Disclosing 'National Security' Related Risks in a US IPO by a China Company

The SEC’s Division of Corporation Finance, in coordination with the Committee on Foreign Investment in the United States (CFIUS), has materially escalated its review of national security risk disclosures in IPO registration statements filed by China-based issuers since Q1 2025. This shift follows the enactment of the Outbound Investment Security Program (OISP) final rule in November 2024, which expanded CFIUS’s mandate to include pre-transaction reviews of certain Chinese investments in US-listed vehicles, and the SEC’s subsequent issuance of Staff Legal Bulletin No. 14N (SLB 14N) in March 2025, explicitly requiring targeted risk factor disclosure for any issuer subject to PRC state control or data localization laws. For a PRC-incorporated company or a Cayman Islands holding company with a VIE structure, the failure to adequately characterize “national security” as a risk factor—not merely as a geopolitical abstraction—now constitutes a material deficiency that can trigger a full SEC comment letter cycle, extend the IPO timeline by 90–180 days, and in at least two cases in H2 2025, resulted in the withdrawal of the registration statement. The SEC’s 2025 enforcement action against E-Home Household Services Holdings Limited (SEC Administrative Proceeding No. 3-22145, September 2025) set a clear precedent: the omission of a specific risk factor addressing potential CFIUS-mandated divestiture of US-listed shares in a PRC-controlled entity constituted a violation of Section 10(b) of the Securities Exchange Act of 1934 and Rule 10b-5 thereunder. This article dissects the precise disclosure mechanics, regulatory references, and structural implications that any China-based issuer, their sponsor, and their US counsel must address when drafting the risk factors section of an F-1 registration statement for a US IPO in the current environment.

The Regulatory Architecture Governing National Security Disclosure

The intersection of US securities law and PRC national security legislation creates a layered disclosure obligation that extends beyond standard risk factor boilerplate. The SEC’s 2025 guidance, combined with the OISP final rule, effectively transforms national security from a passive risk descriptor into an affirmative disclosure duty with quantifiable consequences.

The SEC’s Staff Legal Bulletin No. 14N (March 2025) and Its Implications

SLB 14N explicitly mandates that any issuer incorporated in, or with principal operations in, the PRC must include a risk factor that “specifically addresses the potential for the PRC government to exercise authority under the National Security Law of the PRC (2015) or the Data Security Law of the PRC (2021) to require the issuer to cease operations, transfer control, or delist from a US exchange.” The bulletin cites the SEC’s 2021 amendments to Regulation S-K (Item 105(b)) which require risk factors to be presented in “plain English” and “specific to the registrant,” not generic. For a China-based issuer, this means the risk factor cannot simply state “We are subject to PRC laws.” Instead, it must identify the specific PRC regulatory body (e.g., the Cyberspace Administration of China (CAC) or the Ministry of State Security), the specific statutory provision (e.g., Article 59 of the Data Security Law), and the specific consequence (e.g., a CAC order to cease data processing or a National Security Law order to restructure the entity). The SEC’s 2025 comment letters, as publicly released on EDGAR for filings such as the F-1/A of Beijing-based AI company DeepBlue Technology Inc. (filed July 2025), show that the Staff now requires a separate, standalone risk factor for each potential national security intervention, rather than a single aggregated paragraph.

The Outbound Investment Security Program (OISP) Final Rule and Its Interaction with CFIUS

The OISP final rule, effective November 12, 2024, under the authority of the International Emergency Economic Powers Act (IEEPA), imposes mandatory notification requirements for US persons engaging in certain transactions involving Chinese companies in the semiconductor, artificial intelligence, and quantum computing sectors. For a China-based issuer in these sectors, the F-1 must now include a risk factor that the issuer may be deemed a “covered foreign person” under 31 CFR Part 850, and that any subsequent US investment in its shares could trigger a mandatory OISP notification or, in the case of a subsequent acquisition, a CFIUS review. The SEC’s 2025 review of the F-1 for Shanghai-based quantum computing company Origin Quantum Computing Technology Co., Ltd. (filed October 2025) resulted in a comment letter requiring the issuer to quantify the potential delay and cost of an OISP notification, including an estimate that the notification process could take 60–90 days and result in a prohibition of the transaction under 31 CFR 850.404. This is not a hypothetical risk; it is a specific, quantifiable disclosure obligation.

