A specialist trader works at the post where the IPO of Chinese ride-hailing company Didi Global was traded on the New York Stock Exchange (NYSE). Didi was the first to be subjected to a new cybersecurity review process in China, which one analyst, in an opinion piece endorsed by the Cyberspace Administration of China, said was in response to US data collection. Photo: Reuters

China’s imposed cybersecurity review is result of US audit inspections of listed tech firms, analyst says

  • An opinion piece published by China’s cyberspace watchdog argues that companies listing overseas risk having data ‘maliciously used by foreign governments’
  • Part of the concerns stem from a rule in the US that would require regulators to inspect audits of China-based companies, which could violate Chinese law

Beijing’s mandated cybersecurity review for overseas listings aims to address a perceived danger stemming from US access to “sensitive” data from public Chinese tech firms, according to a Chinese expert whose opinions were endorsed and published by the Cyberspace Administration of China (CAC).

The published view of Hu Ying, who heads the data security department at the China Electronics Standardization Institute, a research agency under China’s Ministry of Industry and Information Technology, offers more insight into the driving force behind Beijing’s decision to require a security review before foreign initial public offerings. It also gives context to the cyberspace watchdog’s investigation into Didi Chuxing, launched just days after the ride-hailing giant’s listing on the New York Stock Exchange.

“After the US Holding Foreign Companies Accountable Act goes into effect, the US Securities and Exchange Commission (SEC) … also requires audit firms to be inspected by the US Public Company Accounting Oversight Board (PCAOB) and disclose information such as audit details and work papers of public companies,” Hu wrote.

“In this context, [Chinese internet] operators going public abroad will face more national data security risks, such as risks of critical information infrastructure being influenced, controlled or maliciously used by foreign governments; risks of foreign regulators accessing sensitive data of listed companies, resulting in core, important data or a large amount of personal information being influenced, controlled or maliciously used by foreign governments.”

His opinion piece was one of multiple explanatory pieces published on the CAC website regarding the updated cybersecurity review regulation, which went into effect this week. According to the regulation, Chinese companies holding the data of more than one million users – a low threshold given China’s market of 1 billion internet users – must submit to cybersecurity review before seeking to go public overseas.

While published as an opinion piece, Hu’s words reflect concerns that have been informing regulatory actions in China. The US SEC finalised rules at the end of last year to implement a law that could result in Chinese companies being delisted if they do not allow the PCAOB to inspect the audits of China-based companies.

China’s securities regulator has previously said that it is negotiating with the US over audit inspections. “We respect the PCAOB’s mandate to oversee the quality of audit works,” the China Securities Regulatory Commission (CSRC) said in a December statement. But the PCAOB’s determination that 60 Chinese audit firms were unable to be inspected has not “fully reflected the stance and efforts made by the Chinese authorities in an objective manner”, the CSRC added.
