Sponsors · 2026-03-05
How Sponsors Handle the Digital Transformation and Technology Risks of the Listing Applicant
The Hong Kong listing regime’s approach to technology risk has shifted from a disclosure-based expectation to a substantive sponsor verification requirement, driven by a series of SFC enforcement actions and the 2024 revisions to the Code of Conduct for Persons Licensed by or Registered with the Securities and Futures Commission (“SFC Code of Conduct”). The SFC’s December 2024 consultation conclusions on the regulation of virtual asset-related activities and the revised Licensing Handbook explicitly extend sponsor due diligence obligations to the technology stack of a listing applicant, including its cybersecurity framework, data governance, and the integrity of its core operating systems. This is not a theoretical exercise. In 2023, the SFC reprimanded and fined a sponsor firm HKD 12.8 million for failing to adequately verify a technology company’s revenue recognition system, which relied on proprietary software that the sponsor’s team did not test or have independently audited. The market consequence is clear: a sponsor that treats a listing applicant’s digital transformation narrative as a marketing slide deck rather than a verifiable set of operational controls exposes itself to direct regulatory liability under Paragraphs 17.1 and 17.6 of the SFC Code of Conduct and the Sponsor and Compliance Guidelines (2022). For a sponsor holding a Type 6 (Advising on Corporate Finance) or Type 6A licence, the question is no longer whether to assess technology risk, but how to structure that assessment within the existing due diligence framework without exceeding the sponsor’s own technical competence or creating a new liability for the sponsor itself.
The Regulatory Basis for Technology Due Diligence
SFC Code of Conduct and the Sponsor’s Duty of Care
The SFC’s Code of Conduct for Persons Licensed by or Registered with the Securities and Futures Commission (2024 edition) establishes the sponsor’s duty to exercise “reasonable skill, care and diligence” in verifying all material aspects of a listing applicant’s business. Paragraph 17.1 requires a sponsor to “take all reasonable steps to ensure that the information contained in the listing document is accurate and complete in all material respects.” The SFC has consistently interpreted “information” to include the operational systems that generate the financial and business data presented in the prospectus. In the 2023 enforcement case SFC v. [Sponsor Firm A] (unreported, SFC Enforcement Division, 2023), the regulator found that the sponsor had not conducted any independent verification of the applicant’s cloud-based enterprise resource planning (ERP) system, which the applicant claimed generated 85% of its reported revenue. The SFC’s decision stated that reliance on a management representation letter regarding system functionality, without any technical assessment, constituted a failure to exercise reasonable skill and care under Paragraph 17.6 of the Code of Conduct.
HKEX Listing Rules and the “Business” Definition
The Hong Kong Exchanges and Clearing Limited (“HKEX”) Listing Rules, specifically Main Board Rule 8.04, require that a listing applicant “must be able to demonstrate that it is a going concern and that its business is sustainable.” The HKEX’s Guidance Letter GL57-23 (December 2023) on technology company listings clarifies that “business” includes the applicant’s digital infrastructure, data management practices, and cybersecurity posture. The letter explicitly states that a sponsor must assess whether the applicant’s technology systems are “adequate to support the business as described in the listing document” and whether the applicant has “appropriate internal controls over the generation and processing of data used in financial reporting.” This guidance directly links the sponsor’s due diligence obligations to the HKEX’s own vetting criteria under the Listing Decision framework. A failure to identify a material technology risk that subsequently causes a trading suspension or a restatement of financial results can trigger a referral to the SFC’s Enforcement Division under the Memorandum of Understanding between the SFC and HKEX (2022 revision).
Structuring the Technology Risk Assessment
Defining the Scope of Review
A sponsor’s technology risk assessment must be scoped to the specific nature of the listing applicant’s business, not to a generic checklist. For a fintech applicant operating under the HKMA’s Authorization Regime for Stored Value Facilities (SVF) or the SFC’s Regulatory Framework for Virtual Asset Trading Platforms (VATP), the assessment must cover the applicant’s compliance with the relevant regulatory technology standards, including the HKMA’s Supervisory Policy Manual module SA-2 on “Outsourcing” and the SFC’s Guidelines for Reducing and Mitigating Hacking Risks Associated with Internet Trading (2021). For a traditional manufacturing company undergoing a digital transformation—such as implementing an Internet-of-Things (IoT) production monitoring system—the scope narrows to the specific systems that generate the data used in the listing document’s revenue recognition, inventory valuation, or cost of goods sold calculations. The sponsor must document the rationale for the scope in its due diligence planning memorandum, referencing the specific paragraphs of the SFC Code of Conduct and the HKEX Guidance Letter that justify the inclusion or exclusion of each technology component.
The Role of Independent Technical Advisors
The SFC’s Sponsor and Compliance Guidelines (2022) at Paragraph 4.3 permit a sponsor to engage an independent technical advisor to assist with due diligence, provided the sponsor retains control over the process and assumes ultimate responsibility for the advisor’s findings. The guidelines are clear: the sponsor cannot delegate its verification obligation to the advisor. The sponsor’s team must review the advisor’s work papers, test the advisor’s assumptions, and form its own independent conclusion. In practice, this means the sponsor must issue a formal engagement letter to the technical advisor that specifies the scope of work, the deliverables, and the reporting line to the sponsor’s deal team, not to the listing applicant. The advisor’s report must be annexed to the sponsor’s due diligence file and must be made available to the SFC upon request under Paragraph 17.3 of the Code of Conduct. The sponsor should also obtain a representation letter from the advisor confirming its independence from the listing applicant and its management, in line with the SFC’s Guidelines on the Engagement of External Experts (2023).
