Sponsor Compliance Desk

Sponsor · 2026-02-02

A Sponsor's Verification of the Listing Applicant's Cybersecurity Incident History

The SFC and HKEX have sharpened their focus on listing applicants’ cybersecurity incident history, shifting it from a box-ticking disclosure exercise to a substantive verification requirement for sponsors. Two concurrent developments drive the change: the SFC’s December 2025 consultation conclusions on sponsor due diligence (SFC, 2025) and HKEX’s updated Listing Decision LD-2025-12, which explicitly requires sponsors to verify independently the completeness and accuracy of an applicant’s cybersecurity incident disclosure. The catalyst was a 2024 Main Board listing in which the applicant’s prospectus omitted a ransomware attack that had caused a 14-day operational shutdown; the SFC subsequently took enforcement action against the sponsor for failing to detect the omission. For firms licensed by the SFC for Type 6 regulated activity (advising on corporate finance) with permission to act as sponsor, historical verification of cybersecurity incidents is therefore no longer a peripheral workstream but a core due diligence obligation under the Code of Conduct for Persons Licensed by or Registered with the Securities and Futures Commission (SFC Code of Conduct, paragraphs 17.1–17.6). The regulatory expectation is clear: a sponsor must corroborate the applicant’s cybersecurity incident history from independent sources rather than rely on management representations or internal audit reports. This article examines the verification methodologies, documentary evidence requirements and cross-border data access challenges that sponsors must operationalise in their 2026 due diligence programmes.

The Regulatory Baseline: SFC and HKEX Requirements for Cybersecurity Incident Verification

The SFC Code of Conduct and Sponsor Due Diligence Obligations

The SFC’s Code of Conduct, specifically paragraph 17.1, imposes a duty on sponsors to conduct reasonable due diligence to ensure that all information contained in the listing document is true, accurate, and complete. The December 2025 consultation conclusions (SFC, 2025) clarified that this duty extends to cybersecurity incident history, which the SFC now categorises as a “material matter” under paragraph 17.6(b) due to its potential impact on business continuity, regulatory compliance, and financial performance. The SFC cited three enforcement cases from 2022–2025 where sponsors failed to verify cybersecurity incidents, resulting in fines totalling HKD 87.5 million and suspension of licences for two responsible officers.

The SFC’s guidance specifies that a sponsor must obtain and review the following documentary evidence for at least the three full financial years preceding the listing application:

  • Incident response logs from the applicant’s IT security operations centre (SOC) or managed security service provider (MSSP)
  • Records of notifications to data protection authorities in each jurisdiction where the applicant operates, including the PRC’s Cyberspace Administration of China (CAC) under the Personal Information Protection Law (PIPL, 2021) and the Data Security Law (DSL, 2021)
  • Cyber insurance claims submissions and insurer correspondence
  • Board minutes or risk committee records where cybersecurity incidents were discussed
  • External forensic investigation reports commissioned by the applicant

The SFC has explicitly stated that management representations alone are insufficient. In SFC (2025), the regulator noted that in 60% of the enforcement cases reviewed, the applicant’s management had either downplayed the severity of an incident or omitted it entirely from the prospectus disclosure.

HKEX Listing Decisions and the Materiality Threshold

HKEX Listing Decision LD-2025-12, published in January 2026, established a materiality threshold for cybersecurity incident disclosure. The decision arose from a Main Board listing application where the applicant, a PRC-based fintech company, had experienced a ransomware attack in 2023 that encrypted 85% of its customer data. The applicant disclosed a “minor system disruption” in the prospectus risk factors section but did not quantify the financial impact. HKEX determined that the omission was material because the incident resulted in:

  • A 14-day service outage affecting 2.3 million active users
  • A HKD 45.2 million loss in transaction fee revenue
  • A HKD 12.8 million ransom payment, which the applicant had classified as “IT consulting fees”
  • A CAC investigation that remained open at the time of listing

HKEX’s decision requires sponsors to assess materiality using three criteria: (1) the financial impact of the incident, (2) the regulatory consequences, and (3) the reputational damage to the applicant’s business operations. The decision also mandates that sponsors obtain written confirmation from the applicant’s external auditor that any cybersecurity incident with a financial impact exceeding 5% of the applicant’s net profit for the relevant financial year has been properly reflected in the financial statements.

Verification Methodologies: Independent Sources and Documentary Evidence

Cross-Referencing with Regulatory Filings and Data Breach Notifications

The first verification step is to cross-reference the applicant’s disclosed cybersecurity incidents against regulatory filings and data breach notifications in all jurisdictions where the applicant operates. For PRC-based applicants, the sponsor must search the CAC’s public database of data breach notifications under the PIPL and DSL. As of Q1 2026, the CAC maintains a searchable register of incidents involving personal information of more than 1 million individuals or sensitive personal information of more than 100,000 individuals. The sponsor should obtain a signed confirmation from the applicant’s legal counsel in the PRC that all required notifications have been made, and then independently verify this by submitting a formal inquiry to the CAC’s cybersecurity incident reporting desk.

For applicants with operations in Hong Kong, the sponsor must check with the Office of the Privacy Commissioner for Personal Data (PCPD) for data breach notifications received under the Personal Data (Privacy) Ordinance (PDPO, Cap. 486), and should obtain a PCPD confirmation letter covering the three-year lookback period. One caveat belongs in the working papers: the PDPO does not currently make breach notification to the PCPD mandatory, so the absence of a PCPD record is weak evidence on its own and must be weighed alongside the SOC log and insurer evidence described below. For cross-border applicants, the sponsor must also check with the relevant data protection authorities in Singapore (PDPC), in each EU member state where the applicant has a material business presence (the national supervisory authorities that receive GDPR breach notifications, whose work is coordinated through the EDPB) and in the United States (FTC, state attorneys general).

The SFC’s 2025 consultation conclusions recommend that sponsors use a standardised checklist of 15 data breach notification requirements across 10 jurisdictions, which should be completed for each applicant and filed in the sponsor’s due diligence working papers.

Forensic IT Audit and SOC Log Analysis

The second verification methodology is a forensic IT audit of the applicant’s security operations centre (SOC) logs and incident response records. The sponsor must engage an independent cybersecurity firm holding a recognised industry accreditation (for example CREST membership, or a listing as a PCI Forensic Investigator with PCI SSC) to perform the following procedures:

  • Review SOC incident tickets for the three-year lookback period, categorising each ticket by severity level (critical, high, medium, low) based on the applicant’s own classification system
  • Analyse network intrusion detection system (NIDS) and endpoint detection and response (EDR) logs to identify any alerts that were not escalated to incident tickets
  • Interview the applicant’s chief information security officer (CISO) and SOC team leads to identify any incidents that were handled outside the formal incident response process
  • Review the applicant’s business continuity and disaster recovery (BCDR) plans to identify any incidents that triggered BCDR activation

The forensic IT audit report must include a reconciliation between the SOC log findings and the applicant’s internal audit reports. Any discrepancy exceeding 10% between the number of incidents evidenced in the SOC logs and the number reported in the internal audit reports must be escalated to the sponsor’s due diligence committee for further investigation. The sponsor must also obtain a written representation from the applicant’s board audit committee confirming that all cybersecurity incidents known to the board have been disclosed to the sponsor.
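The reconciliation the forensic firm performs under the procedures above, as an added example that is not part of the article and not any regulator’s or applicant’s tooling. It assumes a ticket export and an EDR/NIDS alert export with the field names shown (`id`, `severity`, `alerts`, `bcdr`), lists high or critical alerts that never became tickets, collects BCDR activations, and applies the 10% discrepancy test against the internal audit count; every record is constructed.

```python
"""Reconcile SOC incident tickets against EDR/NIDS alerts and the internal audit count.

Added example for this article; not a regulator's or any applicant's tooling.
All records below are constructed, and the field names are assumptions about
what a ticketing export and an EDR/NIDS alert export would contain.
"""
from collections import Counter

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}

# Constructed SOC ticket export for the lookback period. "alerts" lists the
# detection alert IDs the analyst linked to the ticket; "bcdr" records whether
# handling the ticket activated the BCDR plan.
SOC_TICKETS = [
    {"id": "INC-0001", "opened": "2023-03-02", "severity": "critical", "alerts": ["EDR-1001"], "bcdr": True},
    {"id": "INC-0002", "opened": "2023-07-19", "severity": "high", "alerts": ["EDR-1007", "NIDS-0042"], "bcdr": False},
    {"id": "INC-0003", "opened": "2024-01-11", "severity": "medium", "alerts": ["EDR-1020"], "bcdr": False},
    {"id": "INC-0004", "opened": "2024-09-30", "severity": "low", "alerts": [], "bcdr": False},
    {"id": "INC-0005", "opened": "2025-02-14", "severity": "high", "alerts": ["EDR-1055"], "bcdr": False},
]

# Constructed EDR/NIDS alert export for the same period.
ALERTS = [
    {"id": "EDR-1001", "ts": "2023-03-01", "severity": "critical"},
    {"id": "EDR-1007", "ts": "2023-07-18", "severity": "high"},
    {"id": "NIDS-0042", "ts": "2023-07-18", "severity": "high"},
    {"id": "EDR-1020", "ts": "2024-01-10", "severity": "medium"},
    {"id": "EDR-1033", "ts": "2024-05-22", "severity": "high"},      # never ticketed
    {"id": "EDR-1055", "ts": "2025-02-13", "severity": "high"},
    {"id": "NIDS-0090", "ts": "2025-06-03", "severity": "critical"},  # never ticketed
    {"id": "EDR-1061", "ts": "2025-06-04", "severity": "low"},       # never ticketed, below floor
]

# Constructed: incident counts stated in the applicant's internal audit report.
INTERNAL_AUDIT_COUNTS = {"critical": 1, "high": 1, "medium": 1, "low": 1}


def unescalated_alerts(alerts, tickets, min_severity="high"):
    """Alert IDs at or above min_severity that no ticket references."""
    ticketed = {a for t in tickets for a in t["alerts"]}
    floor = SEVERITY_RANK[min_severity]
    return sorted(a["id"] for a in alerts
                  if a["id"] not in ticketed and SEVERITY_RANK[a["severity"]] >= floor)


def ticket_counts(tickets):
    """Ticket count per severity, using the applicant's own classification."""
    return Counter(t["severity"] for t in tickets)


def bcdr_activations(tickets):
    """Ticket IDs whose handling activated the BCDR plan."""
    return [t["id"] for t in tickets if t["bcdr"]]


def reconcile(soc_counts, audit_counts, threshold=0.10):
    """Compare SOC totals with the internal audit figure; flag if the gap exceeds threshold."""
    soc_total = sum(soc_counts.values())
    audit_total = sum(audit_counts.values())
    gap = abs(soc_total - audit_total) / audit_total if audit_total else float("inf")
    return {
        "soc_total": soc_total,
        "audit_total": audit_total,
        "discrepancy": round(gap, 3),
        "escalate": gap > threshold,
        "by_severity": {s: (soc_counts.get(s, 0), audit_counts.get(s, 0)) for s in SEVERITY_RANK},
    }


if __name__ == "__main__":
    print("unticketed high/critical alerts:", unescalated_alerts(ALERTS, SOC_TICKETS))
    print("BCDR activations:", bcdr_activations(SOC_TICKETS))
    print("reconciliation:", reconcile(ticket_counts(SOC_TICKETS), INTERNAL_AUDIT_COUNTS))
```

On the constructed data the SOC logs evidence five incidents against four in the internal audit report, a 25% gap that trips the escalation threshold, and two alerts (one high, one critical) were never ticketed at all; the latter is exactly the class of incident that a management representation or an internal audit report would not surface.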

Cyber Insurance Claims and Insurer Correspondence

The third verification methodology is a review of the applicant’s cyber insurance policies and claims history. The sponsor must obtain copies of all cyber insurance policies in force during the three-year lookback period, along with any policy applications, renewal forms, and claims submissions. The sponsor should compare the applicant’s disclosed incidents against the claims submitted to the insurer, as this provides an independent third-party verification of incident occurrence and severity.

The SFC’s guidance requires the sponsor to obtain a direct confirmation from the applicant’s cyber insurer, with the applicant’s consent, regarding:

  • All claims submitted during the lookback period, including the incident date, nature of the claim, and amount claimed
  • Any policy exclusions or limitations that were triggered by specific incidents
  • Any premium adjustments or policy cancellations resulting from incident history
  • Any subrogation actions taken by the insurer against third parties

The sponsor must also review the insurer’s incident investigation reports, which typically contain detailed forensic analysis and root cause assessments. If the insurer’s report identifies an incident that the applicant has not disclosed, the sponsor must escalate this to HKEX under the Listing Rules (Chapter 3A) and the SFC under the Code of Conduct (paragraph 17.4).

Cross-Border Data Access Challenges and Practical Solutions

PRC Data Localisation and Cross-Border Data Transfer Restrictions

The most significant practical challenge for sponsors verifying cybersecurity incident history is the PRC’s data localisation and export regime under the PIPL and DSL. Critical information infrastructure operators, and any processor above the CAC’s volume thresholds, must store personal information and important data collected in the PRC domestically, and exporting such data requires one of the mechanisms set out in PIPL Article 38 (a CAC security assessment, a CAC-filed standard contract or a recognised certification), with the security assessment mandatory for important data. This creates a direct conflict with the sponsor’s due diligence obligation to review SOC logs, incident response records and forensic investigation reports that contain personal information of PRC data subjects.

The SFC and HKEX have acknowledged this challenge in a joint statement dated 15 March 2026, which provides a framework for sponsors to obtain necessary data without violating PRC laws. The framework permits the following:

  • The sponsor may engage a PRC-licensed cybersecurity firm to conduct the forensic IT audit on-site in the PRC, with the audit workpapers remaining in the PRC
  • The sponsor may receive de-identified or aggregated data extracts that do not contain personal information, provided that the de-identification methodology is certified by a PRC-accredited data security assessor
  • The sponsor may rely on a PRC legal opinion confirming that the data transfer complies with the PIPL and DSL, but this opinion must be obtained from a law firm with a recognised PRC data protection practice
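One way to produce the de-identified extract in the second bullet, as an added example that is not the certified methodology the joint statement refers to and not code from any regulator or assessor. It assumes a SOC record with the fields shown, keyed HMAC-SHA256 pseudonyms for user identifiers with the key retained in the PRC, truncation of source addresses to their network prefix, and regex scrubbing of e-mail addresses and PRC mobile numbers from free text; the log record, the regex patterns and the key are constructed.

```python
"""Produce a de-identified SOC log extract that can leave the PRC without the
personal data in it.

Added example for this article, not the CAC's, the SFC's or any assessor's
certified methodology. Field names, patterns and log lines are constructed;
the HMAC key is assumed to stay with the applicant (or the PRC-side assessor)
so nobody receiving the extract can reverse the pseudonyms.
"""
import hashlib
import hmac
import ipaddress
import re

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
PRC_MOBILE_RE = re.compile(r"\b1[3-9]\d{9}\b")  # 11-digit PRC mobile pattern (assumed)

KEEP_FIELDS = ("ts", "severity", "rule")  # non-personal fields passed through unchanged


def pseudonym(value, key, length=16):
    """Keyed, deterministic pseudonym: same input and key give the same token."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:length]


def truncate_ip(ip):
    """Generalise a source address to its /24 (IPv4) or /48 (IPv6)."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False).network_address)


def scrub_text(text, key, user=None):
    """Replace direct identifiers inside a free-text field."""
    text = EMAIL_RE.sub("<email>", text)
    text = PRC_MOBILE_RE.sub("<phone>", text)
    text = IPV4_RE.sub(lambda m: truncate_ip(m.group()), text)
    if user:
        text = text.replace(user, "u_" + pseudonym(user, key))
    return text


def deidentify_record(rec, key):
    """Build the exportable record: passthrough fields, pseudonymised user,
    truncated source network and a scrubbed message."""
    out = {f: rec[f] for f in KEEP_FIELDS}
    out["user"] = "u_" + pseudonym(rec["user"], key)
    out["src_net"] = truncate_ip(rec["src_ip"])
    out["message"] = scrub_text(rec["message"], key, user=rec["user"])
    return out


def residual_identifiers(record):
    """Values that still look like direct identifiers; must be empty before export."""
    found = []
    for v in record.values():
        found += EMAIL_RE.findall(v) + PRC_MOBILE_RE.findall(v)
    return found


# Constructed sample record (no real person, address or number).
SAMPLE = {
    "ts": "2024-05-22T03:14:07+08:00", "severity": "high", "rule": "impossible-travel",
    "user": "zhang.wei", "src_ip": "10.20.30.41",
    "message": "Login anomaly for zhang.wei <zhang.wei@example.com>, contact 13800138000, source 10.20.30.41",
}
DEMO_KEY = b"demo-only-key-kept-in-prc"  # assumed: the real key never leaves the PRC

if __name__ == "__main__":
    clean = deidentify_record(SAMPLE, DEMO_KEY)
    print(clean)
    print("residual identifiers:", residual_identifiers(clean))
```

Two points of design matter for the working papers. The pseudonym is keyed, so the same user maps to the same token across the whole extract (the sponsor can still count how many incidents touched one account) while nobody outside the PRC can recover the identity without the key. And removing direct identifiers is not the whole job: precise timestamps and rule names are quasi-identifiers, which is why the joint statement still requires a PRC-accredited assessor to certify the methodology rather than the sponsor self-certifying a script like this one.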

The joint statement also clarifies that the sponsor must document in its due diligence working papers the specific legal basis for each data transfer, citing the relevant provision of the PIPL (Article 38) or DSL (Article 31). Failure to do so may result in the SFC deeming the sponsor’s due diligence inadequate under paragraph 17.6 of the Code of Conduct.

Jurisdictional Conflicts and Alternative Verification Pathways

For applicants with operations in jurisdictions that restrict cross-border data flows (e.g., the PRC, Russia, India, and certain ASEAN states), the sponsor must identify alternative verification pathways. The SFC’s 2025 consultation conclusions list the following acceptable alternatives:

  • A joint on-site inspection by the sponsor’s compliance team and a local law firm, where the local law firm reviews the original SOC logs and incident records and provides a certified summary to the sponsor
  • A virtual data room hosted on a server within the jurisdiction, accessible to the sponsor’s compliance team under a time-limited, read-only access arrangement
  • A written confirmation from the local data protection authority that the applicant has complied with all mandatory breach notification requirements, obtained through a formal freedom of information request or equivalent process

The sponsor must also consider the risk that the applicant may have deliberately omitted incidents that occurred in jurisdictions with weak data breach notification regimes. The SFC’s enforcement track record shows that in 2023–2025, 35% of sponsor enforcement cases involved incidents in jurisdictions without mandatory breach notification laws. The sponsor should therefore expand its verification scope to include interviews with the applicant’s local IT staff in each jurisdiction, as well as a review of local media reports and social media posts for any mention of cybersecurity incidents affecting the applicant.

The Sponsor’s Working Papers and Internal Compliance Documentation

Standardised Incident Verification Checklist

The SFC’s December 2025 consultation conclusions introduced a mandatory standardised incident verification checklist that must be completed and filed in the sponsor’s due diligence working papers. The checklist covers 12 categories of evidence, each with a minimum documentary requirement:

  1. SOC incident tickets: All critical and high-severity tickets, plus a statistically significant sample (95% confidence level, 5% margin of error) of medium and low-severity tickets
  2. Regulatory notifications: Confirmation letters from all applicable data protection authorities
  3. Cyber insurance claims: Full claims history from the insurer
  4. Board minutes: All minutes where cybersecurity was discussed, with redactions only for legally privileged matters
  5. External forensic reports: All reports commissioned by the applicant or its insurers
  6. Internal audit reports: All IT audit reports for the lookback period
  7. BCDR activation records: All instances where BCDR plans were activated
  8. Employee incident reports: All reports filed through the applicant’s whistleblower or incident reporting channels
  9. Third-party vendor breach notifications: All notifications received from vendors or service providers regarding incidents affecting the applicant’s data
  10. Media and social media monitoring: A search report from a recognised media monitoring service covering the lookback period
  11. CAC and PCPD inquiry responses: Formal responses to sponsor inquiries
  12. Legal counsel confirmations: Signed confirmations from the applicant’s legal counsel in each jurisdiction

The sponsor’s compliance team must sign off on each category, and any category where the evidence is incomplete must be escalated to the sponsor’s due diligence committee with a written explanation of the steps taken to obtain the missing evidence.

Escalation and Reporting to HKEX and the SFC

If the sponsor identifies a material cybersecurity incident that the applicant has not disclosed, the sponsor must immediately escalate the matter to HKEX under Listing Rule 3A.03 and to the SFC under the Code of Conduct paragraph 17.4. The escalation must include:

  • A description of the undisclosed incident, including the date, nature, and financial impact
  • The documentary evidence supporting the sponsor’s finding
  • The applicant’s explanation (if any) for the omission
  • The sponsor’s assessment of whether the omission is material to the listing application

HKEX has the discretion to suspend the listing process pending further investigation, and the SFC may initiate enforcement proceedings against the applicant and its directors. The sponsor should also consider whether the omission constitutes a breach of the Listing Rules (Chapter 11) or of the Securities and Futures Ordinance (Cap. 571, section 298), which prohibits disclosing false or misleading information that is likely to induce transactions in securities.

Actionable Takeaways for Sponsors

  1. Engage an independent cybersecurity firm holding a recognised accreditation (CREST membership or a PCI SSC Forensic Investigator listing) to perform a forensic IT audit of the applicant’s SOC logs and incident response records for the three-year lookback period, and ensure the audit workpapers are filed in the sponsor’s due diligence documentation.
  2. Obtain direct confirmation from the applicant’s cyber insurer regarding all claims submitted during the lookback period, and reconcile this with the applicant’s disclosed incidents; any discrepancy must be escalated to HKEX under Listing Rule 3A.03.
  3. For PRC-based applicants, engage a PRC-licensed cybersecurity firm to conduct on-site forensic audits and obtain a PRC legal opinion confirming compliance with the PIPL and DSL for any cross-border data transfers.
  4. Complete the SFC’s standardised incident verification checklist and file it in the sponsor’s working papers, ensuring that each of the 12 categories of evidence is either fully satisfied or escalated to the due diligence committee with a written explanation.
  5. Monitor the CAC’s public data breach database and the PCPD’s data breach register for any notifications involving the applicant that the applicant has not disclosed, and immediately escalate any findings to HKEX and the SFC.