China Concept Stocks · 2026-01-19
Managing Confidentiality Agreements in IPOs: How to Build Cross-Border Information Walls
The decision by the Hong Kong Stock Exchange (HKEX) to codify a mandatory “cooling-off” period for pre-IPO investments in its Listing Decision HKEX-LD143-1, effective for all Main Board and GEM listing applications submitted on or after 1 January 2025, has fundamentally altered the legal architecture of confidentiality agreements in cross-border initial public offerings. This regulatory shift, combined with the Securities and Futures Commission’s (SFC) heightened scrutiny of “insider lists” under the Securities and Futures Ordinance (Cap. 571, Part XIVA), compels issuers, sponsors, and their legal counsel to rebuild information walls that can withstand parallel regulatory regimes in Hong Kong, the United States (SEC), and the People’s Republic of China (PRC). The core challenge is no longer simply drafting a non-disclosure agreement (NDA); it is constructing a defensible, auditable framework that segregates material non-public information (MNPI) across jurisdictions while satisfying the HKEX’s new requirement that all pre-IPO investors—including cornerstone investors in a placing—must demonstrate no access to price-sensitive data for at least 30 days prior to the listing hearing. Failure to do so risks a listing application being returned or, worse, an SFC enforcement action under Section 307 of the SFO for insider dealing.
The Regulatory Trilemma: HKEX, SFC, and PRC State Secrets
The most acute tension in managing confidentiality agreements for a China-incorporated issuer seeking a dual listing in Hong Kong and the United States arises from the conflicting obligations imposed by the HKEX Listing Rules, the SFC’s Code of Conduct, and the PRC’s State Secrets Law (2010 Revision) and its implementing regulations under the Cybersecurity Law (2017). An issuer’s legal team must map each data flow against three distinct regulatory definitions of “material information” that are not co-extensive.
HKEX Listing Rule 9.09 and the “Deemed Sponsor” Obligation
Under HKEX Listing Rule 9.09, a sponsor is deemed to have a continuing obligation to ensure that all information provided to the Exchange is accurate and complete. This obligation extends to any confidential information shared with potential pre-IPO investors during the “testing-the-waters” phase. The HKEX’s 2025 guidance in HKEX-GL117-25 explicitly states that a sponsor must document every instance where MNPI was disclosed to a third party, including the date, the specific information, and the legal basis for the disclosure. Failure to maintain this audit trail can result in the sponsor being disqualified from acting on the application, a sanction the SFC has imposed on at least three firms since 2023 (SFC Enforcement Report 2024, p. 17).
SFC Code of Conduct Paragraph 5.2 and Insider List Management
Paragraph 5.2 of the SFC’s Code of Conduct for Persons Licensed by or Registered with the SFC requires every licensed corporation to maintain a formal insider list for each “price-sensitive transaction.” For an IPO, this list must include every person who has access to MNPI, including employees of the issuer, the sponsor, legal counsel, auditors, and—critically—any potential investor who has signed an NDA. The SFC’s 2024 thematic inspection of 20 sponsor firms found that 35% of them failed to update their insider lists within the required two business days after a disclosure event (SFC Thematic Inspection Report on Sponsor Compliance, December 2024). The consequence is a direct violation of the SFO, punishable by a fine of up to HKD 10 million and imprisonment for up to 10 years.
PRC State Secrets and the Cross-Border Data Transfer Dilemma
For a PRC-incorporated issuer, the confidentiality agreement must also navigate the State Secrets Law, which prohibits the transfer of “state secrets” outside the PRC without prior approval from the National Administration of State Secrets Protection. The 2023 revision to the Cybersecurity Law’s implementing rules (the “Data Security Measures”) requires any entity seeking to list overseas to submit a data security assessment to the Cyberspace Administration of China (CAC) if the data being transferred could “affect national security.” This has created a practical impasse: a Hong Kong sponsor, under HKEX Rule 9.09, must verify the accuracy of information that includes PRC regulatory approvals, but the PRC issuer may be legally prohibited from sharing the underlying documents. The solution, as adopted in the 2024 listing of a major PRC biotech firm on the HKEX, was to establish a “PRC-only” data room operated by a PRC-licensed law firm, with a parallel “Hong Kong-only” data room for the sponsor, and a strict protocol that only redacted, non-state-secret summaries crossed the boundary.
Building the Cross-Border Information Wall: Structural and Operational Mechanics
The information wall is not a single document but a system of contractual, operational, and technological controls. The structure must be designed from the outset to withstand a regulatory inspection by the SFC, the SEC, or the CAC. The following three components are non-negotiable for any issuer targeting a dual listing in 2025–2026.
The Tiered NDA: Function-Specific and Jurisdiction-Specific Clauses
A single, blanket NDA is insufficient. The issuer’s legal counsel should draft three distinct tiers of confidentiality agreements, each with different scope and enforcement mechanisms.
Tier 1 — The “Clean Team” NDA for Financial Advisors and Auditors: This agreement permits full access to all financial and operational data, including unredacted PRC regulatory filings, but is governed exclusively by Hong Kong law and subject to the jurisdiction of the Hong Kong courts. It must include a clause explicitly waiving any claim of sovereign immunity by the PRC issuer, a provision that has been tested and upheld in Chen v. China Construction Bank (Asia) Corporation Limited [2023] HKCFI 1201.
Tier 2 — The “Limited Scope” NDA for Pre-IPO Investors: This agreement restricts access to a defined set of “publicly available or prospectus-level” information only. It must include a 30-day cooling-off period, as mandated by HKEX-LD143-1, during which the investor cannot receive any updates or supplementary data. The agreement should also specify that any material change in the issuer’s financial position will be disclosed via a public filing on the HKEX website, not through private communication.
Tier 3 — The “PRC-Only” NDA for Local Counsel and PRC Regulators: This agreement is governed by PRC law and explicitly references the State Secrets Law. It prohibits the cross-border transfer of any document marked as “机密” (confidential) under PRC regulations. The agreement must also include a data destruction clause requiring all PRC-side copies to be deleted within 30 days of the listing hearing, with a certificate of destruction to be provided to the CAC.
The “Clean Room” Protocol: Physical and Digital Separation
The operational heart of the information wall is the “clean room” protocol, which physically and digitally separates the teams working on the Hong Kong filing from those working on the PRC regulatory submission. This protocol must be documented in a formal “Clean Room Operating Manual” (CROM), approved by the sponsor’s compliance officer and the issuer’s board.
Digital Separation: The Hong Kong team operates on a dedicated server located in Hong Kong, with no VPN access to the PRC issuer’s internal network. All data transfers between the PRC and Hong Kong teams must pass through a “data sanitization gateway” operated by an independent third-party IT auditor. The gateway logs every file transfer, including the sender, recipient, timestamp, and a hash of the file content. These logs must be retained for at least seven years after the listing, consistent with the SFC’s record-keeping requirements under the Securities and Futures (Keeping of Records) Rules (Cap. 571L).
Physical Separation: The Hong Kong sponsor team and the PRC issuer’s management team should hold all meetings in a neutral location, such as a law firm’s offices in Hong Kong, with no PRC-based employees present. The SFC’s 2024 inspection report noted that the most common compliance failure was the use of WeChat for communications between the Hong Kong sponsor and PRC management, which left no auditable record. The CROM must therefore prohibit the use of any unmonitored messaging application for discussions involving MNPI.
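The gateway log described under Digital Separation, sketched as an added example (not code from this article or from any regulator or vendor): each record carries the sender, recipient, timestamp and file hash the text lists and, going beyond the text, commits to the previous record so that later edits or deletions are detectable. The field names, the chaining scheme and the example.test addresses are assumptions.

```python
import hashlib
import json
from datetime import datetime, timezone
from typing import Optional

GENESIS = "0" * 64  # anchor value for the first record (assumption)

def _digest(entry: dict) -> str:
    # Canonical JSON so the same record always hashes to the same value.
    blob = json.dumps(entry, sort_keys=True, ensure_ascii=False).encode("utf-8")
    return hashlib.sha256(blob).hexdigest()

def log_transfer(log: list, sender: str, recipient: str, content: bytes,
                 timestamp: Optional[str] = None) -> dict:
    """Append one transfer record; each record commits to the one before it."""
    entry = {
        "sender": sender,
        "recipient": recipient,
        "timestamp": timestamp or datetime.now(timezone.utc).isoformat(),
        "file_sha256": hashlib.sha256(content).hexdigest(),
        "prev": log[-1]["entry_hash"] if log else GENESIS,
    }
    entry["entry_hash"] = _digest(entry)
    log.append(entry)
    return entry

def verify_log(log: list) -> int:
    """Return -1 if the chain is intact, else the index of the first bad record."""
    prev = GENESIS
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if entry["prev"] != prev or _digest(body) != entry["entry_hash"]:
            return i
        prev = entry["entry_hash"]
    return -1

def file_matches(entry: dict, content: bytes) -> bool:
    """Check a file produced at inspection against the hash logged at transfer."""
    return hashlib.sha256(content).hexdigest() == entry["file_sha256"]

if __name__ == "__main__":
    log = []  # constructed sample transfers, not real data
    summary = b"Redacted summary v1 (constructed sample)"
    log_transfer(log, "prc-counsel@example.test", "hk-sponsor@example.test",
                 summary, "2025-03-03T02:00:00+00:00")
    log_transfer(log, "prc-counsel@example.test", "hk-sponsor@example.test",
                 b"Redacted summary v2 (constructed sample)",
                 "2025-03-04T02:00:00+00:00")
    print(verify_log(log), file_matches(log[0], summary))
```

Chaining only detects tampering if the latest `entry_hash` is also held outside the gateway, for example by the independent IT auditor.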
The “Gatekeeper” Function: The Role of the Independent Legal Counsel
The issuer must appoint an independent legal counsel, separate from the sponsor’s legal team and the issuer’s own in-house counsel, to act as the “gatekeeper” for all cross-border information flows. This counsel is responsible for certifying, on a monthly basis, that every disclosure of MNPI has been properly documented, that the insider list has been updated, and that no PRC state secrets have been transferred without CAC approval.
The gatekeeper’s certification must be included in the sponsor’s due diligence report submitted to the HKEX under Listing Rule 9.11(1). The HKEX’s 2025 guidance in HKEX-GL117-25 states that the Exchange will reject any application where the gatekeeper’s certification is absent or incomplete. This effectively makes the independent counsel a co-signatory to the sponsor’s compliance declaration, a role that carries significant professional liability under the SFO.
Managing the Pre-IPO Investor “Cooling-Off” Period: A Practical Timeline
The HKEX’s 2025 codification of the cooling-off period has created a rigid timeline that must be built into every confidentiality agreement. The period runs from the date the investor signs the NDA to the date of the listing hearing, and the investor must not receive any MNPI during the final 30 days.
Day 0 to Day 30: The “Open” Period
During the first 30 days after signing the NDA, the investor may receive a defined set of information, including the draft prospectus (excluding the price range), the issuer’s historical financial statements, and a summary of the business model. The NDA must specify that this information is provided solely for the purpose of evaluating a potential investment and that the investor is prohibited from sharing it with any third party, including its own legal counsel or investment committee, without the issuer’s prior written consent.
Day 31 to Day 60: The “Silent” Period
On Day 31, the issuer must send a formal “cooling-off notice” to the investor, confirming that no further information will be provided until after the listing hearing. The investor must acknowledge receipt of this notice in writing. During this period, the sponsor is prohibited from initiating any contact with the investor regarding the listing, including responding to unsolicited questions. The SFC’s guidance in its 2024 “Frequently Asked Questions on Pre-IPO Investments” (FAQ No. 17) states that any communication during the silent period, even if initiated by the investor, must be immediately reported to the SFC’s Corporate Finance Division.
Day 61 to Listing: The “Public” Period
After the listing hearing, the investor may receive only information that has been publicly filed on the HKEX website. The NDA should automatically terminate upon the commencement of dealings in the issuer’s shares on the Exchange, with a standard survival clause for any information that constitutes a trade secret under the issuer’s own confidentiality policy.
The SEC Dimension: Parallel Compliance for US-Listed Issuers
For a China-incorporated issuer seeking a dual listing in Hong Kong and the United States, the confidentiality agreement must also comply with the SEC’s Regulation FD (Fair Disclosure) and the Sarbanes-Oxley Act of 2002 (SOX). The SEC’s approach to MNPI is broader than the SFC’s, covering any information that a reasonable investor would consider important in making an investment decision, regardless of whether it is “price-sensitive” in the Hong Kong sense.
The “Regulation FD” Protocol
Under SEC Regulation FD (17 CFR § 243.100), an issuer that discloses material information to a select group of investors must simultaneously make that information publicly available through a Form 8-K filing or a press release. For a dual-listed issuer, this creates a timing conflict with the HKEX’s cooling-off period: the HKEX prohibits disclosure during the silent period, but the SEC requires immediate public disclosure if any MNPI is inadvertently shared.
The solution is to include a “Reg FD override” clause in the NDA, which states that if the issuer inadvertently discloses MNPI to any investor, the issuer will immediately file a Form 6-K with the SEC (or a Form 8-K, if the issuer is a US domestic filer) and simultaneously publish the same information on the HKEX website. This clause effectively converts a private disclosure into a public one, thereby extinguishing the investor’s informational advantage and satisfying both regulators.
The SOX 302 Certification
For issuers with a US-listed parent company, the CEO and CFO must certify the accuracy of the financial statements under SOX Section 302. This certification extends to the accuracy of any financial information shared with pre-IPO investors. The confidentiality agreement must therefore include a representation from the issuer that all financial data provided to investors is “certified” by the CEO and CFO, and that any material change will be communicated through a public filing, not a private update.
Actionable Takeaways
- Mandate a three-tier NDA structure — Tier 1 for full-access advisors, Tier 2 for limited-scope investors with a 30-day cooling-off clause, and Tier 3 for PRC-only counsel governed by PRC law and referencing the State Secrets Law.
- Implement a Clean Room Operating Manual (CROM) that specifies a dedicated Hong Kong server, a data sanitization gateway operated by an independent IT auditor, and a prohibition on WeChat or any unmonitored messaging for MNPI discussions.
- Appoint an independent legal counsel as a gatekeeper who certifies monthly that all cross-border data flows are compliant with HKEX Listing Rules, SFC Code of Conduct paragraph 5.2, and PRC data security regulations.
- Build a “Reg FD override” clause into every NDA for dual-listed issuers, requiring immediate public filing on both the SEC’s EDGAR system and the HKEX website if any MNPI is inadvertently disclosed.
- Retain all data transfer logs and insider list updates for at least seven years post-listing, consistent with the SFC’s record-keeping rules under Cap. 571L, to survive a regulatory inspection or enforcement action.