Sponsor · 2025-12-21
A Sponsor's Responsibility to Review the Information System Security of a Listing Applicant
The SFC’s December 2024 circular on cyber resilience and the HKEX’s updated Listing Decision LD143-2024 have placed the information system security of listing applicants squarely within a sponsor’s due diligence scope. For the first time, the regulator has explicitly linked a failure to review a company’s IT infrastructure to potential enforcement action under the Code of Conduct for Persons Licensed by or Registered with the SFC (the Code of Conduct), paragraph 17.6. This shift is not theoretical. In 2024, the SFC reprimanded a sponsor for inadequate IT due diligence in a listing involving a PRC-based fintech firm, citing a lack of independent verification of the applicant’s system architecture and data integrity. The message is clear: a sponsor cannot rely on management representations alone. The HKEX’s Listing Rules, specifically Rule 9.11(24a), now require a sponsor to confirm that the applicant’s business systems are “adequate and appropriate” for its stated operations, a standard that extends directly to cybersecurity protocols. For a sponsor, the cost of non-compliance is not merely a fine; it is a potential suspension of the sponsor’s licence under the Securities and Futures Ordinance (SFO), Section 194. This article dissects the regulatory framework, the practical steps a sponsor must take, and the specific documentation required to satisfy both the SFC and the HKEX.
The Regulatory Framework: From Guidance to Mandate
The SFC has moved from issuing general guidance on cyber resilience to embedding specific requirements within the sponsor’s due diligence obligations. The 2024 circular on cyber resilience for licensed corporations is the most direct statement to date. It states that a sponsor’s duty under paragraph 17.6 of the Code of Conduct to “exercise reasonable care and judgment” extends to assessing a listing applicant’s ability to protect its own information systems from “material disruption, loss of data, or unauthorised access.” This is not a new rule, but it is a significant interpretation of an existing one. The HKEX’s Listing Decision LD143-2024 reinforces this by clarifying that a listing applicant’s failure to disclose a material cybersecurity incident during the track record period constitutes a breach of Listing Rule 2.13(2), which requires all information in a prospectus to be “accurate and complete in all material respects.” For a sponsor, this means that a simple management representation that “systems are secure” is insufficient. The sponsor must obtain independent evidence.
The SFC’s Code of Conduct, Paragraph 17.6
Paragraph 17.6 of the Code of Conduct requires a sponsor to “conduct reasonable due diligence to satisfy itself that the listing applicant’s business systems are adequate and appropriate for its stated operations.” The SFC’s 2024 circular explicitly states that “business systems” includes “information technology infrastructure, data management protocols, and cybersecurity controls.” The sponsor must document its review of the applicant’s IT policies, incident response plans, and third-party vendor risk management. The evidential standard is high: the sponsor must be able to demonstrate, in writing, that it has “independently verified” the applicant’s claims. An internal audit report from the applicant’s own IT department does not meet that standard on its own. The sponsor must either commission its own third-party penetration test or, at a minimum, review the scope, methodology and results of a recent external test or audit and confirm that its scope covered the systems material to the applicant’s business.
The HKEX’s Listing Decision LD143-2024
LD143-2024, published in November 2024, dealt with a listing applicant that had suffered a ransomware attack during its track record period. The applicant’s prospectus did not disclose the incident. The HKEX took the view that the omission was material, as the attack had disrupted the applicant’s core operations for 48 hours and resulted in a loss of customer data. The HKEX stated that the sponsor’s due diligence had been “insufficiently robust” because it had not reviewed the applicant’s incident response logs or verified the effectiveness of the post-incident remediation measures. The decision is a direct warning: a sponsor must treat a cybersecurity incident as a material event requiring disclosure under Listing Rule 11.07. The sponsor’s work programme must include a specific step to identify and assess any cybersecurity events during the track record period, defined as the three full financial years preceding the listing application.
Practical Due Diligence: What a Sponsor Must Do
The regulatory framework translates into a set of concrete actions for a sponsor. The work programme must be tailored to the applicant’s industry, size, and data sensitivity. A fintech applicant processing customer payments will require a deeper review than a traditional manufacturing company. However, the baseline is the same: the sponsor must obtain and review the applicant’s IT security policies, system architecture diagrams, and data flow maps. The sponsor must also interview the applicant’s head of IT and, where possible, the external IT auditor.
Step One: Document Review and Policy Assessment
The sponsor should request the following documents from the listing applicant: (1) the information security policy, (2) the data classification and handling policy, (3) the business continuity and disaster recovery plan, (4) the incident response plan, and (5) the vendor risk management policy. The sponsor must review these documents for completeness and consistency with recognised standards, such as ISO/IEC 27001 or, for applicants in or serving the banking sector, the HKMA’s Supervisory Policy Manual guidance on technology risk management. If the applicant claims to be ISO 27001 certified, the sponsor must obtain the certificate, including its scope statement showing which systems, sites and business units the certification actually covers, and the latest surveillance audit report; a certificate scoped to a single office or a non-critical system is weak evidence for the business as a whole. If the applicant is not certified, the sponsor must assess whether the policies are “adequate and appropriate” for the applicant’s stated operations, as required by paragraph 17.6.
Step Two: Independent Technical Verification
The sponsor must arrange for an independent technical review of the applicant’s systems. This typically takes the form of a penetration test or a vulnerability assessment conducted by a qualified third-party firm. The SFC’s 2024 circular states that the sponsor should “consider the scope and depth of the testing” and ensure that it covers the applicant’s “critical systems,” defined as those that, if disrupted, would have a “material adverse effect” on the applicant’s business. For a listing applicant in the financial services sector, this would include the core banking system, the payment gateway, and the customer database. The sponsor must obtain the penetration test report and review it for any “high” or “critical” severity findings. Severity labels are assigned by the testing firm and do not always track the underlying CVSS base score, so the sponsor should check the scores rather than rely on the labels alone. The sponsor should also note the date of the test and whether the tested environment was production or a faithful replica, since a test is a point-in-time snapshot and a test of a stale staging environment says little about the live estate. If high or critical findings exist, the sponsor must obtain evidence, normally a documented retest by the testing firm, that they have been remediated before the listing application is filed.
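The following is an added worked example, not code from the article or from any regulator or testing firm, showing how a sponsor's technical reviewer could triage a penetration test export mechanically before the report goes into the due diligence file. It applies the three checks described above: every critical system is in scope, every high or critical finding (rated from the CVSS base score, not the vendor's label) has a dated "fixed" retest, and no retest is dated before the finding it supposedly closes. The JSON layout, the system names, the finding identifiers, the dates and the scores are all constructed for illustration; real vendor exports differ and the parsing would need to be adapted.

```python
"""Sponsor-side triage of a third-party penetration test export.

Constructed example: the findings JSON format, system names, dates and
CVSS scores below are hypothetical, not taken from any real report.
"""
import json
from datetime import date

# Hypothetical list of the applicant's critical systems, as the sponsor
# would define them from the architecture review (see Step One).
CRITICAL_SYSTEMS = {"core-banking", "payment-gateway", "customer-db"}

# Constructed sample export. Note the deliberate problems: customer-db is
# not in scope, F-1 is labelled "medium" despite a 9.1 CVSS score, F-2 has
# no retest, and F-3's retest is dated before the finding was reported.
SAMPLE_REPORT = json.dumps({
    "scope": ["core-banking", "payment-gateway", "public-website"],
    "findings": [
        {"id": "F-1", "system": "payment-gateway",
         "title": "Authorisation bypass on refund API",
         "vendor_severity": "medium", "cvss_base": 9.1,
         "found": "2025-03-02",
         "retest": {"result": "fixed", "date": "2025-04-10"}},
        {"id": "F-2", "system": "core-banking",
         "title": "Deprecated TLS configuration",
         "vendor_severity": "high", "cvss_base": 7.4,
         "found": "2025-03-03", "retest": None},
        {"id": "F-3", "system": "public-website",
         "title": "Stored XSS in CMS",
         "vendor_severity": "high", "cvss_base": 8.0,
         "found": "2025-03-05",
         "retest": {"result": "fixed", "date": "2025-02-20"}},
        {"id": "F-4", "system": "public-website",
         "title": "Verbose error page",
         "vendor_severity": "low", "cvss_base": 3.1,
         "found": "2025-03-05", "retest": None},
    ],
})


def cvss_severity(score):
    """Map a CVSS v3.x base score to its qualitative rating (spec table)."""
    if score == 0.0:
        return "none"
    if score < 4.0:
        return "low"
    if score < 7.0:
        return "medium"
    if score < 9.0:
        return "high"
    return "critical"


def triage(report_json, critical_systems):
    """Return (kind, reference) issues the sponsor must clear or explain.

    Kinds: out_of_scope (a critical system the test never touched),
    severity_mismatch (vendor label disagrees with the CVSS rating),
    unremediated (high/critical finding with no 'fixed' retest), and
    retest_predates_finding (retest date cannot evidence remediation).
    """
    report = json.loads(report_json)
    issues = []

    scope = set(report["scope"])
    for system in sorted(set(critical_systems) - scope):
        issues.append(("out_of_scope", system))

    for finding in report["findings"]:
        rating = cvss_severity(finding["cvss_base"])
        if rating != finding["vendor_severity"]:
            issues.append(("severity_mismatch", finding["id"]))
        if rating not in ("high", "critical"):
            continue  # only high/critical findings block the filing
        retest = finding.get("retest")
        if not retest or retest.get("result") != "fixed":
            issues.append(("unremediated", finding["id"]))
            continue
        if date.fromisoformat(retest["date"]) <= date.fromisoformat(finding["found"]):
            issues.append(("retest_predates_finding", finding["id"]))
    return issues


if __name__ == "__main__":
    for kind, ref in triage(SAMPLE_REPORT, CRITICAL_SYSTEMS):
        print(f"{kind:24} {ref}")
```

The point of rating from the CVSS score rather than the vendor label is that F-1 would otherwise be filtered out as "medium" and never reach the remediation check; the date comparison catches a retest record that was copied from an earlier engagement or back-dated. Each issue the script raises should map to a line in the sponsor's file explaining how it was resolved.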
Step Three: Interview and Management Representation
The sponsor must conduct an interview with the applicant’s chief information officer (CIO) or equivalent senior officer. The interview should cover: (1) the applicant’s cybersecurity governance structure, (2) the frequency and results of internal and external audits, (3) any material cybersecurity incidents in the past three years, and (4) the applicant’s budget for IT security. The sponsor must document the interview in a written memorandum. The SFC has made clear that a management representation letter, while useful, is not a substitute for independent verification. The sponsor must be able to point to objective evidence, not just a signed letter.
Documenting the Work Programme: The Sponsor’s File
The sponsor’s due diligence file must contain a clear record of the steps taken to review the applicant’s information system security. This file is the primary evidence that the SFC will examine during an inspection. The SFC’s 2024 circular states that the file should include: (1) a copy of the applicant’s IT security policies, (2) the penetration test report, (3) the interview memorandum, (4) any correspondence with the applicant’s external IT auditor, and (5) a written assessment by the sponsor’s own compliance officer on the adequacy of the review.
The Compliance Officer’s Role
The sponsor’s compliance officer must review the IT due diligence work programme and confirm in writing that it is “reasonable and appropriate” for the applicant’s business. This confirmation must be provided before the sponsor files the listing application with the HKEX. The compliance officer should also check that the work programme covers the specific risks identified in the SFC’s 2024 circular, such as data privacy compliance under the Personal Data (Privacy) Ordinance (PDPO) and the risk of third-party vendor compromise. If the compliance officer is not satisfied, the sponsor must not proceed with the filing until the gaps are addressed.
The Sponsor’s Liability Post-Listing
The sponsor’s liability for a failure to review information system security does not end at listing. The SFC can take enforcement action against a sponsor for a breach of paragraph 17.6 even after the listing, if it later emerges that the sponsor’s due diligence was inadequate. In 2023, the SFC fined a sponsor HKD 16 million for failing to verify a listing applicant’s revenue recognition system, which was later found to have been manipulated. The reasoning in that case applies equally to IT systems: if a sponsor fails to verify a system that is material to the applicant’s business, including the security of that system, it faces the same exposure. This means that a sponsor must retain the IT due diligence file for at least seven years after the listing, in accordance with the SFC’s record-keeping requirements under the Securities and Futures (Keeping of Records) Rules.
Actionable Takeaways
- Treat the SFC’s December 2024 circular on cyber resilience as a binding interpretation of paragraph 17.6 of the Code of Conduct, and update your sponsor’s due diligence work programme to include a specific section on information system security.
- Obtain an independent penetration test or vulnerability assessment report from a qualified third-party firm for every listing applicant, together with retest evidence for any high or critical findings, and document the scope and date of the testing in your compliance file.
- Review the HKEX’s Listing Decision LD143-2024 and ensure your work programme includes a step to identify and assess any material cybersecurity incidents during the applicant’s track record period.
- Require your compliance officer to sign off on the IT due diligence work programme before the listing application is filed, and retain the file for at least seven years post-listing.
- Do not rely on management representations alone; the SFC’s enforcement record shows that independent verification is the only acceptable standard for a sponsor’s due diligence.