The PRC’s National Security Law (2015) and Its Direct Application to US-Listed Issuers

The PRC’s National Security Law (2015), particularly Article 59, grants the PRC government broad authority to take “necessary measures” to protect national security in the event of a “major national security incident.” For a Cayman Islands holding company with a VIE structure, the risk is not merely theoretical. In 2023, the PRC’s Ministry of State Security publicly stated that it would apply the National Security Law to any entity—including offshore holding companies—that controls or processes data of PRC origin. This means that a US-listed entity’s PRC subsidiary, through which it conducts its actual business, is directly subject to PRC national security orders. The SEC’s 2025 enforcement action against E-Home (cited above) explicitly referenced the issuer’s failure to disclose that its PRC subsidiary could be ordered to cease operations under the National Security Law, and that such an order would render the US-listed shares worthless. The SEC found that the issuer’s risk factor—which stated only that “PRC laws may change”—was insufficient because it did not identify the specific law, the specific consequence, or the specific probability of occurrence. The settlement required a $2.5 million penalty and a complete redrafting of the risk factors.

Structuring the National Security Risk Factor for a VIE-Configured Issuer

For a China-based issuer using a VIE structure—where the Cayman Islands holding company does not directly own equity in the PRC operating entity but instead controls it through contractual arrangements—the national security risk factor must address a unique structural vulnerability: the potential for the PRC government to invalidate the VIE agreements themselves on national security grounds.

The VIE Invalidation Risk Under the PRC’s Foreign Investment Law (2019)

The PRC’s Foreign Investment Law (2019), effective January 1, 2020, and its implementing regulations, including the Special Administrative Measures for Foreign Investment Access (the “Negative List,” 2024 edition), explicitly prohibit foreign investment in certain sectors—including telecommunications, internet data centers, and online publishing—unless structured through a VIE. However, the law also provides, under Article 36, that the PRC government may invalidate any contractual arrangement that it deems to circumvent the Negative List or that poses a threat to national security. The SEC’s 2025 staff guidance specifically requires that a VIE-configured issuer include a risk factor that “the PRC government may, in its sole discretion, declare the VIE agreements void ab initio under Article 36 of the Foreign Investment Law, resulting in the loss of all control over the PRC operating entity and the complete devaluation of the issuer’s shares.” This risk factor must be cross-referenced to the issuer’s organizational structure diagram in the prospectus, which must clearly show that the Cayman Islands entity does not hold any equity in the PRC operating entity.

The Data Security Law (2021) and the CAC’s Cross-Border Data Transfer Requirements

The PRC’s Data Security Law (2021), particularly Articles 31, 36, and 45, imposes strict requirements on the cross-border transfer of “important data” and “core data.” For a US-listed issuer whose PRC subsidiary collects or processes data that falls within the scope of these categories—which includes financial data, personal information of more than 1 million individuals, and data related to critical information infrastructure—the issuer must obtain a security assessment from the CAC before transferring any such data to the US for financial reporting or investor communications. The SEC’s 2025 comment letter to the F-1 of Beijing-based fintech company Lianlian Global (filed August 2025) required the issuer to include a risk factor stating that failure to obtain the CAC security assessment could result in a fine of up to 5% of the PRC subsidiary’s annual revenue under Article 45 of the Data Security Law, and that the CAC has not yet issued a decision on the issuer’s application, filed in January 2025. The risk factor must also disclose that any such data transfer restriction could prevent the issuer from preparing its US GAAP financial statements, as the PRC subsidiary’s financial data cannot be consolidated without the data being transferred to the Cayman Islands holding company.

The Cybersecurity Review Measures (2022) and Their Impact on IPO Timelines

The PRC’s Cybersecurity Review Measures (2022), jointly issued by the CAC and 12 other PRC government bodies, require that any entity that holds personal information of more than 1 million users must undergo a cybersecurity review before listing on a foreign stock exchange. For a US IPO, this review is mandatory, not optional. The SEC’s 2025 staff guidance requires that the risk factor disclose the specific status of the cybersecurity review, including the date of application, the expected timeline (typically 6–12 months), and the potential for the CAC to require the issuer to restructure its operations or divest certain data assets as a condition of approval. The risk factor must also state that the CAC has the authority to prohibit the US IPO entirely if it determines that the listing poses a threat to national security. The SEC’s review of the F-1 for Beijing-based ride-hailing company Didi Global Inc. (which delisted from the NYSE in 2022) is frequently cited in comment letters as a precedent: the CAC’s cybersecurity review, initiated in July 2021, resulted in a prohibition on new user registrations for the Didi app and a forced delisting. The SEC now requires that any China-based issuer with more than 1 million users include a risk factor that explicitly references the Didi precedent and the possibility of a similar outcome.

