China to subject firms to cybersecurity test before foreign IPOs

Cyberspace Administration of China will apply new rules to firms that hold data for more than 1 million users.

Chinese regulators will subject firms with data on more than 1 million users to a cybersecurity review before they can list shares overseas [File: How Hwee Young/EPA]

China’s cyberspace regulator said it will implement new rules from February 15 that require platform companies with data for more than one million users to undergo a security review before listing their shares overseas.

The Cyberspace Administration of China (CAC) also said on Tuesday such firms should apply for cybersecurity reviews before submitting listing applications to foreign securities regulators, according to statements published on its WeChat account.

Companies will not be allowed to list abroad if the review finds that national security could be impacted, it said.

It was the latest move in a series of recent regulatory changes ordered by the Chinese government to tighten the rules governing offshore listings.

Hong Kong stocks weakened on the CAC news. The Hang Seng Index fell 0.36 percent in early trade on Tuesday, and the city’s tech index lost 1.32 percent.

Shares in Hong Kong Exchanges and Clearing Ltd, the operator of the Hong Kong stock exchange, were last down 1.8 percent, after having fallen as much as 2.4 percent following the announcement.

Tighter restrictions

The CAC first proposed the rules in July, saying that the security review will put a focus on risks of data being affected, controlled or manipulated by foreign governments after overseas listings.

New rules governing the use of algorithm recommendation technology will also be implemented from March 1, the CAC said in a separate statement.

Those rules, which were first proposed in August last year, will require companies to give users the right to switch off the service and will also tighten oversight of news providers that use such technology.

China’s cyberspace regulators are imposing tighter restrictions on data collection and data storage. Authorities are also more broadly pushing for companies to list domestically.

Two other new sets of rules, the Data Security Law and the Personal Information Protection Law, which cover data storage and data privacy respectively, went into effect last year.

Source: Reuters