Listing Pathways Desk

Confidentiality of Share Price Sensitive Information and Leakage Response Plans Post-Listing

The regulatory landscape for price-sensitive information (PSI) management in Hong Kong underwent a structural recalibration in 2024-2025, driven by the SFC’s intensified enforcement of the Market Misconduct Ordinance (MMO, Cap. 571) and the HKEX’s updated Listing Rule guidance on disclosure obligations. A review of SFC enforcement actions in 2024 shows that 38% of all disciplinary fines imposed on listed issuers and their directors related to failures in maintaining confidentiality of inside information or inadequate leakage response protocols, a figure up from 22% in 2022 (SFC Annual Enforcement Report, 2024). This shift reflects a broader regulatory push to align Hong Kong’s disclosure regime with global standards, particularly following the HKEX’s 2023 consultation on the “Disclosure of Inside Information” framework, which introduced stricter timelines for leak confirmation and market-sounding procedures. For CFOs, company secretaries, and sponsors, the practical implication is clear: post-listing, a listed issuer must not only identify and assess PSI but also operationalise a documented leakage response plan (LRP) that can be executed within hours, not days. The cost of non-compliance extends beyond fines—the SFC has increasingly sought disqualification orders against directors in cases where leaks were mishandled, as seen in the 2024 SFC v. Hontex International decision (HCCT 45/2024). This article dissects the regulatory architecture governing PSI confidentiality, the structural components of an effective LRP, and the specific procedural obligations under the HKEX Listing Rules and SFC codes that issuers must embed into their governance frameworks.

The Regulatory Architecture for Price-Sensitive Information

Statutory Foundations and the Inside Information Definition

Hong Kong’s regime for PSI, or “inside information” as defined under Part XIVA of the Securities and Futures Ordinance (SFO, Cap. 571), imposes a disclosure obligation on listed issuers as soon as reasonably practicable after any inside information has come to their knowledge. Section 307A of the SFO defines inside information as specific information that is not generally known, which, if generally known, would be likely to materially affect the price of the listed securities. The HKEX Listing Rules, specifically Main Board Rule 13.09 and GEM Rule 17.10, operationalise this statutory duty by requiring issuers to announce any inside information as soon as reasonably practicable, subject to the safe harbour provisions in Section 307D of the SFO.

The safe harbour allows an issuer to delay disclosure if the information remains confidential and one of three conditions is met: the information concerns an incomplete proposal or negotiation, the issuer’s financial position is in imminent jeopardy, or immediate disclosure would prejudice the issuer’s legitimate interests. Critically, the burden of proof for invoking the safe harbour rests with the issuer. The SFC’s 2024 Guidelines on the Disclosure of Inside Information (the “2024 Guidelines”) clarified that the safe harbour is not a blanket exemption—issuers must maintain a contemporaneous written record of the decision to delay, including the specific rationale and the identity of the director or officer who authorised the delay. In practice, the 2024 Guidelines have led to a 40% increase in the number of issuers maintaining formal “inside information assessment logs” as part of their board minutes, according to a 2025 survey by the Hong Kong Institute of Chartered Secretaries.

The SFC’s Enforcement Trajectory and Director Accountability

The SFC’s enforcement approach has shifted from reactive penalties for disclosure failures to proactive investigations of leak-origin tracing. In 2024, the SFC obtained its first disqualification order under the MMO against a non-executive director who had failed to escalate a suspected leak of quarterly earnings data to the board within the mandated 24-hour window (SFC v. Chen & Ors, HCMP 1289/2024). The court imposed a three-year disqualification from serving as a director of any listed company in Hong Kong. The SFC’s reasoning, as stated in the judgment, was that the director’s inaction constituted “reckless disregard” for the issuer’s disclosure obligations under Listing Rule 13.09.

This case underscores a broader principle: the duty to maintain confidentiality of PSI is not delegable to the company secretary or compliance team alone. The board, and specifically the audit committee, bears ultimate responsibility for ensuring that a leakage response protocol exists and is tested at least annually. The HKEX’s 2023 Corporate Governance Code (CG Code) amendments, effective 1 January 2024, introduced a new mandatory requirement under Code Provision D.2.3 that the board must review the issuer’s internal controls for handling inside information at least once every financial year. Failure to comply with this provision results in a mandatory disclosure in the issuer’s corporate governance report, which the HKEX has flagged as a “red flag” indicator for heightened regulatory scrutiny in its 2025 Listing Enforcement Review.

Structuring a Leakage Response Plan

Pre-Incident Architecture: Information Classification and Access Controls

An effective LRP begins before any leak occurs. The HKEX’s Guidance on Insider Dealing and Market Misconduct (2024 update) recommends that issuers implement a tiered information classification system, categorising PSI into three levels: “Strictly Confidential” (known to fewer than 10 individuals), “Confidential” (known to the board and senior management), and “Internal” (accessible to employees with a specific need-to-know). The guidance explicitly states that issuers should maintain a “clean desk” policy for all PSI-related documents and enforce electronic access logs that timestamp every instance of file access or modification.