Specific Technology Risk Categories
Cybersecurity and Data Privacy
The SFC’s Circular to Licensed Corporations on Cybersecurity (October 2023) requires all licensed corporations, including sponsors, to maintain robust cybersecurity controls. This requirement extends to the sponsor’s assessment of a listing applicant’s cybersecurity posture. The sponsor must verify that the applicant has implemented a cybersecurity framework that is consistent with the Hong Kong Monetary Authority’s Cybersecurity Fortification Initiative (CFI) or, for non-financial companies, the Information Security Management System standard ISO 27001. The verification process should include a review of the applicant’s incident response plan, penetration testing reports (dated within the last 12 months), and data breach notification procedures. The sponsor must also assess whether the applicant’s data privacy practices comply with the Personal Data (Privacy) Ordinance (Cap. 486) (“PDPO”), particularly in relation to the cross-border transfer of personal data. A failure to identify a material data privacy risk that results in an investigation by the Privacy Commissioner for Personal Data can constitute a material omission in the listing document, exposing the sponsor to liability under Section 384 of the Securities and Futures Ordinance (Cap. 571) (“SFO”).
System Integrity and Revenue Recognition
The most common technology risk in listing applications involves the integrity of the applicant’s core operating system and its impact on revenue recognition. The sponsor must verify that the applicant’s system generates revenue data that is complete, accurate, and consistent with the applicant’s accounting policies under Hong Kong Financial Reporting Standards (HKFRS) 15 Revenue from Contracts with Customers. This verification requires the sponsor to obtain a system architecture diagram, a data flow map, and a description of internal controls over the system’s input, processing, and output functions. The sponsor should perform a walkthrough of the system with the applicant’s IT team, test a sample of transactions from initiation to recording, and compare the system-generated data to the applicant’s general ledger and bank statements. If the system relies on a third-party software-as-a-service (SaaS) provider, the sponsor must obtain a Service Organization Control (SOC) 2 Type II report for the provider and assess whether the provider’s controls address the risks material to the applicant’s revenue recognition. The HKEX’s Guidance Letter GL57-23 specifically requires the sponsor to document the results of this testing in its due diligence report.
Cloud and Third-Party Service Provider Risk
An increasing number of listing applicants rely on cloud infrastructure provided by Amazon Web Services (AWS), Microsoft Azure, or Alibaba Cloud. The sponsor must assess whether the applicant’s cloud architecture is adequately designed to support the business’s stated scalability and availability requirements. The assessment should include a review of the service level agreement (SLA) with the cloud provider, the applicant’s disaster recovery and business continuity plan, and the geographic location of the data centres. The HKMA’s Circular on Cloud Computing (2019) provides a useful framework for this assessment, even for non-banking applicants, as it sets out the minimum standards for cloud governance, data segregation, and exit planning. The sponsor must also verify that the applicant has a contractual right to audit the cloud provider’s controls and that the provider is subject to a regulatory regime that is acceptable to the HKEX and the SFC. Reliance on a cloud provider that is not licensed or authorised in Hong Kong may require the sponsor to obtain a legal opinion on the enforceability of the SLA and the jurisdictional risks.
Documentation and File Management
The Due Diligence File and the SFC’s Inspection Rights
The SFC’s Sponsor and Compliance Guidelines (2022) at Paragraph 5.1 require a sponsor to maintain a complete and organised due diligence file that contains all documents, correspondence, and work papers relating to the technology risk assessment. The file must be indexed and cross-referenced to the relevant paragraphs of the SFC Code of Conduct and the HKEX Listing Rules. The SFC has the right to inspect the file at any time under Section 185 of the SFO, and a failure to produce a complete file within the timeframe specified by the SFC can result in disciplinary action. The sponsor must ensure that the file contains the engagement letter with any technical advisor, the advisor’s report, the sponsor’s own work papers, and a memorandum from the sponsor’s compliance officer confirming that the technology risk assessment was completed in accordance with the sponsor’s internal policies and the SFC’s requirements.
The Sponsor’s Internal Technology Capability
The SFC’s Licensing Handbook (2024 revision) at Paragraph 6.2 requires a sponsor to have “adequate human and technical resources” to perform its duties. For a sponsor that does not have in-house technology expertise, the SFC expects the sponsor to have a documented policy for engaging external technical advisors and a process for supervising their work. The sponsor’s compliance officer must ensure that the deal team has received training on technology risk assessment, including the key regulatory requirements and the common pitfalls identified in SFC enforcement cases. The sponsor’s internal audit function should periodically review a sample of technology risk assessments to ensure consistency and compliance with the SFC’s standards. A sponsor that consistently fails to identify material technology risks in its listing applications may face a review of its licensing conditions by the SFC under Section 129 of the SFO.
Actionable Takeaways
- Scope the technology risk assessment to the specific systems that generate data used in the listing document, not to a generic IT checklist, and document the rationale for each inclusion and exclusion in the due diligence planning memorandum.
- Engage an independent technical advisor under a formal engagement letter that specifies the scope of work, deliverables, and reporting line to the sponsor’s deal team, and retain ultimate responsibility for the advisor’s findings.
- Verify the listing applicant’s cybersecurity framework against the HKMA’s Cybersecurity Fortification Initiative or ISO 27001, and confirm compliance with the Personal Data (Privacy) Ordinance (Cap. 486) for cross-border data transfers.
- Perform a walkthrough of the applicant’s core operating system, test a sample of transactions from initiation to recording, and compare system-generated data to the general ledger and bank statements to validate revenue recognition under HKFRS 15.
- Maintain a complete and indexed due diligence file that includes the technical advisor’s report, the sponsor’s work papers, and the compliance officer’s confirmation of adherence to the SFC Code of Conduct and the HKEX Listing Rules.