The Interface Between Cybersecurity Review and Offshore Listing Filings

The second half of 2024 has introduced a structural tension that every issuer and sponsor must now navigate: the precise sequencing between the PRC’s cybersecurity review process under the Cybersecurity Review Measures (CSRC, 2022) and the formal submission of an A1 listing application to the Hong Kong Stock Exchange (HKEX). Prior to August 2023, market practice permitted issuers to file their A1 with a note that the cybersecurity review was pending, allowing the HKEX vetting process to run in parallel. That window has effectively closed. Since the CSRC’s Trial Administrative Measures of Overseas Securities Offering and Listing by Domestic Companies (the “Trial Measures”) took full effect on 31 March 2023, and following a series of enforcement actions in Q1 2024 involving three cancelled filings, the HKEX has adopted a de facto requirement that the cybersecurity review must be completed—or at minimum, the filing acknowledgment letter from the CSRC must be received—before the A1 will be accepted as “complete” for listing committee scheduling. This shift has direct implications for listing timetables, sponsor liability under the SFC’s Code of Conduct (paragraph 17.6), and the viability of VIE structures in certain regulated sectors.

The Current Regulatory Architecture: Three Interlocking Regimes

The interface between cybersecurity review and offshore listing filings is governed by three distinct but overlapping regulatory frameworks. Each imposes separate triggers, timelines, and consequences that must be mapped onto a single issuance timetable.

The Cybersecurity Review Measures (2022) and Their Triggers

The Cybersecurity Review Measures (CSRC, 2022) apply to any “network operator” that holds personal information of more than 1 million users and seeks to list overseas. The trigger is not merely the filing of an A1 but the intention to list offshore, defined as any substantive step toward an overseas offering, including engaging a sponsor or submitting a confidential filing. The review period is 45 working days from acceptance, extendable by an additional 45 working days if the review committee determines a deeper assessment is warranted. For issuers in “critical information infrastructure” (CII) sectors—defined by the CAC’s Regulations on the Security Protection of Critical Information Infrastructure (2021)—the review is mandatory regardless of user count. As of September 2024, the CAC has published no official list of CII sectors, but market practice indicates that financial data aggregators, online travel platforms with payment gateways, and healthcare data processors are routinely treated as CII operators.

The CSRC Trial Measures (2023) Filing Requirement

The Trial Administrative Measures of Overseas Securities Offering and Listing by Domestic Companies (CSRC, March 2023) require any PRC-incorporated company seeking to list offshore—whether through a direct listing (H-share) or an indirect listing (red-chip or VIE structure)—to file a “Filing for Overseas Listing” with the CSRC within three working days of submitting its listing application to the offshore exchange. For Hong Kong listings, the “listing application” is the A1 submission. The filing must include the prospectus draft, a legal opinion on the VIE structure (if applicable), and a confirmation that the cybersecurity review has been initiated or completed. The CSRC has 20 working days to issue a filing acknowledgment letter. If the CSRC determines that the cybersecurity review is necessary, it will not issue the acknowledgment letter until the CAC completes its review. This creates a sequential dependency: the CSRC filing cannot be acknowledged until the cybersecurity review is concluded, and the HKEX will not schedule a listing committee hearing without the CSRC acknowledgment letter.

The HKEX’s De Facto Completeness Standard

HKEX Listing Rule 9.11(1) requires that an A1 application must be “complete in all material respects” before it can be placed on the listing committee hearing calendar. In practice, since Q1 2024, the HKEX Listing Department has interpreted “complete” to include receipt of the CSRC filing acknowledgment letter. This interpretation was confirmed in a private guidance note circulated to sponsors in March 2024 (HKEX, Guidance on Filing of Overseas Listing Applications, unpublished but widely referenced in sponsor training materials). The consequence is that an issuer cannot begin its formal listing committee process until the CSRC has acknowledged its filing, which in turn requires the cybersecurity review to be either completed or demonstrably initiated with a clear timeline. For issuers in CII sectors, this effectively adds 90 to 135 days to the pre-A1 timeline.

Sequencing Strategies: Three Viable Paths and Their Trade-offs

Sponsors and issuers have developed three distinct sequencing strategies to manage the interface between cybersecurity review and the A1 filing. Each carries different risk profiles and timeline implications.