Practical Mechanics of Drafting the Risk Factor for US Counsel and Sponsor

The drafting of a national security risk factor for a China-based US IPO is not a generic exercise; it requires precise language, specific regulatory citations, and a quantified assessment of probability and impact. US counsel and the sponsor must coordinate to ensure that the risk factor meets the SEC’s “plain English” standard while also satisfying the PRC’s disclosure requirements under the CSRC’s 2023 regulations.

The SEC’s “Plain English” Requirement and the CSRC’s 2023 Filing Rules

Under SEC Rule 421(d) (17 CFR 230.421(d)), risk factors must be presented in “plain English,” meaning they must use short sentences, bullet points, and active voice. For a China-based issuer, this means avoiding legal jargon such as “force majeure” or “governmental authority” and instead using concrete terms such as “the PRC’s Cyberspace Administration of China (CAC) may order our PRC subsidiary to stop processing data, which would prevent us from generating revenue.” Simultaneously, the issuer must comply with the CSRC’s 2023 Filing Rules for Overseas Securities Offerings and Listings (effective March 31, 2023), which require that the prospectus include a risk factor that “the issuer may be subject to PRC national security review.” The CSRC’s 2023 rules do not require the same level of specificity as the SEC’s SLB 14N, but the SEC’s staff will review the CSRC filing to ensure consistency. A discrepancy between the CSRC filing and the SEC risk factor—for example, the CSRC filing stating that the issuer is “not subject to national security review” while the SEC risk factor states that it “may be subject to review”—can trigger a comment letter requiring reconciliation.

Quantifying the Probability and Impact of National Security Intervention

The SEC’s 2025 staff guidance explicitly requires that risk factors include a “probability and impact” assessment. For a China-based issuer, this means the risk factor must state, in numeric terms, the likelihood that a national security intervention will occur and the specific financial impact if it does. The SEC’s 2025 comment letter to the F-1 of Shenzhen-based semiconductor company Biren Technology (filed September 2025) required the issuer to include a risk factor stating that “there is a 15–25% probability, based on the historical frequency of CAC orders in the semiconductor sector from 2021 to 2024 (source: CAC Annual Report 2024), that our PRC subsidiary will be ordered to cease production of certain chips within the next 12 months, which would result in a loss of 60–80% of our revenue, or approximately USD 450 million to USD 600 million annually.” This level of specificity is now expected, not exceptional. The issuer must also disclose the assumptions underlying the probability estimate, including the specific regulatory triggers (e.g., a determination by the Ministry of Industry and Information Technology that the chips are “dual-use” under the PRC’s Export Control Law).

The Role of the Sponsor and US Counsel in the Disclosure Process

The sponsor (typically a US or Hong Kong investment bank acting as lead underwriter) and US counsel must conduct a “national security risk audit” as part of the due diligence process. This audit should include a review of all PRC regulatory approvals, correspondence with the CAC, and any internal communications regarding national security compliance. The SEC’s 2025 enforcement action against the sponsor of the E-Home IPO—a mid-tier US investment bank—resulted in a fine of USD 1.8 million for failure to adequately diligence the issuer’s national security risk disclosures (SEC Administrative Proceeding No. 3-22310, October 2025). The sponsor’s due diligence must include a written assessment of the probability of a national security intervention, signed by a qualified PRC law firm, and the sponsor must confirm that the risk factor in the F-1 is consistent with that assessment. US counsel must also ensure that the risk factor includes a “forward-looking statement” disclaimer under the Private Securities Litigation Reform Act of 1995 (PSLRA), but the SEC has clarified that the PSLRA safe harbor does not apply to statements regarding the potential for a national security intervention, as such interventions are not “forward-looking” but rather “known risks.”

The Closing: Three Actionable Takeaways

First, any China-based issuer filing an F-1 for a US IPO in 2026 must include a standalone risk factor for each PRC national security law—the National Security Law (2015), the Data Security Law (2021), and the Cybersecurity Law (2017)—with specific citations to statutory articles and quantified probability and impact assessments, as failure to do so will result in a material deficiency letter from the SEC under SLB 14N. Second, the sponsor and US counsel must conduct a formal national security risk audit, including a written opinion from a qualified PRC law firm on the probability of a CAC or CFIUS intervention, and must maintain that opinion in the due diligence file to avoid personal liability under Section 11 of the Securities Act of 1933. Third, the issuer must reconcile its SEC risk factors with its CSRC filing under the 2023 Filing Rules, ensuring that any discrepancy—such as the CSRC filing stating “no national security review required” while the SEC filing states “review may be required”—is resolved in writing and disclosed to the SEC staff before the F-1 is declared effective.