Strict new cybersecurity requirements could burst China’s tech bubble
Covid has driven ubiquitous growth in digital services in nations as geographically far apart as the UK and China. London has seen massive tech IPOs this year with listings of Deliveroo, Alphawave and Wise.
However, the sharp rise in digitalisation has brought an inevitable need for businesses to protect their networks, as vast swathes of us being online has led to more and more vulnerabilities. High-profile ransomware and other cyberattacks, like that on the Colonial Pipeline, are also on the rise. Perhaps unsurprisingly, one of the largest of London’s tech listings in recent months was that of Cambridge’s own cyber-defence champion, Darktrace.
Governments are now reacting to better protect critical infrastructure.
Mainland China’s cyber authorities are arguably at the forefront of these initiatives. The new Cybersecurity Review Measures released earlier this month aim to bolster the regulatory review of major companies’ cyber procurement proposals. Under the draft rules, officials will be given greater opportunity to verify that companies’ cybersecurity standards are adequate.
But eye-catching provisions in the rules are already having a profound impact on overseas capital markets and M&A investment strategies.
Compared to the previous iteration of the rules, officials’ reach has been expanded to give them oversight of any businesses operating within the Chinese mainland that possess personal data of more than one million users when looking to list abroad. Previously, they had only been able to review critical information infrastructure operators.
Beijing has often paired cybersecurity regulations with the country’s national security and at a time of heightened focus on mainland Chinese companies looking to list in the US, the addition seems intrinsically linked to geopolitical tensions between the two tech superpowers.
One million users is not a big number in China. It effectively means that practically any tech firm looking to monetise its user base with an overseas listing will be subject to a regulatory review from officials.
With elongated timetables – three months for “special” cases and an unspecified period for “complex” cases – these new review procedures could significantly increase listing uncertainty for companies, investors and their respective advisors.
To add to concerns, the new rules also require companies to disclose their “IPO materials”, but leave the scope of this term undefined. Do the financial advisors on the IPO need to produce their financial projections? Are underwriters’ book-building excels required to be disclosed? Does the issuer’s legal counsel need to hand over their confidential advice?
While Chinese apps might seem a world away from mobile phone screens in the UK, the corporate finance exploits of their owners are close to the hearts of hordes of financial services and legal professionals working for firms with substantial bases in the Square Mile. Not to mention the knock-on effect that developments involving China’s Big Tech has in the global digital economy.
Initial market reaction has suggested that tech IPOs are more likely to head to the Hong Kong or Shanghai exchanges as non-foreign destinations for a listing.
The change in regulatory winds for Chinese tech could cause investors to retreat from Chinese tech; statements from New York’s Ark Investment Management and Japanese investment giant SoftBank have already implied as much.
But there will be others who remain bullish, even in the face of heavier due diligence burdens and tricky negotiations for more robust contractual protections – many will keep confidence in a sector of the world’s second largest economy that drove almost 40 per cent of China’s GDP growth last year.
The final outcome of the new measures may not be known for some time, but the development of Chinese tech will need to outlast the state of flux. It is not the first time Chinese firms have faced investor uncertainty and it will undoubtedly not be the last.