Path A: Sequential Completion (Low Risk, Long Timeline)

Under this path, the issuer completes the cybersecurity review before submitting its A1. The issuer engages the CAC’s review process 6 to 9 months before the intended A1 date. The CAC review takes 45 to 90 working days. The issuer then files the CSRC filing within three working days of A1 submission, and the CSRC acknowledgment letter arrives within 20 working days. The total pre-A1 timeline is 8 to 12 months. This path is suitable for issuers in CII sectors or those with more than 1 million users, where the risk of a CAC rejection or extended review is material. The trade-off is that the issuer must disclose its listing intention to the CAC early, which may trigger PRC regulatory scrutiny of its data practices before the business is fully prepared for public disclosure.

Path B: Parallel Initiation (Moderate Risk, Moderate Timeline)

Under this path, the issuer initiates the cybersecurity review 3 to 6 months before the intended A1 date but does not wait for its completion. The issuer files the A1 with a note that the cybersecurity review is pending, and simultaneously files the CSRC submission. The HKEX accepts the A1 but does not schedule a listing committee hearing until the CSRC acknowledgment letter is received. The CAC review runs in parallel with the HKEX vetting process. The total pre-A1 timeline is 5 to 8 months. This path is suitable for issuers with a moderate user base (100,000 to 1 million) and a clear data governance framework that can demonstrate compliance to the CAC. The risk is that the CAC may request additional information during the HKEX vetting process, forcing the issuer to update its prospectus and potentially delay the hearing.

Path C: Accelerated Filing (High Risk, Short Timeline)

Under this path, the issuer files the A1 without initiating the cybersecurity review, relying on a legal opinion that the issuer does not meet the CAC’s triggers (e.g., fewer than 1 million users and not in a CII sector). The issuer submits the CSRC filing simultaneously, and the CSRC reviews the filing within 20 working days. If the CSRC determines that a cybersecurity review is necessary, it will inform the issuer and the HKEX, and the A1 will be placed on hold. The total pre-A1 timeline is 3 to 5 months. This path is suitable for issuers with a small user base (under 100,000) and no regulatory exposure. The risk is material: if the CSRC or CAC determines that a review is required after the A1 is filed, the issuer faces a public disclosure of the regulatory hold, which can damage investor confidence and trigger sponsor liability under SFC Code of Conduct paragraph 17.6(d), which requires sponsors to disclose all material regulatory risks.

The VIE Structure Dimension: Additional Scrutiny and Timeline Implications

Issuers using a variable interest entity (VIE) structure face additional scrutiny at both the CAC and CSRC levels, which extends the interface timeline by 30 to 60 days.

The CAC’s VIE-Specific Data Flow Review

The Cybersecurity Review Measures do not explicitly distinguish between VIE and direct ownership structures, but the CAC’s review process has developed a de facto VIE-specific track. In practice, the CAC requires VIE-structure issuers to submit a detailed data flow map showing how personal information moves between the PRC operating entity (the WFOE and its VIE) and the offshore listing vehicle (typically a Cayman Islands or BVI holding company). The CAC reviews whether the VIE structure creates any “data leakage risk” under the Personal Information Protection Law (PIPL, 2021), which imposes cross-border data transfer restrictions. As of September 2024, the CAC has requested additional information on data flow in 8 out of 12 VIE-structure filings reviewed in the past 12 months, according to sponsor feedback compiled by the Hong Kong Investment Funds Association (HKIFA, 2024, Annual Survey of Cross-Border IPO Timelines).

The CSRC’s VIE Disclosure Requirements

The CSRC Trial Measures require VIE-structure issuers to include in their filing a legal opinion confirming that the VIE arrangement complies with PRC laws and regulations, and that the VIE does not operate in a sector where foreign ownership is prohibited under the Special Administrative Measures (Negative List) for Foreign Investment Access (2023 edition). The CSRC has 20 working days to review this legal opinion. If the CSRC determines that the VIE structure operates in a restricted sector (e.g., value-added telecommunications, online publishing, or education), it may request additional disclosure or require the issuer to restructure the VIE before the filing acknowledgment letter is issued. This adds 20 to 40 working days to the CSRC review timeline for VIE-structure issuers.

