CSj highlights the latest additions to the Institute’s guidance note series, updating members on information technology risk, intitial public offering due diligence and the latest changes to the Companies Ordinance.
The Institute’s guidance notes, available from the publications section of the Institute’s website, keep practitioners up to date with the latest issues in governance, compliance and company secretarial practice. In June 2016, the Institute set up seven interest groups under its Technical Consultation Panel to issue guidance notes in their areas of expertise. In the three years it has been running, this project has added a substantial body of guidance to the Institute’s website for the benefit of the Institute’s members and the wider profession and community. This article highlights three new additions to this series.
1. Overseeing IT risk
Overseeing information technology (IT) risk has some special characteristics that make it a tough assignment for directors. Firstly, and most obviously, the consequences of getting it wrong have become a lot more severe as threats – such as cyber attacks, malware, data breaches, or simply the danger of falling behind the competition in the degree to which the company harnesses new technology – proliferate and escalate.
Secondly, the capacity of the board to address IT risks has often not advanced with the same rapidity as the threat level they involve. In the past, directors were rarely chosen for their IT skills and awareness, and while that is changing, many directors and executive level management don’t have an adequate grasp, at least at a technical level, of the nature of the threats or even their organisation’s own IT system.
The new guidance note published in June this year by the Institute’s Technology Interest Group (the third in the series) hopes to arm directors and those tasked with managing risk, including company secretaries, with some tools for understanding the key IT concepts and systems that make up a standard corporate network.
Do you know your LAN from your WAN?
The new technology guidance note, now available on the Institute’s website, gives a primer in the basic infrastructure of a typical corporate IT network. Generally, corporate networks will have a number of local area networks (LANs) – the local network of computers and other electronic devices – each with their own access rights and privileges.
It is when you start connecting your LAN to a wide area network (WAN) – the internet or other office locations – that the fun starts. The guidance note points out that ‘connecting a LAN to a WAN is like opening a door where there was once a wall’. Ideally, file servers and databases containing important data should be on networks that are not connected or accessible from other networks and certainly not open to the internet.
For networks where an external connection is a necessity, protecting your LAN from external intrusions is the job of a firewall. This will filter the data arriving on the WAN connection that is destined for a device on the LAN. If the data is flagged by the filters on the firewall, it won’t be allowed through. Firewalls can also work in the opposite direction (data going from LAN to WAN) enabling companies to control how its employees connect to websites, whether and what type of files are allowed to leave the company over the network and so on.
Upgrading – the hardware vs software debate
The board will often be involved in assessing the need for an IT upgrade. The guidance note makes the point that the board needs to understand the relative merits of upgrading hardware (the physical computers and electronic devices in your IT system) or software (the code or computer programmes that enable the hardware to perform specific tasks).
Often the assumption is that an upgrade is all about buying better gear (hardware), but the guidance note emphasises the fact that your hardware is only as good as the software running on it. ‘Your organisation may get better performance from the same database server for example with faster hardware. However, it may get even better performance and more security features without needing to upgrade the hardware if your organisation was instead to upgrade the database server (that is, the database programme) or use a different one altogether,’ the guidance note states.
The distinction between hardware and software is equally valid when it comes to your operating system (OS) – the computer programme running on the hardware that manages the hardware itself. Here the key recommendation is to keep your OS updated. When vulnerabilities or bugs in the OS are found, OS software developers release patches to fix them. ‘Upgrading to the latest and greatest hardware won’t make an organisation any more secure if it is running the same OS as the old hardware,’ the guidance note points out.
Are you storing too much data?
Not all decisions required of the board when overseeing IT risk will involve technical IT knowledge. The new technology guidance note points out that one risk mitigation measure companies can take is simply to avoid storing more data than you need. ‘The probability of a breach increases as the amount of data stored grows,’ the guidance note states. This is particularly true for companies holding types of data that are more vulnerable to attack – the prime targets for hackers are large companies holding personally identifiable information (PII), health, financial and credit card information.
‘In the quest to store everything forever and as the price of digital storage has continued to go down, boards should insist on a comprehensive audit of what data their organisation stores and why. This should be done in the context of your organisation’s knowledge management practices and needs,’ the guidance note states.
The IT challenge
The foregoing makes it clear that effective oversight of IT risk should be high on the agenda of directors and the governance professionals advising them. ‘Gone are the days when it was acceptable to be oblivious and ambivalent to the technology infrastructure installed in our organisations’, the guidance note states. The new technology guidance note will be a useful resource for directors and practitioners seeking to upgrade their understanding of the basic concepts in data security technology and the resilience of their company’s IT system.
2. Due diligence for IPOs
The due diligence process required to take a company public in Hong Kong is a long and complex one. The regulations relevant to initial public offerings (IPOs) seek to maintain market quality and listing applicants are therefore required to demonstrate their financial viability, the character, experience and integrity of their directors, their independence from the controlling shareholder, etc. Listing applicants are also subject to disclosure requirements to ensure that prospective investors can access the information they need to assess whether the company is a good investment.
