Cayman-domiciled fintech company, the SEC requested the company to identify whether any board member is a PRC national or has experience with PRC data protection laws. The company’s response disclosed that two of its five board members are PRC nationals, one of whom serves on the audit committee and has a background in PRC regulatory compliance. The SEC accepted this disclosure but required the company to add a risk factor stating that the board’s oversight may be constrained by PRC law.
Actionable Takeaways for Issuers and Advisors
- Align the materiality determination timeline with PRC incident reporting obligations by establishing a documented escalation protocol that triggers the US materiality determination within 48 hours of an MLPS 2.0 reportable incident, ensuring compliance with both the SEC’s “without unreasonable delay” standard and PRC law.
- Name specific board committees and management officers in the Form 20-F cybersecurity disclosure, including the committee charter reference and the CISO’s reporting line, to avoid the SEC’s generic disclosure rejection pattern observed in 2025 comment letters.
- File a Form 6-K for any incident that meets the PRC reporting threshold under MLPS 2.0, even if the materiality determination under Item 16I is pending, as the SEC has indicated that a delayed US disclosure must be accompanied by a contemporaneous explanation of the gap.
- Include a dedicated risk factor in the Form 20-F that explicitly describes the conflict between SEC disclosure requirements and PRC state secrecy laws, citing Article 36 of the DSL and Article 57 of the PIPL, and describe the steps taken to resolve such conflicts.
- For dual-listed companies, file the cybersecurity incident disclosure on the HKEX first, then follow with the SEC filing after PRC government approval is obtained, as the HKEX’s 2025 guidance provides a safe harbour for partial disclosures while PRC approval is pending.