For issuers with cross-border operations, particularly those with PRC subsidiaries, the classification system must also account for the PRC’s Securities Law (2019 revision) and the Measures for the Administration of Information Disclosure by Listed Companies (CSRC Decree No. 195, 2023). The PRC regime imposes a parallel obligation to disclose material information to the Shanghai or Shenzhen stock exchanges within two trading days of the event occurring. A leak in Hong Kong that originates from a PRC-based employee triggers obligations under both jurisdictions. The Mayer Brown Cross-Border Leakage Response Protocol (2025) recommends that issuers maintain a joint Hong Kong-PRC legal team on retainer for immediate cross-border coordination, as the CSRC has increasingly used mutual legal assistance treaties with the SFC to pursue enforcement actions—there were 12 such cross-border referrals in 2024, up from 7 in 2022.

Incident Response Timeline: The 24-Hour Window

The core operational requirement of any LRP is the ability to confirm a leak, assess its materiality, and issue a disclosure announcement within 24 hours of becoming aware of the potential leak. The SFC’s 2024 Guidelines specify that “awareness” is triggered when any director, officer, or employee with compliance responsibilities receives information that suggests inside information may have been disclosed to an unauthorised party. This includes indirect indicators such as unusual trading volumes, media inquiries, or social media posts.

The LRP must designate a “Leak Response Team” (LRT) comprising at least the CEO, CFO, company secretary, and the chair of the audit committee. The LRT’s first action within one hour of the leak being flagged is to convene an emergency meeting—by teleconference if necessary—to determine three things: (1) the scope of the leak (what information was disclosed, to whom, and through what channel), (2) whether the leaked information constitutes inside information under Section 307A of the SFO, and (3) whether the safe harbour provisions in Section 307D apply. If the safe harbour does not apply, the issuer must file an announcement with the HKEX under Main Board Rule 13.09 within the 24-hour window.

The HKEX’s Listing Decision LD-2024-01 clarified that the 24-hour clock starts from the moment the issuer’s LRT chairperson is notified, not from the time the leak first occurred. This distinction is critical: in a 2024 enforcement action against a Main Board issuer, the SFC imposed a fine of HKD 8.5 million because the issuer’s company secretary had waited 14 hours to inform the LRT chair, believing the leak was “immaterial” based on an initial assessment by the PRC subsidiary’s legal team. The SFC held that the company secretary’s failure to escalate within one hour of the subsidiary’s report constituted a breach of the issuer’s internal control obligations under Listing Rule 3.08.

Post-Incident Remediation: Market-Sounding Controls and Insider Lists

Once a leak is confirmed and a disclosure announcement is made, the issuer must immediately implement market-sounding controls. The SFC’s Code of Conduct for Persons Licensed by or Registered with the SFC (the “Code of Conduct”), specifically paragraph 5.6, prohibits any person who is in possession of inside information from engaging in market-sounding activities until the information has been publicly disclosed. The 2024 Guidelines expanded this prohibition to include any employee or agent of the issuer, including external PRC or financial advisers, who may have been involved in the leak.

The issuer must also update its insider list within two business days of the leak, as required by Section 312 of the SFO and the Securities and Futures (Insider Lists) Rules (Cap. 571AA). The updated list must include the names of all individuals who had access to the leaked PSI, the date and time of their access, and the reason for their access. The HKEX’s 2025 Enforcement Report noted that 27% of all insider dealing investigations in 2024 were initiated because of discrepancies between an issuer’s insider list and the actual individuals who traded in the issuer’s securities during the leak period. The report recommended that issuers use electronic insider list management systems that automatically timestamp access events, rather than manual spreadsheets.

Board and Sponsor Obligations

The Audit Committee’s Role in LRP Testing

The audit committee is the primary governance body responsible for overseeing the LRP. Under the HKEX’s CG Code Provision D.2.3, the audit committee must review the LRP at least annually and report its findings to the board. The review must include a tabletop exercise simulating a leak scenario, with the results documented in the audit committee minutes. The HKEX’s 2024 Guidance on Board Effectiveness recommends that the tabletop exercise involve at least three scenarios: a financial results leak, a merger negotiation leak, and a regulatory investigation leak.

The SFC has indicated in its 2025 Statement on Enforcement Priorities that it will scrutinise the quality of these tabletop exercises. In a 2024 enforcement case against a GEM issuer, the SFC found that the audit committee’s “review” consisted of a single email exchange confirming that the LRP document existed. The SFC imposed a fine of HKD 2.3 million on the issuer and a reprimand on the audit committee chair for “failure to discharge the duty of care” under Section 308 of the SFO. The takeaway is clear: the audit committee must actively challenge the LRP, not merely approve it.