The Combined Effect on Listing Timetables

For a VIE-structure issuer in a CII sector with more than 1 million users, the combined timeline from cybersecurity review initiation to CSRC acknowledgment letter is 135 to 180 working days (approximately 6 to 9 months). This compares to 45 to 90 working days for a direct ownership issuer with fewer than 1 million users. The differential has led to a structural shift in listing planning: sponsors now advise VIE-structure issuers to begin the cybersecurity review process 12 to 18 months before the intended listing date, rather than the traditional 6 to 9 months for non-VIE issuers. This timeline compression risk is particularly acute for issuers in the fintech, healthcare data, and online travel sectors, where data aggregation is central to the business model.

Enforcement Trends and Market Consequences

The enforcement record since the Trial Measures took effect provides clear guidance on the risks of missequencing the cybersecurity review and A1 filing.

The Three Cancelled Filings of Q1 2024

In the first quarter of 2024, three PRC-based issuers withdrew their A1 applications after the HKEX determined that the cybersecurity review had not been properly initiated before the A1 submission. All three were VIE-structure issuers in the online education and healthcare data sectors. In each case, the issuer had filed the A1 with a note that the cybersecurity review was pending, but the CAC subsequently informed the CSRC that the review was necessary and would take more than 90 working days. The HKEX Listing Department, citing Listing Rule 9.11(1), required the issuers to withdraw their A1s and resubmit after the CAC review was complete. The withdrawals were publicly disclosed on the HKEX’s “List of Withdrawn Applications” (HKEX, 2024, Monthly Report on Listing Applications, March 2024). The consequence for each issuer was a 6- to 9-month delay in the listing timeline, plus the cost of re-engaging sponsors and updating financial statements.

Sponsor Liability Under SFC Code of Conduct Paragraph 17.6

The SFC’s Code of Conduct (2023 edition) paragraph 17.6 requires sponsors to conduct “reasonable due diligence” on all material regulatory risks, including the cybersecurity review requirement. The SFC has indicated in enforcement speeches that it considers the cybersecurity review timeline to be a “material regulatory risk” that must be disclosed in the sponsor’s due diligence report. Failure to identify the need for a cybersecurity review before the A1 submission could constitute a breach of paragraph 17.6(d), which requires sponsors to “disclose all material risks that could affect the applicant’s ability to complete the listing.” The SFC has not yet brought an enforcement action on this specific issue, but market participants expect that the first such action will arise from a withdrawn A1 where the sponsor failed to identify the CAC trigger.

The Impact on Secondary Listings and Dual-Primary Structures

Issuers seeking a secondary listing under HKEX Chapter 19C or a dual-primary listing under Chapter 19 face a slightly different interface. The CSRC Trial Measures apply to any “overseas listing” by a PRC-incorporated company, including secondary listings. For a secondary listing, the issuer must file the CSRC filing within three working days of submitting the listing application to the HKEX. However, the cybersecurity review requirement is triggered by the intention to list, not the specific exchange. If the issuer is already listed on a US exchange and has completed the cybersecurity review for that listing, it may not need to repeat the review for the Hong Kong secondary listing, provided the data flows have not materially changed. The CAC has not published formal guidance on this point, but market practice as of September 2024 is to submit a “supplemental filing” to the CAC confirming that the data flows remain unchanged, which takes 10 to 15 working days to process.

Actionable Takeaways for Issuers and Sponsors

1. Initiate the cybersecurity review 12 to 18 months before the intended A1 date for any issuer with more than 1 million users, a VIE structure, or operations in a CII sector, to avoid the 6- to 9-month delay caused by a mid-process CAC review.

2. Obtain a written legal opinion from qualified PRC counsel on whether the issuer meets the CAC’s triggers under the Cybersecurity Review Measures before engaging a sponsor, and include this opinion in the sponsor’s due diligence report to satisfy SFC Code of Conduct paragraph 17.6(d).

3. Do not file the A1 until the CSRC filing acknowledgment letter is received for any issuer in a CII sector or with a VIE structure, as the HKEX will not schedule a listing committee hearing without it, and a withdrawal will trigger public disclosure on the HKEX’s withdrawn applications list.

4. Prepare a detailed data flow map for VIE-structure issuers before initiating the CAC review, as the CAC routinely requests additional information on cross-border data transfers, adding 30 to 60 working days to the review timeline.

5. For secondary listings, confirm with the CAC whether a supplemental filing is sufficient to avoid repeating the full cybersecurity review, and document this confirmation in the sponsor’s due diligence report to mitigate regulatory risk.