In this context, good governance is key to a successful IPO and governance professionals, whether as part of the in-house team or as corporate service providers, will have a key role in taking a company public. The first guidance note issued by the Institute’s Securities Law and Regulation Interest Group in September 2017 provided practitioners with an essential primer in IPO due diligence. The second guidance note in this series, published in May this year, updates the guidance to take into account the many changes to Hong Kong’s listing regime in the intervening two years – notably, the new listing regime for emerging and innovative companies that came into effect on 30 April 2018.
One of the most useful aspects of the first guidance note was the single page synopsis of the IPO listing process. This ‘Flowchart of IPO process and vetting procedures’, which has been updated to the new requirements, still forms the centrepiece of the IPO guidance note. It represents graphically the various stages of the IPO process and the Hong Kong Exchanges and Clearing Ltd (HKEX) vetting procedures relevant to each stage of the process, providing practitioners with a step-by-step reference resource for IPO due diligence.
The latter part of the new guidance note is devoted to the new exemptions and requirements relevant to certain types of companies. It includes four additional riders setting out the new exemptions and requirements applicable to:
- mineral companies
- infrastructure project companies
- biotech companies, and
- companies with weighted voting rights (WVR).
The latter two categories have been the subject of consultations and a lot of media debate in the year since 2018. While the primary intention was to be enabling – allowing pre-revenue biotech companies and companies with WVRs to list – a complex raft of new requirements has been added to the listing regime to ensure a quality market and the protection of investors. The new guidance note highlights these new requirements and will be a useful resource for compliance and governance professionals working in this area.
3. Companies Ordinance update
Hong Kong’s Companies Ordinance (Cap 622), which sets forth the statutory framework for the incorporation and operation of companies in Hong Kong, is a core piece of legislation for compliance and governance professionals. In April this year, the Institute’s Company Law Interest Group added a third to its series of guidance notes on the changing compliance requirements of Cap 622. The new guidance note seeks to update practitioners on major changes brought in by the Companies (Amendment) (No 2) Ordinance 2018 (the Amendment CO), which was implemented on 1 February 2019.
Cap 622 allows for some reporting exemptions aimed at relieving the burden of non-public, wholly owned companies and eligible companies from certain disclosure requirements. The Amendment CO extends the scope of companies eligible for simplified reporting and, for ease of reference, the new guidance note provides a table setting out the types of companies/groups now eligible for simplified reporting under the Amendment CO and the new eligibility tests that apply to them.
The Amendment CO also implements changes to Cap 622 designed to better reflect current accounting standards. The definitions of ‘holding company’ and ‘parent undertaking’, for example, have been updated in such a way that ‘control’ is now recognised as a basis for determining whether an entity is a subsidiary of the parent undertaking. The new guidance note highlights and clarifies these amendments. An undertaking will be deemed to be a parent undertaking of another undertaking if it has ‘control’ over the other undertaking, or if it is a parent of it under applicable accounting standards. Much depends on the new definition of ‘control’ and this is defined in the Amendment CO as being the power to govern the financial and operational policies of that other undertaking in order to obtain benefits from that other undertaking’s activities.
The guidance note provides a table setting out the various amendments to Cap 622 under the Amendment CO designed to clarify the original policy intent of the law, or to remove the ambiguities or inconsistencies in the law. For example, the Amendment CO expressly allows a company’s articles to be in electronic form and aligns the penalty level for an offence for making a misleading, false or deceptive statement to an auditor relating to revised financial statements with a corresponding offence relating to original financial statements. It also empowers the Financial Secretary to make regulations for non–Hong Kong companies to provide for the detailed requirements relating to the display of company names and the disclosure of liability status in order to align the obligations of non–Hong Kong companies with those of local companies.
The guidance notes mentioned in this article are available from the publications section of the Hong Kong Institute of Chartered Secretaries website: www.hkics.org.hk.
SIDEBAR: A word of thanks
The members of the Technology Interest Group are: Gillian Meller FCIS FCS (Chairman), Ricky Cheng, Philip Miller FCIS FCS, Tommy Tong and Dylan Williams FCIS FCS. Gratitude is expressed to Dylan Williams FCIS FCS as the lead author of the latest technology guidance note.
The members of the Securities Law and Regulation Interest Group are: Daniel Wan (Chairman), Agnes Wong, Bill Wang FCIS FCS, Professor CK Low FCIS FCS, CK Poon FCIS FCS and Dr David Ng FCIS FCS.
The members of the Company Law Interest Group are: Benita Yu (Chairman), Angela Mak FCIS FCS, Cathy Yu FCIS FCS, Loretta Chan FCIS FCS, Susan Lo FCIS FCS(PE) and Wendy Yung FCIS FCS.
Mohan Datwani FCIS FCS(PE), the Institute’s Senior Director and Head of Technical & Research, serves as secretary to the interest groups. Please contact Mr Datwani, if you have any suggestions about topics relevant to these interest groups at: email@example.com.