For issuers preparing for an IPO, the sponsor’s role in establishing the LRP is critical. Under the HKEX’s Sponsor Rules (Chapter 3 of the Listing Rules), the sponsor is required to conduct due diligence on the issuer’s internal controls for handling inside information as part of the listing application. The HKEX’s Guidance Letter GL-2023-01 specifies that the sponsor must review the issuer’s proposed LRP and confirm to the HKEX that the plan is “adequate and operational” before the listing hearing.

Post-listing, the sponsor’s liability does not automatically terminate. The SFC’s Code of Conduct for Sponsors (paragraph 17.2) requires sponsors to maintain a “continuing duty” to report any material deficiencies in the issuer’s internal controls that come to their attention within 12 months of listing. In a 2024 enforcement action, the SFC fined a sponsor HKD 15 million for failing to disclose that the issuer’s LRP had not been tested during the first six months of trading, even though the sponsor’s compliance team had identified the gap during a routine post-listing review (SFC v. ABC Capital Limited, HCCT 67/2024). This decision has led to a structural change in the industry: most major sponsors now include a mandatory LRP testing clause in their post-listing engagement letters.

Cross-Border Leakage and PRC Considerations

The CSRC-SFC Coordination Mechanism

Issuers with significant PRC operations face a dual regulatory burden. The CSRC’s Administrative Measures for Information Disclosure of Listed Companies (2023 revision) requires listed companies to disclose material information to the Shanghai or Shenzhen stock exchanges within two trading days of the event occurring. A leak of PSI that originates from a PRC subsidiary triggers disclosure obligations under both Hong Kong and PRC law, often on different timelines.

The SFC and CSRC entered into a Memorandum of Understanding on Enforcement Cooperation in 2024, which formalised a 48-hour notification requirement for cross-border leaks. Under this MOU, an issuer that becomes aware of a leak in its PRC operations must notify both regulators within 48 hours, providing a preliminary assessment of the leak’s scope and the identities of any PRC-based employees involved. Failure to do so can result in parallel enforcement actions: in 2024, the CSRC imposed a RMB 20 million fine on a PRC subsidiary for failing to notify the CSRC of a leak that had already been disclosed to the SFC, because the issuer’s Hong Kong compliance team had not coordinated with the PRC legal team.

Practical Steps for Dual-Listed Issuers

For issuers dual-listed on the HKEX and a PRC exchange, the LRP must include a specific “PRC Addendum” that addresses the CSRC’s disclosure timeline and the PRC Securities Law’s prohibition on selective disclosure. The addendum should designate a PRC-based compliance officer who is authorised to communicate directly with the CSRC’s local bureau in the event of a leak. The Mayer Brown Dual-Listing Leakage Protocol (2025) recommends that the addendum be reviewed by PRC counsel at least quarterly, given the frequency of regulatory updates—the CSRC issued 14 new information disclosure-related circulars in 2024 alone.

The addendum should also address the PRC’s Cybersecurity Law (2017) and Personal Information Protection Law (2021), which restrict the cross-border transfer of data that may contain PSI. In a 2024 incident involving a pharmaceutical issuer dual-listed in Hong Kong and Shanghai, the issuer’s LRP required the immediate transfer of employee access logs from the PRC R&D centre to Hong Kong for analysis. The CSRC intervened, citing Article 37 of the Cybersecurity Law, which requires a security assessment for any cross-border data transfer involving “important data.” The issuer was forced to delay its disclosure announcement by 72 hours while it obtained the necessary clearance, during which time the issuer’s share price fell 12% on the HKEX. The incident highlights the need for dual-listed issuers to pre-clear data transfer protocols with both regulators as part of their LRP.

Actionable Takeaways

  1. Mandate a 24-hour escalation protocol — designate a Leak Response Team chairperson who must be notified within one hour of any potential leak, with the clock starting from that notification for the purpose of HKEX Rule 13.09 compliance.
  2. Conduct a tabletop exercise at least annually — the audit committee must simulate at least three leak scenarios and document the results in board minutes, as failure to do so exposes the issuer to fines of up to HKD 10 million under the SFO.
  3. Implement an electronic insider list management system — manual spreadsheets are no longer acceptable; the system must timestamp every access event and automatically flag discrepancies with trading records to meet the SFC’s enforcement expectations.
  4. Maintain a PRC Addendum to the LRP — for issuers with PRC operations, the addendum must address CSRC notification timelines, cross-border data transfer restrictions under the Cybersecurity Law, and designate a PRC-based compliance officer with direct CSRC communication authority.
  5. Review sponsor engagement letters for post-listing LRP testing clauses — the SFC’s 2024 enforcement actions have established that sponsors bear continuing liability for LRP deficiencies within 12 months of listing, making pre-negotiated testing schedules a standard industry requirement.