Data security a priority for internet companies seeking overseas IPO

Data security and data compliance should be a priority for Chinese mainland internet companies seeking an initial public offering overseas, as the country will implement new rules that require firms holding large amounts of user data to get approval from regulators before listing overseas, industry analysts said.

They noted the costs of compliance for enterprises listing overseas will be on the rise, and regulation is likely to drive more Chinese mainland technology enterprises to list on the Hong Kong stock exchange.

Internet platform operators with data on more than 1 million users are required to undergo a security review before listing their shares overseas, a newly revised regulation on cybersecurity review unveiled on Tuesday said.

The regulation was released by 13 government agencies. They include the Cyberspace Administration of China and the National Development and Reform Commission, and will come into effect on Feb 15. It aims to further ensure cyberspace and data security, as well as safeguard national security.

Danny Weng, PwC China cybersecurity and privacy partner, said the regulation puts a focus on the impact or possible impacts of the data processing activities by platform operators on national security, and emphasized the significance of cybersecurity.

"Companies should take data security and data compliance seriously, whether they choose to go public in Hong Kong or overseas," said Weng.

Weng's views were echoed by Zhong Junyi, an expert on data security from security company Qi-Anxin Technology Group, who said the risk assessment of data security and analysis of data compliance, which means data processors know what to do and what not to do, is still a prerequisite for enterprises seeking IPOs in foreign markets over the long run.

Regulators will assess whether the public listing of a company may lead to key information infrastructure, core data, important data or a large amount of personal information being affected, controlled or maliciously used by foreign governments, according to the new rule.

Moreover, Hong Kong has become a popular destination for Chinese mainland technology IPOs amid the strengthened regulation in the cyberspace and data security domain, experts said.

Shen Meng, director of boutique investment bank Chanson and Co, said the new rule has relaxed the cybersecurity reviews requirement for IPOs carried out by Chinese mainland technology companies in Hong Kong, which is expected to draw these companies and those previously listed in the United States.

Hong Kong is part of the international capital market, just like New York and London where institutional investors can buy and sell financial products via stock exchanges, said Liao Ming, founding partner of Prospect Avenue Capital, an investment firm which focuses on China's technology sector.

However, Hong Kong investors usually prefer asset-heavy companies with good profitability and strong dividend capabilities, such as those in the financial, real estate, consumer and retail industries, Liao said, adding they have a low tolerance for money-losing outfits.

Last month, Didi Global Inc, the country's largest ride-hailing company, announced it will immediately start delisting from the New York Stock Exchange and prepare to list in Hong Kong. Chinese mainland regulators launched a cybersecurity probe into the company to protect national security and the public interest in July.

Cybersecurity company 360 Security Group said the newly revised regulation has further improved the country's cybersecurity review mechanism and greatly enhanced public awareness over data security protection.

It also provided explicit compliance guidelines for critical information infrastructure that purchase network products and services, and network platform operators that conduct data-processing activities, and bolstered them in increasing investment in the cybersecurity segment.

The revenue of the country's cybersecurity industry is expected to exceed 250 billion yuan ($39.1 billion) by 2023, with a compound annual growth rate of over 15 percent, a draft three-year action plan released by the Ministry of Industry and Information Technology said.